Problem/Motivation
On a large site, we've seen much better spam prevention (from bots) using a modified version of honeypot that allows multiple honeypot form elements instead of only one element.
Proposed resolution
Attached patch allows multiple form elements. Instead of entering a single value in the admin form, the administrator can enter multiple values, separated by commas.
Remaining tasks
Still need to modify the test, as well as write patches for 6.x and 8.x releases.
User interface changes
Administrator can now enter multiple form element names, separated by commas. Entering a single value still works fine.
Comment | File | Size | Author |
---|---|---|---|
#1 | allow_multiple_honeypot_form_elements-2467743-1-against_7.x-1.17.patch | 4.55 KB | krisahil |
#1 | allow_multiple_honeypot_form_elements-2467743-1.patch | 4.75 KB | krisahil |
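
One way the comma-separated setting described in the issue summary could be parsed and checked, as an added example that is not the attached patch or the Honeypot module's own code. The `example_honeypot_*` function names, the name-validation rule, the list of real form fields and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added illustration; every function name here is hypothetical.

/** Parse the comma-separated admin setting into a clean list of element names. */
function example_honeypot_parse_names(string $setting): array {
  $names = [];
  foreach (explode(',', $setting) as $raw) {
    $name = trim($raw);
    // Keep only simple machine-style names that are safe as an HTML "name"
    // attribute; empty or malformed entries are skipped (assumed rule).
    if ($name !== '' && preg_match('/^[a-z][a-z0-9_-]*$/i', $name)) {
      $names[] = $name;
    }
  }
  return array_values(array_unique($names));
}

/** Drop names that collide with real fields; a collision would reject every legitimate submission. */
function example_honeypot_usable_names(array $names, array $real_fields): array {
  return array_values(array_diff($names, $real_fields));
}

/** Return the name of the first honeypot element that carries a value, or NULL. */
function example_honeypot_triggered(array $names, array $submitted): ?string {
  foreach ($names as $name) {
    $value = $submitted[$name] ?? '';
    // A client can send name[]=x, which arrives as an array, so treat any
    // non-empty array or non-blank string as a filled-in trap.
    if (is_array($value) ? count($value) > 0 : trim((string) $value) !== '') {
      return $name;
    }
  }
  return NULL;
}

// Constructed sample setting and requests.
$names = example_honeypot_usable_names(
  example_honeypot_parse_names('url, homepage ,, mail,fax number,url'),
  ['mail', 'subject', 'comment_body']
);
$requests = [
  'human' => ['url' => '', 'homepage' => '', 'mail' => 'a@example.com'],
  'bot fills second trap' => ['url' => '', 'homepage' => 'http://spam.example'],
  'bot sends array' => ['url' => ['x'], 'homepage' => ''],
];
foreach ($requests as $label => $post) {
  $hit = example_honeypot_triggered($names, $post);
  printf("%-22s %s\n", $label, $hit === NULL ? 'accepted' : "rejected ($hit)");
}
```

A setting that contains a single name passes through the same functions unchanged, which matches the summary's note that entering one value still works.
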
Comments
Comment #1
krisahil commented:
Attached is a patch against the latest 7.x-1.x branch (c60a524a8f7a6135149aa26df9e6580556f31966).
Also attached is a patch against 7.x-1.17 tag release.
Comment #2
geerlingguy commented:
@krisahil - I can see generally that adding more elements could potentially trick certain bots, but it seems the main value might just be in picking a better / non-default element name instead of adding multiple names. I'm wondering if this is the right route to go—it might be almost as effective (yet less complicated, code-wise and form-wise) to simply allow multiple field names, and just pick one at random each time a form is rendered?
Comment #3
geerlingguy commented
Comment #6
geerlingguy commented:
After giving some more consideration, I'd rather leave it at one element, as this trick may be enough to trip up some human spammers, but one or a hundred fields won't make much difference to bots, IMO. It would be better to go for more advanced/'intelligent' spam control like Akismet or Cleantalk if necessary.