CAPTCHA for Drupal: Anti-spam Protection and Usability

in category.
Spam SignSo, you have done a great work and created own website on Drupal. Great! Seems like it's the best time to get on the back of your chair and live quiet and happy life like a proud owner of the very own Internet corner. Well, that's not the case — actually supporting, protecting and further development of website can take a lot of time and effort, while at the same time it's pretty important task that can't be undervalued.

One of the worst Drupal webmaster enemy is the spam bots — this little guys can turn any unprotected website into spammed trash heap, flooded with undesirable junk messages about viagra, pharmacy or something like that. Do I need to tell that human visitors and Search Engines will be not verry happy about that?.. Unfortunately, many of ready-to-use CMS ( Content Management Systems ) like Drupal doesn't have built-in anti-spam protection "from the box", so it will be necessary to add such kind of functionality by yourself. 

Most common way to prevent spam submissions is to implement a [tooltip title­Completely Automated Public Turing test to tell Computers and Humans Apart]CAPTCHA[/tooltip] system on your site — usually it's an image and a textfield, where user must enter digits and/or letters, displayed on this image. This way humans are distinguished from bots and automatic submission programs ( what are the same things ).

But, this way of spam protection has some problems:
  • Some image generation scripts is too primitive and bots can easily recognize symbols and complete the test
  • Reverse case — some scripts ( or their settings that was defined by site administrator ) produce too distorted and noisy images, so now a human barely can recognize symbols and often will fail test many times in a row, what is very frustrating for a human site visitor
  • Frequent need to enter some digits and letters to pass the test each time user wants to do something ( like submitting a comment ) also will be irritating and not very user-friendly
Now, since Drupal is our main hero, we will look more closely on how this post applies to it.

"Vanilla" Drupal 6 does not provide spam prevention tools, but there is enough third-party modules that capable with success to solve this problem. Let's look at some of them.

CAPTCHA module

Image CAPTCHA exampleCAPTCHA is base module for most of anti-spam solutions in Drupal, this module provides core functionality ( much like an API for adding test to a forms ), and other modules likely will be dependent on it. This module already has built-in anti-spam features, such as image and math tests. In some cases having this module enabled with math ( or image ) test will be enough to fight with random attacks of spam bots, but if your site falls under siege of spam botnet — most likely this module alone will be unable to stop them.

Below and to the right are examples of CAPTCHA tests by this module ( math test below, image test is to the right ):

Math CAPTCHA example 


reCAPTCHA examplereCAPTCHA is a very popular and common type of CAPTCHA, which can be seen on many sites. It's a very good addition to previous module and can be recommended for usage in many cases. reCaptcha uses it's own web service for creating challenge forms and requires obtaining an API access key.

So now we briefly reviewed some of classic, standard forms of spam protection using CAPTCHA systems. But, for purpose of usability and more convenient way of separating bots from humans, its may be really good idea to search for other ways.

Alternative to CAPTCHA and reCAPTCHA modules

CAPTCHA and reCAPTCHA modules are the very widely used anti-spam solution for Drupal websites. But what if you're wanting something other than this two? For completely alternative anti-spam protection without usage of any CAPTCHA modules read Alternative CAPTCHA for Drupal. And if you wanting something with a slightly different approach for CAPTCHA implementation — read further down.

With Drupal itself and two third-party modules you can offer simplified and more user-friendly challenge. Requirements are:

NotCaptcha module additionally requires:
  • JavaScript enabled in user browser
  • Enabled PHP mcrypt on hoster server ( most likely it's enabled by default )
  • Enabled PHP GD on hoster server ( similarly, it's likely that it will be available by default )
As you can see from this requirements — such kind of challenge may not be suitable for all web sites, because if user can't use JS — he will be unable to pass NotCaptcha for Drupal test, because for now there is no not-JS functionality in this module. But if your visitors is mostly desktop PC users — there is may be no problem, because every modern broweser supports JavaScript.  


We already overviewed CAPTCHA module, so now let's look at NotCaptcha. Key feature of this module is the way it implements "human-or-bot" test — in difference from any other solutions, with NotCaptcha user don't need to enter any letters of digits in test form. System is different — to pass the test user should vertically align a set of three pictures with sliders below them. That's it — move sliders and test is passed.

NotCaptcha test example

That's looking pretty good, but how to not forcing users to pass test each time they want to submit a comment, for example? Easy with Drupal. For such task CAPTCHA module settings has a very useful option:

CAPTCHA Persistence options

Point: in this settings block is possible to select how CAPTCHA module will behave for each separate user. Well, all of them pretty self-explanatory, so i will just say that in my opinion second option is the way to go — user will have to pass a test only once and if he or she pass it successfully — CAPTCHA will not appear again, and this user will be qualified as "human".

But still this function must be used with caution — if spam bot somehow managed to pass challenge once — he will be green-lighted to post in every page anything he wants without any problems.


In this post we discussed spam issues with Drupal websites and how to fix them with CAPTCHA modules in a good way. Always keep in mind that users don't like any challenges and difficulties — so try to find most easy and simple way to achieve your goals.

And there is one more very important thing about CAPTCHA in Drupal you should know. Unfortunately Drupal caching incompatible with CAPTCHA module! For not to overload this article I moved all details to another post, which can be found by link just slightly up from here. Also I've found even more elegant alternative to CAPTCHA in the light of such incompatibility — read about Spamicide module in mentioned above post.
No votes yet
About the Author: Sergey “Treidge” Danchenko

AvatarSergey "Treidge" Danchenko is a founder and the author of 3DG.Me blog, 3D Artist and game developer, Drupal web-developer and one-man-band with experience in some other areas. Personal credo — "If you want a thing done well, do it yourself". In times of great inspiration writes poetry and plays volleyball. Primary professional tools — Autodesk Maya & Mudbox, Adobe Photoshop. Wild about turkeys and parrots, loves music and videogames.  Thanks for reading and come again!

Copyright © 2010-2013 Sergey "Treidge" Danchenko. Feel free to Contact me with any questions. Theme based on a BlogBuzz design by