captcha recaptcha security

Spam Protection for Your Drupal Forms: A Guide to CAPTCHA and reCAPTCHA

Nadiia Nykolaichuk

Spam bots are one of the banes of today’s web. They crawl across sites looking for open forms to exploit, leaving behind junk content, malicious links, and unwanted traffic. Without protection, even a simple contact form can quickly become a gateway for spam, security risks, and wasted resources. That’s why Drupal provides multiple tools that detect and block spam bots.

 

In an earlier article, we reviewed how you can protect your Drupal forms from spam using the Honeypot module. Honeypot is one of the Drupal modules with food-inspired names, and its creative name reflects its approach to spam protection in Drupal forms — creating a sweet trap for bots. Today, we’ll take a look at other technologies that serve the same mission, CAPTCHA and reCAPTCHA. Let’s dive into the principle of their work, the key difference between them, the Drupal modules that can seamlessly add them to your site, and the main steps to configure them.

What are CAPTCHA and reCAPTCHA?

 

CAPTCHA and reCAPTCHA are security systems that distinguish between humans and bots by presenting a test during form submission. Their mission is perfectly captured in the full definition of CAPTCHA: “Completely Automated Public Turing test to tell Computers and Humans Apart.”  

 

The test is difficult for bots but easy for humans to pass. Depending on the specific technology, it may even require no action at all from humans, working automatically behind the scenes. We’ll discuss this in more detail further in the article.

 

Both technologies were created at Carnegie Mellon University in 2000 and 2007, respectively. reCAPTCHA was later acquired by Google in 2009 and started its own journey. 

What’s the difference between CAPTCHA and reCAPTCHA?

 

CAPTCHA is the general concept of challenge-response tests that distinguish humans from bots, while reCAPTCHA is Google’s specific implementation that has significantly evolved over time. In practice, they are often treated as two distinct technologies because of their different approaches:

 

  • CAPTCHA is a traditional, task-based system. It presents a visible challenge, such as typing distorted text from an image, solving a math problem, or answering a question, and checks the response against the correct answer. Every user must complete the task to proceed.
  • reCAPTCHA is a more advanced, behavior-based system. It analyzes user interactions in the background to decide whether someone is human. Most users see only a simple checkbox (‘I’m not a robot’) or nothing at all, while only suspicious cases trigger an additional test, like selecting images. This approach has become popular for being more user-friendly.

 

The “I’m not a robot” checkbox
The “I’m not a robot” checkbox

CAPTCHA subtypes

  • text-based: distorted letters/numbers that users must type
  • math-based: simple calculations (like 7 + 3)
  • image-based: users select images matching a pattern or object
  • question-based / riddler-style: admin-defined questions with answers (like “What color is the sky?”)

reCAPTCHA versions

  • v1 was the classic distorted text, but it retired in 2018.
  • v2 is the famous “I’m not a robot” box. Usually one click, but may trigger image-selection challenges if behavior seems suspicious.
  • v2 (“Invisible badge”) runs in the background without a visible checkbox. If user behavior looks suspicious, it triggers a challenge automatically.
  • v2 (Android) provides native Android APIs that you can add to a mobile application.
  • v3 is completely invisible and score-based. It assigns each interaction a risk score (0.0–1.0), allowing the site to decide when or if extra verification is needed. Unlike earlier versions, it never shows a challenge.

 

Note: There has been a lot of negative coverage of the image selection test because it has been shown to not be user-friendly, and the trend now is towards less user interaction required.

Have bots learned to bypass CAPTCHA?

 

Today’s bots can mimic human behavior, and with AI, they’re getting smarter than ever. So it’s natural to ask: can bots solve CAPTCHAs? You’ve probably even seen memes of a robot easily checking the “I’m not a robot” box, and there’s some truth to that. Over time, bots have found ways to bypass the anti-spam checks, for example:

 

  • OCR (Optical Character Recognition) can sometimes read distorted text.
  • Machine learning can help recognize objects in images (like traffic lights, buses, or crosswalks).
  • Bots that simulate human behavior for systems that analyze mouse movement, timing, or browsing patterns. Advanced bots, such as AkiraBot, use AI to bypass CAPTCHA challenges.
  • Popular QA tools like Playwright and Selenium can automate browser interactions, including anti-spam tests.
  • Some services (“CAPTCHA farms”) even exist to outsource the solving of challenges to humans.

