If your established Drupal website has a public-facing account registration form, contact forms, or any other type of data collection facility, you will have experienced unwanted form submissions or user registrations that have evidently come from spam bots.
In order to reduce the number of unwanted spam submissions, registration attempts and the like, this post looks at some of the free and paid-for solutions at your disposal on Drupal that can help overcome the perennial problem of spam. These modules and techniques are applicable to all supported versions of Drupal (7, 8 and 9).
The versatile CAPTCHA spam prevention technique uses a challenge-response test to attempt to determine whether a user is human or not. The Drupal CAPTCHA module is the mainstay of the Drupal spam prevention contrib module arena, and acts as a framework module that enables a variety of sub-modules to apply their specific CAPTCHA technique. CAPTCHA sub-modules exist for a wide range of techniques, such as Image CAPTCHA Refresh, Draggable Captcha and Captcha Riddler, to name a few.
Drupal has a very popular spam protection module called Honeypot which uses the honeypot and timestamp methods of deterring spam bots from completing forms on your Drupal site. These methods are effective against many spam bots, and are not as intrusive as the typical CAPTCHA or other methods (such as hCaptcha or Image Captcha) which can add friction to user journeys. The Honeypot module can be useful in thwarting the efforts of the less sophisticated spam bots, but will struggle against those that are slightly smarter in their automatic form filling capabilities.
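The two checks named above, written as a stand-alone PHP illustration. This is an added example and not code from the Honeypot module; the field name, secret, time limit and sample submissions are assumptions made for the sketch.

```php
<?php
// Added illustration; not code from the Drupal Honeypot module.
const TRAP_FIELD = 'homepage_url'; // assumed name; rendered, then hidden from humans with CSS
const MIN_SECONDS = 5;             // assumed fastest plausible human submission
const SECRET = 'replace-with-a-site-specific-random-secret';

// Issue a signed render timestamp to embed in the form as a hidden input.
function issue_form_token(int $now): string {
    return $now . ':' . hash_hmac('sha256', (string) $now, SECRET);
}

// Return the render time if the token is authentic, otherwise null.
function verify_form_token(string $token): ?int {
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;
    }
    $expected = hash_hmac('sha256', $parts[0], SECRET);
    return hash_equals($expected, $parts[1]) ? (int) $parts[0] : null;
}

// Classify a submission: 'accept', or the reason it was rejected.
function check_submission(array $post, int $now): string {
    if (trim((string) ($post[TRAP_FIELD] ?? '')) !== '') {
        return 'reject: trap field filled';
    }
    $rendered = verify_form_token((string) ($post['form_token'] ?? ''));
    if ($rendered === null) {
        return 'reject: missing or forged timestamp';
    }
    if ($now - $rendered < MIN_SECONDS) {
        return 'reject: submitted too quickly';
    }
    return 'accept';
}

// Constructed sample submissions: a human, a fast bot, and a bot that fills every field.
$t0 = 1700000000;
$token = issue_form_token($t0);
$samples = [
    'human'      => [['form_token' => $token, 'name' => 'Ann'], $t0 + 40],
    'fast bot'   => [['form_token' => $token, 'name' => 'x'], $t0 + 1],
    'greedy bot' => [['form_token' => $token, TRAP_FIELD => 'http://spam.example'], $t0 + 40],
];
foreach ($samples as $label => [$post, $now]) {
    echo $label, ': ', check_submission($post, $now), PHP_EOL;
}
```

Signing the timestamp stops a bot from simply back-dating it, but a token harvested once stays valid in this sketch, so a production check would also enforce a maximum token age.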
The http:BL module queries a centrally managed blacklist (hence the BL in the module name) that aims to prevent malicious bots from interacting with your site. It does this by determining a user's IP address and comparing it to known blacklisted IPs; given a match, site owners can then choose how to handle the interaction. Usage of the http:BL module requires a (free) membership of Project Honey Pot.
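How such a lookup and the handling decision fit together, as an added PHP example that is not code from the http:BL module. It follows Project Honey Pot's published http:BL DNS format; the access key is a placeholder, and the thresholds, function names and sample answers are assumptions.

```php
<?php
// Added illustration; not code from the Drupal http:BL module.
const ACCESS_KEY = 'youraccesskey'; // placeholder for your Project Honey Pot key
const MAX_AGE_DAYS = 30;            // assumed policy: ignore older listings
const BLOCK_THREAT = 25;            // assumed policy: block at or above this score

// DNS name to query: access key, reversed IPv4 octets, then the http:BL zone.
function httpbl_query_name(string $ip): ?string {
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return null; // this sketch handles IPv4 addresses only
    }
    $reversed = implode('.', array_reverse(explode('.', $ip)));
    return ACCESS_KEY . '.' . $reversed . '.dnsbl.httpbl.org';
}

// Decode an answer of the form 127.<days since last seen>.<threat>.<type bits>.
function httpbl_decode(string $answer): ?array {
    $o = explode('.', $answer);
    if (count($o) !== 4 || $o[0] !== '127') {
        return null; // not a valid http:BL answer
    }
    $type = (int) $o[3];
    return [
        'days' => (int) $o[1],
        'threat' => (int) $o[2], // for search engines this octet is an engine id
        'search_engine' => $type === 0,
        'suspicious' => (bool) ($type & 1),
        'harvester' => (bool) ($type & 2),
        'comment_spammer' => (bool) ($type & 4),
    ];
}

// Assumed handling policy: allow, challenge (e.g. with a CAPTCHA) or block.
function httpbl_decision(?array $r): string {
    if ($r === null || $r['search_engine'] || $r['days'] > MAX_AGE_DAYS) {
        return 'allow';
    }
    return $r['threat'] >= BLOCK_THREAT ? 'block' : 'challenge';
}

// Constructed answers; a live lookup would pass httpbl_query_name($ip) to
// gethostbyname(), which returns the name unchanged when the IP is not listed.
echo httpbl_query_name('203.0.113.7'), PHP_EOL;
foreach (['127.3.60.4', '127.200.60.4', '127.1.10.1', '127.0.0.0'] as $answer) {
    echo $answer, ' => ', httpbl_decision(httpbl_decode($answer)), PHP_EOL;
}
```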
Protected Submissions is a lightweight, non-intrusive spam prevention module that analyses any form submissions (spanning Drupal node, comment, webform, user profile, contact form and revision logs) for undesired words and language characters (based on a pre-existing dictionary) or a manually configurable list of preset patterns. In the event of a match, those submissions can either be discarded or flagged for manual moderation.
The Spambot module integrates with the Stop Forum Spam web service and performs a lookup check on any new user registration attempts on your site. If a registration attempt comes from a known spammer's or spambot's email address, that user can be prevented from creating an account on your site.
If you are looking for a very lightweight module to help reduce the amount of spam that your Drupal website has to handle, then the Spamicide module can prove useful. The module uses a fairly crude, unsophisticated approach (using CSS) to prevent spam submissions, and may prove effective for you until more sophisticated spam bots start taking an interest in your site.
The Drupal reCAPTCHA module is a sub-module of the CAPTCHA module mentioned above and integrates with the Google reCAPTCHA V2 service, while the more modern Drupal reCAPTCHA v3 module integrates with the latest Google reCAPTCHA V3 service. This style of spam prevention presents users with a 'test' which they must pass before the form becomes submittable.
This is a free service to a point, but when your usage of the facility becomes high enough and reaches a certain threshold, a subscription is required. Cloudflare notably moved away from Google reCAPTCHA services in early 2020 in favour of the hCaptcha service (largely due to the cost implications of using their service).
hCaptcha is a relatively new CAPTCHA service, famously adopted by Cloudflare over Google reCAPTCHA as mentioned above. There is a Drupal contrib module available called hCaptcha which provides the integration with the service. The service provides some interesting Captcha challenges for users which promise to be easy for humans and hard for bots, such as:
- Comparison: Selecting all images that match query
- Bounding Box: Defining a bounding area for objects
- Categorization: Identifying the corresponding labels for an image
CleanTalk is a very modestly priced service starting at $8/year. The Spam protection that it offers is imperceptible to end users (as the submission analysis all happens behind the scenes on the CleanTalk system) and so doesn't come with any of the Accessibility considerations that a number of the other challenge based solutions here are potentially encumbered with. There is a Drupal contrib module called CleanTalk which provides the integration and so site owners can be up and running on the service in no time.
With prices starting at $4.99 per month, Human Presence offers a service which uses “human-centered” learning algorithms to protect against suspicious activity from spammers and spambots. Much in the same way as the CleanTalk service operates, Human Presence performs its bot analysis away from your site and is imperceptible to end users, again bringing the advantage of not impeding the Accessibility of your site. In order to facilitate the integration with the Human Presence service, there is a Drupal module called Human Presence Form Protector which is actively maintained.
Akismet (using the AntiSpam module)
The final paid-for solution worth considering is the Akismet service, which is best known for its association with WordPress but is also compatible with Drupal. On Drupal, the AntiSpam module provides the integration with the Akismet service. There is, however, no Drupal 8 or 9 contrib module for this service, which limits its relevance here, but it is worth mentioning nonetheless.
A case could be made for each of the different solutions outlined in this post depending on the circumstances and configuration of your site, along with the amount of effort and resources you are prepared to invest in maintaining and honing your spam protection capability.
If you are just starting to experience an issue with spam, then you may find that the application of a basic module such as Honeypot sufficiently reduces the volume of spam submissions to make it no longer a problem for you.
If, however, your Honeypot defence is no longer up to the job, then the low-maintenance, fire-and-forget Freemium and Paid solutions are worth considering.