Open source software security

Protecting Drupal with CAPTCHA

9 February 2011
Spam is a persistent problem online. Your Drupal site will very likely face an inundation of spam at some point in its lifetime. Most often this comes in the form of comment spam, usually designed to drive traffic away from your site to the spammer's site, or to increase the search engine rank of the spammer site by hosting links to that target. Most spam injection techniques are automated so that spammers can blast out a large number of links in comments on many different sites with minimal effort. Because of this automation, spammers can be discouraged using the Completely Automated Public Turing Test To Tell Computers and Humans Apart (CAPTCHA) protection. CAPTCHA is familiar to most web users and generally presents a fuzzy image of some text and asks the user to input the values for that text. Drupal offers two third party contributed modules that are easy to implement that allow site administrators to leverage CAPTCHA protection for their site. The first module is CAPTCHA ( and is a basic CAPTCHA implementation that uses your site's image library (such as libGD) to create CAPTCHA's, or if you don't have such capabilities or want a simpler solution, can present simple arithmetic tests to verify a human user. CAPTCHA is very simple and straightforward, but is static and so is susceptible to failing if new bypass techniques are discovered. The reCAPTCHA module ( implements the Google reCAPTCHA service on top of CAPTCHA and provides for a much more robust solution. Once both of these modules are downloaded and installed on your Drupal site CAPTCHA form protection can be enabled on a per-form basis. This is especially handy if you want to protect your user feedback forms and your comment submission forms with CAPTCHA protection but you don't want to interrupt your user registration. Once you have enabled the CAPTCHA and reCAPTCHA modules from the modules list (?q=admin/build/modules) there are a couple of steps in order to get the CAPTCHA protection working. reCAPTCHA is a web based service that allows for dynamic CAPTCHA's to be displayed on your site. It is slightly more effective than regular CAPTCHA because it offers a few additional services (such as audible CAPTCHA). Additionally, as a remotely hosted service it is able to be much more dynamic. Because reCAPTCHA service can be changed without alteration to your site, it is able to adapt to spammer CAPTCHA bypassing techniques, whereas CAPTCHA is static and locally hosted on your website (meaning it can only be updated when new module code is installed on the your server). reCAPTCHA is maintained by Google and can be found at reCAPTCHA also has the handy feature of being easily recognizable by your site users as it is utilized across many web applications. For these and other reasons you should used reCAPTCHA if possible. In order to get started with reCAPTCHA you must first register your site (for free) with the service. You register your URL with reCAPTCHA at their site, Once you have registered your site you will be given a confirmation code. You can always log into your reCAPTCHA management site at and either register more sites or manage your registrations. The registration codes are used in the reCAPTCHA's displayed on your site, so that after verification users can return to the proper location. Plug these values in to the text boxes in the Drupal management interface at ?q=admin/user/captcha/recaptcha. Once these values are filled in save the configuration. Finally you must enable the CAPTCHA protection for the forms you wish to protect on your Drupal site. You manage this configuration at ?q=admin/user/captcha. You can see in the middle of the page that there are a number of forms, each with a drop down list next to it. Change each of the drop down lists from "[none]" to the desired protection and then save the values by clicking the 'Save configuration' button at the bottom. You may want to check the 'Log wrong responses' if you suspect there may be issues with users being able to utilize the CAPTCHA protection, but this could add a lot of noise to your log files if you suspect spammers are hammering your site. Once you have enabled CAPTCHA protection for your site you should notice a marked decrease in spam messages. This protection can be fine tuned by adjusting the type of protection on each form for your site. Additionally you can modify site permissions (?q=admin/user/permissions) to allow certain roles to completely bypass your CAPTCHA protections so that if you have a trusted set of users you don't have to interrupt their workflow by forcing them to fill out CAPTCHA's.