WordPress Zero Spam Plugin Packages David Walsh’s Anti-Spam Method


WordPress Zero Spam is the latest to join the ranks of anti-spam plugins fighting on the front lines of WordPress sites. The new plugin is based on a simple method created by Mozilla developer David Walsh, whose popular tech blog gets regularly hammered by 8,000+ spam comments per day.

In a recent tutorial titled “How I Stopped WordPress Comment Spam,” Walsh explains his method, which relies on JavaScript inserting a key client-side when the form is submitted. A server-side PHP check then looks for that key. If the check fails, the comment is rejected.
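The flow described above, modeled in Node.js as an added example; it is not Walsh's tutorial code or the plugin's PHP. It goes one step beyond a single fixed key by issuing a signed, time-limited token per rendered form. The field name `zs_token`, the secret, the one-hour lifetime and the `commentform` element id are assumptions.

```javascript
// Added example: server-side model of a JS-inserted comment key (Node.js).
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // assumption: per-site secret, never sent to the client
const FIELD = 'zs_token';                 // hypothetical hidden field name
const MAX_AGE_MS = 60 * 60 * 1000;        // assumption: a rendered form stays valid for 1 hour

// HMAC binds the token to one post and one issue time.
function sign(postId, issuedAt) {
  return crypto.createHmac('sha256', SECRET)
    .update(`${postId}:${issuedAt}`)
    .digest('hex');
}

// Called when the comment form is rendered.
function issueToken(postId, now = Date.now()) {
  return `${now}.${sign(postId, now)}`;
}

// Script the page would embed: the field exists only if JavaScript runs on submit.
function clientSnippet(token) {
  return `document.getElementById('commentform').addEventListener('submit', function () {
  var f = document.createElement('input');
  f.type = 'hidden'; f.name = ${JSON.stringify(FIELD)}; f.value = ${JSON.stringify(token)};
  this.appendChild(f);
});`;
}

// Called when a comment is POSTed; returns { ok, reason } so rejections can be logged.
function checkComment(fields, postId, now = Date.now()) {
  const token = fields[FIELD];
  if (typeof token !== 'string') return { ok: false, reason: 'missing' };
  const [ts, mac] = token.split('.');
  const issuedAt = Number(ts);
  if (!Number.isSafeInteger(issuedAt) || !mac) return { ok: false, reason: 'malformed' };
  const expected = Buffer.from(sign(postId, issuedAt));
  const given = Buffer.from(mac);
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  if (now < issuedAt || now - issuedAt > MAX_AGE_MS) return { ok: false, reason: 'expired' };
  return { ok: true, reason: 'accepted' };
}
```

Counting rejections by `reason` shows whether the check is mostly turning away clients that never ran the script or is timing out slow human commenters.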

After two weeks of employing this method, Walsh claims to have brought his spam comments down to zero. “I went from over 8,000 per day to none. Better than Akismet, better than any plugin.” Inspired by Walsh’s success, web developer Ben Marshall packaged the method into a WordPress plugin with an enticing tagline: “Just install, activate and say goodbye to spam.”

WordPress Zero Spam is different from Akismet, the most often recommended spam blocking solution, in that it’s not a service dedicated to filtering spam. It simply checks for bots and discards spam comments at the door before they reach your site. The benefit here is that you are likely to have fewer spam comments and false positives to hunt through. Since it’s an open source plugin and not a service, WordPress Zero Spam is free for both personal and commercial use.

The downside of this new plugin is that anyone without support for JavaScript will have their comments rejected. However, the percentage of actual commenters with JS turned off is likely to be infinitesimal compared to the number of bots trying to comment on your site. If you don’t mind the JavaScript requirement and want a simple solution with no options to configure, then WordPress Zero Spam is a plugin that may work well for you.


35 responses to “WordPress Zero Spam Plugin Packages David Walsh’s Anti-Spam Method”

  1. Incredibly simple and elegant. But it’s a pretty easy workaround for bots. I won’t post it here. If the plugin catches on, it can easily be cracked. However, if the plugin generated a random hidden post element and matched that via PHP, it would be much more difficult to thwart.

    • Great post with nice recommendations to avoid spam in our WordPress blogs.
      Yes stueynet, Zero Spam is a piece of cake for bots. I’ve activated it and I got almost 500 spam emails in 6 hours. Yesterday I installed Goodbyecaptcha and it seems like so far it is doing an excellent job.

  2. I’ve seen a lot of this sort of thing cropping up lately. I’m always happy to see new anti-spam measures cropping up, but most of them suffer from a fundamental problem. This plugin, and any other publicly published solution for that matter, will be cracked and exploited.

    Essentially, spam is automated software masquerading as humans. The software used to generate spam is reasonably sophisticated and it is updated very frequently. As new exploits and holes are found in popular publishing platforms like WordPress, the spam software is updated and it continues to publish garbage across the web at will.

    In order for an anti-spam tool to be effective, it also needs to be updated very frequently to keep the target moving. I’m generally a huge fan of open source, but in this case it doesn’t seem like the right answer. Spammers are relentless. They will use your code against you and in the end they will win. This issue is the reason why Google doesn’t publish how their algorithm works and why Matt Cutts is often vague in his webmaster videos. They can’t be totally open because Google would be completely overrun by spam as their methods were reverse engineered.

    Maybe it is time for a new generation of anti-spam tools, but a static approach that only lives on your server probably isn’t going to be a long-term solution. A solution based on publicly available code is almost certainly not a good solution, probably not even a short-term one. Spammers can and will exploit this and any other plugin like it if they get popular, just give them some time.

  3. Simple Comments blocks 100% of all spam on the comment form and other forms, and has been used on commercial and personal WordPress sites for years. Simple Comments has never been cracked, and it can scale to any sized attack. We have customers that routinely get 10,000 hackbot or spambot attacks daily, and their sites don’t even feel the impact.

    I’ve offered to let WP Tavern try it out before they started using Jetpack Comments, and told them about the product, but they’ve never expressed interest in it, but the writers here have written about a lot of other commercial and free solutions that pale in comparison. Maybe someday enough WordPress insiders will start using Simple Comments and one of them will finally write about it, so everyone can see the solution they’ve been looking for has been run under their noses for years. Until then, Simple Comments will remain one of the best kept secrets to fighting spambots and hackbots for WordPress.

    https://www.toddlahman.com/shop/simple-comments/

  4. I have just read your review, Sarah. And I have installed the plugin.

    My problem is not as extensive as David’s. I get around 300-500/day. Still, this takes time that I could be using more productively.

    Thanks for the info!

    Be well,
    Jim

  5. I’ve been using WP Spamshield for about 3-4 months now, after one of my sites started getting hammered with about 1700 spam comments per day for 2 weeks straight.

    It works so well by itself, I was able to get rid of Akismet on a couple of smaller sites. Before this, I was using a combination of Akismet and Conditional Captcha, but that massive attack overwhelmed both plugins, which sent me searching for new options.

    I may try Zero Spam on one or two of my sites, just so I can compare it and Spamshield in action.

  6. The description in the post sounds exactly like how the original WP Hash cash plugin works. That sort of route is extremely effective, but won’t stop everything. Combining it with a cookie check and Akismet will block an insanely huge amount of spam though. But even with that combination, some of the smarter bots will still work their way through.

    I’m plodding away trying to implement some additional protections on top of all that into a test version of my own plugin. So far it’s working quite well, but you need to be darned careful you don’t start blocking legitimate users once you push the envelope of spam-protection too far :/

    • I think including it in core would result in a lot more bots bypassing it though. Anything that becomes a default will become something the bot designers intentionally work around.

      It would help drop the amount of spam for regular folk, but I think it would increase the amount of spam those of us already using that technique would receive.

    • Why would you want to stop using Akismet? The two plugins would work well in tandem.

      I would not use the Zero Spam plugin by default. I’d only use it if you have a severe spam problem which you can’t fix through less aggressive means, and if you have a severe spam problem, then using it in conjunction with Akismet would be a very good idea IMO.

    • There is no best approach for fighting spam. Each approach has its downsides and it will depend on your unique situation as to which is best.

      For most people, a simple honeypot will be more effective at blocking a higher proportion of spam than Akismet. That doesn’t mean the honeypot is “better” per se though. Akismet is awesome in its own way and can block things that a honeypot never could.
