[wp-hackers] Simple comment spam experiment

Otto otto at ottodestruct.com
Wed Apr 16 14:20:22 GMT 2008


I got curious about the WP-Spamfree plugin a while back, so decided to do a
little experiment of my own.

WP-Spamfree basically blocks spam by doing the following:
1. Inserts a javascript into the comment space that, when run, sets a
cookie.
2. Checks the cookie when a comment is submitted, and kills the comment if
no cookie is found.

Simple solution, albeit not really a way of checking "spam". Still, I was
curious, so I implemented my own little version in a much simpler way:

In my theme's comments.php
<input type="hidden" name="some_random_name" value="1" />

Near the top of wp-comments-post.php
// Read the hidden field; treat a missing field as 0 so a direct POST to this
// script (no form loaded) fails the check without throwing a notice.
$nospam = isset($_POST['some_random_name']) ? (int) $_POST['some_random_name'] : 0;
if (!$nospam) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}

Easy, yeah? Simple check for an extra form field, quick death if it's not
there.

I also disabled Bad Behavior, to let the deluge in and see what happened.

Results after a month or so:
- Instant drop in comment spam. I mean *instant*. It went from several
hundred a day to zero.
- Large drop in CPU load, since I put this before any of the other PHP code
loaded.
- Regular comments have continued with no issues or complaints or any
noticeable decline in quantity.
- Akismet still catches lots of trackback spam (since I'm not doing anything
about that), but the number of spam comments I've had since putting this in
is in the single digits.

Conclusion:
Spammers, for the most part, are not loading the comments form and using it.
They're merely hitting a list of sites and the wp-comments-post.php file
directly. Renaming this file and adjusting accordingly has much the same
effect as using a hidden field, of course.

Question: Could nonces be used for this sort of thing? Or something similar
that would be a bit more secure than a simple field like this?
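Added example (not part of Otto's post, and not WP-Spamfree's or WordPress's own code): one answer to the nonce question is to replace the fixed value="1" field with a token the server can actually verify: the post ID plus the time it was issued, an HMAC over both under a per-site secret, and an expiry. WordPress core's wp_nonce_field()/wp_verify_nonce() give the same shape built in; the hand-rolled version below is self-contained so it runs from the PHP CLI (7.1 or later). The field names comment_token and comment_post_ID, the secret, the TTL and the timestamps in the demonstration are assumptions made for the example.

```php
<?php
// Added example, not Otto's code. Signed, expiring comment token in place of
// the static hidden field. The secret below is a placeholder (assumption).

const COMMENT_TOKEN_SECRET = 'replace-with-a-random-per-site-secret';
const COMMENT_TOKEN_TTL    = 12 * 3600;   // tokens older than 12 hours are rejected

// Token embedded in the form: "<post id>|<issue time>|<hmac over both>".
function comment_token_create(int $post_id, ?int $now = null): string {
    $now = $now ?? time();
    $msg = $post_id . '|' . $now;
    $mac = hash_hmac('sha256', $msg, COMMENT_TOKEN_SECRET);
    return $msg . '|' . $mac;
}

// Verification on submission: true only if the MAC matches, the token was
// issued for this post, and it is not older than the TTL.
function comment_token_verify(string $token, int $post_id, ?int $now = null): bool {
    $now   = $now ?? time();
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return false;
    }
    list($tok_post, $issued, $mac) = $parts;
    if (!ctype_digit($tok_post) || !ctype_digit($issued) || (int) $tok_post !== $post_id) {
        return false;
    }
    $expected = hash_hmac('sha256', $tok_post . '|' . $issued, COMMENT_TOKEN_SECRET);
    if (!hash_equals($expected, $mac)) {     // constant-time comparison
        return false;
    }
    $age = $now - (int) $issued;
    return $age >= 0 && $age <= COMMENT_TOKEN_TTL;
}

// What goes in comments.php, replacing the fixed hidden field.
function comment_token_field(int $post_id): string {
    return '<input type="hidden" name="comment_token" value="'
         . htmlspecialchars(comment_token_create($post_id), ENT_QUOTES) . '" />';
}

// What goes near the top of wp-comments-post.php. $post stands in for $_POST;
// comment_post_ID is assumed to be the form's post-ID field name.
function comment_gate(array $post, ?int $now = null): bool {
    $token   = isset($post['comment_token'])   ? (string) $post['comment_token']   : '';
    $post_id = isset($post['comment_post_ID']) ? (int)    $post['comment_post_ID'] : 0;
    if (!comment_token_verify($token, $post_id, $now)) {
        // In the real script: header('HTTP/1.1 403 Forbidden'); exit;
        return false;
    }
    return true;
}

// Demonstration with constructed input (fixed clock so results are reproducible).
$issued = 1700000000;
$good   = comment_token_create(42, $issued);

var_dump(comment_token_verify($good, 42, $issued + 60));          // true:  fresh, right post
var_dump(comment_token_verify($good, 43, $issued + 60));          // false: bound to post 42
var_dump(comment_token_verify($good, 42, $issued + 2 * 86400));   // false: expired
var_dump(comment_token_verify('42|1700000000|deadbeef', 42, $issued)); // false: forged MAC
var_dump(comment_gate(['comment_post_ID' => 42], $issued));       // false: direct hit, no token
var_dump(comment_gate(['comment_post_ID' => 42, 'comment_token' => $good], $issued + 60)); // true
```

The caveat is the same one Otto makes about the cookie approach: this proves only that the submitter fetched the form for that post within the TTL, so a spammer who scrapes the form before posting passes either check. What the token adds over the fixed field is that a value harvested once cannot be replayed indefinitely or against other posts, and renaming the field or script is no longer needed to keep the check working.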

