The examples in this article are on a Drupal site and use Drupal modules to easily implement the functionality. However, the technology is agnostic: you can set up a honeypot or Turnstile on any platform.
I have no affiliation to Cloudflare.
Imagine setting up a spam protection but still getting spam. I am kind of being a little tongue in cheek here, as there will always be people that find ways to beat the system. Or will there, read on to find out.
Last year I set up a Honeypot to catch unwanted from submissions, but some were still getting through. So recently I set up Turnstile, and I am surprised by the results.
What is a Honeypot?
Honeypot is a hidden input element added to a form that is not meant to be filled in. Bots are likely to fill in the hidden input element and if it is filled in then the submission is flagged and stopped. This is a rudimentary implementation and as good of an idea as it is, it is not fail proof.
Related Filtering Contact Form Spam in Drupal.
What is Turnstile?
Turnstile, on the other hand, is an intelligent form interaction algorithm, it can accurately work out who is interacting with your site. Let's have a look at how they compare.
How good is a Honeypot?
I had written about Honey Pot, and it was rewarding in blocking most spam. However, some form submissions were still being made. Even though this may seem manageable, I don't want to go through the submissions manually. This was especially true for the comments, which were still receiving submissions on the handful of articles they were open. Imagine if I had site-wide comments open.
To get an idea, let's look at how many submissions were being made and how many were getting through. Below is a chart for how many submissions Honeypot had blocked and how many were still getting through.
| Blocked total | Got through total | |
| Contact form | 841 | 254 |
| Comments form | 410 | 4 |
As the data shows, in the sample period February 15th to March 27th, only 4 comments got though and 410 comment submissions were blocked, over 41 days that's 10 a day, excellent. This isn't really an issue as mentioned, however, there are only 3 articles with comments open. Imagine if I had every comment form open on the site. That's 120 plus articles. It would be unmanageable.
On the other hand, the contact form honeypot blocked 841 submissions (20 a day) and 254 got through. Now that is a lot, but still good that it can block 75% of the submissions.
Overall, a honeypot is fairly successful at blocking spam. However, since I want to implement comments site-wide I thought I would look at some other options for spam, and Turnstile came up. Let's have a look.
Enter Turnstile and How good is it?
I set this up on 27th of March, and then I sent myself a message and also added a comment to test it. And Turnstile has rendered the bots useless. To date, not one submission has been made, which to me is victorious in blocking most ALL spam.
This is so victorious that I need to send myself a message just to make sure the form is still working. Yes, I don't get any messages through this form currently (sad face).
Summary
So that's it for me, Turnstile is the go-to spam warrior from now on. It takes a little more to set up, and it requires an API key from Cloudflare. But for now, I think it is worth it, as the time difference is negligible. In Drupal, it is an easy quick win.
The next thing I will look at is the comment system itself. Should I use a social commenting system, so the comments are shared wider: A system like Disqus. Or could web-mentions be the way to go? This is a conversation for another day.
I hope this article has given you enough insight in to spam protection and which one to choose. Turnstile being the obvious winner here, however, if you have one contact form, and you don't want to sign up for an API key, the Honeypot solution could be the way to go; Honeypot has served me well.
Well, thanks for reading and be sure to sign up to my newsletter, I share my thoughts on front-end development and design and also frameworks like Drupal and Vue.js. Until next time, seize the day!