This documentation explains how to install, configure, and test the Honeypot module in a Drupal site to protect forms from spam bots using hidden fields and time-based submission validation.
π¦ Installation and Enabling with Composer and Drush
Step 1: Require the Module with Composer
composer require drupal/honeypotStep 2: Enable the Module Using Drush
drush en honeypot -ydrush pm:list | grep honeypotβοΈ Basic Configuration
- Navigate to
/admin/config/people/honeypot. - Enable Protect all forms.
- Set Minimum time to e.g., 5 seconds.
- Optionally enable Log blocked form submissions.
- Save configuration.
π§Ύ Enabling Honeypot for Webforms
- Go to
/admin/structure/webform/config. - Scroll to Form settings.
- Enable Honeypot checkbox.
- Optionally configure Time limit and Element name.
- Save configuration.
π Permissions
Admins with bypass honeypot protection permission are not affected.
For testing: Use a logged-out or non-admin account.
β Confirming Honeypot is Applied
- View the form as an anonymous user.
- Use browser dev tools (F12) to inspect the form.
- Look for:
- A hidden
honeypot_timefield - A hidden honeypot text input (e.g.,
url)
- A hidden
π§ͺ Testing Honeypot Blocking
π Test 1: Hidden Field Trigger
- Open a form as an anonymous user.
- Use developer tools to locate the honeypot field.
Modify it:
<input type="text" name="url" value="spamtest" />- Wait the minimum time (e.g., 5 sec).
- Submit the form.
- Expect: Form is blocked; check logs if enabled.
β±οΈ Test 2: Minimum Time Trigger
- Load the form and immediately submit within 1-2 seconds.
- Do not fill in the honeypot field.
- Expect: Submission blocked due to time restriction.
Using cURL:
curl -X POST https://example.com/form-path \
-d "honeypot_time=1" \
-d "field_name=value"π§― Troubleshooting Steps
- β
Ensure Honeypot is enabled:
drush pm:list | grep honeypot - π§ Check config at
/admin/config/people/honeypot - π€ Test with an anonymous user
- π Enable logging for blocked submissions
- β οΈ Look for conflicts with CAPTCHA/Webform Protect
- π§Ή Run
drush crto clear cache
π οΈ Configuration Reference Table
| Setting | Description |
|---|---|
| Enable Honeypot globally | Applies to all forms |
| Minimum time | Minimum seconds before valid submission |
| Honeypot element name | Name of the hidden field (default: url) |
| Log blocked submissions | Enable logging in watchdog |
β Example Recommended Configuration
| Setting | Value |
|---|---|
| Enable Honeypot globally | β Enabled |
| Minimum time | 5 seconds |
| Honeypot element name | url |
| Log blocked submissions | β Enabled (for debugging) |
βοΈ Advanced Usage Notes
- π Change the honeypot field name to something non-standard (e.g.,
contact_token) to evade bots targeting defaults. - π§ͺ Temporarily enable logging to troubleshoot spam problems in
/admin/reports/dblog. - β οΈ Disable βProtect all formsβ if you want to configure Honeypot only on specific content types or forms.
π Summary
- π¦ Install Honeypot via Composer and Drush
- βοΈ Configure globally or per-form
- π§ͺ Test protection: hidden field and timing
- π οΈ Log and monitor blocked attempts
- β Use recommended defaults and test with anonymous users