 

Don’t worry, CAPTCHA can still give you a lot of protection:

 

  • Stopping the majority of bots. Most low-effort spam scripts and mass sign-up attempts will fail.
  • Raising the cost of attacks. If an attacker has to pay for a solving service, their campaign becomes more expensive and less appealing.
  • Adding an important layer to your overall security strategy. Combined with Honeypot, rate limiting, firewall rules, API-based protection, and other techniques, CAPTCHA can be much more effective.

Top Drupal modules for CAPTCHA and reCAPTCHA

CAPTCHA

 

Let’s begin with the central module in the entire ecosystem. It provides a framework for adding visible challenge-response tests to online forms. Math and image challenges are available out of the box.

There are also a variety of additional modules to expand its capabilities with specific challenge types for spam protection in Drupal forms. A few of them are up next.

 

An image challenge in the login form
An image challenge in the login form

 

CAPTCHA Pack

 

This module provides extra types of tests like highly configurable math challenges, text challenges for entering the lost character or picking the right word from a phrase, and so on.

Captcha Riddler

 

With this module, you can create custom question-and-answer challenges. 

 

CAPTCHA after

 

This tool shows challenges only after repeated failed submissions, reducing friction for genuine users.

Hidden CAPTCHA

Using this module, you can add a hidden field trap that bots typically fill in, while humans don’t. 

reCAPTCHA

 

This module connects Drupal forms to Google’s reCAPTCHA service. It supports v2, while support for v3 is a work in progress. The module handles the communication with Google. 

 

reCAPTCHA v3

 

Here is a module designed specifically for integrating v3. It lets you configure actions based on the returned scores and set up fallback challenges if the initial check doesn’t give a confident result. 

Simple Google reCAPTCHA

 

Meet another module that integrates Google’s spam protection service with Drupal websites. It supports both v2 and v3.

Cloudflare Turnstile

 

This tool uses the Turnstile web service for spam protection in Drupal forms.

CAPTCHA: Friendly Captcha

 

Next up is the Drupal tool that offers a user-friendly anti-spam solution integrated via a third-party JavaScript library. It offers GDPR compliance and accessibility.

hCaptcha

 

This module integrates a privacy-focused platform that protects your Drupal website from spam bots and automated abuse. It features AI bot detection, risk scores, and more.

How to configure CAPTCHA in Drupal

 

Setting up the classic CAPTCHA on your Drupal site basically comes down to 3 main steps, and the 4th one is optional customization.

1. Install the module

 

Install the CAPTCHA module on your Drupal site. The preferred way to install Drupal modules is via Composer:

 

composer require drupal/captcha

 

Use the Extend tab of your Drupal admin dashboard to enable the main module and, optionally, the additional Image CAPTCHA submodule (if you are interested in image challenges).

 

The CAPTCHA module and its submodule on the Extend tab
The CAPTCHA module and its submodule on the Extend tab

2. Select the default challenge type

 

Tell Drupal which challenge to use by default if no form-specific override is set. You’ll find this setting at Configuration > People > CAPTCHA settings.

 

If the Image CAPTCHA submodule is not enabled, you’ll only have math challenges, and if it is enabled, you’ll have a choice between math and image challenges. With additional modules, you’ll have even more options. Select the needed challenge type from the dropdown menu and save the configuration at the bottom of the page. 

 

Selecting the default challenge type for the spam protection test
Selecting the default challenge type for the spam protection test

3. Enable CAPTCHA for forms

 

Use the “CAPTCHA points” tab to enable your spam protection test for specific forms. By default, it’s disabled for all forms. You can also use this tab to set up the challenge type individually for each form by clicking “Edit” in the “Operations” dropdown.

