WordPress Comment Spam
Sometimes at Christmas we receive an unwanted gift. Usually this takes the form of a garish sweater, pungent bath salts or socks with a reindeer on them. This year I got a hundred comment spams in my blog.
Before this mindless attack, my only defence against comment spam had been to rename my wp-comments-post.php file, as described in Molly’s blog. That worked for a while, but as predicted the spammers were quick to beat it.
This is a real comment spam that I received:
fahtol ayyjeigol.
A spammer’s test run?
A quick and dirty hack is what’s required, so I added the following to the WordPress file wp-comments-post.php, between the existing empty-comment check and the timestamp lines:
if ( '' == $comment )
	die( __('Error: please type a comment.') );

// begin: anti-spam hack
// Only accept a POST whose Referer starts with this blog's own URL.
$safe_referrer = 'http://' . $_SERVER['HTTP_HOST'] . '/weblog/';
// A client may send no Referer at all; treat that as an empty string instead of a PHP notice.
$referrer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
// strncasecmp() returns 0 only when the first strlen($safe_referrer) characters match, case-insensitively.
if ( strncasecmp($safe_referrer, $referrer, strlen($safe_referrer)) ) {
	die( __('Error: Please use the comment form to post comments.') );
}
// end: anti-spam hack

$now = current_time('mysql');
$now_gmt = current_time('mysql', 1);
I intend to install a comment preview plugin to cure this problem for good.
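As an added illustration (not code from the original post or from WordPress), here is a Python port of the Referer check above, run against four constructed requests: a reader who used the comment form, a bot that sends no Referer, the same bot after it forges one, and a reader whose browser or firewall strips the header. The host example.com, the /weblog/ path and every sample request are assumptions.

```python
"""Added example (not code from the original post or from WordPress): a
Python port of the Referer check in the wp-comments-post.php hack, run
against constructed HTTP requests to show what it does and does not stop.
Host 'example.com', path '/weblog/' and all requests are assumptions."""


def server_vars(raw_request):
    """Turn a raw HTTP request head into PHP-style $_SERVER keys (HTTP_HOST,
    HTTP_REFERER, ...), which is all the hack reads.  Only the two named
    keys matter here; the others are included for realism."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    server = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        if not line:
            continue
        name, _, value = line.partition(":")
        key = "HTTP_" + name.strip().upper().replace("-", "_")
        server[key] = value.strip()
    return server


def passes_referrer_check(server, safe_path="/weblog/"):
    """Mirror of the PHP snippet: build the expected prefix from HTTP_HOST and
    compare it case-insensitively over strlen($safe_referrer) characters,
    as strncasecmp() does.  True means the comment would be accepted."""
    safe_referrer = "http://" + server["HTTP_HOST"] + safe_path
    referrer = server.get("HTTP_REFERER", "")     # PHP raises a notice when unset
    n = len(safe_referrer)
    # A Referer shorter than the prefix yields a shorter slice and so fails, as in PHP.
    return referrer[:n].lower() == safe_referrer[:n].lower()


def post(headers, body="author=x&comment=fahtol+ayyjeigol."):
    """Assemble a constructed POST to wp-comments-post.php with extra headers."""
    lines = ["POST /weblog/wp-comments-post.php HTTP/1.1", "Host: example.com"]
    lines += ["%s: %s" % kv for kv in headers.items()]
    lines += ["Content-Type: application/x-www-form-urlencoded",
              "Content-Length: %d" % len(body), "", body]
    return "\r\n".join(lines)


# Constructed sample traffic (not real captures).
REQUESTS = {
    # A reader who actually used the comment form on a post page.
    "browser": post({"Referer": "http://example.com/weblog/2004/12/comment-spam/"}),
    # A spambot that POSTs blindly and sends no Referer at all.
    "naive_bot": post({}),
    # The same bot after one extra line sets the header: the check is satisfied.
    "forging_bot": post({"Referer": "http://EXAMPLE.COM/weblog/"}),
    # A real reader whose browser or personal firewall strips Referer.
    "privacy_reader": post({"User-Agent": "Mozilla/5.0"}),
}


def verdicts():
    """Run the check over every sample request; True = comment accepted."""
    return {name: passes_referrer_check(server_vars(raw))
            for name, raw in REQUESTS.items()}


if __name__ == "__main__":
    for name, accepted in verdicts().items():
        print("%-15s %s" % (name, "accepted" if accepted else "rejected"))
```

The Referer header is chosen by the client, so the forging bot passes for the price of one extra line in its script, while the privacy-conscious reader is turned away. That is the whole reach of the check: it stops bots that have not yet bothered to set the header, and nothing more.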
Comments (12)
Comment: #1
I’m almost afraid to even allow comments on my blog from fear of spam. Those bastards will pay.
I’ve had trouble implementing Simon’s blacklist, but I do have a different feature: I examined some comment spams and looked for common phrases, and banned those phrases. The RegEx looks like this:
Not sure how well it will work, though.
Comment: #2
Maybe a required preview can stop them some more? I do not have any spam at all. (Admitted, I have a markup validator as well.)
Comment: #3
I had no spam at all on WordPress until a few weeks ago when some spammer managed to get through. I started using the Three strikes plugin and haven’t had a single piece of spam since.
Comment: #4
I think modern-day spambots only post and don’t look at what they’re getting back… that could explain why Anne and I don’t get spam, as we use a preview which requires valid markup.
(We’re using a slightly different version of the preview script you linked to.)
Comment: #5
Note that $_SERVER[‘HTTP_REFERER’] doesn’t give any guarantees. Spammers mostly use web servers to run their script from, and for example a PHP script can easily send an HTTP header with a fixed HTTP_REFERER to fool your spam shield.
And on the other hand, sometimes browsers just don’t send the referer header, thus making it impossible to place a comment on your blog.
Comment: #6
I have to second Willem. Many personal firewalls offer the option to not send any referrers in order to improve privacy.
Comment: #7
There’s an error in the code above. You’re missing a close parenthesis after ‘strlen($safereferrer)’.
Comment: #8
OK. In light of the comments above, I’m going to implement the comment preview plugin mentioned in my original post.
Comment: #9
Have you tested Exchange’s New Spam Filter?
Comment: #10
I just got a very similar one. In this case though, it was trackback spam. Oh joy, another form of crap to deal with :o(
Comment: #11
I’m using Blogger and they have a way where they punch in a turnkey code… has anyone seen something similar to it for WP?
Comment: #12
Hi, I use a thing called Bad Behaviour that seems to work great on my WordPress blogs. Has anyone else used this?