The Honeypot Module: A Sweet Way To Trap Spam Bots On Your Drupal Website
The future came closer when humans learned to create computer programs able to mimic the behavior of real users. A friendly bot that efficiently and tirelessly helps website visitors with their tasks and questions could be one of the best examples. However, unfortunately, there is also a totally different type of bot — malicious, intrusive, and unwelcome. Let’s dig deeper into the problem with spam bots and explore one of the ways to fight them on a Drupal website — using the Honeypot module.
Spam bots: the “visitors” you never invited
Spam bots are computer programs designed to distribute messages or comments on website comment forms, emails, or social media. Some of their common goals are to share false information, manipulate public opinion, advertise products, or add backlinks to third-party websites for increasing their authority in Google’s “eyes.” At a deeper level of maliciousness, spam bots can also share malware or infections. For example, they can be components of phishing attacks meant at stealing user data, including login credentials or credit card details.
For posting comments and messages, spam bots often create fake accounts or even gain access to existing ones that have been compromised. Creating a standard user account on most websites is a matter of filling out a few fields, which is a piece of cake for a bot. As they are automated, spam bots never tire of doing repetitive actions and delivering vast amounts of spam.
That said, spam bots certainly do not behave like good guests on your Drupal website. Still, you can be a friendly host even with them — just treat them with some “honey.” If you do it properly using the Honeypot module, chances are high that they will never come to your website again.
A glimpse at fighting spam bots in Drupal
There are multiple techniques and best practices to fight spam bots on your Drupal website. You might want to protect user accounts with the help of Drupal modules for password security, forbid anonymous comments on your website’s blog, monitor comment activity, etc.
And, of course, there are a number of Drupal modules designed specifically for fighting spam bots. They all use different techniques or connect Drupal websites to various free, freemium, or premium anti-spam services. The modules include CAPTCHA, reCAPTCHA, Honeypot, Antibot, Spamicide, AntiSpam, Anti-Spam by CleanTalk, Protected Submissions, Spambot, http:BL, and more. Some of them are actively maintained and ready for Drupal 9 and even for the newly released Drupal 10, while others are no longer supported or their development stopped after a version for Drupal 7.
The top 3 most popular spam-fighting Drupal modules include CAPTCHA, reCAPTCHA, and the hero of our story — the Honeypot module. Let’s move on to it right now.
The Honeypot module as an anti-spam solution for Drupal sites
The Honeypot module helps you fight spam bots thanks to the following features:
-
it combines 2 anti-spam methods — the Honeypot method and the timestamp method
-
it is unintrusive and user-friendly (while, of course, being bot-unfriendly)
-
it enables you to configure protection for individual forms
- it integrates with Drupal’s Webform module — a very popular and powerful form builder
- it enables you to set permissions to administer Honeypot or to bypass its protection
- it can be used with custom forms and has an API for more customization
Two methods of protection in the same tool
Just like two locks on a door provide more protection than one, a combination of two anti-spam methods adds efficiency to the Honeypot module’s work:
- The Honeypot method. Spam bots can be tricked into filling out a form field that is invisible to humans but is usually visible to bots. A bot cannot resist filling out a form field just like a bear would not resist getting its paws into a pot of sweet honey. The module then detects the trespasser and forbids the form from being submitted. This invisible field can be added to a registration form, a password reset form, a comment form, or any other form on your Drupal website.
- The Timestamp method. A human user would need some time to fill out a form. This is true for all kinds of forms, be it providing registration information or leaving a comment below an article a user has read. A spam bot fills out forms instantly on an automated basis. That’s why, to tell a human from a bot, the module enables you to set the time in seconds that needs to elapse before the form submission, otherwise, it will be considered the work of a bot.
Usability as a priority
The measures on website security enhancement, including spam protection, are bound to have a certain impact on usability. This starts with something simple like the need to create a password.
Jeff Geerling, the maintainer of the Honeypot module, mentioned “A Constant User-Experience Battle” in his “Preventing Form Spam” article. Jeff wrote about a constant struggle between providing your real users with a good website experience and fighting spam bots. As an example, he mentioned the CAPTCHA system which could be difficult to read for people with visible disabilities.
