Skip to main content

Preventing Spam In Drupal 8


Nobody likes Spam, and I’m not talking about the luncheon meat brand. Fortunately, preventing spam in your Drupal 8 website form submissions is easy, as Drupal has been around for a long time, and has an excellent and loving community, there are already some modules out there you can use right away to get instant results. there are some really easy ways to fix this. We’ll show you a few ways of preventing spam in Drupal 8.



Honeypot, alongside Captcha, is really the king when it comes to preventing spam in Drupal, it should be the first thing you try before resorting to other measures.

What does Honeypot do? A few things.

First of all, it attaches a hidden form element to your forms, usually, bots will fill out all of the fields, when the field is filled out it is instantly marked as spam. Honeypot also provides a timer on submissions, because only bots can fill out a full webform in one or two seconds (apart from autofill of course), so by allowing a custom timer on forms, we can tune it to mark any forms that submit before the time elapses as spam. To install it on Drupal 8 using Composer, use the following command:

composer require drupal/honeypot

Enable the honeypot module and then go to Configuration -> Honeypot configuration. Here you’ll be able to edit the name of the element that will appear hidden on the webform to trick bots and spammers. You can also select the time limit and whether or not to log and protect all webforms.


The best approach is to have a time limit of around 3 seconds and selectively choose which forms to include Honeypot on.

If you want to test it, set it for a webform you have in mind and clear the caches. There are also permissions you can adjust which will include Honeypot for certain users. By default, the admin will bypass honeypot, which is something that can trip up some people the first time around.

To test it, view the webform you set honeypot on in an anonymous tab and inspect the form, you should see the hidden honeypot element. If you have any custom forms that have been created via code, then you can use the honeypot_add_form_protection function to apply for protection.

honeypot_add_form_protection($form, $form_state, array('honeypot', 'time_restriction'));



Antibot fulfils a function that Honeypot does for Drupal 7 only, but not currently Drupal 8, and that is to determine if someone is a bot by whether or not they have Javascript enabled, which makes things pretty simple.

The theory is that if there is no Javascript, someone is likely trying to submit the form from a script or somewhere else other than a browser. It’s an excellent bit of extra protection and adds that one extra vector you can use to batten down the hatches.

To install it on Drupal 8 using Composer, use the following command:

composer require drupal/antibot

Once you have that installed and enabled, to configure it you can go to Configuration -> Antibot

Unlike Honeypot, Antibot is a little more simple in that you have a text area where you can add form ID to apply Antibot to. You can use wildcards to define patterns. There is also a setting to display form IDs, you should leave this off and only turn it on during development if you want an easy way of figuring out the form ID for a given form or set of forms.

Due to the ease of being able to add form IDs to the configuration, you shouldn’t need to programmatically protect any of your forms, but in case you do, you can use the following function to apply for protection.




Before venturing into Captcha, which can at times be unnecessary when there are hidden methods to detect spam, we’ll take a look at http:BL.

The http:BL module is connected to a free subscription service called Project Honey Pot, not to be confused with the honeypot module, but actually connects to a central server that logs malicious or possible scammer IP addresses, this list is kept up to date and as Drupal is connected to it, can easily deflect any potential bots coming off of known IPs, which not only prevents spam, but can actually prevent people who might be aiming to do other things to your site from visiting.

In some rare instances, a genuine user may be locked out, for this, there is a greylist, you can provide a URL for the user to access and prove they aren’t a bot, thus unlocking that user. Project Honey Pot boasts over 300 million plus addresses monitored, along with plenty more impressive statistics you can see on the homepage of their website, where you can also sign up for the free service The module is currently in a development state but we can still take a look.

To install it on Drupal 8 using Composer, use the following command:

composer require drupal/httpbl

The config can be accessed at Configuration -> Http:BL Config

The Configuration page also has links to Http:BL Evaluated Hosts and IP address bans, which can be used to check visitors to the site via IP and also ban particular IPs if necessary.

On the config page, we can add our access key generated at Project Honey Pot, we can also add a Honeypot link, which will help detect spammers who might choose to access this hidden link. We can also tweak things like logging, statistics, blacklist and greylist messages and expiry times. As you can tell Project Honey Pot is pretty serious and a good addition to your site if you’re combating malicious traffic.


Captcha and ReCaptcha

Although there are a plethora of other modules out there, we will end this article with Google’s reCaptcha.

Captcha isn’t really something you should need, if you’re still getting spam it’s advisable to look into other methods and to tweak existing ones to see if maybe you just have something wrong in your set up.

Yet, for some, there is comfort in Captcha, because it’s been around for a long time and a lot of site owners tend to ask for it as it’s the one spam deterrent that most non-technical people know of in some shape or form.

So if you’re still having issues with spam and want a Captcha, the goods news is that Drupal 8 is working to implement “invisible captcha” which should work in a similar way to Honeypot in that you won’t see it. But for now, we still have to encounter it if enabled.

To install it on Drupal 8 using Composer, use the following command:

composer require drupal/captcha

You can configure the module by going to Configuration -> CAPTCHA module settings

Clicking on the reCAPTCHA tab at the top will allow you to enter a Google site key and secret key. You will need to go here and generate them for your domain You can also adjust the theme and type of Captcha you will see here also.


You can head to the CAPTCHA Points tab to configure where exactly to enable it, the CAPTCHA Settings tab will allow you to configure the module logging, persistence and protection, including clearing the CAPTCHA cache; which you should do when you make changes to the settings.

One thing to be aware of with CAPTCHA, just like the Honeypot module, is there is a permission setting that bypasses Captcha and is set by default for admins, so if you’re wondering why you can’t see your Captcha enabled, then you need to try as an anonymous user or any other user that it isn’t set to bypass.

If you’re still not seeing it, check the CAPTCHA Points tab and ensure that the Form ID you are using has been set up correctly.