30 Comments


  1. Incredibly simple and elegant. But it’s a pretty easy workaround for bots. I won’t post it here. If the plugin catches on, it can easily be cracked. However, if the plugin generated a random hidden post element and matched that via PHP, it would be much more difficult to thwart.

    1. Erik

      Great post with nice recommendations to avoid spam in our WordPress blogs.
      Yes stueynet, Zero Spam is a piece of cake for bots. I’ve activated it and I got almost 500 spam emails in 6 hours. Yesterday I installed Goodbyecaptcha and so far it seems to be doing an excellent job.

      1. Martin

        Hi Erik,
        I came back to this article just to say thanks for letting me know about goodbyecaptcha! I gave it a try and… surprise!!!! After 2 weeks I’ve got ZERO/NONE/NADA/NULL/NIL spams. Unbelievable!!! Finally something that works! Better than any other plugin!
        In case you guys want to install it: https://wordpress.org/plugins/goodbye-captcha/
        Hope it helps,
        Cheers!


  2. I’ve seen a lot of this sort of thing cropping up lately. I’m always happy to see new anti-spam measures cropping up, but most of them suffer from a fundamental problem. This plugin, and any other publicly published solution for that matter, will be cracked and exploited.

    Essentially, spam is automated software masquerading as humans. The software used to generate spam is reasonably sophisticated and it is updated very frequently. As new exploits and holes are found in popular publishing platforms like WordPress, the spam software is updated and it continues to publish garbage across the web at will.

    In order for an anti-spam tool to be effective, it also needs to be updated very frequently to keep the target moving. I’m generally a huge fan of open source, but in this case it doesn’t seem like the right answer. Spammers are relentless. They will use your code against you and in the end they will win. This issue is the reason why Google doesn’t publish how their algorithm works and why Matt Cutts is often vague in his webmaster videos. They can’t be totally open because Google would be completely overrun by spam as their methods were reverse engineered.

    Maybe it is time for a new generation of anti-spam tools, but a static approach that only lives on your server probably isn’t going to be a long-term solution. A solution based on publicly available code is almost certainly not a good solution, probably not even a short-term one. Spammers can and will exploit this and any other plugin like it if they get popular, just give them some time.


  3. Simple Comments blocks 100% of all spam on the comment form and other forms, and has been used on commercial and personal WordPress sites for years. Simple Comments has never been cracked, and it can scale to any sized attack. We have customers that routinely get 10,000 hackbot or spambot attacks daily, and their sites don’t even feel the impact.

    I’ve offered to let WP Tavern try it out before they started using Jetpack Comments, and told them about the product, but they’ve never expressed interest in it, but the writers here have written about a lot of other commercial and free solutions that pale in comparison. Maybe someday enough WordPress insiders will start using Simple Comments and one of them will finally write about it, so everyone can see the solution they’ve been looking for has been run under their noses for years. Until then, Simple Comments will remain one of the best kept secrets to fighting spambots and hackbots for WordPress.

    https://www.toddlahman.com/shop/simple-comments/


    1. Nice sales pitch. ;-)

      Unfortunately, I don’t see a link to the source of Simple Comments, so it’s a little tricky to verify your claims of whether or not it can be cracked, or how well it scales.


    2. I was using Simple Comments several years ago, but then the free version became just a front end to pitch the commercial plugin version and was not effective anymore…

      My winning combination at the moment (I have used it for over a year now), that I employ on all of my sites, is:

      Bad Behavior ( https://wordpress.org/plugins/bad-behavior/ ) that filters 99,99% of bots and the rest of them are sorted out by a free plugin:

      Stop Spam Comments ( https://wordpress.org/plugins/stop-spam-comments/ )

      If you find time and register to get an http:BL Access Key, then you will also be contributing to a worldwide spam database.

      BTW pingbacks/trackbacks are disabled at the creation of the site – it was a good idea, but it became so abused that it is not really useful any more :(


      1. I forgot to point out that using Bad Behavior is beneficial not only to filter spam comments, but also to save server load and bandwidth – this plugin blocks bad robots from entering your site at all! :)


        1. You cite an article back from 2008 :D

          Of course there will be specific settings where one plugin will be better than the other, I’m just sharing my experience.

          I assume (I may be wrong) Akismet accepts comments and analyses them to approve/reject, BB blocks bots before they can even touch the comment box.


