A sample form including a Hidden CAPTCHA!


Hidden CAPTCHA is an extension to the CAPTCHA module. It offers a hidden CAPTCHA (duh!)

The idea is very simple: If you offer an input box in any form, 99% of the time, robots will fill it with something before posting the form. If you offer an input box that has to stay empty, then the CAPTCHA system will prevent posts by robots.

This module allows you to add a Hidden CAPTCHA on forms where you don't absolutely need to have a human enter a text, number, etc. but that still needs a little anti-spam control.

How does it work?

This is just like any text CAPTCHA. You can set it up with a question specific to your website or that people just cannot answer in their right mind (i.e. How many stars are they in the Universe?) By changing the question regularly (once a month?) then you can prevent even more spam as the spammers need to adjust their robots to understand the new question (and some won't do that...) Long questions are better since they are not very likely to have been asked in any CAPTCHA before.

The CAPTCHA system will create a form with your question and an input box. The Hidden CAPTCHA system adds a specific CSS class to that form. The class references a CSS definition in the Hidden CAPTCHA file that says that the whole CAPTCHA box shall be hidden (i.e. display: none;).

The style is put in a separate file because it makes it a little harder for hackers to test whether the CAPTCHA is hidden or not. Imagine if you are using a random CAPTCHA...

Note that the form is definitively present on the page.

Does it work in all cases?

If the question is: does it prevent all Spam? Then, no. It does not. However, it does help dramatically (i.e. with it or without any CAPTCHA... quite a difference.) And the difference between having a reCAPTCHA (what I usually select,) or a Hidden CAPTCHA... you get a lot more posts from your users.

If the question is: does it work anywhere a regular CAPTCHA works? Then, yes. At least so far I have not encountered any problems and it is used on many of my websites.

Demo Site

There are several sites where I use this CAPTCHA. I give you one here:

Turn Watcher

Go to the home page. Wait until a box appears asking you for your name and email address (and don't forget to fill that form and submit it... 9-) .) At that point check out the form. Yes. There is a Hidden CAPTCHA... which obviously you cannot see (unless you have a browser that can remove the CSS... but watch out, the whole page will look... pretty bad!)

Other similar modules

If you have a module that's similar to this, don't hesitate to let me know and I'll add a link here.

  • honeypot is very similar to Hidden CAPTCHA and works for Drupal 7.x and 8.x.
  • Spamicide Add a hidden input field to all your forms.
  • BOTCHA is a highly configurable spam protection framework.

Known conflicts

Boost (cached pages)

The CAPTCHA module deletes CAPTCHA sessions after 24h. There is no way to control this timing from the interface. So, in other words, a session lives a maximum of 24h. This means that any page that carries a CAPTCHA must be refreshed within that time. In general, such pages need to be setup so boost reset the page once every 12h or less so it works properly with CAPTCHA.

Note that this is a CAPTCHA problem, not the Hidden CAPTCHA itself.


The sponsor of this module extension is Made to Order Software Corp.

Supporting organizations: 

Project information