Spam Protection for Your Drupal Forms: A Guide to CAPTCHA and reCAPTCHA
Spam bots are one of the banes of today’s web. They crawl across sites looking for open forms to exploit, leaving behind junk content, malicious links, and unwanted traffic. Without protection, even a simple contact form can quickly become a gateway for spam, security risks, and wasted resources. That’s why Drupal provides multiple tools that detect and block spam bots.
In an earlier article, we reviewed how you can protect your Drupal forms from spam using the Honeypot module. Honeypot is one of the Drupal modules with food-inspired names, and its creative name reflects its approach to spam protection in Drupal forms — creating a sweet trap for bots. Today, we’ll take a look at two other technologies that serve the same mission: CAPTCHA and reCAPTCHA. Let’s look at how they work, the key difference between them, the Drupal modules that can seamlessly add them to your site, and the main steps to configure them.
What are CAPTCHA and reCAPTCHA?
CAPTCHA and reCAPTCHA are security systems that distinguish between humans and bots by presenting a test during form submission. Their mission is perfectly captured in the full definition of CAPTCHA: “Completely Automated Public Turing test to tell Computers and Humans Apart.”
The test is difficult for bots but easy for humans to pass. Depending on the specific technology, it may even require no action at all from humans, working automatically behind the scenes. We’ll discuss this in more detail further in the article.
Both technologies were created at Carnegie Mellon University in 2000 and 2007, respectively. reCAPTCHA was later acquired by Google in 2009 and started its own journey.
What’s the difference between CAPTCHA and reCAPTCHA?
CAPTCHA is the general concept of challenge-response tests that distinguish humans from bots, while reCAPTCHA is Google’s specific implementation that has significantly evolved over time. In practice, they are often treated as two distinct technologies because of their different approaches:
- CAPTCHA is a traditional, task-based system. It presents a visible challenge, such as typing distorted text from an image, solving a math problem, or answering a question, and checks the response against the correct answer. Every user must complete the task to proceed.
- reCAPTCHA is a more advanced, behavior-based system. It analyzes user interactions in the background to decide whether someone is human. Most users see only a simple checkbox (‘I’m not a robot’) or nothing at all, while only suspicious cases trigger an additional test, like selecting images. This approach has become popular for being more user-friendly.

CAPTCHA subtypes
- text-based: distorted letters/numbers that users must type
- math-based: simple calculations (like 7 + 3)
- image-based: users select images matching a pattern or object
- question-based / riddler-style: admin-defined questions with answers (like “What color is the sky?”)
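The subtypes above all share one server-side mechanism: the site generates a challenge, keeps the correct answer to itself, and compares the submitted response against it. The following PHP (an added example, not code from the article or from the Drupal CAPTCHA module; the class, method and key names are this example's own, and it assumes PHP 8.0 or later) shows that mechanism for the math and question-based variants, including the details a practitioner cares about: the solution never leaves the server, each challenge can be used only once, it expires, validation can be case-insensitive (the same option the CAPTCHA module exposes), and the comparison is constant-time.

```php
<?php
// Added example (not from the article or the Drupal CAPTCHA module): a minimal
// server-side challenge/response check of the kind a task-based CAPTCHA performs.
// Only an opaque challenge id travels with the form; the solution stays here.
// Names (ChallengeStore, createMathChallenge, ...) are this example's own.
declare(strict_types=1);

final class ChallengeStore
{
    /** @var array<string, array{solution: string, expires: int}> challenge id => entry */
    private array $store = [];

    public function __construct(private int $ttlSeconds = 300) {}

    /** Math-based subtype: returns [challenge id, question to show the user]. */
    public function createMathChallenge(): array
    {
        $a = random_int(1, 9);
        $b = random_int(1, 9);
        return $this->register((string) ($a + $b), "What is {$a} + {$b}?");
    }

    /** Question-based (riddler-style) subtype: admin-defined question and answer. */
    public function createQuestionChallenge(string $question, string $answer): array
    {
        return $this->register($answer, $question);
    }

    private function register(string $solution, string $question): array
    {
        // random_bytes gives an unguessable id, so a bot cannot enumerate challenges.
        $id = bin2hex(random_bytes(16));
        $this->store[$id] = ['solution' => $solution, 'expires' => time() + $this->ttlSeconds];
        return [$id, $question];
    }

    /**
     * Validate a submitted response. The challenge is consumed on first use,
     * whether it passes or not, so a correct answer cannot be replayed.
     */
    public function validate(string $id, string $response, bool $caseSensitive = true): bool
    {
        if (!isset($this->store[$id])) {
            return false;                 // unknown, expired-and-purged, or already used
        }
        $entry = $this->store[$id];
        unset($this->store[$id]);         // single use
        if ($entry['expires'] < time()) {
            return false;                 // too old: the user must request a fresh challenge
        }
        $expected = trim($entry['solution']);
        $given = trim($response);
        if (!$caseSensitive) {
            $expected = mb_strtolower($expected);
            $given = mb_strtolower($given);
        }
        // hash_equals compares in constant time, so timing reveals nothing about the answer.
        return hash_equals($expected, $given);
    }
}

// Usage: a riddler-style question answered case-insensitively, then the same
// challenge id submitted a second time (rejected, because it was consumed).
$store = new ChallengeStore();
[$id, $question] = $store->createQuestionChallenge('What color is the sky?', 'blue');
echo $question, PHP_EOL;
var_dump($store->validate($id, 'Blue', caseSensitive: false));
var_dump($store->validate($id, 'Blue', caseSensitive: false));

// A math challenge, answered correctly with surrounding whitespace.
[$id, $question] = $store->createMathChallenge();
echo $question, PHP_EOL;
preg_match('/(\d+) \+ (\d+)/', $question, $m);
var_dump($store->validate($id, ' ' . ((int) $m[1] + (int) $m[2]) . ' '));
```

In a real deployment the store would live in the session or a cache backend rather than in memory, which is what the CAPTCHA module does for you; the single-use and expiry rules are what matter, because a challenge whose answer can be reused lets a bot solve it once (or buy one solution from a solving service) and submit many times.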
reCAPTCHA versions
- v1 was the classic distorted text, but it retired in 2018.
- v2 is the famous “I’m not a robot” box. Usually one click, but may trigger image-selection challenges if behavior seems suspicious.
- v2 (“Invisible badge”) runs in the background without a visible checkbox. If user behavior looks suspicious, it triggers a challenge automatically.
- v2 (Android) provides native Android APIs that you can add to a mobile application.
- v3 is completely invisible and score-based. It assigns each interaction a risk score (0.0–1.0), allowing the site to decide when or if extra verification is needed. Unlike earlier versions, it never shows a challenge.
Note: The image-selection test has received a lot of negative coverage because it is widely regarded as not user-friendly, and the trend now is toward requiring less user interaction.
Have bots learned to bypass CAPTCHA?
Today’s bots can mimic human behavior, and with AI, they’re getting smarter than ever. So it’s natural to ask: can bots solve CAPTCHAs? You’ve probably even seen memes of a robot easily checking the “I’m not a robot” box, and there’s some truth to that. Over time, bots have found ways to bypass the anti-spam checks, for example:
- OCR (Optical Character Recognition) can sometimes read distorted text.
- Machine learning can help recognize objects in images (like traffic lights, buses, or crosswalks).
- Bots can simulate human behavior to fool systems that analyze mouse movement, timing, or browsing patterns. Advanced bots, such as AkiraBot, use AI to bypass CAPTCHA challenges.
- Popular QA tools like Playwright and Selenium can automate browser interactions, including anti-spam tests.
- Some services (“CAPTCHA farms”) even exist to outsource the solving of challenges to humans.
Don’t worry: CAPTCHA can still give you a lot of protection by:
- Stopping the majority of bots. Most low-effort spam scripts and mass sign-up attempts will fail.
- Raising the cost of attacks. If an attacker has to pay for a solving service, their campaign becomes more expensive and less appealing.
- Adding an important layer to your overall security strategy. Combined with Honeypot, rate limiting, firewall rules, API-based protection, and other techniques, CAPTCHA can be much more effective.
Top Drupal modules for CAPTCHA and reCAPTCHA
CAPTCHA
Let’s begin with the central module in the entire ecosystem. It provides a framework for adding visible challenge-response tests to online forms. Math and image challenges are available out of the box.
There are also a variety of additional modules to expand its capabilities with specific challenge types for spam protection in Drupal forms. A few of them are up next.

CAPTCHA Pack
This module provides extra types of tests, such as highly configurable math challenges and text challenges that ask the user to enter a missing character or pick the right word from a phrase.
Captcha Riddler
With this module, you can create custom question-and-answer challenges.
CAPTCHA after
This tool shows challenges only after repeated failed submissions, reducing friction for genuine users.
Hidden CAPTCHA
Using this module, you can add a hidden field trap that bots typically fill in, while humans don’t.
reCAPTCHA
This module connects Drupal forms to Google’s reCAPTCHA service. It supports v2, while support for v3 is a work in progress. The module handles the communication with Google.
reCAPTCHA v3
Here is a module designed specifically for integrating v3. It lets you configure actions based on the returned scores and set up fallback challenges if the initial check doesn’t give a confident result.
Simple Google reCAPTCHA
Meet another module that integrates Google’s spam protection service with Drupal websites. It supports both v2 and v3.
Cloudflare Turnstile
This tool uses the Turnstile web service for spam protection in Drupal forms.
CAPTCHA: Friendly Captcha
Next up is the Drupal tool that offers a user-friendly anti-spam solution integrated via a third-party JavaScript library. It offers GDPR compliance and accessibility.
hCaptcha
This module integrates a privacy-focused platform that protects your Drupal website from spam bots and automated abuse. It features AI bot detection, risk scores, and more.
How to configure CAPTCHA in Drupal
Setting up the classic CAPTCHA on your Drupal site comes down to three main steps, plus an optional fourth step for customization.
1. Install the module
Install the CAPTCHA module on your Drupal site. The preferred way to install Drupal modules is via Composer:
composer require drupal/captcha
Use the Extend tab of your Drupal admin dashboard to enable the main module and, optionally, the additional Image CAPTCHA submodule (if you are interested in image challenges).

2. Select the default challenge type
Tell Drupal which challenge to use by default if no form-specific override is set. You’ll find this setting at Configuration > People > CAPTCHA settings.
If the Image CAPTCHA submodule is not enabled, you’ll only have math challenges; if it is enabled, you can choose between math and image challenges. With additional modules, you’ll have even more options. Select the needed challenge type from the dropdown menu and save the configuration at the bottom of the page.

3. Enable CAPTCHA for forms
Use the “CAPTCHA points” tab to enable your spam protection test for specific forms. By default, it’s disabled for all forms. You can also use this tab to set up the challenge type individually for each form by clicking “Edit” in the “Operations” dropdown.

4. Customization for CAPTCHA
The settings page also enables you to fine-tune various aspects of the security check behavior:
- the messages users will see
- the challenge details like font, colors, distortion level, and so on
- case sensitivity in validation
- the “whitelisted” IP addresses for which you’d like the anti-spam check to be skipped
- and more

How to configure reCAPTCHA in Drupal
Let’s now see how to set up the latest version of Google’s free service using the Drupal module that is designed specifically for it.
1. Install the reCAPTCHA v3 module
Install the reCAPTCHA v3 module on your Drupal site. It depends on the CAPTCHA module and will share certain parts of the settings interface with it. The best way to install the module is by using the Composer command:
composer require drupal/recaptcha_v3
Then go to the Extend tab of your Drupal admin dashboard and enable the module.
2. Get your credentials from Google
Visit the Google reCAPTCHA Admin Console and register your site.
- Select v3 as the type.
- Add a label for your website (like “My Website”) and its domain (like “my-website.com”).
- Accept the terms and click “Submit.”
Google will generate a Site Key and a Secret Key for you. Keep them handy.

3. Add Google’s credentials to Drupal
Go to Configuration > People > CAPTCHA settings > reCAPTCHA v3.
- Enter the Site Key and Secret Key you got from Google.
- Select the default fallback challenge type.
- Customize the error message that the users will see.
Click “Save configuration.”

4. Configure a reCAPTCHA action
On the “reCAPTCHA v3 actions” tab, you can configure “actions.” Actions define how your spam test should behave in a specific form.
This means that when you create a v3 action and then assign it to a form, you’re telling Drupal: “Please run this invisible reCAPTCHA scoring check on this form, and if the score is too low, show the fallback challenge.”
Each action has the following settings:
- Label. It’s just a name to identify this action (like “Login check”).
- Threshold. It’s the minimum score required to be treated as human (0.0 = bot, 1.0 = human). The default of 0.5 is fine.
- Fallback challenge. That’s what happens if the score is too low. Usually, users will see the classic CAPTCHA.
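The action settings above (and the score-based design of v3 described earlier) map directly onto a server-side decision: after the browser submits the token, the server sends it to Google’s siteverify endpoint and then decides, from the answer, whether to pass the user, show the fallback challenge, or reject the submission. The following PHP is an added example, not code from the article or from the reCAPTCHA v3 Drupal module (which performs this step for you): the function names are this example's own, the JSON responses are constructed samples in the shape siteverify returns, and the script runs offline against those samples. Besides the score threshold, it checks the two fields a verifier must not skip: that the token was minted for the expected action and for your hostname, so a high score obtained on some other form or site cannot be replayed here.

```php
<?php
// Added example (not from the article or the reCAPTCHA v3 Drupal module).
// evaluateRecaptchaV3() is this example's own name; the response keys
// (success, score, action, hostname, error-codes) are siteverify's.
declare(strict_types=1);

/**
 * Decide what to do with a decoded siteverify response for a v3 token.
 * Returns 'pass', 'fallback' (show the configured fallback challenge) or 'reject'.
 */
function evaluateRecaptchaV3(
    array $verify,
    string $expectedAction,
    string $expectedHostname,
    float $threshold = 0.5
): string {
    // Invalid, expired, reused, or wrong-secret token: hard failure, no fallback.
    if (($verify['success'] ?? false) !== true) {
        return 'reject';
    }
    // A token for another form's action or another host must not be accepted,
    // otherwise a good score earned on a low-risk page could be replayed here.
    if (($verify['action'] ?? '') !== $expectedAction) {
        return 'reject';
    }
    if (($verify['hostname'] ?? '') !== $expectedHostname) {
        return 'reject';
    }
    // Score runs from 0.0 (likely bot) to 1.0 (likely human). Below the
    // threshold the user gets the visible fallback challenge, not a block.
    $score = (float) ($verify['score'] ?? 0.0);
    return $score >= $threshold ? 'pass' : 'fallback';
}

/**
 * Real verification call (network; not invoked in the offline run below).
 * POSTs secret, response and optional remoteip to Google's siteverify endpoint.
 */
function siteverify(string $secret, string $token, ?string $remoteIp = null): array
{
    $post = ['secret' => $secret, 'response' => $token];
    if ($remoteIp !== null) {
        $post['remoteip'] = $remoteIp;
    }
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query($post),
        'timeout' => 5,
    ]]);
    $body = @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $ctx);
    if ($body === false) {
        return ['success' => false, 'error-codes' => ['network-failure']];
    }
    return json_decode($body, true) ?? ['success' => false, 'error-codes' => ['bad-json']];
}

// Constructed sample responses (not real Google output), one per outcome.
$samples = [
    'good'   => '{"success": true, "score": 0.9, "action": "login", "hostname": "my-website.com"}',
    'low'    => '{"success": true, "score": 0.2, "action": "login", "hostname": "my-website.com"}',
    'action' => '{"success": true, "score": 0.9, "action": "comment", "hostname": "my-website.com"}',
    'host'   => '{"success": true, "score": 0.9, "action": "login", "hostname": "other.example"}',
    'bad'    => '{"success": false, "error-codes": ["timeout-or-duplicate"]}',
];
foreach ($samples as $name => $json) {
    $decision = evaluateRecaptchaV3(json_decode($json, true), 'login', 'my-website.com', 0.5);
    printf("%-6s -> %s\n", $name, $decision);
}
```

The threshold parameter is the same number you set in the action’s “Threshold” field, and the 'fallback' result corresponds to the “Fallback challenge” setting; raising the threshold catches more bots at the cost of sending more genuine users to the visible challenge.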

5. Assign v3 to specific forms
Similarly to how we did it with the previous module, you can use the “CAPTCHA points” tab to enable v3 spam protection for specific forms. Click “Edit” to specify that the needed form should use the action you just created (in this example, “Login check”). Save the result.

Final thoughts
Adding CAPTCHA or reCAPTCHA to your site is a straightforward way to enhance spam protection in your Drupal forms. While no system is completely foolproof, these technologies will make a big difference in keeping your forms safe and reliable. In combination with other techniques, they will be an important part of your comprehensive Drupal website security strategy.