Security on registration form
Hello,
I work at Yale University Press, and my team oversees a few different Drupal websites. We have recently experienced quite a spate of spam attacks on the user registration form on these other sites, which are not YaleSites. We’ve tried implementing a CAPTCHA, but the spammers just keep getting through. Since we have not experienced any spam attacks on the Encounters YaleSite (http://encounterschinese.com/) as far as I’m aware, I wanted to reach out and see if you all have any recommendations on how best to protect the registration form on these other sites. Here is an example of one of our other Drupal sites, which is constantly under attack: http://www.posenlibrary.com/frontend/user/register. Thanks so much for your help, and please let me know if you have any questions!
Best,
Tom
Hi Tom,
I’m sorry to hear about your spam issues; it’s unusual to me that spambots would be able to thwart a standard CAPTCHA.
Keep in mind that these support forums are in place for issues concerning sites on the YaleSites network, so the amount of resources I can dedicate to this issue is unfortunately limited. I did look into the issues and came up with some general findings which might be of use!
Firstly, though this is just my hypothesis, the Encounters site’s status as a YaleSite might afford it additional protections from spam and malicious content, compared to a standard Drupal site. The D7 development platform might also be inherently more secure, compared to the D6 platform the other sites exist in. The Drupal 6 environment is also no longer being supported, meaning modules may not be supported or updated for use in this environment.
However, there are several spam prevention modules that can be installed as an extra layer of security against spambots, which I found listed here. The most promising of these, based on some brief additional research, is a module called Honeypot. Honeypot, as I understand it, places an additional entry field in forms that is invisible to the end user but is detected as a valid field by spambots. When a spambot makes an entry in this invisible field, the form submission is aborted. As an additional layer of security, it uses a timestamp-based deterrent that ensures a certain, small amount of time has passed between page load and form submission. Honeypot seems to be a favorite of the official Drupal website, so I’d take that as a strong endorsement.
I wish you the best of luck with implementing these security measures, and I hope you’ll update me here if any of them prove effective!
Best,
-Zach
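To make the two checks Zach describes concrete, here is a small standalone implementation of the same idea: a decoy field that real users never see (hidden with CSS, not `type="hidden"`, so bots still treat it as a normal input) and a minimum-time check between rendering and submission. This is an added example, not code from the thread or from the Drupal Honeypot module; the field name `url`, the secret, the 5-second floor and the 24-hour expiry are all assumptions chosen for illustration. The one design point worth noting is that the render timestamp is HMAC-signed, so a bot cannot simply post an old timestamp to satisfy the timing check.

```python
import hashlib
import hmac
import time

# Assumed values for this example; in production the secret comes from
# configuration and is rotated, not hard-coded.
SECRET = b"constructed-demo-secret-do-not-reuse"
HONEYPOT_FIELD = "url"      # a name that looks worth filling in to a bot
MIN_SECONDS = 5             # humans take longer than this to fill a form
MAX_SECONDS = 24 * 3600     # reject forms rendered more than a day ago


def _sign(ts: int) -> str:
    """HMAC over the render timestamp so the client cannot forge it."""
    return hmac.new(SECRET, str(ts).encode(), hashlib.sha256).hexdigest()


def render_form_fields(now: int) -> dict:
    """Fields the server embeds when it renders the registration form.

    The honeypot field is served empty; the CSS below keeps it off-screen
    for people while leaving it in the DOM for form-filling bots.
    """
    return {
        HONEYPOT_FIELD: "",
        "form_ts": str(now),
        "form_sig": _sign(now),
    }


def honeypot_html(name: str = HONEYPOT_FIELD) -> str:
    """Markup for the decoy input (not type=hidden: bots skip those)."""
    return (
        f'<div style="position:absolute;left:-10000px" aria-hidden="true">'
        f'<label for="{name}">Leave this field blank</label>'
        f'<input type="text" id="{name}" name="{name}" '
        f'autocomplete="off" tabindex="-1"></div>'
    )


def check_submission(post: dict, now: int) -> tuple:
    """Return (accepted, reason) for a posted form.

    Order matters only for the reason string; every rejection is treated
    the same way by the caller (drop the registration, optionally log it).
    """
    # 1. Honeypot: any content in the decoy field means a bot filled it.
    if post.get(HONEYPOT_FIELD, "") != "":
        return False, "honeypot filled"

    # 2. Timing: the render timestamp must be present, ours, and old enough.
    try:
        ts = int(post.get("form_ts", ""))
    except ValueError:
        return False, "missing timestamp"
    if not hmac.compare_digest(post.get("form_sig", ""), _sign(ts)):
        return False, "bad signature"
    if ts > now:
        return False, "timestamp in future"
    if now - ts < MIN_SECONDS:
        return False, "submitted too fast"
    if now - ts > MAX_SECONDS:
        return False, "form expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: render, then simulate a human and a bot.
    rendered = render_form_fields(int(time.time()))
    human = {**rendered, "name": "tom", "mail": "tom@example.org"}
    bot = {**human, HONEYPOT_FIELD: "http://example.com/spam"}
    print(check_submission(human, int(time.time()) + 30))  # accepted
    print(check_submission(bot, int(time.time()) + 30))    # honeypot filled
    print(check_submission(human, int(time.time()) + 1))   # submitted too fast
```

Two caveats a practitioner will hit: screen readers and browser autofill can populate a visible-but-off-screen field, so the label text and `autocomplete="off"` matter for real users; and the time floor should stay small (a few seconds) because a legitimate user who opens the form and submits quickly after a page reload is otherwise rejected.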