CAPTCHA

Provides CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) functionality to protect web forms from automated spam submissions.

captcha

251,764 sites

109

drupal.org

gui api

spam protection security form protection captcha bot prevention anti-spam challenge-response

Drupal 9 Drupal 10 Drupal 11

インストール

Drupal 11, 10, 9 v2.0.9

composer require 'drupal/captcha:^2.0'

概要

CAPTCHAモジュールは、Drupalフォームにチャレンジ・レスポンステストを追加する包括的なスパム保護システムです。他のモジュールがさまざまなCAPTCHAタイプを実装できるAPIを提供し、組み込みのMath CAPTCHAチャレンジが含まれています。

CAPTCHAチャレンジは、「CAPTCHA Points」という概念を通じて、事実上すべてのDrupalフォームに追加できます。これはフォームを特定のチャレンジタイプに関連付ける設定エンティティです。このモジュールには、ユーザーログイン、登録、パスワードリセットなどの一般的なフォーム用に事前設定されたCAPTCHA Pointsが含まれています。

主な機能には、信頼できるアドレスのチャレンジをバイパスするIPホワイトリスト、成功した応答後にCAPTCHAをスキップする設定可能な永続化設定、簡単なセットアップのための管理モード、ブロックされた送信の統計追跡が含まれます。このモジュールはDrupalのページキャッシュシステムと統合され、CAPTCHAチャレンジのあるページのキャッシュを自動的に無効化します。

開発者はhook_captcha()を実装してカスタムCAPTCHAタイプを作成でき、hook_captcha_placement_map()を使用してフォーム内のCAPTCHAの配置をカスタマイズできます。

Features

Math CAPTCHAチャレンジ - ユーザーが解く必要がある簡単な算術問題（例：5 + 3 = ?）を表示
CAPTCHA Pointsシステム - フォームIDをチャレンジタイプにマッピングし、有効/無効状態を持つ設定エンティティ
グローバルCAPTCHAモード - サイト全体のすべてのフォームにチャレンジをオプションで追加
IPアドレスホワイトリスト - 信頼できるIPアドレスまたはIP範囲のCAPTCHAをスキップ
永続化設定 - CAPTCHAを常に表示するか、成功した応答後にスキップするかを設定（フォームごと、フォームタイプごと、またはサイト全体）
管理モード - 管理者向けにフォーム上にCAPTCHA管理リンクを表示
カスタマイズ可能なメッセージ - CAPTCHAのタイトル、説明、エラーメッセージを設定
大文字小文字を区別するまたは区別しない検証オプション
統計追跡 - ステータスレポートでブロックされたフォーム送信をカウント
誤った応答のログ記録 - 不正なCAPTCHA応答をオプションでログに記録
cronによる自動クリーンアップを伴うCAPTCHAセッション管理
Drupalのページキャッシュとの統合（CAPTCHAのあるページのキャッシュを無効化）
プログラムによるCAPTCHA挿入のためのフォーム要素（#type => 'captcha'）
Drupal 7からの移行サポート
カスタムCAPTCHA実装のためのフックを備えた開発者API

Use Cases

Protecting User Registration from Spam Bots

Enable the CAPTCHA Point for user_register_form to require visitors to solve a Math or Image CAPTCHA before creating an account. This effectively blocks automated account creation by spam bots while maintaining a reasonable user experience for legitimate visitors.

Securing Contact Forms

Add CAPTCHA to contact forms to prevent automated spam messages. The module includes a pre-configured CAPTCHA Point for the personal contact form, and you can add additional points for site-wide or custom contact forms.

Protecting Comment Forms

Create CAPTCHA Points for comment forms (comment_*_form) to prevent spam comments. Consider using persistence settings to skip CAPTCHA after one successful response to improve user experience for legitimate commenters.

Site-wide Protection with IP Whitelisting

Enable 'Add CAPTCHA challenges on all forms' for maximum protection, then add your office IP addresses or trusted partner IPs to the whitelist so internal users don't see CAPTCHAs.

Custom Form Protection

Create custom CAPTCHA Points for any form by specifying its form_id. You can find form IDs by enabling administration mode, which displays CAPTCHA management links on all forms showing their form_id.

