David Van Brink // Thu 2006.12.14 14:44 // {wordpress}

Cheap Captcha for WordPress

I don’t know about you, but lately I have been getting dozens of spam WordPress comments. It was enough that it overwhelmed the occasional real comment (hopefully I haven’t deleted yours).

Experimental Solution
I forget where I heard of this, probably someone linked from Dan Jalkut’s Red Sweater, but they mentioned adding a simple “type this” field to the comments form. So, I finally went ahead and implemented just that. For mine, I added a required field asking that you type “hormel”.

The diff below is against dreamhost’s servers’ time-based .snapshot directory, which is here used as an incredibly weak revision control system, but adequate, sort of, for now. I’ve added it to several blogs with different versions of WordPress; the line numbers vary but the text remains the same.

[polyomino@gage] ~/subservientastronaut.com/blog: diff \
	wp-content/themes/default/comments.php \

+ <!-- the "hormel" hack is always shown, even to logged-in users -->
+ <p><input type="text" name="sekrit" id="sekrit" value="" size="22" tabindex="4" />
+ <label for="sekrit"><small>The word hormel (required)</small></label></p>
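Review bot: the `<label>` on this `<p>` prints the expected answer ("The word hormel") right next to the `sekrit` input, so any bot that parses the form can fill the field straight from the markup; this stops scripts that only POST a fixed set of field names, not ones that read the page first. Also, `tabindex="4"` is hard-coded while the theme's other inputs are not shown here, so it may collide with their tab order; either drop the attribute or pick a value that follows the theme's existing sequence.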

[polyomino@gage] ~/subservientastronaut.com/blog: diff \
	wp-comments-post.php \

+ $comment_sekrit       = trim($_POST['sekrit']);
+ if($comment_sekrit != "hormel")
+               die( __('Thank you for your hormel product, robot!') );
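Review bot: `$_POST['sekrit']` is read without an `isset` check, so a POST that omits the field (exactly what a dumb bot sends) raises an undefined-index notice before the comparison rejects it; use `$comment_sekrit = isset($_POST['sekrit']) ? trim($_POST['sekrit']) : '';`. The comparison is also case-sensitive, so a reader who types "Hormel" gets the robot message; lower-casing with `strtolower()` before comparing avoids that. The hunk carries no context lines, so it cannot be confirmed from here that the `die()` runs before the comment is inserted into the database; it has to sit above the insert or the spam is stored anyway.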

The result is that the comment form includes a box like so:

[Screenshot: the “Leave a Reply” form with the extra “The word hormel (required)” field]

Experimental Results

Over four days, the number of spam comments dropped from many dozens to just one. How did that one get through? Are they on to this?? Arrgh! The problem with security like this is that it only works until lots of people use it, at which point it becomes noticeable enough that the robots evolve to their next stage.

Of course, this does nothing to address a far more profound and fundamental issue: I aspire to have a readership who don’t think I need Viagra!

2006.12.15 disabled trackback.php, and spam seems to have dropped to nothing. If it returns, I’ll activate akismet…
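The fixed word above fails the moment a bot learns it, which is the weakness the results section worries about. One way to keep the idea but remove the static answer is to issue a fresh challenge on every page load and bind the expected answer to the page with an HMAC, so the server stores nothing and the answer never appears in the HTML. The code below is an added example written for this page, not the post's own patch or anything shipped with WordPress; it assumes a site secret `$secret` kept outside the web root, an illustrative `$words` list, the field names `sekrit` and `sekrit_token`, and PHP 5.6 or later for `hash_equals()`. Run from the command line it demonstrates a correct answer, a stale replay of the bare word, and a tampered token.

```php
<?php
// Added example (not from the original post or WordPress): a stateless
// per-request challenge replacing the fixed word "hormel".
// Assumptions: $secret is a site-local value kept outside the web root;
// the $words list and the field names are illustrative; PHP >= 5.6.

$secret = 'change-me-to-a-long-random-value';        // assumed site secret
$words  = array('hormel', 'polyomino', 'astronaut'); // illustrative list

// Pick a word and a transformation, compute the expected answer, and
// seal answer+timestamp in an HMAC. Only the prompt and the sealed token
// reach the browser; the expected answer itself is never emitted.
function make_challenge($secret, $words) {
    $word     = $words[mt_rand(0, count($words) - 1)];
    $mode     = mt_rand(0, 1) ? 'backwards' : 'in capitals';
    $expected = ($mode === 'backwards') ? strrev($word) : strtoupper($word);
    $issued   = time();
    $mac      = hash_hmac('sha256', $expected . '|' . $issued, $secret);
    return array(
        'prompt' => 'Type the word "' . $word . '" ' . $mode,
        'token'  => $issued . '.' . $mac,
    );
}

// Form fragment for comments.php; the token travels in a hidden input.
function render_field(array $c) {
    return '<p><input type="text" name="sekrit" id="sekrit" value="" size="22" />'
         . '<input type="hidden" name="sekrit_token" value="'
         . htmlspecialchars($c['token'], ENT_QUOTES, 'UTF-8') . '" />'
         . '<label for="sekrit"><small>'
         . htmlspecialchars($c['prompt'], ENT_QUOTES, 'UTF-8')
         . ' (required)</small></label></p>';
}

// Recompute the HMAC over the submitted answer and the timestamp from the
// token; it matches only if the answer is the one sealed at issue time.
// Tokens older than $max_age seconds are refused so a harvested pair
// cannot be replayed indefinitely. Comparison is case-sensitive because
// "in capitals" is part of the task.
function verify_answer($secret, $answer, $token, $max_age = 3600) {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    list($issued, $mac) = $parts;
    if (time() - (int)$issued > $max_age) {
        return false;
    }
    $answer = trim($answer);
    if ($answer === '') {
        return false;
    }
    $expected_mac = hash_hmac('sha256', $answer . '|' . $issued, $secret);
    return hash_equals($expected_mac, $mac);
}

// Assumed wiring for wp-comments-post.php, in place of the fixed-word check
// from the post. isset() keeps a bot's field-less POST from raising notices.
function check_comment_post($secret, array $post) {
    $answer = isset($post['sekrit'])       ? $post['sekrit']       : '';
    $token  = isset($post['sekrit_token']) ? $post['sekrit_token'] : '';
    return verify_answer($secret, $answer, $token);
}

// Stand-alone demonstration from the command line.
if (PHP_SAPI === 'cli') {
    $c = make_challenge($secret, $words);
    echo $c['prompt'], "\n";

    // What a human (or a bot that actually reads the prompt) must do.
    preg_match('/"([^"]+)" (backwards|in capitals)/', $c['prompt'], $m);
    $human = ($m[2] === 'backwards') ? strrev($m[1]) : strtoupper($m[1]);

    $cases = array(
        'correct answer'     => array('sekrit' => $human, 'sekrit_token' => $c['token']),
        'bare word replayed' => array('sekrit' => $m[1],  'sekrit_token' => $c['token']),
        'tampered token'     => array('sekrit' => $human, 'sekrit_token' => '0.' . substr($c['token'], 11)),
        'field omitted'      => array(),
    );
    foreach ($cases as $label => $post) {
        echo str_pad($label, 20), check_comment_post($secret, $post) ? 'accepted' : 'rejected', "\n";
    }
}
```

Because the HMAC covers the submitted answer rather than the word on the page, a bot that scrapes the label learns only the base word; it still has to parse the instruction and apply the transformation, which is the "variations" idea raised in the comments below, with the added property that the variation changes on every load. The secret must genuinely be secret: anyone who knows it can mint valid tokens for any answer.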

Kent // Thu 2006.12.14 15:31

Have you enabled Akismet? It usually comes by default with WordPress; you just need a WordPress.com API key. It’s catching all spam on my own blog.


Daniel Jalkut // Thu 2006.12.14 22:35

Definitely agree that Akismet is worth a shot. It catches literally thousands of spam on my blog.

David Van Brink // Thu 2006.12.14 23:32

Kent! Great to hear from you! I found your music-ish blog too. I’ll be ’round.

Thanks for the recommendations for akismet; it is indeed one of the available plugins listed and I have my new WordPress API key ready and waiting. Perhaps I’ll activate it…

But I made the one further step of disabling trackback (apparently a fairly-used back-door for WordPress spam) and the rate seems to have dropped to *zero*. Maybe that will do the trick. Maybe not. Meanwhile, making you type a funny word amuses me.

I am guilty of hubris & NIH, galore. No question of it.

Douglas // Sun 2006.12.17 23:08

Dude, just do Akismet.

Kent Sandvik // Sat 2006.12.30 21:31

Trackbacks are actually nice. I still remember the day when I commented something in my blog based on a snippet in Thomas Dolby’s blog, and it showed up there, and Mr. Dolby himself commented on my entry. The power of trackbacks! Kind of usenet, but with a modern twist.

But yes, having a required word is just fine. With phpBB it does not work any longer; the phpBB spam systems are semi-smart and could get around it. One way is to have variations: type in words backwards, or every second word, or upper-case… –Kent

