Magic Login 2.8 introduces native honeypot protection for passwordless WordPress login forms, helping site owners reduce automated login requests without adding CAPTCHA friction for real users.
Passwordless login should stay simple: enter an email address, receive a secure magic link, and sign in. But public login forms can still attract automated submissions, fake requests, and bot traffic.
With Magic Login 2.8, both Magic Login and Magic Login Pro now include a built-in honeypot layer designed to quietly catch common automated form submissions before they trigger unnecessary login emails.
Native Honeypot Protection
The highlight of Magic Login 2.8 is native honeypot protection.
When enabled, Magic Login adds hidden-field and timing checks to supported forms. Real users do not see anything new and do not need to solve a challenge. Bots, however, often submit forms too quickly, miss required hidden payloads, or fill fields that should remain empty.
This gives site owners a lightweight first layer of protection without requiring an external CAPTCHA service.
Less Friction for Real Users
CAPTCHA services can be useful, but they are not always the best first step for a login form. They may add extra clicks, third-party scripts, or visible challenges that slow down legitimate users.
Honeypot protection works quietly in the background. For normal users, the login experience remains unchanged. They request a magic link exactly as before.
For suspicious requests, Magic Login can block the request before sending a login email.
Reduced Account Enumeration Signals
Magic Login 2.8 also improves how suspicious login link requests are handled.
When a suspicious login request is detected, Magic Login can return a generic success-style response instead of exposing whether a matching user account exists. This helps reduce account enumeration signals while also limiting unnecessary login emails.
In short: real users get a smooth login flow, while automated submissions receive less useful feedback.
Magic Login Pro: Registration Coverage
Magic Login Pro 2.8 extends honeypot protection beyond login requests.
In Pro, the native honeypot layer also covers registration flows, making it useful for sites that allow front-end signups, membership access, WooCommerce customer workflows, or other public authentication entry points.
Magic Login Pro already supports stronger spam protection options such as reCAPTCHA, Cloudflare Turnstile, and Friendly Captcha. Honeypot protection adds a native, no-CAPTCHA option that can be used as a lightweight protection layer.
Developer Configuration
Developers can adjust the honeypot timing rules with the magic_login_honeypot_config filter.
By default, Magic Login checks for submissions that happen too quickly or after the form payload has become too old.
Default values:
- Minimum form age: 2 seconds
- Maximum form age: 1 hour
Example:
add_filter( 'magic_login_honeypot_config', function ( $config ) {
$config['min_render_age'] = 3;
$config['max_render_age'] = 30 * MINUTE_IN_SECONDS;
return $config;
} );These defaults should work well for most sites, but the filter is available for advanced setups.
Better Test Coverage
Alongside the new protection layer, Magic Login 2.8 adds focused test coverage for honeypot validation.
The tests cover valid submissions, filled honeypot fields, too-fast submissions, expired payloads, invalid code login requests, and Pro registration validation.
This helps keep the new security layer predictable as Magic Login continues to evolve.
How to Enable Honeypot Protection
After updating to Magic Login 2.8:
- Go to your WordPress admin dashboard.
- Open Magic Login > Settings.
- Go to the Spam Protection section.
- Enable Honeypot Protection.
- Save your settings.
No API key or external account is required.
Easier Spam Protection for Magic Login
Magic Login 2.8 makes spam protection easier for passwordless WordPress login forms. With the new native honeypot option, site owners can add a quiet protection layer without setting up an external service or changing the experience for real users.
After updating to Magic Login 2.8, you can enable Honeypot Protection from the Spam Protection settings. It is lightweight, requires no external setup, and helps reduce unwanted automated requests while keeping the passwordless login flow smooth for real users.