And while CAPTCHA has improved in the years since Jeff published that article (2011), it still introduces some friction. In this regard, we must admit that the Honeypot module is a very good usability-first solution that does not impact human users because they just cannot see the honeypot field in forms.
Does Honeypot offer enough protection
The module is pretty effective thanks to its combination of two anti-spam methods. However, it is considered a simple solution. According to Jeff Geerling’s explanation in the above-mentioned article, there are situations where simple spam prevention techniques might fail. This is especially true for popular websites whose protection spammers are eager to outsmart. In these cases, Jeff advised using some intelligent spam prevention systems such as Mollom or Akismet, as well as external comment services such as Disqus.
Unfortunately, with years, Mollom and Akismet have ceased to be the options. The Antispam module that connects Drupal websites to the Akismet service is only available for Drupal 7 websites. The Mollom service was totally discontinued, so Jeff Geerling dedicated another article to “Post-Mollom” spam prevention. He suggested using Honeypot, CAPTCHA, reCAPTCHA, and Antibot, which could be good protection for simpler websites that mostly fight bot spam. To substitute Mollom in fighting large amounts of heavy spam — not just bot spam but also human spam — Jeff suggested the Anti-Spam by CleanTalk module.
A step-by-step guide to using Honeypot
With the Honeypot module downloaded and enabled on your Drupal website, you can go to its settings by clicking “Configure” on the Extend tab next to the module. Alternatively, you can reach the settings page by going to the Configuration > Content authoring > Honeypot configuration page on your Drupal admin dashboard.
The options on the Honeypot configuration page
- “Protect all forms with Honeypot”
There is a checkbox to protect all forms with Honeypot. You need to be careful with it, however, because page caching is disabled for every page that has a Honeypot-protected form if the time limit is set to something higher than 0. Disabled caching could affect website performance. So it makes sense to leave this box unchecked and enable protection for individual forms further down the settings page.
- “Log blocked form submissions”
When enabled, this option helps website admins keep track of all blocked form submissions. They will be saved in the database as log entries of the “honeypot” type.
- “Honeypot element name”
This element is the actual “pot of honey” that is meant to lure spam bots. It needs to have some generic name that would resemble a real field name (email, homepage, link, etc.). The default is “URL” (it used to be “homepage” in earlier versions of the module). The more creative you are with this field name, however, the more chances are that spam bots don’t bypass it.
- “Honeypot time limit”
This setting defines how many seconds need to pass for the submission to be assumed as one made by a human. The default value is 5 seconds, which looks very sensible. Setting this value to 0 would mean you are disabling the timestamp protection.
- “Honeypot expire”
This is the setting that defines how long the Honeypot-related entries should live in the database table. All entries that are older than this value will be deleted on the next run of cron.
- “Honeypot Enabled Forms”
Check the boxes for all forms on your website that you want to be protected by the module.
Using Honeypot with the Webform module
If you are using Drupal’s Webform module for creating forms, you might also need to configure the Honeypot settings for your forms. The form-wide settings are available on the Webform’s configuration page (Structure > Webforms> Forms > Configuration).
In addition, every individual web form has Honeypot settings on its Settings tab, under “Third-party settings.”
The Honeypot permissions
On the People > Permissions page, you can select trusted user roles on your Drupal websites for which you would like to do the following:
- allow them to administer Honeypot
- turn off Honeypot protection for them
More customizations for Honeypot
To use the module’s capabilities with custom forms, developers can add the following function call inside the form builder function or inside a hook_form_alter:
honeypot_add_form_protection($form, $form_state, array('honeypot', 'time_restriction'));
Including or not including the 'honeypot' and 'time_restriction' options in the above array will lead to enabling or disabling the honeypot field or the time restriction for the form.
Developers can also check out the Honeypot's API to add or remove protection for specific forms, customize the time restriction, and more.
Final thoughts
We have reviewed the capabilities of the Honeypot module with the mission to help you fight spam bots. The specific combination of spam-fighting modules and techniques that would fit your website like a glove depends on many factors. You can talk to our Drupal experts for a consultation and, of course, the seamless implementation of optimal anti-spam configuration.