Captchas vs. Spambots: Why the Slider Captcha Wins

by on 04/21/11 at 5:07 am

Anyone who has a form on their website has seen their fair share of spam. Spam is a huge problem for site owners. It can cost businesses time and money. To fight spam, many sites put captchas on their forms. These captchas can stop spambots from spamming. But they can also stop users from filling out your form. That’s the last thing you want when you’re running a business.

Captchas force users to type random words that don’t make sense. Not only that, but the letters are so warped and distorted they’re hard for anyone to read. Users often have to try captchas many times to get it right. That’s why most users avoid filling out the form when they see one. It’s good that captchas stop spam, but it shouldn’t come at the cost of losing users. The perfect captcha is one that not only stops spambots, but does it without hurting your form conversion rate.

Checkbox Captcha

The checkbox captcha can stop some spambots, but not all. What’s good about this one is that it’s smaller and less intrusive than traditional captchas. All it takes is putting a checkbox generated with client-side JavaScript on your form. All the user has to do is tick it. No typing necessary.

Most spambots won’t be able to tick the checkbox because they don’t parse the client-side JavaScript shown to users. But some spambots can detect client-side JavaScript through training. Although it’s less intimidating to users, it’s not 100% effective in stopping spambots.

Honeypot Captcha

Another captcha that’s less intrusive than traditional captchas is the honeypot. Honeypots can stop some spambots, but not all. They may also create accessibility issues for some users.

Honeypot captchas work by hiding a text field from users through CSS. It’ll only accept entries that leave the field blank. Users can’t fill out this field because they can’t see it. But spambots will see and fill it in. The form will then reject the spambot’s entry.

Some spambots have learned to avoid honeypot text fields if they’re labeled in a way that tells users to avoid them. This presents accessibility issues for screen reader users who have CSS disabled. If the label on the honeypot field doesn’t tell them not to fill out the honeypot, they won’t know to avoid it.

You could give the honeypot field a common label, such as “name”, to trick the spambot into filling it in. But it would also trick screen reader users into filling it in too. Honeypot captchas are not 100% effective at stopping spambots, nor are they accessible to all users. But they are far better than traditional captchas.
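
As an added illustration (not code from the original article), here is a server-side check in Node.js for the hidden-field approaches described in the Checkbox Captcha and Honeypot Captcha sections. The field names website and form_token, the three-second minimum fill time and the in-memory nonce set are assumptions; the example goes beyond the article by tying each rendered form to a signed, single-use token, so a recorded submission cannot simply be sent again.

```javascript
// Added example: server-side validation for a honeypot field plus a signed,
// single-use form token. Field names and thresholds are assumptions.
const nodeCrypto = require('node:crypto');

const SECRET = nodeCrypto.randomBytes(32); // per-process key; share it across servers in practice
const MIN_FILL_MS = 3000;                  // assumed: humans need a few seconds to fill a form
const MAX_AGE_MS = 30 * 60 * 1000;         // assumed: a rendered form is valid for 30 minutes
const usedNonces = new Set();              // in-memory for the example; never pruned here

function sign(payload) {
  return nodeCrypto.createHmac('sha256', SECRET).update(payload).digest('hex');
}

// Token = nonce.issuedAt.hmac, so the client cannot forge or back-date it.
function issueToken(now = Date.now()) {
  const payload = `${nodeCrypto.randomBytes(16).toString('hex')}.${now}`;
  return `${payload}.${sign(payload)}`;
}

// Markup for the trap: hidden with CSS, but labelled so that a screen reader
// user with CSS disabled is told to leave it empty.
function renderTrapFields(now = Date.now()) {
  return [
    '<div style="position:absolute; left:-9000px">',
    '  <label for="website">Leave this field blank</label>',
    '  <input type="text" id="website" name="website" tabindex="-1" autocomplete="off">',
    '</div>',
    `<input type="hidden" name="form_token" value="${issueToken(now)}">`,
  ].join('\n');
}

// Returns null when the token is acceptable, otherwise a rejection reason.
function verifyToken(token, now) {
  const parts = String(token ?? '').split('.');
  if (parts.length !== 3) return 'bad-token';
  const [nonce, issuedAt, mac] = parts;
  const given = Buffer.from(mac, 'utf8');
  const expected = Buffer.from(sign(`${nonce}.${issuedAt}`), 'utf8');
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    return 'bad-token';
  }
  const age = now - Number(issuedAt);
  if (age > MAX_AGE_MS) return 'expired';
  if (age < MIN_FILL_MS) return 'too-fast';
  if (usedNonces.has(nonce)) return 'replayed';
  usedNonces.add(nonce); // consume the token only once every check has passed
  return null;
}

// fields: the parsed POST body as an object of strings.
function checkSubmission(fields, now = Date.now()) {
  if (String(fields.website ?? '').trim() !== '') {
    return { ok: false, reason: 'honeypot-filled' };
  }
  const reason = verifyToken(fields.form_token, now);
  return reason ? { ok: false, reason } : { ok: true, reason: null };
}
```

A bot written for one specific site can still fetch a fresh form, wait and post it, so these checks raise the cost of automation rather than prove a human is present.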

Slider Captcha

The slider captcha separates itself from the rest of the pack. It stops 99% of spambots because most can’t interact with the slider. It’s also user-friendly because all users need to do is slide the knob across to verify they’re not a spambot. All mobile users need to do is swipe. One potential drawback is that keyboard-only users might not be able to activate the slider if you don’t make it accessible.

Final Thoughts

Traditional captchas are the worst. Stopping spam should not come at the cost of stopping users from filling out your form. In the battle of captchas versus spambots, the slider captcha is the most effective. It’s not only easy for users to use, but it fights spam without hurting form conversion rates. The war on spambots is far from over. But this is the best of what’s out there for sites that don’t want to lose users.



Author and founder of UX Movement. Founded this site to help you learn user experience design for a more user-friendly world.

67 Responses to “Captchas vs. Spambots: Why the Slider Captcha Wins”

  1. Stéphane Rangaya

    Apr 21st, 2011

    Nice article, but I’m wondering what happens if the user has javascript disabled.

    • anthony

      Apr 21st, 2011

      If javascript is disabled, it’ll tell users to turn on javascript to submit the form. But most screen reader users won’t have javascript disabled:

      • john

        Apr 23rd, 2011

        Is it really likely that more users will have CSS disabled than Javascript disabled?

        Most modern browsers have the capability to disable Javascript in their settings, as well as support for third-party add-ons, like NoScript, that disable Javascript.

        • anthony

          Apr 24th, 2011

          I think more screen reader users have CSS disabled than Javascript. Not having Javascript degrades the functional experience of a site. Not having CSS peels away the aesthetics of a site. Which do you think a screen reader user would rather have?

          • Stomme poes

            Apr 30th, 2011

            Not sure what the point is in “worrying” about the blind but airily stating that “users just have Javascript enabled”. I care about both groups.

            I use the honeypot, and it’s clearly labeled. uses something similar: a final question (which is hidden with Javascript I believe, so those who *do* have it on don’t see it, don’t fill it in) asks if you’re a spammer. On the other side of the field, there’s some hint text “fill in No”. So if you don’t have JS, fine: you’re told not to leave it blank, but what you should fill in.

            Users without JS do a hair more work, and unlike the javascript-created checkbox, allows ALL human users access.

          • Anna Funk

            Jun 7th, 2011

            When using a honeypot, you generally hide the blank field with CSS so the human users that have CSS turned on don’t even see it.

            Both solutions are completely valid.

            My only concern with the checkbox is that to someone who isn’t paying attention, it could look like you’re trying to get them to sign up for something.

      • Gambler

        Jul 21st, 2011

        JavaScript should not be required for performing trivial actions, such as commenting. There are many, many architectural reasons for that. Besides, many people browse with JS disabled for security and privacy purposes.

        How about adding two checkboxes? “I am not a spambot” and “I am a spambot”. Both are unchecked by default. The second one is hidden via CSS. This would thwart bots that check everything and fill every field.

    • Thomas

      Apr 1st, 2013

      Re captcha is too difficult to read

  2. weston deboer

    Apr 21st, 2011

    If you are using the plugin, as I see below.

    It is doing it all wrong, the box needs to be checked and the text needs to say like it does in your image above. Then if you are not a spammer it should be unchecked.

    Spam bots know how to check things, but uncheck?

    We don’t get much spam in the first place, but I am going to implement this right now and see what happens.

    • anthony

      Apr 21st, 2011

      Don’t think that’ll work. If the checkbox is already checked, the spambot doesn’t have to do anything but fill in the remaining fields. Also, making the user uncheck a checkbox to submit the form is an odd and confusing request in and of itself.

      • MarQ

        Apr 23rd, 2011

        Weston’s suggestion is that the condition be reversed: the server-side check is for an unchecked checkbox – i.e., if it is checked the submission is spam.

  3. Geoffrey Lee

    Apr 21st, 2011

    Do spam bots even run JavaScript? It seems to me that simply inserting a hidden field via JavaScript is enough to combat spam if the bots don’t run JavaScript. The checkbox itself is unnecessary.

    And the argument that people surf the web with CSS disabled is no different from the argument that people surf the web with JavaScript disabled. Besides, you can still target screen readers with CSS using the “media” attribute.

    • Matt

      Apr 22nd, 2011

      I was thinking the same thing: if the assumption is that the bot is not parsing javascript, a hidden field or a modification to the submit value should be enough to do the test without a normal user ever seeing a prompt.

    • anthony

      Apr 22nd, 2011

      Should be enough, but it’s not. Many spambots can detect and avoid honeypot fields. You should try them all out and see which one is most effective. Would love to see the results.

      • Jonas

        Apr 25th, 2011

        Here is a javascript hidden field example. I haven’t received any spam at all this way (and I have been using it for years) and if I would it is very easy to sophisticate it.

        PS. Putting the “I am not a spambot.” checkbox above this textarea would make it more likely to be seen.

        • Gavin

          Apr 27th, 2011

          I also have used the hidden checkbox field for a long time (years).
          Never get any spam, but obviously it requires javascript to be enabled.

          The hidden verification code (vc) input stores a randomly generated MD5 hash stored in a session server side, and inserts via JS.

    • Stomme poes

      Apr 30th, 2011

      @Geoffrey Lee I haven’t seen any media queries that successfully target screen readers. What one do you use?

  4. Dey Alexander

    Apr 21st, 2011

    Have you tested this with users? I wonder how many ordinary users (non geeks) know what a spambot is and hence, know what the question is asking and how to answer it.

  5. Jonas Arnklint

    Apr 22nd, 2011

    So, if no spam bot can execute client side code, why don’t you just insert a hidden field client side that has a value that needs to be there in order for the form to validate?
    Google bot executes JavaScript, so I suppose spam bots will too.

  6. Tim

    Apr 22nd, 2011

    It surely does work if a small percentage of people use it. However if it becomes more popular and less unique, it will be easy to work around.

  7. Jonas

    Apr 22nd, 2011

    The traditional Captchas are mainly used because they don’t require javascript.

    If you decide to use javascript (I do) then there is no point in having a checkbox at all as you can easily generate a hidden field with an obfuscated string. No spam – no checkbox – no (visible) captcha 🙂

  8. David

    Apr 22nd, 2011

    This depends on the nature of your site.

    If you have a simple comments section that you’re trying to avoid the majority of generic spambots spamming, then this will work fine, as will any javascript approach (using jQuery to capture the onSubmit event and adding a hidden field prior to the http post would also do the trick), providing, as Stéphane points out, javascript is enabled.

    However, if you’ve a site which you’re trying to prevent automated sign-ups, and there is any value to someone writing a specific bot for your site (which is really very little work to do), then it is trivial for them to bypass this. You could randomise the field name and match it to a session variable (CSRF token style) which would make their life harder, but there’s a good reason why Google et al. have fallen back to the captcha, despite its very real issues.

    • Wladimir

      Apr 22nd, 2011

      If people are really targeting your site, captchas do not protect against spam signups either. They can use services like decaptcha which hire cheap typers to “solve” these images in bulk. If your site is worth targeting, a signup will probably be worth more than 1/10 of a cent.

  9. David Reynolds

    Apr 22nd, 2011

    It doesn’t work. If the spambot simply records the submit request sent to the server, it will include the checkbox tick and it can repeat it as often as it wants.
    captchas work because the server sends a coded message and only a human can return the message.
    Any solution involving javascript will not work.
    Even if you get javascript to generate a captcha, you will have to give javascript the unencoded word to generate. The spambot will be able to get the unencrypted word to pass back.

    • anthony

      Apr 24th, 2011

      You’re right, it’s not 100%. But it eliminates a lot more spam than not having anything at all.

  10. Constantin

    Apr 22nd, 2011

    It is not complicated to write a spam bot that can run javascript 🙂

    • tupolev

      May 2nd, 2011

      Totally agree. And no need even to write it. Just use a fake browser like the ones we use to test interfaces. In fact, it’s called “Fake” 😛

  11. Anon

    Apr 23rd, 2011

    Although current spam bots couldn’t get around these captchas on your website, it is super trivial to write one that can. They will only work to stop spam until someone writes a spam bot specifically for the site, which won’t take a whole lot of effort. All it needs to do is submit the same information in the form that a valid form would have.

  12. Ramenos

    Apr 25th, 2011

    I agree with checkbox captcha. However, I am not sure that all robots could not fill javascript…

  13. Brad

    Apr 25th, 2011

    This stuff does my head in. What about generating a random string and random string index to be used as the session index for the token ($_SESSION[$_SESSION['index']]), stored in a server side session for each page load, then ajax posting the index and string to receive a pseudo random token based on the previous random string (only if $_SESSION[$_SESSION['index']] is set and equal to the random requested index/string) which is stored in a server side session variable then injected into the form in a hidden field that is generated on the fly (so cannot be detected on a page load, as it is injected into the DOM when the doc is loaded) which is posted at submit time and compared to the token that was generated and stored server side?

  14. Chefil

    Apr 26th, 2011

    The best captcha is a hidden email field. The real email field has a different name. A spam bot always puts an email in the hidden email field, but a real user couldn’t do this.

  15. Ruben Vandenbussche

    Apr 26th, 2011

    I made some CSS-hidden fields with the name website and a hidden field with the name url. If one of those fields is filled in, the IP goes into a database of blocked IPs. Nothing is required of the user. That’s the perfect user experience :).

  16. Jon

    Apr 26th, 2011

    I was going to write a similar blog concerning this topic, you beat me to it. You did a nice job! Thanks and I will add your RSS to our blogs. Thanks so much, Jon B.

  17. Peter J. Hart

    Apr 26th, 2011

    Tools like Selenium make it easy to do automated UI regression testing, but also makes it easy to make spam bots that use JavaScript.

    But, blocking non-JS bots might be enough for you. If you get spam every once in a while, a checkbox, hidden field, or even JS that changes the form action URL might be enough.

  18. Web Axe

    Apr 30th, 2011

    Nice article, and interesting idea, but I like the honeypot method.

    I believe JS must be supported. But not because of screen reader users; same percentage of those users have JS enabled as “regular” users. Remember 1% or so of 100,000 is still 1,000 users you’re blocking. Cases include low-end mobile devices, corporate firewalls, broken JS, very old browsers, and text-only browsers.

    There are many other accessible non-captcha methods here:

  19. Luciano

    May 5th, 2011

    This method doesn’t work… if someone wants to register 1000 users in your site, he programs the bot to send a checkbox, or to not complete the “hidden field”… in that case you have to use traditional captcha


    • Tony McGurk

      May 28th, 2011

      But it does work. I have proved it on my own site. Using Akismet I was often getting hundreds of spam a day. Now using Growmap Anti-Spambot Plugin (GASP) with the checkbox I get a big fat ZERO amount of spam.

  20. Jason

    May 9th, 2011

    A typical designer’s idea.

    You need to take into account exactly what a CAPTCHA is, and what it’s designed to do.

    A CAPTCHA is designed to prevent a script or program from filling out a form many times automatically, be it to make hundreds of spam email accounts, or to flood a messageboard with spam comments.

    The idea behind a captcha is as follows: humans can perform the task, but a script cannot.

    Your checkbox idea is not a CAPTCHA because It is simple to make a script that clicks the checkbox, just as a user might.

    While the checkbox may decrease the number of users who decide not to sign up, you might end up with thousands of spam elements, and a waste of crucial server resources.

    The bottom line: if you’re going to have something that doesn’t require human intelligence to pass, you might as well not have anything at all.

  21. CableCat

    May 9th, 2011

    I totally agree with this last comment from Jason. This checkbox model can easily be defeated by a custom script. All you have is security by (slightly) obscurity.

    Of course it will help a lot, because all the automated spambots that crawl the web do not work. But it will not work for anyone who targets your site specifically.

    This is the same as writing your email as name(a) – It will only work until somebody writes a bot that replaces (a) with @. BTW I had great success replacing @ with @ in the HTML code.

    In the end you can do something even simpler to achieve the same goal.

    AAARG, I had to enable javascript to post this comment… FAIL!

  22. John

    May 18th, 2011

    I love this alternative to the ugly captcha. How about if javascript is turned on show checkbox, if not show the ugly captcha? Seems like the number of people with javascript turned off would be minimal so this should work…and still stops the spammers. I also think like everything else, the method used depends on your audience. If you have a lot of people with JS turned off this is not for you.

  23. Tony McGurk

    May 28th, 2011

    Seems a lot of people in previous comments are critical of the checkbox type setup. I hate having to type out captchas. If they are hard to read you have to keep clicking the refresh to get one you can read. I use GASP with the checkbox & it works so well I have uninstalled Akismet completely. Every time I check my Spam folder the amount is always ZERO…
    Easy to criticize something if you haven’t tried it. GASP is the ultimate in anti-spambot defence.

    • anthony

      Jun 2nd, 2011

      Akismet is not accurate in targeting spam. Sometimes it’ll mark real comments as spam.

  24. Captcha Monster

    Jun 6th, 2011

    Both CAPTCHAs have their advantages and shortcomings, but when it comes to the ordinary user, who is not going to spam your website, he should have some solution which would help him complete CAPTCHA verifications.

    And here comes Captcha Monster, a completely automated Firefox add-on which lets you forget about CAPTCHAs forever!

  25. Ian

    Jun 13th, 2011

    I’m willing to try the Checkbox Captcha, but am not a WordPress user (or any blogging software, for that matter).

    The Growmap site offers a plug-in for WordPress, but does not suggest any script for non-Wordpress or non-blogger pages (i.e.: ordinary HTML).

    I’ve searched the keyword string [“Checkbox Captcha” script], but was unable to find anything useful. Any suggestions as to where I should look?

  26. Thomas

    Jun 27th, 2011

    Why do you not use JavaScript to offer the Send-Button? If a spambot has no Send-Button I think they can’t send it.

    • anthony

      Jul 3rd, 2011

      Interesting. I think that works too, but some spambots will still be able to interact with it.

      • Thomas

        Jul 4th, 2011

        Thank you for your answer. I prefer to hide the whole form with the submit-Button, because the visitors of my site don’t recognize that I make this check. So I do not disturb the contact-workflow.

  27. Thomas

    Jun 30th, 2011

    It should also work if you show the whole form with javaScript. So you could be sure, that bots without JavaScript “see” nothing.

    Is it surely right that bots don’t use JavaScript? Are there any bots who use JavaScript?

    I’d be thankful if you could answer me in a short comment.

  28. Craig Smith

    Aug 1st, 2011

    An interesting concept and a great solution for smaller websites, however, this wouldn’t work for high-volume websites (traffic or revenue or both) because hackers would spend the time to develop a bespoke solution as the reward is worth the effort.

  29. Matt

    Aug 7th, 2011

    Appreciate your write-up about this method.

    I am looking to incorporate captcha for our registration page. Because we also have a TOS that needs to be agreed to before sign-up occurs, I am considering using the checkbox as an agreement to the TOS. This way, we subvert spambot submissions while also not displaying an obvious captcha to the user.

  30. Mike

    Feb 17th, 2012

    Use an image next to the box if they have css disabled that says this is only for spambots to fill in. Then the spambot won’t see the text.

  31. Willy

    Feb 20th, 2012

    There is something I’m not getting with this somewhat popular technique. Since this technique forces the user to have Javascript enabled, why bother with a checkbox? Why not have a Javascript function that will put an obfuscated value in a hidden field, and you check the value of that field on the server. It’s as safe (or should I say unsafe) as the checkbox technique, but you won’t need the user to click on anything.

    A safer technique would be to use an Ajax call to set a random value in a hidden field, a value that was also saved in the user’s session on the server. This way, the spammer would actually have to simulate sessions and call the Ajax script. Doable, but more work for them.

  32. Jovino Margathe

    Mar 19th, 2012

    I’m surprised no one had even bothered using an input text field which is hidden through css, which means normal users wouldn’t be able to see it.

    Simple really, if it is filled, then the request is invalid since it didn’t come from a “normal” user.

    You can do the checking on client or server side as well.

  33. The Rata

    Jul 14th, 2012

    Stating that the Javascript solution is better than the honeypot one is just stupid. There are enough people who have Javascript turned off, or their smartphone/mobile computer just doesn’t support it.

  34. Thomas

    Apr 1st, 2013

    Very good article. The captcha in facebook and re captcha are hard to read. Even a human also cannot pass it.

  35. Siegfried

    Apr 15th, 2013

    I use Growmap Antispam Plugin for WordPress and it works perfectly – I forgot what spam is ;D
    sometimes spammers use manual entry but it is rare

    best regards!

  36. Nikolay Krustev

    Aug 23rd, 2013

    This is totally pointless and protects nothing, if I want to attack the specific site with spam, it takes 1 line of JS to make this useless.

  37. TheDarkSide

    Feb 12th, 2014

    Anything that is pure client-side is useless.
    It will stop the lousy random bots, but it will not stop someone who decides to attack your website – post comments, register users, try sql injection etc etc.
    I can write from the scratch a bot that posts multiple times in under 15 minutes.

  38. Mitch

    Feb 24th, 2014

    A client/customer who doesn’t want to fill the captcha, is perhaps better off moving to Facebook, anyway.

    A checkbox thing does not work; it can easily be checked by spam bots. C’mon.

    Besides, just go and check the “WordPress” Growmap Anti Spambot Plugin, what a joke!

    Seriously, one needs to wonder if you wrote this article with a second thought in your mind!

  39. Mark

    May 19th, 2014

    The checkbox idea is good. But can I just create one of my own through the Form Mail that I have set up on my site?

  40. Shad

    Nov 4th, 2014


    #start_timer { display:none; }
    #email { display: none; } /* Spambot trap: If not empty, deny */
    #email_address { position:absolute; left:-9000px; } /* Off screen trap for bots that can ignore display:none */

    //Hidden field from the user
    //Hidden field from the user

    //Legit field that needs to be filled in for the real e-mail

    ############## SUBMIT CHECKER ##############################

    DIM error_message
    error_message = "Double Authentication Required: You have been detected as a Spam Bot. "
    error_message = error_message & "If you received this message in error and would like to submit your e-mail: "
    error_message = error_message & "Please Click Here To Continue Sending E-mail >> "
    error_message = error_message & "An e-mail will be sent to " & customers_email & ". Please click on the link in the e-mail to verify you are human. Thank-You!"

    'Both trap fields must be empty; a value in either one means a bot filled it in
    IF (email = "" OR IsNull(email)) AND (email_address = "" OR IsNull(email_address)) THEN
        IF Total_Time_To_Submit <= 5 THEN
            'Submitted too quickly for a human
            Call Spam_Bot_Error(error_message) 'Double authentication required
        ELSE
            'Traps empty and enough time taken: send the e-mail
            Call Send_E_Mail()
        END IF
    ELSE
        Call Spam_Bot_Error(error_message) 'Double authentication required
    END IF

  41. NNM

    Nov 25th, 2014

    Guess what percent of the people have JavaScript disabled as of 2014? or have CSS disabled.

    1% or 2%

  42. boichu

    Jan 19th, 2015

    Try an invisible captcha on 😉

  43. Will K

    Mar 5th, 2015

    I’m wondering what happens if the end user is physically disabled, cannot use a mouse, and has to rely on keyboard commands to facilitate use on a web page: unless you can select the element and use the arrow keys to nudge the button across, this is an enormous usability fail.

  44. QuyUY

    Jan 26th, 2016

    I’m wondering what happens if the end user is physically disabled, cannot use a mouse, and has to rely on keyboard commands to facilitate use on a web page: unless you can select the element and use the arrow keys to nudge the button across, this is an enormous usability fail.