Implementing Custom CAPTCHA Types

Developers can create custom CAPTCHA challenges by implementing hook_captcha(). Return available types in the 'list' operation and generate challenges in the 'generate' operation. This allows integration with third-party CAPTCHA services or custom challenge types.

Tips

Grant 'Skip CAPTCHA' permission to administrators and trusted roles to avoid them seeing challenges
Use administration mode during site building to easily identify form IDs and manage CAPTCHA Points
For comment forms, set 'Display on separate page' in content type settings for better caching efficiency
In development environments, add $settings['disable_captcha'] = TRUE; to settings.php to bypass all CAPTCHAs
Consider persistence settings carefully - 'Skip once successful' improves UX but reduces security
Use IP whitelisting for known good IPs (office, CI servers) to bypass CAPTCHA
Monitor the status report for blocked submission statistics if stats are enabled
Clear the CAPTCHA placement cache after significant form structure changes

Related Projects

node コア

Automatically creates disabled CAPTCHA Points for all node type forms during installation

contact コア

Pre-configured CAPTCHA Point for personal contact form (contact_message_personal_form)

user コア

Pre-configured CAPTCHA Points for user_login_form, user_register_form, and user_pass forms

dblog コア

When enabled, provides a link to the log in the wrong response logging setting description

Technical Details

CAPTCHA settings /admin/config/people/captcha

Main configuration page for CAPTCHA module settings including default challenge type, global options, persistence behavior, and message customization.

CAPTCHA Points /admin/config/people/captcha/captcha-points

Manage CAPTCHA Points - the associations between forms and CAPTCHA challenge types. Lists all configured CAPTCHA Points with their form IDs, challenge types, and enabled status.

Add CAPTCHA point /admin/config/people/captcha/captcha-points/add

Create a new CAPTCHA Point to protect a specific form with a challenge.

CAPTCHA examples /admin/config/people/captcha/examples

Preview page showing examples of all available CAPTCHA challenge types with their current settings. Useful for testing and comparing different CAPTCHA implementations.

Administer CAPTCHA settings

Allows users to configure CAPTCHA settings, manage CAPTCHA Points, and see administration information on forms when administration mode is enabled.

Skip CAPTCHA

Users with this permission will not be shown any CAPTCHA challenges. Grant this to trusted roles like administrators.

hook_captcha

Main hook for implementing CAPTCHA challenge types. Modules implement this to provide their own challenges.

hook_captcha_alter

Allows modules to alter a CAPTCHA after it has been generated.

hook_captcha_placement_map

Define custom placement positions for CAPTCHA elements in specific forms.

CAPTCHA validation error: unknown CAPTCHA session ID

This typically occurs with aggressive caching. The CAPTCHA module disables page caching for pages with CAPTCHAs, but other caching mechanisms (Varnish, CDN) may cause issues. Configure your caching layer to bypass cache for forms with CAPTCHAs, or consider using a cacheable CAPTCHA type like reCAPTCHA.

CAPTCHA not appearing on forms

1. Check that the user doesn't have 'Skip CAPTCHA' permission. 2. Verify the CAPTCHA Point exists and is enabled. 3. Clear the CAPTCHA placement cache. 4. Check if the IP is whitelisted.

CAPTCHA appears in wrong position on form

Clear the CAPTCHA placement cache from the settings page. If the problem persists, implement hook_captcha_placement_map() to specify the exact placement for that form.

Page caching issues with CAPTCHA

CAPTCHA disables page caching for forms with challenges. If you need caching, place CAPTCHA-protected forms on separate pages, use AJAX form loading, or use a cacheable CAPTCHA implementation like reCAPTCHA.

CAPTCHA provides protection against automated attacks but determined attackers may use CAPTCHA-solving services
The Math CAPTCHA is less secure than image-based CAPTCHAs but more accessible
Always combine CAPTCHA with other security measures like honeypots and rate limiting
CAPTCHA session IDs are validated with tokens to prevent reuse attacks
Whitelisted IPs bypass all CAPTCHA validation - use this feature carefully
The module logs CAPTCHA session reuse attacks for security monitoring