How to use the Drupal 8 & 9 honeypot module efficiently

The Honeypot module is a great CAPTCHA alternative, as it keeps spam bots from submitting content while also saving your site visitors from having to type in mundane character combinations.
Configured properly, it will prevent the majority of bots from submitting forms on your site, including registration forms, contact forms, comment forms, content forms... any Drupal forms.
It works differently from CAPTCHA: it lures the bot into filling out a form field that is invisible to regular users. When that field comes back filled in, the system recognizes the bot for what it is and denies the submission.

While being very user friendly, this reversed bot detection system comes at the cost of some bot submissions getting through anyway. This is why I would advise against using this module on large sites, where it is difficult to track every piece of submitted content. It should work well for small and medium sites, however; it has been working well in many of my projects, including this very site.

Honeypot configuration

Correct configuration of the module is extremely important, as wrong settings might make the module ineffective or, worse, prevent real users from submitting forms. After configuring the module, make sure to double-check that it works by submitting a protected form as an anonymous user.

Once installed and enabled, go to admin/config/content/honeypot to configure the module.

First of all, be careful with the "protect all forms" option, as caching will be disabled on every page that includes a form. This can be problematic in cases where, for example, a login block is embedded in the sidebar. In addition to ticking which forms to protect, there are two important settings to keep in mind.

"Honeypot time limit" sets an additional, non-honeypot protection method: a form submitted within the set number of seconds after page load is assumed to have been submitted by a bot. Even though this option disables page caching, we found disabling it takes away from the module's effectiveness. Five seconds is a safe number for most cases, as human users will need more time to submit a form.

The other option is the "Honeypot element name", where the name of the honeypot form field can be set. Now some important advice: do not use the default field name. Change it to something else. You can be creative and use age, sex, www, attractiveness and so on. We found using a different honeypot field name greatly improves bot detection. This is probably due to certain bots being preprogrammed to pass the Drupal Honeypot's "are you a bot" test.

At the beginning it also makes sense to check the logging checkbox, then lean back to learn how many submissions are being blocked by the module and possibly block the IP addresses.
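The two checks described above (the hidden field and the time limit), as an added Python sketch that is not the Honeypot module's own code. The field name `www` and the five-second limit come from the article; the `render_token` field, the HMAC-signed timestamp and the sample submissions are assumptions constructed for this example.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret, constructed for this sketch
ELEMENT_NAME = "www"              # renamed honeypot field, one of the article's suggestions
TIME_LIMIT = 5                    # seconds, the value the article recommends


def render_token(now=None):
    """Value for a hidden input: render time plus an HMAC so a bot cannot backdate it."""
    ts = str(int(time.time() if now is None else now))
    sig = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"


def check_submission(form, now=None):
    """Return (accepted, reason) for a dict of posted form values."""
    now = time.time() if now is None else now
    # Check 1: the field humans never see must come back empty.
    if form.get(ELEMENT_NAME, "").strip():
        return False, "honeypot field filled"
    # Check 2: the render timestamp must be authentic and old enough.
    ts, _, sig = form.get("render_token", "").partition(".")
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not ts.isdecimal() or not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "missing or forged timestamp"
    if now - int(ts) < TIME_LIMIT:
        return False, "submitted too fast"
    return True, "ok"


def demo():
    """Run four constructed submissions against a form rendered at t=1000."""
    token = render_token(now=1000)
    base = {"mail": "x@example.com", ELEMENT_NAME: "", "render_token": token}
    samples = {
        "human": (dict(base), 1012),
        "fills everything": ({**base, ELEMENT_NAME: "http://spam.example"}, 1012),
        "instant post": (dict(base), 1001),
        "backdated": ({**base, "render_token": "900." + "0" * 64}, 1012),
    }
    return {name: check_submission(form, now) for name, (form, now) in samples.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```

The rejection reasons are the kind of detail worth logging during the first weeks, since they show which of the two checks is doing the work on a given form.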

Honeypot in Drupal 8 & 9

The D8 branch of Honeypot is very usable; however, I recommend the development version (> 8.x-1.x-dev) for now. The stable version has some caching problems that break the "time limit" function. The development version works very well, though.

If you develop with Drupal 8, make sure to check out the article What to keep in mind when creating Drupal 8 projects - for developers.

It's been a while since this article was written and since then the module as well as the Drupal 8 & 9 platform have become stable tools.

Link to honeypot module page.