Enabling the spam protection test for specific forms
Enabling the spam protection test for specific forms

4. Customization for CAPTCHA

 

The settings page also enables you to fine-tune various aspects of the security check behavior:

 

  • the messages users will see
  • the challenge details like font, colors, distortion level, and so on
  • case sensitivity in validation
  • the “whitelisted” IP addresses for which you’d like the anti-spam check to be skipped
  • and more
     
Customizations for the image challenge: fonts, colors, distortion, and more
Customizations for the image challenge: fonts, colors, distortion, and more

How to configure reCAPTCHA in Drupal

 

Let’s now see how to set up the latest version of Google’s free service using the Drupal module that is designed specifically for it. 

1. Install the reCAPTCHA v3 module

 

Install the reCAPTCHA v3 module on your Drupal site. It depends on the CAPTCHA module and will share certain parts of the settings interface with it. The best way to install the module is by using the Composer command:

 

composer require drupal/recaptcha_v3

 

Then go to the Extend tab of your Drupal admin dashboard and enable the module.

2. Get your credentials from Google

 

Visit the Google reCAPTCHA Admin Console and register your site.

 

  • Select v3 as the type.
  • Add a label for your website (like “My Website”) and its domain (like “my-website.com”).
  • Accept the terms and click “Submit.”
     

Google will generate a Site Key and a Secret Key for you. Keep them handy.

 

Registering a website in Google reCAPTCHA Admin Console
Registering a website in Google reCAPTCHA Admin Console

3. Add Google’s credentials to Drupal

 

Go to Configuration > People > CAPTCHA settings > reCAPTCHA v3.

 

  • Enter the Site Key and Secret Key you got from Google.
  • Select the default fallback challenge type.
  • Customize the error message that the users will see.

 

Click “Save configuration.”

 

Entering the site key and secret key from v3 on your Drupal website
Entering the site key and secret key from v3 on your Drupal website

4. Configure a reCAPTCHA action

 

On the “reCAPTCHA v3 actions” tab, you can configure “actions.” Actions define how your spam test should behave in a specific form.

 

This means that when you create a v3 action and then assign it to a form, you’re telling Drupal: “Please run this invisible reCAPTCHA scoring check on this form, and if the score is too low, show the fallback challenge.”

 

Each action has the following settings: 

 

  • Label. It’s just a name to identify this action (like “Login check”).
  • Threshold. It’s the minimum score required to be treated as human (0.0 = bot, 1.0 = human). Default 0.5 is fine.
  • Fallback challenge. That’s what happens if the score is too low. Usually, users will see the classic CAPTCHA.
Configuring a v3 action in a Drupal form
Configuring a v3 action in a Drupal form

5. Assign v3 to specific forms

 

Similarly to how we did it with the previous module, you can use the “CAPTCHA points” tab to enable v3 spam protection for specific forms. Click “Edit” to specify that the needed form should use the action you just created (in this example, “Login check”). Save the result.

 

Enabling Google’s v3 spam protection in Drupal forms
Enabling Google’s v3 spam protection in Drupal forms

Final thoughts

 

Adding CAPTCHA or reCAPTCHA to your site is a straightforward way to enhance spam protection in your Drupal forms. While no system is completely foolproof, these technologies will make a big difference in keeping your forms safe and reliable. In combination with other techniques, they will be an important part of your comprehensive Drupal website security strategy.

Last Updated

6 October, 2025

Reading time

9 mins

Related content
drupal taxonomy categorization
Drupal Content Categorization, #2: Scale Your Vocabularies with Ease Using Taxonomy Manager
get ahead of the competition
Is Staff Augmentation Your Lifeline?
choose-drupal-for-your-website
Why Companies Should Choose Drupal for Their Website
add-rating-widgets-to-drupal-content
Give It a Five: Why and How to Add Rating Widgets to Your Drupal Content

You might also like