Recommended releases

Download Released


Protected Forms is a light-weight, non-intrusive spam protection module that enables rejection of all non-admin form
submissions which triggered honeypot trap, failed the minimum threshold or contained undesired language scripts or
preset patterns.

alt Protected Forms

How it works

If a user attempts to add a content that triggers a honeypot field, or of length that is less than set minimum
threshold, or that contains a trigger pattern in the name, subject, body or any other textarea or textfield type
field, then the submission is rejected giving the preset error message.

Roles can be configured to bypass the Protected Forms validation.

The number of rejected submissions is shown on the Reports > Status report (admin/reports/status) page.

The rejected messages are logged and can be viewed on the Reports > Recent log messages (admin/reports/dblog)

If IP address blocking module is enabled, then threshold can be set for
spammers to automatically get banned.


Download and place the recommended version of the module in your website's modules directory, go to the
Functionality page (/admin/modules) and enable the Protected Forms module.

Alternatively, if you have Brush installed, then just run on CLI:

brush -y en protected_forms


Go to the Protected Forms configuration page (/admin/config/content/protected_forms), set the allowed language
scripts, reject message text, and the trigger patterns for rejection.

If you want to protect only anonymous submissions, then make sure to go to Permissions page
(/admin/people/permissions#module-protected_forms) and put a check mark for authenticated user role next to the
Bypass Protected Forms validation option.


Report all the issues on


The Protected Forms module had initially been created for Drupal, then ported to Backdrop by AltaGrade team.