Control Spam in Drupal with Honeypot and/or Antibot

From its conception, the fundamental idea of the internet was the exchange of information through code snippets of a markup language. This is still the principle that drives the internet today. There are, of course, a lot of other things you can do over the internet, but it all comes down to an exchange of information.

With this kind of freedom, it is not surprising that people abuse it for their own benefit. Spam comments are one form of this abuse.

The combination of the Drupal modules Honeypot and Antibot will ensure that your site is “almost” 100% protected from spam (at least the ones produced by robots).

Keep reading to learn how to Control Spam in Drupal with Honeypot and/or Antibot!

Step #1. – Install the Required Modules

  • Open the terminal application of your computer.
  • Change to the root directory of your Drupal installation.
  • Type:

composer require drupal/honeypot

composer require drupal/antibot

These two commands will install the codebase of both modules on your site.

Now it is time to enable them.

  • Click Extend and look for the Honeypot and Antibot modules.
  • Click Install.

Step #2. – Configure Honeypot

  • Click Configuration > (Content authoring) > Honeypot configuration.

Honeypot uses two methods to detect whether a form is being filled out by a human being or by a pre-written script (also known as a robot, or just a bot):

  1. A hidden field (added by Honeypot). You can label this field whatever you want, but it makes sense to give it a unique “sticky” name, like “homepage” or “url” – this field is mandatory. Since people are not able to see this field, they will not fill it out. Bots will fall into the trap and fill it out, so the submission is detected as spam.
  2. The timestamp. If the form is filled out in less than 5 seconds, Honeypot will assume that it is being filled out by a robot, since people usually need more time to fill out a form on the internet. You can configure the time in seconds, or disable this check entirely by setting it to 0.
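The two checks above can be modelled in a few lines. This is an added example, not code from the Honeypot module: the function and setting names are hypothetical, the field name “url” is one of the names suggested above, and the sample submissions are constructed.

```javascript
// Added illustration: simplified model of the two Honeypot checks.
// SETTINGS, checkSubmission and runSamples are hypothetical names.
const SETTINGS = { elementName: 'url', timeLimit: 5 }; // 5 s as in this tutorial

// body: raw urlencoded POST body sent by the client (untrusted).
// renderedAt / now: server-side timestamps in seconds. In this model they are
// never read from the client, so a script cannot simply claim a longer delay.
function checkSubmission(body, renderedAt, now, settings = SETTINGS) {
  const fields = new URLSearchParams(body);
  // Check 1: the hidden field must come back empty.
  const trap = (fields.get(settings.elementName) || '').trim();
  if (trap !== '') {
    return { allowed: false, reason: 'honeypot field filled' };
  }
  // Check 2: minimum time between rendering and submitting; 0 disables it.
  const elapsed = now - renderedAt;
  if (settings.timeLimit > 0 && elapsed < settings.timeLimit) {
    return { allowed: false, reason: `submitted after ${elapsed}s` };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample submissions (not real traffic).
const SAMPLES = [
  { who: 'human', body: 'name=Ana&comment=Nice+post&url=', renderedAt: 1000, now: 1042 },
  { who: 'form-filling bot', body: 'name=x&comment=buy&url=http%3A%2F%2Fspam.example', renderedAt: 1000, now: 1030 },
  { who: 'instant bot', body: 'name=x&comment=buy&url=', renderedAt: 1000, now: 1001 },
];

function runSamples(settings = SETTINGS) {
  return SAMPLES.map((s) => ({
    who: s.who,
    ...checkSubmission(s.body, s.renderedAt, s.now, settings),
  }));
}

// Equivalent of "Log blocked form submissions": report only rejected posts.
for (const r of runSamples()) {
  if (!r.allowed) console.log(`blocked (${r.who}): ${r.reason}`);
}
```

With the time limit set to 0, the third sample is accepted, because only the hidden-field check remains active.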

Notice: Pages containing honeypot-protected forms will NOT be cached.

  • Check Log blocked form submissions.

Consider it some kind of “best practice” to get as much information as possible about what is happening within your Drupal system. Always use and check the logs.

  • Leave the default “Honeypot default element” value.
  • Leave the honeypot time limit of 5.
  • Select the forms you wish to be protected by Honeypot.
  • Click Save configuration.

Step #3. – Honeypot Permissions

Certain roles can be allowed to bypass the Honeypot checks by assigning them the right permissions.

  • Click People > Permissions
  • Locate the Honeypot permissions.
  • Make the required changes.
  • Scroll down and click Save permissions.

Step #4. – Configure Antibot

Antibot checks if the browser has JavaScript enabled. If not, it will ask the user to enable it. Since bots do not use graphical browsers, it is very unlikely for the bot to fill out the form in the first place.

If it has JavaScript enabled, Antibot will check for a keypress, a mouse movement, or a swipe gesture. This serves as a further indication that the user is human.

Antibot uses JavaScript in the same way to prevent bots from submitting data remotely to the forms on your site, for example via cURL. cURL is a command-line program used to transfer files over networks, e.g. over the internet. Antibot adds a unique key to the form values. This key is also generated via JavaScript.

The code of Antibot runs statically, so page caching will not be disabled on pages containing antibot-protected forms.
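The Antibot behaviour described above, as a small model that runs in Node without a browser. This is an added example, not the module's code: the placeholder action “/antibot”, the field name “antibot_key”, the form path and all function names are assumptions of this sketch, and the key is a constructed sample value.

```javascript
// Added illustration: simplified model of the Antibot idea.
// '/antibot', 'antibot_key' and all function names are assumptions.

// Server side: serve the form with a placeholder action and an empty key.
function renderForm(realAction, key) {
  return {
    form: { action: '/antibot', fields: { antibot_key: '' } },
    unlock: { realAction, key }, // values only the page's script makes use of
  };
}

// Browser side: restore the action and fill in the key only after the
// first keypress, mouse movement or swipe.
function armForm(page, form, unlock) {
  const events = ['keydown', 'mousemove', 'touchmove'];
  const onHuman = () => {
    form.action = unlock.realAction;
    form.fields.antibot_key = unlock.key;
    events.forEach((e) => page.removeEventListener(e, onHuman));
  };
  events.forEach((e) => page.addEventListener(e, onHuman));
}

// Server side: accept only posts that carry the expected key.
function acceptSubmission(fields, expectedKey) {
  return fields.antibot_key === expectedKey;
}

function demo() {
  const key = 'constructed-sample-key';
  const { form, unlock } = renderForm('/comment/reply', key);
  // A client that posts the served form as-is never runs armForm().
  const scripted = acceptSubmission({ ...form.fields }, key);
  // A browser runs the script; then the visitor moves the mouse.
  const page = new EventTarget();
  armForm(page, form, unlock);
  const beforeInput = form.action;
  page.dispatchEvent(new Event('mousemove'));
  const browser = acceptSubmission(form.fields, key);
  return { scripted, beforeInput, afterInput: form.action, browser };
}

console.log(demo());
```

Because the served markup is the same for every visitor and the unlocking happens in the browser, this design does not require disabling the page cache.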

  • Click Configuration > User Interface > Antibot.

You can configure the forms protected by Antibot on this interface. To protect multiple forms with the same base URL, add a ‘*’ character.


It is possible to control computer-generated spam with either the Drupal Honeypot module or the Drupal Antibot module. You can also use a combination of both modules on all forms, or apply just one of them to particular forms on your site. It all depends on your needs and those of your website.

Thanks for reading!


  • Jorge Montoya

    Jorge lived in Ecuador and Germany. Now he is back to his homeland Colombia. He spends his time translating from English and German to Spanish. He enjoys playing with Drupal and other Open Source Content Management Systems and technologies.

Hugh worm
3 years ago

Thanks for this. We’re using recaptcha 2 but still getting spam form submissions. Worried you recommend replacing it with these or adding them too?

Christoph Weber
3 years ago

With ReCaptcha you are giving data to Google. If the service doesn’t work all that great for you, replacing it with these two modules might make sense. Maybe you will get better results and improve privacy.