10 Ways to Block Spam Registrations in Drupal

Spam Blocking

If you’re going to use popular software like Drupal, one of the downsides is that you’ll need to deal with spam.

A lot of OSTraining members report that they receive many spam user registrations on their sites.

In this blog post, we’ll look at 10 of the best ways to avoid getting overwhelmed by spam users.

#1. Core approval features

Drupal has a default feature that allows you to either completely block or moderate all user registrations.

Go to Configuration > Account settings. You can set “Who can register accounts” to a couple of useful settings:

  • Administrators only: this will block all registrations.
  • Visitors, but administrator approval is required: This will require you to manually approve all users.

#2. E-mail verification

Another Drupal core feature allows you to require e-mail verification before a user account becomes active. This add a significant hurdle for spammers. Go to Configuration > Account settings to enable this feature.


https://drupal.org/project/user_verify add some more sophisticated options to the email verification process, including the requirement for the user to enter a special token.

#3. Block certain user details

If you have a lot of spam registrations, there’s a good chance there will be some patterns in the spam user details. For example, you might have a lot of users signing up as “John Smith” or using .ru email addresses.

https://drupal.org/project/user_restrictions allows you to block both emails and usernames based on certain patterns. Here’s an example which blocks .ru domains:


#4. Captchas

A Captcha presents a visual challenge that is supposed to be difficult for spammers to solve. https://drupal.org/project/captcha provides easy integration with your Drupal registration forms.


However, Captchas have several problems. They can often be hard for even normal users to see. They are also not good for users with visual disabilities.

https://drupal.org/project/riddler is an interesting variation on a captchas. It allows you to ask a question that will probably stump spambots:


#5. Honeypots / Secret form fields

One spam-defeating technique that we’ve found to be very effective is hidden fields. You add an extra input field to every form and then hide it with CSS. Humans never see the field but spambots do and when they fill in the field the form is discarded.

https://drupal.org/project/spamicide is a module that makes it easy to create hidden fields.

This technique is often called a Honeypot and there’s a module with the same name: https://drupal.org/project/honeypot. Click here to read the modules’s author explaining the meaning behind the name “Honeypot”.

There are some funny variations on this idea. For example, https://drupal.org/project/simpleantispam add a visible checkbox marked “I’m not a spammer” and a hidden checkbox marked “I’m a spammer”:


#6. Block by location

http://drupal.org/project/geoblocker allows you to black-list or to white-list access to a Drupal site by countries.

It’s not the most sophisticated technique because determined spammers will find a way around these restrictions, but it will block a lot of low-level spam attempts.

Certainly it’s worth considering if your site is specifically focused on one location and you have little to no interest in overseas users.

#7. Secret codes

If you have a site without a large audience, you could consider giving out a secret code to potential members.

https://drupal.org/project/mothermayi allows you set a secret code that people must enter in order to register successfully.

#8. 3rd party spam tools

There a wide variety of 3rd party systems that try to prevent spam registrations. These are often paid services. Here are some of the most popular:

Here’s an introduction to Mollom. This video is part of our class on using Mollom to beat spammers:

{snippet mollomintrovideo}

#9. Delayed roles

https://drupal.org/project/role_delay is an interesting approach. It allows you to slowly give users more permissions over time.

For example, a brand new user might not be able to post comments or forum posts. Over time they can automatically be moved into Drupal user roles with more permissions.

#10. Warning message

https://drupal.org/project/warning made me smile. Instead of providing a sophisticated technical solution, the Warning module simple tells your users that won’t tolerate spam. Here’s how the module create describes it:

“I wrote this module because my personal blog was listed in do-follow lists and generated up to 30 spam comments per day that were not filtered by Mollom. After adding a simple (default) warning for comment submission about the fact that I do not tolerate unrelated links and the comments are moderated, this number dropped to 3 spam comments on average.”

Find more spam blocking options

There is a huge list of spam-blocking modules at https://groups.drupal.org/node/77093.


  • Steve Burge

    Steve is the founder of OSTraining. Originally from the UK, he now lives in Sarasota in the USA. Steve's work straddles the line between teaching and web development.

0 0 votes
Blog Rating
Notify of
Newest Most Voted
Inline Feedbacks
View all comments
Juan Pablo Donoso

Thank you Steve, grate job, is good to see that this simple tips stop spam!


You’re welcome, Juan. Glad it’s useful.


I hope your are not going to use configuration from the third screenshot in real life.
// Kate from Moscow


No, I promise we won’t 🙂

James @ Symposium Digital

Honeypot should be #1 and the rest should follow only once Honeypot stops working. Honeypot is unobtrusive to the user and stops 99% of spam for most sites that are plagued with the usual bots.
If your site is getting specifically targeted by a spammer that avoids Honeypot then you’ll need to look at putting something else in. It also has the added benefit of protecting various other forms across the site.

Nancy W.



Thanks Nancy. I was going to put that under option 2, but was hesitant due to “Maintenance status: Unknown”

Nancy W.

That just means that the maintainer hasn’t filled that out since it was added to D.O. You have at least one in your list that hasn’t had a commit in 3 years, so I went ahead an mentioned this one.

Wendy Wentzel

that’s a good one – thanks for adding it.


We’ve used honeypot fields, required profile fields, and pattern-recognition of automated registration attempts, which have taken the number of bogus registrations per day down from a maximum of 300 attempts/day down to just a few. (We also block IPs that match spammer signatures, and our blocked_ips table now has over 8000 entries.) But we found that the Windows password manager “1Password” sometimes fills in honeypot fields by mistake, so honeypots are not a sure-fire way of distinguishing between spammers and legit users.

Mary Briggeman

There’s also a nice module for Drupal called SpamBot that checks the new visitor against the StopForumSpam site’s records of reported forum spammers and can automatically block them based on the criteria you set for matching. It also lets you report new spammers to StopForumSpam. I’ve found it very useful.

Wendy Wentzel

We use this one on all sites that allow registration (along with honeypot, and often some pattern-matching rules) – it blocks a lot of spammers.


very good article ..useful to

David Latapie

Excellent list. I went with riddler for [url=http://xmrmonero.com]xmrmonero.com[/url], we’ll see if it suffices (admin approval + email definitely did not suffice, although the first one at least prevented comment spam, if not spam registration).


Thanks a lot for a nice wrap-up … [url=https://www.drupal.org/project/httpbl]https://www.drupal.org/proj…[/url] does also a decent job

Muhammad Khadafi

thanks man, i really annoyed about spammer,.. there 10-20 and more user register on my marketplace


Modules like [url=https://www.drupal.org/project/spamfree_email]https://www.drupal.org/proj…[/url] can be used to prevent email harvesting.


great post it solve my spam problem thank Steve



I use User restrictions to block certain email from registering. Unfortunately I cannot select user roles here. I would like to block some domains for a specific user role. Any suggestions?


Would love your thoughts, please comment.x