What is Antibot?

Antibot is an extremely lightweight module designed to eliminate robotic form submissions on your website in an innovative-fashion. The module works completely behind the scenes and doesn't require any interaction from the end-users (no annoying CAPTCHAs!). The only requirement to the end user is that they must have Javascript enabled. If they do not, the protected forms will be hidden and a message will appear, telling the user that the form requires Javascript be enabled in order to use it.

Antibot aims to:

  • Prevent automatic spam submissions on your site's forms (like comments).
  • Be as lightweight as any module could possibly be.
  • Protect forms while still being able the cache the page.
  • Avoid any end-user interaction or annoying CAPTCHA codes.
  • Be more reliable than a honeypot trap.

How does it work?

  1. Admins choose which forms to enable protection for by specifying the form IDs.
  2. CSS is used to hide the form and display a message that the form requires Javascript in order to be used.
  3. The form's action path is switched to /antibot.
  4. When the page is loaded, if the user has Javascript enabled, the form is revealed and the message is removed.
  5. After the page is loaded, Antibot waits for a mouse to move or an enter or tab key to be pressed before the action of the form is switched back to the path that it was originally set to be. This indicates that the person behind the controls is a human and not a robot.
  6. Since there is no dynamic code generated for each form, pages with Antibot can be cached safely.


  1. A user has Javascript enabled. They never know the difference and submit the form as they normally would.
  2. A user does not have Javascript enabled. The form is hidden and a message is present in it's place, telling them they need Javascript in order to use the form.
  3. A bot without Javascript hits your site and attempts to submit the form. Since it does not have Javascript, the form action redirects them to /antitbot, which is a landing page explaining what happened. The form data is completely disregarded.
  4. A bot with Javascript hits your site (unlikely). Since Antibot waits for keypresses or mouse movements, the form remains protected, and the robotic submissions brings them to /antibot, where nothing happens.

How do I set it up?

  1. Install the module like you would any other module.
  2. Navigate to /admin/config/system/antibot (admin/config/user-interface/antibot for D8) and create a list of form Ids that you want to protect. You can use wildcard (*) characters. By default, comment forms, site-wide contact forms, and user forms are protected. There is no limit.
  3. There is an additional admin setting that allows admins to be shown the form IDs of all forms on the page and whether or not they are Antibot-activated.

Drupal 8

The Drupal 8 release is ready for use. The only thing missing at this point is an upgrade path from Drupal 7. Since the configuration is very limited and because many form IDs have changed just manually copy over the form IDs you want activated and review them to make sure they are still valid.

Drupal 8 uses dynamic placeholders for the form action in order to maintain cacheability. To keep that intact, the approach here is slightly different. During form processing, we change the #action to '/antibot' and move the placeholder to an attribute (data-action). The JS, once activated, will copy the action from data-action to action; which restores the normal functionality of the form.

Project information