Preventing WordPress comment spam

There seems to be an easy way to prevent a significant amount of WordPress comment spam.

The majority of spam comments nowadays come with either a bunch of URLs, or with a generic message such as:

Hi there! Just discovered your site while i was browsing and i must say that i found it quite interesting! I hope you don’t mind if i return here from time to time and check your content.

Those messages usually do not have any URLs. The spammer attempts to achieve their goal by filling in the “Website” comment field so that it points to their spam site.

The easiest solution seems to be just to remove this field from the comment form. This could be achieved in one of the following ways, and neither of them reduces the spam:

  • Remove the Website field from the comment form. This doesn’t change anything, since most spammers use software that doesn’t even look at the comment form and just sets the fields which “should be there”. And since the WordPress code still handles the “url” field, the spam comment gets through the same way as before.
  • Remove the url field from the comment form altogether, in the hope that the spammers would see their added comments come with no website, so they’re useless for the purpose, and will leave you alone. Again, this is not how spammers work: they do not track posted comments (most of which get removed in seconds anyway), so it does not reduce spam. If you’re using Akismet it also comes with a major disadvantage: the website field is a major source for spam detection, so comments with the same content but without this field set are not detected as spam anymore.

So the idea is to turn the spammers’ logic against them.

First, we disable (but do not hide) the Website comment field by adding the disabled attribute to the field’s input tag. This could be done by changing wp-includes/comment-template.php the following way:

                'url'    => '<p class="comment-form-url"><label for="url">' . __( 'Website' ) . '</label>' .
                            '<input id="url" name="url" type="text" disabled value="' . esc_attr( $commenter['comment_author_url'] ) . '" size="30" /></p>',

The disabled attribute is added between the type="text" and value attributes.

Second, we refuse any comment which still contains the Website field. Regular users cannot enter a website anyway (the field is disabled), but the spam bots ignore this restriction, so the only entities able to pass a non-empty Website field are the spam bots. So we check whether a new comment comes with a non-empty Website field and block it. This could be achieved by hooking into the WordPress system to intercept a new comment being posted.

To do so, add the following code to wp-content/<your theme name>/functions.php:

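// Runs on the pre_comment_on_post action, which passes the ID of the post being commented on.
function must_have_no_url_field( $comment_post_id )
{
        // The Website field is disabled in the form, so a non-empty value can only come from a bot.
        if ( !empty( $_POST['url'] ) )
        {
              // Stop the request before the comment is stored.
              wp_die( "Spammers not welcome here" );
        }
}

// Call the check each time a new comment is submitted.
add_action( 'pre_comment_on_post', 'must_have_no_url_field' );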

This function is called each time a new comment is posted, and prevents comments with a non-empty Website field from appearing. At the same time it keeps the value of this field intact when submitting the comments to Akismet, therefore keeping the spam detection rate high while preventing the comments which slipped through from being posted.
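
Both steps can also live entirely in the theme's functions.php, in place of the two edits above, so that nothing under wp-includes (which a WordPress update replaces) has to be changed. This is an added example, not the original post's code: the function names are hypothetical, step 1 relies on the comment_form_default_fields filter that comment_form() applies to its default fields, and the 403 status in step 2 is an assumption layered on the original check.

```php
<?php
// Added example, not the original post's code. Function names are hypothetical.

// Step 1: add "disabled" to the Website input through the filter that
// comment_form() applies to its default fields; wp-includes stays untouched.
function example_disable_comment_url_field( $fields ) {
    if ( isset( $fields['url'] )
        && ! preg_match( '/<input\b[^>]*\sdisabled\b/', $fields['url'] ) ) {
        $fields['url'] = preg_replace(
            '/<input\b([^>]*\bname="url")/',
            '<input disabled$1',
            $fields['url'],
            1 // only the first matching tag
        );
    }
    return $fields;
}
add_filter( 'comment_form_default_fields', 'example_disable_comment_url_field' );

// Step 2: a browser does not submit a disabled input, so a request that
// still carries a non-blank "url" value did not come from the rendered form.
function example_reject_comment_with_url( $comment_post_id ) {
    if ( isset( $_POST['url'] ) && is_string( $_POST['url'] )
        && '' !== trim( $_POST['url'] ) ) {
        // Assumption: answer with 403 instead of wp_die()'s default 500.
        wp_die(
            'Spammers not welcome here',
            'Comment rejected',
            array( 'response' => 403 )
        );
    }
}
add_action( 'pre_comment_on_post', 'example_reject_comment_with_url' );
```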
