CAPTCHA
The most widely used method is called a “CAPTCHA”. A CAPTCHA is a program or system intended to distinguish human from machine input. We typically use https://www.drupal.org/project/recaptcha to prevent spam on Drupal sites (available for Drupal 8 and 7). It requires https://www.drupal.org/project/captcha as well. The CAPTCHA module offers math and image captchas, but those are pretty easily solved by spambots, while Google’s ReCaptcha is not nearly as easily solved by spambots. Note that as of this writing the Drupal ReCaptcha module does not yet support “NoCaptcha” or version 3 of the API. It uses v2, which shows a checkbox like this;
Install this Drupal 8 module the way you normally would, then enable it. You will also need to get ReCaptcha API credentials over at https://www.google.com/recaptcha. You enter those at /admin/config/people/captcha/recaptcha. After that you can start enabling captcha on select forms. The modules comes with a few Drupal core forms available. These are listed under the “Captcha Points” tab:
You can add support for other forms by clicking “Add captcha point”, where you enter the relevant form ID. This is handy for custom forms.
Using the CAPTCHA and Webform modules together
If you’re using the Webform module, don’t bother adding captcha points this way though, because Webform has built-in support for the Captcha module. I am speaking here of version 8.x-5 specifically, which has a great UI and lots of robust features. You would just go to “Build” to manage the components / form elements, and add a Captcha element there. If you have configured the CAPTCHA module to use ReCaptcha as the default method, you can have the Webform captcha elements also just use the default method. This is our usual approach, because this way we could switch the method later on site-wide with minimal effort. You can also use Webform/Captcha in Drupal 7, though it works a bit differently.
Honeypot
A honeypot is usually a form element that the spambot is tricked into filling in. These are normally hidden form fields, and should be left blank if the form is filled in by a human. A spambot may not be able to tell that it’s hidden, and will fill it in, thus getting blocked.
There is a handy Drupal module for this: https://www.drupal.org/project/honeypot, available for both Drupal 8 and 7.
Other Approaches
We have found https://www.drupal.org/project/antibot (for Drupal 8 and 7) to be effective. This one is interesting because it uses an algorithm to determine whether the user is a bot or a human, based on user behaviors. There is no checkbox or code for a human to interact with, which is great for your visitors. This approach may work fine on its own, but could be paired with the Honeypot module above for a more effective strategy.
Another contender is a paid SaaS called CleanTalk (for Drupal 8 and 7). We have tested this briefly and although it did look promising, we have had enough success with the ReCaptcha and Antibot/Honeypot approaches that we wound up not using it. A similar but free alternative is https://www.drupal.org/project/httpbl (Drupal 8 dev version, Drupal 7 release version), which aggregates spam data in Project Honeypot, pooling data on spambots to proactively block them. We have tested this in the past but found it a bit difficult to use, plus it has no release version yet (only a dev version).
Finally, https://www.drupal.org/project/spammaster is a relative newcomer and one we have not tested, though it looks robust. We’ll update this post when we have had a chance to test it out.
Conclusion
I would recommend starting with a combination of the Honeypot and Antibot modules. If that still does not stop enough spam, try the ReCaptcha module instead. If that is still not satisfactory, you could try a combination of ReCaptcha+Honeypot or ReCaptcha+Antibot, but it likely won’t come to that. Drop us a line if you’d like help with any of this!