So, one of the issues I've seen with comment spam is the bots' use of cached versions of blog pages. While my new spam reduction method was pretty effective, it did nothing whatsoever to stop spam submitted from cached pages.
Since the older cached pages didn't have the bait field, the bot submitted no value for it, the check passed, and the comment was posted.
This could be an issue. So I created a new, "hidden" field on the comments page. It looks something like this:
<input name="cache" value="442588497e34d3313cdc493a9ae0963c" type="hidden" />
Initially, I had the cache value set to "1", but I realized that value would itself get cached, which makes it useless against future cached versions. So I needed a value that changes daily, automatically.
So, in the wp-config.php file, I added the following lines:
// 'Cache Buster': extra secret data so that the md5 checksum generated in the
// comment form can't be reverse-engineered. The WordPress installer would
// auto-fill this with a random value (e.g. the output of rand()).
define('COMMENTCACHE', 'This is where the extra data goes.');
So the value you see above, 442588497e34d3313cdc493a9ae0963c, is the md5 hash of the current date (YYYYMMDD) concatenated with the COMMENTCACHE constant, i.e. the md5 of: 20061206This is where the extra data goes.
And on the backend, I modified the wp-comments-post.php file from:
if(!$_POST['subject']) { // execute comment
    $comment_id = wp_new_comment( $commentdata );
}
to:
if( !$_POST['subject'] && isset($_POST['cache'])
    && $_POST['cache'] === md5(date('Ymd') . COMMENTCACHE) ) { // execute comment
    $comment_id = wp_new_comment( $commentdata );
}
So now we have a value that changes daily, is generated automatically, and can't be produced by a bot working from a cached copy of the page (it doesn't know the extra data, so it can't compute the next day's hash). That completely stops spam submitted from cached content sources. Note the limit of what it does: a bot that fetches the live page gets a value that stays valid for the rest of that day, so this is a fix for cached-page spam specifically, not a replacement for the hidden bait field. The check also fails for a form loaded shortly before midnight and submitted just after it, since the expected hash has rolled over by then.
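To make the mechanism concrete, here is an added example that is not code from the post or from WordPress. It mirrors the PHP logic in Python so it can be run stand-alone: the token is md5(YYYYMMDD . secret) exactly as described above, the server check requires the bait field to be empty and the token to match, and it goes one step beyond the post by accepting the previous day's token as well, so a form loaded just before midnight is not rejected. The COMMENTCACHE string, the form submissions and the dates are constructed for the demonstration, and the function names are my own.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Stand-in for the wp-config.php constant; a real deployment would use a
# random string such as generate_secret() below.
COMMENTCACHE = "This is where the extra data goes."


def generate_secret() -> str:
    """Random 'extra data' suitable for COMMENTCACHE (hypothetical helper)."""
    return secrets.token_hex(16)


def cache_token(secret: str, day: date) -> str:
    """md5(YYYYMMDD . secret): the value the post embeds in the hidden field."""
    return hashlib.md5((day.strftime("%Y%m%d") + secret).encode()).hexdigest()


def render_form(secret: str, day: date) -> dict:
    """What the comment form contains on a given day: an empty bait field
    ('subject') and the daily cache token. Returned as a dict standing in
    for the HTML a browser or bot would see."""
    return {"subject": "", "cache": cache_token(secret, day)}


def accept_comment(post: dict, secret: str, today: date, grace_days: int = 1) -> bool:
    """Server-side check from wp-comments-post.php, with two refinements:
    a missing 'cache' field is rejected rather than raising, and tokens for
    the last `grace_days` days are still accepted (midnight rollover)."""
    if post.get("subject"):            # bait field filled in: a bot
        return False
    token = post.get("cache", "")
    for back in range(grace_days + 1):
        expected = cache_token(secret, today - timedelta(days=back))
        # constant-time comparison instead of PHP's loose ==
        if hmac.compare_digest(token, expected):
            return True
    return False


def simulate(secret: str = COMMENTCACHE, today: date = date(2006, 12, 6)) -> dict:
    """Replay the scenarios from the post against the check. Dates and
    submissions are constructed, not real traffic."""
    live = render_form(secret, today)                      # bot fetches the live page
    stale = render_form(secret, today - timedelta(days=5)) # bot replays a 5-day-old cache
    yesterday = render_form(secret, today - timedelta(days=1))  # human loaded at 23:59
    old_cache = {}                                        # cache predating the field
    bait_filled = dict(live, subject="buy stuff")         # bot fills every field

    return {
        "live_page": accept_comment(live, secret, today),
        "stale_cache": accept_comment(stale, secret, today),
        "midnight_rollover": accept_comment(yesterday, secret, today),
        "pre_field_cache": accept_comment(old_cache, secret, today),
        "bait_filled": accept_comment(bait_filled, secret, today),
    }


if __name__ == "__main__":
    for scenario, accepted in simulate().items():
        print(f"{scenario:18s} -> {'accepted' if accepted else 'rejected'}")
```

The stale-cache and pre-field-cache cases are the ones the post sets out to block, and both are rejected; the live-page case shows why the bait field is still needed. Swapping `cache_token` for an HMAC (`hmac.new(secret, day_bytes, "sha256")`) is a drop-in change if md5 is a concern, since nothing else depends on the hash function.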
So here are the numbers from the spam tests, going from no method, to the hidden-field method, to hidden field + cache method:
Sonny: 1423 -> 953 -> 190
Me: 201 -> 10 -> 4
It looks to be effective enough overall to be submitted to WordPress for inclusion in their next revision. And yes, I have changed my 'extra data'. ;)