10 Ways to Block Spam Registrations in Drupal

| Drupal

Spam BlockingIf you're going to use popular software like Drupal, one of the downsides is that you'll need to deal with spam.

A lot of OSTraining members report that they receive many spam user registrations on their sites.

In this blog post, we'll look at 10 of the best ways to avoid getting overwhelmed by spam users.

#1. Core approval features

Drupal has a default feature that allows you to either completely block or moderate all user registrations.

Go to Configuration > Account settings. You can set "Who can register accounts" to a couple of useful settings:

  • Administrators only: this will block all registrations.
  • Visitors, but administrator approval is required: This will require you to manually approve all users.

#2. E-mail verification

Another Drupal core feature allows you to require e-mail verification before a user account becomes active. This add a significant hurdle for spammers. Go to Configuration > Account settings to enable this feature.


https://drupal.org/project/user_verify add some more sophisticated options to the email verification process, including the requirement for the user to enter a special token.

#3. Block certain user details

If you have a lot of spam registrations, there's a good chance there will be some patterns in the spam user details. For example, you might have a lot of users signing up as "John Smith" or using .ru email addresses.

https://drupal.org/project/user_restrictions allows you to block both emails and usernames based on certain patterns. Here's an example which blocks .ru domains:


#4. Captchas

A Captcha presents a visual challenge that is supposed to be difficult for spammers to solve. https://drupal.org/project/captcha provides easy integration with your Drupal registration forms.


However, Captchas have several problems. They can often be hard for even normal users to see. They are also not good for users with visual disabilities.

https://drupal.org/project/riddler is an interesting variation on a captchas. It allows you to ask a question that will probably stump spambots:


#5. Honeypots / Secret form fields

One spam-defeating technique that we've found to be very effective is hidden fields. You add an extra input field to every form and then hide it with CSS. Humans never see the field but spambots do and when they fill in the field the form is discarded.

https://drupal.org/project/spamicide is a module that makes it easy to create hidden fields.

This technique is often called a Honeypot and there's a module with the same name: https://drupal.org/project/honeypot. Click here to read the modules's author explaining the meaning behind the name "Honeypot".

There are some funny variations on this idea. For example, https://drupal.org/project/simpleantispam add a visible checkbox marked "I'm not a spammer" and a hidden checkbox marked "I'm a spammer":


#6. Block by location

http://drupal.org/project/geoblocker allows you to black-list or to white-list access to a Drupal site by countries.

It's not the most sophisticated technique because determined spammers will find a way around these restrictions, but it will block a lot of low-level spam attempts.

Certainly it's worth considering if your site is specifically focused on one location and you have little to no interest in overseas users.

#7. Secret codes

If you have a site without a large audience, you could consider giving out a secret code to potential members.

https://drupal.org/project/mothermayi allows you set a secret code that people must enter in order to register successfully.

#8. 3rd party spam tools

There a wide variety of 3rd party systems that try to prevent spam registrations. These are often paid services. Here are some of the most popular:

Here's an introduction to Mollom. This video is part of our class on using Mollom to beat spammers:

#9. Delayed roles

https://drupal.org/project/role_delay is an interesting approach. It allows you to slowly give users more permissions over time.

For example, a brand new user might not be able to post comments or forum posts. Over time they can automatically be moved into Drupal user roles with more permissions.

#10. Warning message

https://drupal.org/project/warning made me smile. Instead of providing a sophisticated technical solution, the Warning module simple tells your users that won't tolerate spam. Here's how the module create describes it:

"I wrote this module because my personal blog was listed in do-follow lists and generated up to 30 spam comments per day that were not filtered by Mollom. After adding a simple (default) warning for comment submission about the fact that I do not tolerate unrelated links and the comments are moderated, this number dropped to 3 spam comments on average."

Find more spam blocking options

There is a huge list of spam-blocking modules at https://groups.drupal.org/node/77093.

About the author

Steve is the founder of OSTraining. Originally from the UK, he now lives in Sarasota in the USA. Steve's work straddles the line between teaching and web development.