Honeypot
A spam prevention module that uses honeypot fields and time-based restrictions to deter automated form submissions without using CAPTCHAs.
honeypot
Installation
composer require 'drupal/honeypot:^2.2'
composer require 'drupal/honeypot:^2.1'
Overview
The Honeypot module provides an effective, unobtrusive way to block spam-bot submissions on a Drupal site's forms. Unlike CAPTCHAs, which require user interaction, Honeypot works invisibly in the background using two complementary techniques.
The first adds a hidden honeypot field to the form. Spam bots typically fill in every field they find, including this one, which real users never see. Any submission that contains data in the honeypot field is rejected as spam.
The second is time-based protection. A timestamp is recorded when the form is loaded, and a submission that arrives faster than a human could plausibly have completed it (a configurable time limit) is rejected. This works because spam bots usually submit forms almost instantly.
Honeypot also applies an exponential time penalty to repeat offenders: each failed submission increases the required waiting time exponentially, making it progressively harder for a persistent bot to get a form submission accepted.
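To make the two checks concrete, here is a constructed, standalone PHP model of them. It is an added illustration, not the module's code: the hidden field must come back empty, the form's timestamp must be old enough, the required age grows with the submitter's recorded failures, and the timestamp is HMAC-signed so a bot cannot simply send an older value. The secret, field names, base limit and doubling schedule are assumptions made for the example; Honeypot signs its timestamp too, but see honeypot.module for the exact penalty formula and signing scheme it uses.

```php
<?php
// Standalone model of Honeypot's checks (added example, not the module's code).
// Secret, field names and limits below are assumptions for illustration.
const SECRET = 'site-private-key-example';   // stands in for the site's private key
const HONEYPOT_FIELD = 'homepage';            // the hidden field that must stay empty
const BASE_LIMIT = 5;                         // seconds a human needs at minimum

// Issue the timestamp the form carries, signed so a bot cannot backdate it.
function signed_timestamp(int $now): string {
    return $now . '|' . hash_hmac('sha256', (string) $now, SECRET);
}

// Recover the issue time, or null if the signature does not verify.
function timestamp_from_signed(string $value): ?int {
    [$time, $mac] = array_pad(explode('|', $value, 2), 2, '');
    if ($time === '' || !hash_equals(hash_hmac('sha256', $time, SECRET), $mac)) {
        return null;
    }
    return (int) $time;
}

// Assumed penalty schedule: the required wait doubles with each recorded failure.
function time_limit(int $failures): int {
    return BASE_LIMIT * (2 ** $failures);
}

// Returns 'ok', or the rejection reason: 'honeypot', 'honeypot_time' or 'tampered'.
function check_submission(array $post, int $now, int $failures): string {
    if (($post[HONEYPOT_FIELD] ?? '') !== '') {
        return 'honeypot';          // a human never sees this field, so it must be empty
    }
    $issued = timestamp_from_signed($post['honeypot_time'] ?? '');
    if ($issued === null) {
        return 'tampered';          // forged or missing timestamp
    }
    if ($now - $issued < time_limit($failures)) {
        return 'honeypot_time';     // submitted faster than the current limit allows
    }
    return 'ok';
}

// Constructed scenarios: [posted fields, submit time, failures already on record].
$t0 = 1700000000;
$form_token = signed_timestamp($t0);
$cases = [
    'bot fills the hidden field'        => [[HONEYPOT_FIELD => 'http://spam.example', 'honeypot_time' => $form_token], $t0 + 30, 0],
    'bot submits after 1 second'        => [['honeypot_time' => $form_token], $t0 + 1, 0],
    'human submits after 12 seconds'    => [['honeypot_time' => $form_token], $t0 + 12, 0],
    'same human, 2 failures on record'  => [['honeypot_time' => $form_token], $t0 + 12, 2],
    'bot backdates the timestamp'       => [['honeypot_time' => ($t0 - 600) . '|' . str_repeat('0', 64)], $t0 + 1, 0],
];
foreach ($cases as $label => [$post, $now, $failures]) {
    printf("%-36s -> %s (limit %ds)\n", $label, check_submission($post, $now, $failures), time_limit($failures));
}
```

The fourth scenario shows the penalty at work: a 12-second submission passes with no history, but after two failures the limit is 20 seconds and the same timing is rejected. The last scenario is why the timestamp needs a signature: without one a bot could post any old value and defeat the time check entirely.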
Features
- Honeypot field protection: adds a hidden field that triggers rejection when a bot fills it in
- Time-based form protection: requires a minimum amount of time to pass before a form submission is accepted
- Exponential time penalties for repeat offenders, based on their history of failed submissions
- Protect every form on the site, or select specific forms individually
- Bypass protection for users with a specific permission (such as administrators)
- Logging of blocked form submissions for monitoring and analysis
- Event integration with the Rules module for custom actions on spam rejection
- Interactive tour for configuration guidance
- Automatic cleanup of old failed-submission records via cron
- Page cache handling: caching is disabled automatically where time protection is active
- Programmatic API for adding protection to custom forms
Use Cases
Protecting User Registration from Spam Bots
Enable Honeypot on the user registration form to prevent automated account creation. Navigate to /admin/config/content/honeypot and check 'User Registration form' under Honeypot Enabled Forms. Set a time limit of 5-10 seconds to catch bots that submit instantly.
Site-wide Form Protection
For sites under heavy spam attack, enable 'Protect all forms with Honeypot' to add protection to every form. Be aware that this disables page caching on every page that carries a form while the time limit is enabled. Login, search, and Views exposed forms are excluded automatically.
Adding Honeypot to Custom Forms
Use the honeypot service to add protection to custom module forms. In your form builder or in hook_form_alter(): \Drupal::service('honeypot')->addFormProtection($form, $form_state, ['honeypot', 'time_restriction']); The $form array is taken by reference (the call adds the hidden field, the timestamp and a validation handler to it), so pass the variable itself, not an expression. You can pass just 'honeypot' or just 'time_restriction' if you need only one of the two protections.
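As an added example (not code from the module or from this page), a hypothetical custom form in a module named mymodule that injects the honeypot service instead of calling \Drupal::service() statically. The class, form ID and field names are invented; the HoneypotServiceInterface type hint is the one Honeypot 2.x ships, so drop the hint on older versions. Protection is added inside buildForm(), so the hidden field and timestamp are part of the render array and Honeypot's own validation handler runs before submitForm() is ever reached.

```php
<?php

namespace Drupal\mymodule\Form;

use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;
use Drupal\honeypot\HoneypotServiceInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;

/**
 * Hypothetical feedback form protected by Honeypot (added example).
 */
class FeedbackForm extends FormBase {

  /**
   * The honeypot service (service ID 'honeypot').
   */
  protected HoneypotServiceInterface $honeypot;

  public function __construct(HoneypotServiceInterface $honeypot) {
    $this->honeypot = $honeypot;
  }

  /**
   * {@inheritdoc}
   */
  public static function create(ContainerInterface $container) {
    return new static($container->get('honeypot'));
  }

  /**
   * {@inheritdoc}
   */
  public function getFormId() {
    return 'mymodule_feedback_form';
  }

  /**
   * {@inheritdoc}
   */
  public function buildForm(array $form, FormStateInterface $form_state) {
    $form['email'] = [
      '#type' => 'email',
      '#title' => $this->t('Your e-mail'),
      '#required' => TRUE,
    ];
    $form['message'] = [
      '#type' => 'textarea',
      '#title' => $this->t('Message'),
      '#required' => TRUE,
    ];
    $form['actions']['#type'] = 'actions';
    $form['actions']['submit'] = [
      '#type' => 'submit',
      '#value' => $this->t('Send'),
    ];

    // Adds the hidden honeypot field, the timestamp and Honeypot's validation
    // handler. $form is modified in place. 'time_restriction' also switches
    // page caching off for this page; omit it if caching matters more than
    // catching instant submissions.
    $this->honeypot->addFormProtection($form, $form_state, ['honeypot', 'time_restriction']);

    return $form;
  }

  /**
   * {@inheritdoc}
   */
  public function submitForm(array &$form, FormStateInterface $form_state) {
    // Only reached when Honeypot's validation did not reject the submission.
    $this->messenger()->addStatus($this->t('Thanks, your message was received.'));
  }

}
```

Because Honeypot registers itself as a validation handler, a rejected submission never reaches submitForm(); the user sees a form error and, if logging is enabled, the attempt appears in the watchdog log under the 'honeypot' type.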
Monitoring Spam Attempts
Enable 'Log blocked form submissions' to track spam attempts in Drupal's log. Review logs at /admin/reports/dblog filtered by 'honeypot' to understand spam patterns and verify protection is working.
Custom Reaction to Spam with Rules
Install the Rules module and create a rule that reacts to the 'After rejecting a form submission' event. Use this to send email notifications, add IPs to a blocklist, or trigger other automated responses to spam attempts.
Allowing Administrators to Bypass Protection
By default, users with the 'bypass honeypot protection' permission are not subject to honeypot checks. Assign this permission to trusted roles like Administrator to prevent false positives when testing or during legitimate rapid form submissions.
Tips
- Use a tempting element name like 'url', 'homepage', or 'link' to encourage bots to fill it out
- Start with time_limit of 5 seconds and adjust based on form complexity and user feedback
- For commerce or checkout forms, consider disabling time protection to avoid false positives during quick purchases
- The exponential time penalty means repeat offenders face increasingly long wait times automatically
- Use hook_form_alter() together with the honeypot service to add protection to forms owned by other modules; hook_honeypot_form_protections_alter() only adjusts which protections apply to a form that is already being protected
- Monitor the log regularly after enabling to ensure legitimate users aren't being blocked
- Combine Honeypot with other spam prevention methods for defense in depth
Technical Details
Admin Pages 1
/admin/config/content/honeypot
Configure Honeypot spam prevention settings including protection methods, time limits, and select which forms to protect. This page allows administrators to fine-tune the anti-spam behavior for their site.
Permissions 2
Hooks 4
hook_honeypot_form_protections_alter
Alter the honeypot protections applied to a particular form. Use this to add or remove protection types for specific forms.
hook_honeypot_add_form_protection
React after honeypot protection has been added to a form. Useful for tracking when protected forms are displayed.
hook_honeypot_reject
React when a form submission is rejected by Honeypot. Allows custom handling of spam attempts.
hook_honeypot_time_limit
Add extra time to the Honeypot time limit. Return an integer number of seconds; the values returned by all implementations are summed and added on top of the base limit and the module's own exponential penalty.
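The four hooks above, plus the hook_form_alter() route for protecting another module's form, gathered in a hypothetical mymodule.module. This is an added example and not code shipped by Honeypot. The form IDs, log channel, state key and flood event name are assumptions; the $type values passed to hook_honeypot_reject() ('honeypot' for a filled hidden field, 'honeypot_time' for a too-fast submission) are as I recall them from honeypot.api.php, so confirm them against your installed version.

```php
<?php

/**
 * @file
 * Hypothetical mymodule.module wiring up Honeypot's hooks (added example).
 */

use Drupal\Core\Form\FormStateInterface;

/**
 * Implements hook_form_alter().
 *
 * Protects a form owned by another module (the core comment form, an assumed
 * form ID) without patching it. IPs with five or more Honeypot rejections in
 * the last hour, as recorded by mymodule_honeypot_reject() below, do not get
 * the form at all.
 */
function mymodule_form_alter(array &$form, FormStateInterface $form_state, $form_id) {
  if ($form_id !== 'comment_comment_form') {
    return;
  }
  $ip = \Drupal::request()->getClientIp();
  if (!\Drupal::flood()->isAllowed('mymodule.honeypot_reject', 5, 3600, $ip)) {
    // The decision depends on the client IP, so this branch must not be cached.
    $form['#access'] = FALSE;
    $form['#cache']['max-age'] = 0;
    return;
  }
  \Drupal::service('honeypot')->addFormProtection($form, $form_state, ['honeypot', 'time_restriction']);
}

/**
 * Implements hook_honeypot_form_protections_alter().
 *
 * Runs for every form Honeypot is about to protect, including forms enabled
 * in the UI. Keeps the hidden field on the (assumed) checkout form but drops
 * the time check, which quick purchases trip.
 */
function mymodule_honeypot_form_protections_alter(array &$options, array $form) {
  if (($form['form_id']['#value'] ?? NULL) === 'mymodule_checkout_form') {
    $options = array_values(array_diff($options, ['time_restriction']));
  }
}

/**
 * Implements hook_honeypot_add_form_protection().
 *
 * Rough (non-atomic) count of how often protected forms are rendered, useful
 * next to the rejection log when judging the false-positive rate.
 */
function mymodule_honeypot_add_form_protection(array $options, array $form) {
  $state = \Drupal::state();
  $key = 'mymodule.protected_form_renders';
  $state->set($key, (int) $state->get($key, 0) + 1);
}

/**
 * Implements hook_honeypot_reject().
 *
 * Logs the rejection with the client IP and registers it with core's flood
 * control so mymodule_form_alter() can shut repeat offenders out. Honeypot's
 * own log entry (if enabled) is written separately.
 */
function mymodule_honeypot_reject($form_id, $uid, $type) {
  $ip = \Drupal::request()->getClientIp();
  \Drupal::logger('mymodule')->warning('Honeypot rejected @form_id (@type) for uid @uid from @ip', [
    '@form_id' => $form_id,
    '@type' => $type,
    '@uid' => $uid,
    '@ip' => $ip,
  ]);
  \Drupal::flood()->register('mymodule.honeypot_reject', 3600, $ip);
}

/**
 * Implements hook_honeypot_time_limit().
 *
 * Returns extra seconds, summed on top of Honeypot's base limit and its own
 * exponential penalty. Anonymous submitters with failures on record wait an
 * additional 3 seconds per failure; everyone else gets no extra delay.
 */
function mymodule_honeypot_time_limit($honeypot_time_limit, array $form_values, $number) {
  if ($number > 0 && \Drupal::currentUser()->isAnonymous()) {
    return 3 * $number;
  }
  return 0;
}
```

The flood-control pairing is the piece most worth copying: Honeypot already makes repeat offenders wait longer, but the reject hook is the natural place to feed that signal into the rest of the site (flood control here, a firewall or Rules action elsewhere).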
Troubleshooting 5
Legitimate users are rejected for submitting too quickly: the time limit may be too high for simple forms. Reduce the time_limit setting at /admin/config/content/honeypot, or set it to 0 to disable time-based protection while keeping the honeypot field active.
Page caching stops working on pages with forms: time-based protection disables page caching for any page that carries a protected form, because the timestamp must be fresh for each request. Set time_limit to 0 if caching is critical, or use the honeypot field protection only by removing 'time_restriction' from the form's protection options.
The honeypot element name collides with an existing field: change the element_name setting to something that does not conflict with your forms' real fields. Common alternatives: homepage, link, website_url, contact_url.
Spam is still getting through: increase the time_limit to a higher value (10-15 seconds) and consider enabling protection on all forms. If bots appear to skip the hidden field, change element_name, since sophisticated bots keep lists of common honeypot field names.
Protection does not seem to work while testing: ensure you are not logged in as a user with the 'bypass honeypot protection' permission. Administrative users bypass protection by default, so test as an anonymous user or in a private browser window.
Security Notes 5
- Honeypot is not a complete spam solution: bots that render the page (and so skip the hidden field) or that simply wait out the time limit can bypass it, and determined attackers will do both
- Always use Honeypot in combination with other security measures for sensitive forms
- The bypass permission should only be granted to highly trusted roles
- Failed-submission records and log entries contain attacker IP addresses and submitted data; review them and keep the cron cleanup of old records enabled so they do not accumulate indefinitely
- Consider rate limiting at the server level in addition to Honeypot protection