David Van Brink // Thu 2006.12.14 14:44 // { wordpress }
Problem
I don’t know about you, but lately I have been getting dozens of spam WordPress comments. It was enough to overwhelm the occasional real comment (hopefully I haven’t deleted yours).
Experimental Solution
I forget where I heard of this, probably someone linked from Dan Jalkut’s Red Sweater, but they mentioned adding a simple “type this” field to the comments form. So, I finally went ahead and implemented just that. For mine, I added a required field asking that you type “hormel”.
The diffs below are against DreamHost’s servers’ time-based .snapshot directory, which is used here as an incredibly weak revision control system, but adequate, sort of, for now. I’ve added the same change to several blogs with different versions of WordPress; the line numbers vary but the text remains the same.
[polyomino@gage] ~/subservientastronaut.com/blog: diff \
wp-content/themes/default/comments.php \
wp-content/themes/default/.snapshot/weekly.0/comments.php
90,92d90
+ <!-- the "hormel" hack is always shown, even to logged-in users -->
+ <p><input type="text" name="sekrit" id="sekrit" value="" size="22" tabindex="4" />
+ <label for="sekrit"><small>The word hormel (required)</small></label></p>
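Review bot: the hunk header 90,92d90 says these three lines exist only in the first file given to diff (the edited comments.php), so real diff output would prefix them with < rather than +; the + markers look hand-edited, which makes the snippet hard to apply mechanically. On the content: the label prints the expected answer, “hormel”, in plain text right beside the field, so the filter holds only as long as bots do not read the label text. That is consistent with the stated aim of a low-effort deterrent, but the word should be treated as a speed bump, not a secret, and a reader should expect to change it once it stops working.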
[polyomino@gage] ~/subservientastronaut.com/blog: diff \
wp-comments-post.php \
.snapshot/weekly.0
29,32d28
+ $comment_sekrit = trim($_POST['sekrit']);
+
+ if($comment_sekrit != "hormel")
+ die( __('Thank you for your hormel product, robot!') );
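Review bot: trim($_POST['sekrit']) reads the key without first checking that it exists, so a POST that lacks the field (a bot posting straight to wp-comments-post.php, or a reader on a cached copy of the old form) raises a PHP undefined-index notice before the comparison runs; trim(null) still yields "" and the post is still rejected, but the check should be guarded with isset() so the log is not filled with notices. The comparison is also case-sensitive, so a reader who types “Hormel” gets the same robot message as a spammer; lower-casing the input before comparing avoids that. Finally, the guard is added only to wp-comments-post.php, so anything arriving through trackback.php never sees it, which the addendum below bears out.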
The result is that the comments field includes a box like so:
Experimental Results
Over four days, the number of spam comments dropped from many dozens to just one. How did that one get through? Are they on to this?? Arrgh! The problem with security like this is that it only works until lots of people use it, at which point it becomes noticeable enough that the robots evolve to their next stage.
Of course, this does nothing to address a far more profound and fundamental issue: I aspire to have a readership who don’t think I need Viagra!
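The check in the diff above, rewritten as an added example (not code from the original post or from WordPress) so that the edge cases a real form sees are handled: the field missing entirely, the field arriving as an array, and a human typing the word with different case or stray whitespace. It assumes the field is still named “sekrit” and the word is still “hormel”, and it answers a rejected post with a real 403 status so the rejections show up in the web server’s access log rather than as successful 200 responses. It does not change the fact that the word is printed in the label; that is the deterrent the post describes, not a secret.

```php
<?php
// Added example, not from the original post or from WordPress.
// Assumed field name and expected word, matching the diff above.
define('SEKRIT_FIELD', 'sekrit');
define('SEKRIT_WORD',  'hormel');

/**
 * Returns true when the submitted form data carries the expected word.
 * Handles what both bots and humans actually send:
 *  - field absent entirely (bot posting directly, or a stale cached form)
 *  - field present but an array (PHP turns a "sekrit[]" name into an array)
 *  - surrounding whitespace and mixed case typed by a real reader
 */
function sekrit_is_valid(array $post) {
    if (!isset($post[SEKRIT_FIELD]) || !is_string($post[SEKRIT_FIELD])) {
        return false;
    }
    $typed = strtolower(trim($post[SEKRIT_FIELD]));
    return $typed === SEKRIT_WORD;
}

/**
 * Drop-in replacement for the die() call in wp-comments-post.php:
 * refuse the post with a 403 instead of a 200 carrying an error message,
 * so rejected submissions are countable in the access log.
 */
function sekrit_reject_or_continue(array $post) {
    if (sekrit_is_valid($post)) {
        return; // fall through to the normal comment-handling code
    }
    if (!headers_sent()) {
        header('HTTP/1.0 403 Forbidden');
    }
    exit('Thank you for your hormel product, robot!');
}

// Self-check over constructed inputs; run with: php this_file.php
if (PHP_SAPI === 'cli') {
    $cases = array(
        array(array(),                          false), // field missing
        array(array('sekrit' => 'hormel'),      true),  // exact match
        array(array('sekrit' => '  Hormel '),   true),  // human typing
        array(array('sekrit' => 'spam'),        false), // wrong word
        array(array('sekrit' => array('hormel')), false), // array, not string
    );
    foreach ($cases as $i => $c) {
        $got = sekrit_is_valid($c[0]);
        echo ($got === $c[1] ? 'ok' : 'FAIL'), " case $i\n";
    }
}
```

To use it, call sekrit_reject_or_continue($_POST) at the point where the original diff calls die(); the helper returns normally when the word matches and never returns otherwise.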
Addendum
2006.12.15: disabled trackback.php, and spam seems to have dropped to nothing. If it returns, I’ll activate Akismet…