Drupal 8 Module of the Week: Honeypot

Each day, more Drupal 7 modules are being migrated over to Drupal 8 and new ones are being created for the Drupal community’s latest major release. In this series, the Acquia Developer Center is profiling some of the most prominent, useful modules available for Drupal 8. This week: Honeypot.

I spoke with the module’s maintainer, Jeff Geerling, aka geerlingguy on Drupal.org about his work. Jeff is a technical architect at Acquia, and also a leading expert and book author on Ansible.

What does the Honeypot Module do?

Honeypot is a valuable module to help prevent spammers from submitting forms on Drupal sites. It is currently in use on more than 68,000 websites. It's a little different than most other anti-spam modules because it doesn’t harm the user experience on the forms; it doesn’t make you decrypt distorted text or do math to submit the form, for example. Instead, Honeypot uses a couple of hidden form fields to determine whether the submission comes from a spambot or a real human and blocks the bots.

Honeypot spambot filter fields

Why is this important?

Honeypot is one of the simplest and most effective anti-spam modules for Drupal, and it doesn't require any external service integrations. It also has an extremely simple API that allows developers to customize its rules in case spammers are more persistent.

Almost every website that allows user interaction or content submission has to deal with form spam. If you have a form on your website or you allow user registration, chances are you've been overwhelmed by spam accounts and postings at one point or another. The grateful testimonials on Drupal.org’s Honeypot success stories tell how Honeypot effectively ends bot registrations and submissions with a very high success rate in the wild.

“This module completely eliminated spam bots attempting to register on my site. Logs show more than 20 attempts per hour being effectively blocked. Now only real people are showing up for new accounts. Thanks for a creative solution.” - David
“Works wonders on a site that is constantly plagued by spam bots coming from more than 2000 different IP addresses. Thanks to the maintainers of this great module.” - HD
“I opened my site for registration and within minutes I was getting bogus account applications. But as soon as I installed Honeypot and enabled it, they all stopped. Chuffed to bits.” - ChrisValentine

Honeypot configuration interface

When was Honeypot created?

“Honeypot was created in 2011 when I was building Flocknote, a community site with over a million user accounts,” Jeff was facing a large-scale problem, “User registration was one of the most important parts of the site, and we were getting hundreds or thousands of spambot registrations every day. I built Honeypot for Flocknote and cut down spam user registrations by more than 98%. After that, the company's founder and I decided we should share the module with the Drupal community, and the rest is history!”

Has Drupal 8 changed this module?

“So far it has only changed Honeypot in small ways; some of the code is more organized, since it's not all in the .module file or simple includes, and some of the administrative aspects of the module are more streamlined. I'm planning on a 2.0 rewrite later, which should be able to abstract some of the important spam prevention parts into a general PHP library, and all aspects of the module will integrate with that more generic library.”

Jeff put in an enormous amount of effort to upgrade the module early in the Drupal 8 development cycle and keep it up to date with the myriad changes that happened between then and Drupal 8’s general release in late 2016. “I started porting the module way back in early 2013, and have had a working version of the module for every alpha, beta, and RC release of Drupal 8 since (with all tests passing!). At the time, I thought Drupal 8 might've been released in late 2013 or early 2014. Little did I know I'd be continuously porting aspects of the module to new APIs all the way to Drupal 8's first full release in late 2015!”

Read Jeff’s blog post about the process for more: Honeypot for Drupal 8, 3 years in the making.

Also check out the AMA Jeff did on Reddit in February, 2016: IamA contrib module maintainer, book author, and Acquian, and I just released Drupal VM 2.3.0; I am Jeff Geerling, AMA!