Spam Control for Webforms

There are several modules installed on Drupal to aid in controlling spam when using Webforms. These aids will significantly reduce or even eliminate bots and spammers from filling out your webforms. These modules are Captcha, Antibot, and Honeypot. They can be used together for a more protected experience. Antibot and Honeypot are newly added as of the June 2021 sprint release and are pre-configured. Logs of failed submissions from these modules are not kept within Drupal. 

Within Structure -> Webforms -> Configuration, the third party settings for each module should be checked. If checked, the module will be enabled for all Webforms on that site. 

screenshot of third party settings for spam control - all checked



The Antibot module checks for robotic submissions by first requiring javascript and waits to detect keypresses, mouse movements or swipes. If this activity does not happen, submissions are not recorded, they are blocked. Administrators can include additional form IDs that are protected by Antibot (Configuration -> User interface -> Antibot).

Default protected form IDs

  • comment_*
  • user_login_form
  • user_pass
  • user_register_form
  • contact_*
  • webform_submission_*


The Honeypot module uses a hidden form field that attracts bots and a timestamp method to prevent bots from submitting. Both the Honeypot element name and the minimum time limit to complete the form can be updated. The default element name is "url" and the minimum time to submit is set at 5 seconds. These settings can be adjusted by administrators at Configuration -> Content authoring -> Honeypot configuration.


Captcha refers to capturing a response. This type of spam control requires the human visitor to do something, called a "challenge". In the case for Captcha on Drupal, there are two choices. The first choice is the math challenge type where the submitter will be required to solve a simple math problem. The second choice is the reCaptcha challenge type which requires your site to be registered for reCaptcha and the site and secret keys to be configured in the module. The settings and information can be found under Configuration -> People -> CAPTCHA module settings. If using Captcha with Webforms, either challenge type can be used and added as a webform element.