Easy effective control of comment spam

MacManX posted a comment spam strategy on the WordPress Beta discussion site the other day which caught my attention.

In the post he said he uses a plugin called WP-HashCash. The main advantage of this plugin is “it requires no maintenance or intervention on my part, and it’s invisible to my readers”.

He went on to explain:

WP-HashCash uses an encrypted hidden field. You must have JavaScript enabled to decode the encrypted field (most bots don’t use JavaScript) and must have entered the comment from the actual post link to generate the correct value for the field. So, if a bot either didn’t have JavaScript or directly visited wp-comments-post.php, the comment would simply not go through. No deleting, no moderation, it just never existed.

Intrigued at the prospect of a maintenance-free spam solution and taking him at his word on its efficacy, I have installed WP-HashCash and disabled Spam Karma.

I found I was having a couple of niggling issues with Spam Karma and since its developer, Dr. Dave, announced he has frozen development of Spam Karma, the decision to switch wasn’t a hard one.

I am combining this with the blacklist feature of WordPress 1.5 (which will require a little maintenance) and I am moderating comments until I am confident that WP-HashCash is the solution I have been looking for.

Roll on a spam-free blogging experience!
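A minimal model of the hidden-field check described in the quoted explanation, run under Node.js, as an added example that is not WP-HashCash's code and not part of the original post. The function names, the HMAC-signed challenge format, the one-hour lifetime and the SHA-256 answer are all assumptions made for illustration.

```javascript
// Added illustration; every name and the token format are hypothetical.
const crypto = require("crypto");

const SERVER_SECRET = "constructed-demo-secret"; // constructed value
const MAX_AGE_MS = 60 * 60 * 1000;               // a rendered form is valid for one hour
const usedNonces = new Set();                    // in-memory for the demo only

const hmac = (msg) =>
  crypto.createHmac("sha256", SERVER_SECRET).update(msg).digest("hex");

// Server: value written into the hidden field when the post page is rendered.
// postId is assumed to be numeric, so it cannot contain the "." separator.
function issueChallenge(postId, now = Date.now()) {
  const body = `${postId}.${now}.${crypto.randomBytes(8).toString("hex")}`;
  return `${body}.${hmac(body)}`;
}

// Client: the page script derives the answer from the hidden field.
// A client that never loads the page or never runs the script has nothing to send.
function solveChallenge(challenge) {
  return crypto.createHash("sha256").update(challenge).digest("hex");
}

// Server: run by the comment handler before anything is stored.
function verifyComment(postId, form, now = Date.now()) {
  const { challenge, answer } = form;
  if (typeof challenge !== "string" || typeof answer !== "string") return "missing-field";
  const parts = challenge.split(".");
  if (parts.length !== 4) return "malformed";
  const [id, issued, nonce, tag] = parts;
  const got = Buffer.from(tag);
  const want = Buffer.from(hmac(`${id}.${issued}.${nonce}`));
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return "forged";
  if (id !== String(postId)) return "wrong-post";   // field came from another post's page
  if (now - Number(issued) > MAX_AGE_MS) return "expired";
  if (answer !== solveChallenge(challenge)) return "wrong-answer";
  if (usedNonces.has(nonce)) return "replayed";     // one comment per rendered form
  usedNonces.add(nonce);
  return "ok";
}
```

A client that fetches the form and runs the same computation still passes, which is the limitation raised in the comments below; the check filters clients that skip the page script and is not proof of a human.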

7 thoughts on “Easy effective control of comment spam”

  1. This sounds interesting, just out of curiosity 2 things: 1) Could someone navigate and comment on WordPress without JavaScript if this wasn’t installed and 2) Any idea what stats are for non-JavaScript browsers and browsing with JavaScript turned off?


  2. In short – no and no!

    To expand a little, it is not possible to submit comments without going through the form, and this requires JS so bots can’t submit afaik.

    And afaik, the figures for people browsing with JS off are in the region of 8%. My thinking here is if people have figured how to turn it off, they know how to turn it back on if they want to comment!

    It might be a good idea to put a note somewhere on the comment page, though, saying JS is required to comment.

  3. Mmm… And what about a spammer that just has a Perl script with an md5 function that actually reads the page, gets the field value, calculates the md5 and sends the spam message?

    Just curious.

  4. Hi Diego,

    thanks for the comment.

    In the first place, the plugin requires the commenter to have JavaScript enabled and then, if they get past that, I still moderate comments to ensure that no spam is published from this site.

    I don’t like having to do this – I would like people to see their comments published immediately but, to be honest, I think this is the only way to be sure I don’t publish spam.



  5. So how is WP-HashCash working out? I figure three weeks is enough to tell. Are you still having to moderate comments?

    (And where did you get the neat code buttons for comments?)

  6. Hey Diane,

    In another experiment, I decided to try turning off Hashcash last week.
    Up until then, it was working out great. I had it combined with moderation – then without moderation, now I’m flying solo. No plugins, no moderation and no spam. I put it down to a combination of my .htaccess file and my population of the blacklist.

    The code buttons are a plugin called Comment Quicktags.

  7. Interesting, Tom. I’m a little tired of comment moderation, and will probably be using your tips in the next week or so. (And thanks for the Comment Quicktags link.)
