Category Technology
Publication date
02 February 2015

The 5 Best Modules to Eliminate Spam on a Drupal Website


I hate spam. It's that little annoyance, just a tiny one, that keeps chipping away. And it gets worse, more intense, more frequent. But can it be beaten? In truth, probably not. But we can go a long way towards lessening it. Which means fewer spam accounts and comments.

On my personal blog I had someone adding a lot of spam - about one comment every 30 minutes - not much, but irritating. To combat it, I set up a rule that said "Do you see that green message below saying your comment was posted? Well, it wasn't; we don't allow you to post spam. If you think we have blocked you incorrectly, please get in contact". Amazingly, it worked. Thankfully that person had been using the same email address to post their spam so it was easy to target them. But usually spam submitters are not so easy to target so precisely and we need mass approaches to tackling it.

Spam comes in two forms - human input (sorry, there is very little you can do to get around a real person sitting at a real computer typing real spam - unless my little rule above works for you) and spambots.

Using Drupal, there are a number of approaches to pulling the plug on spam. Let's look at them.


The captcha module provides a base API for other spam modules, but also comes with some preconfigured captchas, such as a maths question. You are asked 2 + 4 = ? and if you get the question right, you must be posting legitimate comments. Right? I've found it very easy for spambots to get around this, however, so I don't recommend it as a standalone solution.


I love the idea of re-captcha. Basically, many old books have been scanned, but some of the words are not readable by the scanners. These squiggly words are then presented as captchas (and are very hard for spambots to read). If enough people enter the same word as the answer, that word will be accepted as the correct word for the book and you can pat yourself on the back for helping humanity in your efforts to digitise old manuscripts. One website that I developed did fall foul of re-captcha being beaten and led to loads of spam getting past. I still don't know how! And since it can be very difficult to read some of the words, it does have the potential to turn people away. On the bright side, here's a great TED talk from the inventor of captchas and re-captcha.


Mollom is a freemium (free up to a certain level) anti-spam measure created by Dries, the creator of Drupal. You can configure it to only present the captcha after scanning the user's input and figuring out that it might be spam. While it apparently works quite well, I've never been a fan of it. I find it ugly and I find that sites with it keep asking me to fill it out. Perhaps the comments I leave on the internet are all spam.


Honeypot is the daddy of anti-spam. It's so good that Drupal doesn't use Mollom, it uses honeypot. Honeypot creates a hidden field with a label that is enticing to a spambot, something like URL or Website. If that field is filled in, then you must be a spambot. You can also configure it to be time-based, defaulting to 5 seconds. If you can fill out this form in under 5 seconds, you must be a spambot. I tend not to use it on very short forms like a password reset one, as it's easy to fill this in in under 5 seconds. Overall: simple, beautiful, and oh so effective. And the great thing is, users do not see it - it's totally unintrusive.
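To make the two checks concrete, here is an added example (not the Honeypot module's own code) of a server-side handler that rejects a filled trap field and a too-fast submission. The field names `url` and `hp_token`, the secret and the token format are assumptions made for this sketch; the render time is HMAC-signed so a bot cannot simply send an older timestamp.

```php
<?php
// Added illustration, not the Honeypot module's code. The field names,
// secret and token format are assumptions made for this example.
const HP_FIELD = 'url';       // enticing name; hidden from humans with CSS
const HP_MIN_SECONDS = 5;     // the default time limit mentioned above
const HP_SECRET = 'replace-with-a-random-server-side-secret';

// Rendered into the form as a hidden input: "<timestamp>.<hmac>".
function hp_issue_token(int $now): string {
    return $now . '.' . hash_hmac('sha256', (string) $now, HP_SECRET);
}

// Returns null for a plausible human, otherwise the reason for rejection.
function hp_check(array $post, int $now): ?string {
    // 1. Trap field: a human never sees it, so any value means a bot.
    $trap = $post[HP_FIELD] ?? '';
    if (!is_string($trap) || trim($trap) !== '') {
        return 'honeypot field filled';
    }
    // 2. The render time is signed so the client cannot backdate it.
    $token = $post['hp_token'] ?? '';
    $parts = is_string($token) ? explode('.', $token, 2) : [];
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'missing or malformed token';
    }
    [$issued, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $issued, HP_SECRET), $mac)) {
        return 'token signature mismatch';
    }
    // 3. Time limit: forms completed faster than a person can type.
    if ($now - (int) $issued < HP_MIN_SECONDS) {
        return 'submitted too quickly';
    }
    return null;
}

// Constructed sample submissions: [POST data, time of submission].
$t0 = 1700000000;
$tok = hp_issue_token($t0);
$samples = [
    'human'     => [['comment' => 'Nice post', 'url' => '', 'hp_token' => $tok], $t0 + 42],
    'trap'      => [['comment' => 'Buy now', 'url' => 'http://spam.example', 'hp_token' => $tok], $t0 + 42],
    'too fast'  => [['comment' => 'Buy now', 'url' => '', 'hp_token' => $tok], $t0 + 1],
    'backdated' => [['comment' => 'Buy now', 'url' => '', 'hp_token' => ($t0 - 60) . '.' . substr($tok, 11)], $t0 + 1],
];
foreach ($samples as $label => [$post, $now]) {
    printf("%-10s %s\n", $label, hp_check($post, $now) ?? 'accepted');
}
```

In this sketch a token never expires, so a bot that waits out the limit can reuse it; tying the token to one form build or giving it a maximum age would close that gap.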

Simple Anti-spam

Simple Anti-spam is a module that I haven't tried out. It appears to do what Honeypot does and then some more as well, which means it's potentially even better than honeypot.

And that's our round up. 5 modules you can use right now to dramatically cut down on spam on your Drupal website. And a bonus rule to let you know when comments have been added, here's:


This isn't an anti-spam module, per se. The rules module lets you set up custom rules to say do certain things upon certain events. On my blog I have set up a custom rule to send me an email whenever a new comment is posted. Since I get notifications immediately, spam comments are removed within seconds/minutes. You can grab a copy of the rule on my github page.

Do you use any of these modules or something better? Let me know your favourite anti-spam measures in the comments.



Mark Conroy Director of Development

When not promoting sustainable front-end practices at conferences across Europe, Mark leads our development team to create ambitious digital experiences for clients, so they, in turn, can have success with their clients.