    3. Ironically, this comment itself is spammy IMO, so I wonder if your plugin would block it?


      1. Hey Ryan,

        Keep up your negative comments when someone offers a solution that works 100% of the time. It’s people like you that make sure problems never get solved, and if they do, it’s people like you that throw as much dirt and mud as you can, so people never see the solution to their problem.

        The people that have given Simple Comments a 5 out of 5 rating, and good reviews on the product page, are customers who use Simple Comments every day, and they don’t share your uninformed negativity.

        Please keep on promoting free plugins, and the commercial Akismet service, because, you know, that’s not spammy at all.


        1. Ryan is in the problem solving space just like you. Like all the other devs who’ve tackled spam comments he’s smart enough to know there is no such thing as 100% foolproof automated spam blocking. You won’t block manual comments that are effectively there to advertise some product using marketing speak.


          1. Thanks :)

            I don’t believe it’s possible to block 100% of all automated spam-bots like this at all. If you can block it in an automated fashion without resorting to some sort of Turing test, then it’s going to be possible to bypass it in an automated fashion. You can block dumb bots, but there are always smarter bots and bot owners willing to throw more resources at the problem to get their spam through.


          2. Seeing is believing, but you’ve never seen my solution, just like Ryan hasn’t. So you can theorize all you want about the effectiveness of Simple Comments, but it will all be just uninformed theory, not fact. How long ago was it that everyone believed the world was flat?


          3. For what it’s worth, that whole ‘people thought the earth was flat’ is a myth (I thank Terry Jones for knowing this piece of trivia). A 100% foolproof spam system is also a myth. If you were that clever, you’d be working at Google and having fireside chats with Ray Kurzweil talking about your breakthroughs in AI.


          4. I have now seen your plugin. From what I can see, it is basically an AJAX’d equivalent of the Zero Spam plugin discussed in this post. If it is blocking 100% of your spam, then in my opinion that will be because your site isn’t popular enough to attract aggressive spammers, not because your plugin is any good.


    4. I missed it, what was the name of the product?

      That had to be the spammiest non-spam comment I’ve ever seen.


  4. I was tired of trying out a number of solutions.
    This one looks good.
    But as Robert mentions, it might get reverse engineered someday. Till then, I hope it just works! :)


  5. I have just read your review, Sarah. And I have installed the plugin.

    My problem is not as extensive as David’s. I get around 300-500/day. Still, this takes time that I could be using more productively.

    Thanks for the info!

    Be well,
    Jim


  6. I’ve been using WP Spamshield for about 3-4 months now, after one of my sites started getting hammered with about 1700 spam comments per day for 2 weeks straight.

    It works so well by itself, I was able to get rid of Akismet on a couple of smaller sites. Before this, I was using a combination of Akismet and Conditional Captcha, but that massive attack overwhelmed both plugins, which sent me searching for new options.

    I may try Zero Spam on one or two of my sites, just so I can compare it and Spamshield in action.


  7. The description in the post sounds exactly like how the original WP Hash cash plugin works. That sort of route is extremely effective, but won’t stop everything. Combining it with a cookie check and Akismet will block an insanely huge amount of spam though. But even with that combination, some of the smarter bots will still work their way through.

    I’m plodding away trying to implement some additional protections on top of all that into a test version of my own plugin. So far it’s working quite well, but you need to be darned careful you don’t start blocking legitimate users once you push the envelope of spam-protection too far :/


    1. I think including it in core would result in a lot more bots bypassing it though. Anything that becomes a default will become something the bot designers intentionally work around.

      It would help drop the amount of spam for regular folk, but I think it would increase the amount of spam those of us already using that technique would receive.


  8. At first glance it looks nice :)
    BUT could someone give me 3 good reasons why I should leave Akismet and install the Zero Spam plugin?


    1. Why would you want to stop using Akismet? The two plugins would work well in tandem.

      I would not use the Zero Spam plugin by default. I’d only use it if you have a severe spam problem which you can’t fix through less aggressive means, and if you have a severe spam problem, then using it in conjunction with Akismet would be a very good idea IMO.


  9. Thanks for the article, I have been looking for a good antispam WordPress plugin and have found so many that are no good or cause other problems. We will add this to our list of essential plugins for all of our WordPress websites with comments!
