Make Wordpress more difficult to spam
Posted Oct 27th, 2008 by David Calhoun in wordpress
If you’ve ever had a blog, you likely know the pain and frustration of dealing with comment spammers. Especially if you have a Wordpress blog. All of the following is designed to help you out with that.
History
I’ve had a Wordpress blog since 2004, and I found out pretty quick that spammers flock like mad to try to post their links. My first solution was to simply disable links entirely. This worked at first, but then spammers came back in some shape or form and found out how to get around these measures.
So the next solution was to try to get Wordpress to block certain words in comments. For some reason, at the time there was some loophole in the software that still enabled users to make posts with these words, so I made a bit of a hack. The problem was that spammers would keep coming up with all sorts of crazy names of magic medical pills and the sort, and I would have to go in and update my filter list every time.
Turning on moderation was something else I tried, but spam remained a problem, since a large chunk of my time was spent looking for legit comments in the mess of spam comments.
The Solution (err, solutions)!
To a large degree, your comment spam woes can be solved by the positively awesome Wordpress plugin called Akismet. There is a bit of setup involved, as you have to register over at Wordpress.com for your API key after installing. But it’s definitely worth it.
Akismet automatically identified 35,000+ spam comments (!) on my personal blog and only let literally one or two get through unflagged, so it definitely does a great job. But I found that the spam robots don’t know when to stop. They simply keep trying to post comments. As a result, though your blog may be free from spam, your server is under constant strain from comment spammers.
At this point, things start to get a bit more creative…
On the assumption that most spam bots don’t have Javascript enabled, I dynamically added a hidden form field in /wp-content/themes/default/comments.php before </form>:
<?php
echo <<< HTML
<script type="text/javascript" charset="utf-8">
document.write("<input type=\"hidden\" name=\"spamDetect\" value=\"JS\">")
</script>
<noscript>
Due to the bastard spammers, you must now have JavaScript enabled in order to post. Sorry!
</noscript>
HTML;
?>
Then I add the following to the very top of /wp-comments-post.php (after the <?php of course):
if (!isset($_POST['spamDetect'])) {
    echo "You must have Javascript enabled to post comments.";
    exit;
}
I found that this pretty much eliminated spammers from showing up in my Akismet “Spam” tab, while still allowing normal people to post, and even post links! The drawback, of course, is that people without Javascript are completely unable to post comments.
But now my server feels much better - it no longer has to receive spam comments and insert them into MySQL. It simply doesn’t receive them at all.
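The server-side check above passes for any request that includes a spamDetect field, whatever its value. As an added example (not the author's code), here is a variant in which the field carries a server-signed timestamp, so the handler can also reject values it did not issue and posts submitted too quickly or too late; SPAM_TOKEN_KEY, the function names and the 3-second and one-hour limits are assumptions.

```php
<?php
// Added example, not the post's code. SPAM_TOKEN_KEY and the spam_token_*
// function names are hypothetical; the key must be a long random secret.
// hash_equals() needs PHP 5.6 or later.
define('SPAM_TOKEN_KEY', 'replace-with-a-long-random-secret');

// Build "timestamp:hmac" when the comment form is rendered. The value is
// digits, a colon and hex only, so it fits inside the document.write() string.
function spam_token_issue($now = null) {
    $ts = (string) ($now === null ? time() : $now);
    return $ts . ':' . hash_hmac('sha256', $ts, SPAM_TOKEN_KEY);
}

// Accept only a token this server signed, aged $min_age..$max_age seconds.
function spam_token_valid($token, $min_age = 3, $max_age = 3600, $now = null) {
    if (!is_string($token)) {
        return false;                       // missing field or array input
    }
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;                       // malformed
    }
    list($ts, $mac) = $parts;
    $expected = hash_hmac('sha256', $ts, SPAM_TOKEN_KEY);
    if (!hash_equals($expected, $mac)) {    // constant-time comparison
        return false;                       // not signed with our key
    }
    $age = ($now === null ? time() : $now) - (int) $ts;
    return $age >= $min_age && $age <= $max_age;
}

// In comments.php: write spam_token_issue() into the hidden field instead of "JS".
// In wp-comments-post.php, in place of the isset() test:
//   $tok = isset($_POST['spamDetect']) ? $_POST['spamDetect'] : null;
//   if (!spam_token_valid($tok)) { exit; }

// Constructed cases: a token issued at clock 1000, checked at the given clock.
$good = spam_token_issue(1000);
$cases = array(
    'signed, 10 s old'          => array($good, 1010),
    'signed, submitted at once' => array($good, 1000),
    'signed, 2 h old'           => array($good, 1000 + 7200),
    'static value "JS"'         => array('JS', 1010),
    'tampered timestamp'        => array('1009:' . substr($good, 5), 1010),
);
foreach ($cases as $label => $c) {
    echo $label, ': ', spam_token_valid($c[0], 3, 3600, $c[1]) ? 'accept' : 'reject', "\n";
}
```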
An alternative solution, but one I always find annoying from the user’s perspective, is CAPTCHA, specifically reCAPTCHA, which has its own Wordpress plugin. It also has audio CAPTCHA support for non-Javascript users, which is a bit more sensitive than my more drastic solution.
One more thing! All this, save for Akismet, doesn’t stop trackback spam, which doesn’t use the traditional comment form. So you’ll want to install the TrackBack Validator as well.
Summary
- Akismet is awesome for identifying spam. Install it. Use it.
- But spammers will still congest your server, so add more stuff to block them, like the custom code above. And/or install reCAPTCHA.
- Install the TrackBack Validator to prevent comment trackback spam.