Hiding Spam Comments

Thanks to an article from SANS ISC, I have been working for the past two weeks on a new spam-reduction technique for WordPress.

It’s really simple, only 2 lines of code, really.
The first is in the comments.php page (if your custom theme doesn’t have this file, use the one from the default theme).

Around line 80 (right before the comment author, etc. fields), I added the following line:
<input type="text" name="subject" id="subject" value="" size="22" style="display: none;" />

On wp-comments-post.php in the blog home directory, I changed the following line:
$comment_id = wp_new_comment( $commentdata );
to:
if(empty($_POST['subject'])) { $comment_id = wp_new_comment( $commentdata ); } // execute comment if "subject" field is empty

Since the “subject” field has the display:none; style, it is hidden from the regular blog reader. But most comment spam is posted by bots, not people. The bot will “see” this field and populate it with data.

Since this field now has data, it is not empty, and the actual commenting action will not happen.
All this from one extra line of html and a single “if” statement.
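
The following is an added example, not code from the original post: a stricter form of the hidden-field check, run over constructed sample submissions next to the post's empty() test. The function name honeypot_tripped and the sample data are hypothetical; only the field name "subject" comes from the post.

```php
<?php
// Added example: stricter version of the hidden-field check described above.
// HONEYPOT_FIELD matches the input name used in the post; the rest is assumed.
const HONEYPOT_FIELD = 'subject';

/**
 * Return true when the hidden field was filled in, i.e. the comment
 * should be dropped. Unlike empty(), the string "0" and array values
 * (subject[]=x) count as filled; whitespace-only input does not.
 */
function honeypot_tripped(array $post): bool
{
    if (!array_key_exists(HONEYPOT_FIELD, $post)) {
        return false; // field absent, e.g. a cached copy of the old form
    }
    $value = $post[HONEYPOT_FIELD];
    if (!is_string($value)) {
        return true;  // the real form only ever sends a string here
    }
    return trim($value) !== '';
}

// Constructed sample submissions (not real traffic).
$samples = [
    'human, field left blank' => ['author' => 'Ann', 'comment' => 'Nice post', 'subject' => ''],
    'bot fills every input'   => ['author' => 'x', 'comment' => 'buy now', 'subject' => 'Great site'],
    'value "0"'               => ['author' => 'x', 'comment' => 'buy now', 'subject' => '0'],
    'array-valued parameter'  => ['author' => 'x', 'comment' => 'buy now', 'subject' => ['a']],
    'cached form, no field'   => ['author' => 'Bob', 'comment' => 'Hello'],
];

foreach ($samples as $label => $post) {
    $old = !empty($post['subject']);   // the post's check, expressed as "tripped"
    $new = honeypot_tripped($post);
    printf("%-26s empty() check: %-5s strict check: %s\n", $label,
        $old ? 'drop' : 'allow', $new ? 'drop' : 'allow');
}
```

The two checks differ only on the value "0", which PHP's empty() treats as empty.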

I decided to let both my blog and Sonny’s run for a week, to see how much spam we got, then to “turn on” the new spam filter and see how much spam we accrued in a week.

I started at 12:30pm on 11.08.06, with both blogs using a plugin called Akismet which would “tag” the spam, but not delete it.

One week later (12:30pm, 11.15.06), I had accrued 201 spam comments, while Sonny, on the other hand, racked up 1423 spam comments. Today, one week after the initial measurement, I had 10 spam comments, compared to Sonny’s 953.

Why were my numbers both before and after so much lower than Sonny’s? I don’t know. I’m guessing it has to do with cached pages. Either way, the reduction is significant.
And down the road, since bot writers may or may not pick up on this method, you can define the hidden attributes as a CSS style (in the header or something, called “form”, for example) and put class="form" on the hidden input, or maybe even apply the style to a div or span tag that wraps around the input, etc.

Anyway, I’m going to start building this functionality into other web apps I write. Hopefully you’ll do something along the same lines.

3 comments

  1. WordPress Trackback Spam!!!
    I have installed plugins that prevent comment spam, but this won't prevent trackback to be blocked. I've been spammed by many
    MFA websites that are most probably from the same network with trackback, but they are not linking me on their website. May I
    know how they do it and how do I stop it? Without disabling trackback?
    Thanks, and I'm using WordPress.
