Filtering Contact Form Spam in Drupal

Published Sep 16, 2022
Updated Sep 17, 2022
By Simon
Table of contents

I've been getting a bit of spam through my contact form on my Drupal site for quite a while now and even though it is easy enough to delete I thought I'd research what spam filters were available from the community and install something. I didn't really want to add anything too intrusive so after researching various modules I felt the Honeypot module seemed like a good option as it didn't need any API key from a third party to use and also it doesn't require the user to do anything when using the form. Instead, it adds a hidden field to the form that if someone fills in it deems them a bot. It also has a few other features to determine if the person who is filling in the form is in fact a person or a bot. Let's look at the simplicity of this honeypot technique by setting up the module.

Honeypot Drupal Spam Filter Set up


Actively maintained Yes, about 150,000 sites report using it at the time of writing.
Requires No extra requirements.
Libraries No library.

Install either using the UI or composer.


Once you have installed the Drupal Honeypot module you need to visit the configuration page where settings are fairly self-explanatory. I pretty much left it as is, below is the path you can find the module at.

Manage > Administration > Configuration > Content authoring > Honeypot configuration

On this page, there are only a few settings as illustrated.

drupal honeypot module configuration page

I have left the time set to 5 seconds and the default setting of URL set for the hidden field.

I checked log blocked from submissions and extended the time the records are kept in the logs so I could evaluate its effectiveness. I added a few 0's to the default setting that is set in seconds.
I also set it up only to filter my contact form which is recommended due to having it set on every form would be overkill. This is done in the Honeypot Enabled Forms section.

I also set up logging to a much higher number so my records weren't deleted because Drupal logs a lot by default. This can be done on the /admin/config/development/logging page and I set it to 10,000 for now while I observe it's effectiveness.


Perms are not necessary as the admin can only access the backend. If you have other user roles then you may want to configure who can administer Honeypot or who can bypass the protection. This will obviously differ on sites with more roles and users and how the forms are used on the site. You can see the permission setting page below. You can either visit the admin/people/permissions page where all the site permissions are set or follow the link from the extend page.

honeypot permission settings in Drupal

The effectiveness of Honeypot technique and module

Since the field added is a hidden field, no real person should use it, and since the module also times the time from page load to submitting the form I thought this would be a great solution and it is. In the first week, I was surprised that it blocked over 150 submissions. In the same week, I only got 8 spam. I think these may have gotten through with a captcha style as it seems they were more a marketing style email so possible a manually submitted, oh what a job!

40 Blocked in 48 hours 
150 Blocked in 7 days

Note that the messages that got through as well as them being forwarded to my email address are stored in the Drupal backend because I also have Contact Storage module installed. Contact Storage is a great module that stores the default contact form submissions. For more on this, you can check out my article on Contact Storage.

For now, this seems like great results so I won't be trying the Captcha solution anytime soon. I would also recommend this to anyone looking for a solution over the Captcha

Thanks for reading and hope this was helpful for you in deciding if using a Honeypot technique works for blocking spam either in Drupal or on another platform. If you enjoyed this article and are interested in front-end development and design be sure to sign up for my newsletter below. Until next time, kia ora.