This project is not covered by Drupal’s security advisory policy.

BotBattler is a free, effective, lightweight, 100% clientside, anti-spam solution for forms, proudly made in Australia, by a Dutchman. The BotBattler name is a cheeky nod to the term Aussie battler.

BotBattler is based on BotBattler-JS, a non-intrusive early-detection approach to prevent forms on your website from being abused by bots aiming to spam your server with inappropriate comments, annoying advertising on "contact us" forms, as well as malicious registration or login attempts.

Unlike CAPTCHA-type solutions, BotBattler, like honeypot, works "under the wraps" and does not affect the form workflow or user experience in any way. This combined with the fact that BotBattler is a 100% clientside solution that is easy to implement on your site, makes it a great first line of defence - in fact, it may be the only defence you'll need.

How does it work?
BotBattler employs a number of strategies.

First, it operates 100% clientside (i.e. via JavaScript). This means that BotBattler doesn't require the spammy data to first make a trip to your server (or a third-party API) before the attack can be detected.

BotBattler adds an extra field to your forms that is invisible to humans. Bots, unaware that the field is hidden, are tempted to fill out most fields on the form, including the hidden one, and that is what gives them away. This technique is similar to the honeypot approach (except that the Drupal Honeypot module does this server-side). What's different though is that BotBattler doesn't check for the field to be empty. Rather, it insists that the field has a specific value. This allows the field to be marked as required, forming an extra temptation for a bot to populate the field and seal its fate, as without a required value the form will refuse to be submitted!
The specific value is a random, non-guessable, non-reusable number that is different every time the page is served.

A final strategy used in conjunction with the above is measuring, clientside, how many seconds pass between the time the page was loaded and the time the form was submitted. If the form was populated in, say, less than 5 seconds (configurable), it was most likely a bot at work -- or a person entering rubbish quickly, which we're also happy to block!

What if the bot browser/robot software has JavaScript disabled?
With BotBattler the form's server destination is initially NOT on the form. It gets set after a few seconds, or, when JavaScript is switched off, not at all. Therefore, if JavaScript is turned off, the form data does not even enter the Internet.

What are some other modules operating in this space and can I use BotBattler in combination with these?
Some modules with D8/D9 releases are:

Yes, you should be able to use BotBattler with the above. Be aware that most spam blockers operate serverside, whereas BotBattler is a clientside solution. This means that when BotBattler traps a bot, the server, and therefore any serverside spam blockers, will never know about spam already prevented by BotBattler and will have no work to do.
Just listen to the sound of silence!

Supporting organizations: 
All code and documentation
