How the reCAPTCHA Drupal module helps you stop website spam

10 Feb 2021

In an ideal world, only real and well-behaved users access websites. Unfortunately, many “visitors” knocking on your website’s doors are malicious bots that masquerade as humans. Their goals are spam comments, spam emails, and spam forms — and these are just some relatively innocent examples. They, so websites need to learn to distinguish between real people and bots and use the blocking mechanisms.

It’s great to know there are helpful technologies in this sphere, one of which is Google reCAPTCHA. If your website is based on Drupal, you can rely on the special reCAPTCHA module for Drupal that will make it easier to install reCAPTCHA and stop website spam.

What is reCAPTCHA?

Most readers, both tech-savvy and not, must have heard the term “reCAPTCHA” and definitely met with reCAPTCHA on the Web. Still, we would like to make it clear and answer the question “What does reCAPTCHA mean?” in more detail.

ReCAPTCHA is a free service that helps websites distinguish between human and automated access. It was created by experts at Carnegie Mellon University and later purchased by Google. It is widely used for website protection from spam and abuse that can be caused by malicious software. Real users will be able to fully use the website in usual ways. To tell humans from bots, machine learning and advanced risk analysis are used.

An interesting fact is that ReCAPTCHA was initially invented for book digitization. Its original slogan was “Stop Spam, Read Books.” That’s why its text tests have never been random word combinations but excerpts from books that were going through digitization.

ReCAPTCHA is a type of CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). As its full name suggests, it is based on the Turing test — a test invented in 1950 by English mathematician Alan Turing to determine whether a machine is capable to show intelligent behavior equivalent to that of a human being.

What forms does it take? The ReCAPTCHA versions

  1. ReCAPTCHA V1. The first tests were presented as tasks to decipher hard-to-read text or distorted digits, match images, do math calculations, or answer general-knowledge questions. However, V1 was shut down by Google in 2018.
  2. ReCAPTCHA V2. V2 has three subversions:
    - The “I’m not a robot” checkbox is shown to users before they submit some form on a website. Suspicious users get extra tests to pass.
    - There is also an Invisible reCAPTCHA badge in V2 that does not require users to click on any checkbox but is just invoked when a user clicks a submit button on your site.
    - Finally, there is reCAPTCHA v2 Android for integrating the technology into native Android apps.
  3. ReCAPTCHA V3. This is the newest technology that runs automatically and checks the legitimacy of a user’s action without ever asking them to perform any actions. It is a JavaScript API that returns a probability score from 0.0 to 1.0 of a user being a human so website admins can take action.

How to install reCAPTCHA on a Drupal website

It would be surprising if Drupal didn’t have a module for integrating with some popular technology. The Drupal reCAPTCHA module easily connects your website to Google’s reCAPTCHA web service in order to make it “tough on bots and easy on humans.”

The module’s compatibility

The Drupal ReCAPTCHA module has stable versions for Drupal 7 and Drupal 8. The Drupal 8 reCAPTCHA module version supports Drupal 9 as well, so if your site uses the latest Drupal core, you can rely on this module for website spam protection.

The reCAPTCHA versions supported by the module

Given that reCAPTCHA V1 has been shut down by Google, the Drupal module currently supports only one reCAPTCHA version — the V2 checkbox. The work for the Invisible reCAPTCHA support is still in progress, so the module may start supporting it in the near future.

Tutorial to using the module

  1. Module installation
    The reCAPTCHA Drupal module needs to be installed together with the CAPTCHA Drupal module it depends on. We are using the 8.x-3.0 module version in this example.
  2. Basic module settings
    You need to go to the Configuration > People page of your Drupal admin dashboard and select the “CAPTCHA module settings.”
    Under “Form protection,” set the “Default challenge type” to “reCAPTCHA (from module reCAPTCHA).” Then scroll down to the bottom of the page and save the configuration.
    Select the “reCAPTCHA” tab.
    In “General settings,” you will see that it asks you to enter the site key and the secret key that you can obtain from Google. Just open one of the links next to these two fields (preferably, in a new tab).
  3. Getting your Google reCAPTCHA keys
    You will arrive at Google reCAPTCHA’s new site registration form where you will need to register your site by filling out a form. This includes specifying a label, the reCAPTCHA type, and your website domain. Remembering about the Drupal module’s capabilities, select V2 and the “I’m not a robot” checkbox as the reCAPTCHA type.
    You will also be asked to add your email address, check the box for accepting the Terms of Service (obligatory), and select whether or not to receive alerts (optional). With the latter option enabled, you will get alerts from Google in case it detects problems with your Drupal website like configuration issues or suspicious traffic increases.
    Once you have submitted the registration form, Google will give you the site key and the secret key that you need to copy.
  4. Adding your Google keys to Drupal
    Go back to your reCAPTCHA general settings in the Drupal admin dashboard and paste the site key and the secret key into the respective fields. Save the result.
  5. Enabling website forms to use reCAPTCHA
    Next, go to the “Form settings” tab and enable the Drupal forms you want the “I’m not a robot” checkbox to appear on. Of course, you will want to stop contact form spam, stop spam comments, stop spam emails, and so on, so look carefully through your Drupal form list.
  6. Testing the result
    Let’s test what happens if you get, for example, the user login form enabled in “Form settings.” When you go to your Drupal website’s login page, you will see the “I’m not a robot” checkbox. Success!
  7. Adding design tweaks
    If you go back to the reCAPTCHA tab and scroll down its main settings, you will be able to change the checkbox theme from light to dark, the type from image to audio, the size from normal to compact, and more.
    Here is how the dark compact checkbox looks.

Ready to stop website spam with reCAPTCHA?

Website spam protection is an important item on the list of security measures, so it cannot wait. If you need any assistance with spam prevention or more security enhancements, send a note to our team of Drupal geeks. We will make sure your Drupal website is well protected using the best modules and practices.

Eager to make the Web a safer place,

Your Golems

Useful links: