WordPress Zero Spam Plugin Packages David Walsh’s Anti-Spam Method


WordPress Zero Spam is the latest to join the ranks of anti-spam plugins fighting on the front lines of WordPress sites. The new plugin is based on a simple method created by Mozilla developer David Walsh, whose popular tech blog gets regularly hammered by 8,000+ spam comments per day.

In a recent tutorial titled How I Stopped WordPress Comment Spam, Walsh explains his method, which essentially relies on inserting a key client-side via JavaScript on form submission and then checking for that key server-side with PHP. If the check fails, the comment is rejected. The point is that most spam bots post straight to the form handler without executing any JavaScript, so they never supply the key.

After two weeks of employing this method, Walsh claims to have brought his spam comments down to zero. “I went from over 8,000 per day to none. Better than Akismet, better than any plugin.” Inspired by Walsh’s success, web developer Ben Marshall packaged the method into a WordPress plugin with an enticing tagline: “Just install, activate and say goodbye to spam.”

WordPress Zero Spam is different from Akismet, the most often recommended spam blocking solution, in that it’s not a service dedicated to filtering spam. It simply checks for bots and discards spam comments at the door before they reach your site. The benefit here is that you are likely to have fewer spam comments and false positives to hunt through. Since it’s an open source plugin and not a service, WordPress Zero Spam is free for both personal and commercial use.

The downside of this new plugin is that anyone whose browser has JavaScript disabled will have their comments rejected. However, the percentage of actual commenters with JS turned off is likely to be infinitesimal compared to the number of bots trying to comment on your site. If you don’t mind the JavaScript requirement and want a simple solution with no options to configure, then WordPress Zero Spam is a plugin that may work well for you.


35 responses to “WordPress Zero Spam Plugin Packages David Walsh’s Anti-Spam Method”

  1. Incredibly simple and elegant. But it’s a pretty easy workaround for bots. I won’t post it here. If the plugin catches on, it can easily be cracked. However, if the plugin generated a random hidden post element and matched that via PHP, it would be much more difficult to thwart.

    • Great post with nice recommendations to avoid spam in our WordPress blogs.
      Yes stueynet, Zero Spam is a piece of cake for bots. I’ve activated it and I got almost 500 spam emails in 6 hours. Yesterday I installed Goodbyecaptcha and it seems like so far it is doing an excellent job

      • Hi Erik,
        I came back to this article just to say thanks for letting me know about goodbyecaptcha! I gave it a try and… surprise!!!! After 2 weeks I’ve got ZERO/NONE/NADA/NULL/NIL spams. Unbelievable!!! Finally something that works! Better than any other plugin!
        In case you guys want to install it: https://wordpress.org/plugins/goodbye-captcha/
        Hope it helps,

  2. I’ve seen a lot of this sort of thing cropping up lately. I’m always happy to see new anti-spam measures cropping up, but most of them suffer from a fundamental problem. This plugin, and any other publicly published solution for that matter, will be cracked and exploited.

    Essentially, spam is automated software masquerading as humans. The software used to generate spam is reasonably sophisticated and it is updated very frequently. As new exploits and holes are found in popular publishing platforms like WordPress, the spam software is updated and it continues to publish garbage across the web at will.

    In order for an anti-spam tool to be effective, it also needs to be updated very frequently to keep the target moving. I’m generally a huge fan of open source, but in this case it doesn’t seem like the right answer. Spammers are relentless. They will use your code against you and in the end they will win. This issue is the reason why Google doesn’t publish how their algorithm works and why Matt Cutts is often vague in his webmaster videos. They can’t be totally open because Google would be completely overrun by spam as their methods were reverse engineered.

    Maybe it is time for a new generation of anti-spam tools, but a static approach that only lives on your server probably isn’t going to be a long-term solution. A solution based on publicly available code is almost certainly not a good solution, probably not even a short-term one. Spammers can and will exploit this and any other plugin like it if they get popular, just give them some time.

  3. Simple Comments blocks 100% of all spam on the comment form and other forms, and has been used on commercial and personal WordPress sites for years. Simple Comments has never been cracked, and it can scale to any sized attack. We have customers that routinely get 10,000 hackbot or spambot attacks daily, and their sites don’t even feel the impact.

    I’ve offered to let WP Tavern try it out before they started using Jetpack Comments, and told them about the product, but they’ve never expressed interest in it, but the writers here have written about a lot of other commercial and free solutions that pale in comparison. Maybe someday enough WordPress insiders will start using Simple Comments and one of them will finally write about it, so everyone can see the solution they’ve been looking for has been run under their noses for years. Until then, Simple Comments will remain one of the best kept secrets to fighting spambots and hackbots for WordPress.


    • Nice sales pitch. ;-)

      Unfortunately, I don’t see a link to the source of Simple Comments, so it’s a little tricky to verify your claims of whether or not it can be cracked, or how well it scales.

    • I was using Simple Comments several years ago, but then the free version became just a front end to pitch the commercial plugin version and was not effective anymore…

      My winning combination at the moment (I’ve used it for over a year now), which I employ on all of my sites, is:

      Bad Behavior ( https://wordpress.org/plugins/bad-behavior/ ) that filters 99.99% of bots, and the rest of them are sorted out by a free plugin:

      Stop Spam Comments ( https://wordpress.org/plugins/stop-spam-comments/ )

      If you find time to register for an http:BL Access Key, then you will also be contributing to a worldwide spam database.

      BTW pingbacks/trackbacks are disabled at the creation of the site – it was a good idea, but became so much abused that it is not really useful any more :(

      • Hey Ryan,

        Keep up your negative comments when someone offers a solution that works 100% of the time. It’s people like you that make sure problems never get solved, and if they do, it’s people like you that throw as much dirt and mud as you can, so people never see the solution to their problem.

        The people that have given Simple Comments a 5 out of 5 rating, and good reviews on the product page, are customers who use Simple Comments every day, and they don’t share your uninformed negativity.

        Please keep on promoting free plugins, and the commercial Akismet service, because, you know, that’s not spammy at all.

        • Ryan is in the problem solving space just like you. Like all the other devs who’ve tackled spam comments he’s smart enough to know there is no such thing as 100% foolproof automated spam blocking. You won’t block manual comments that are effectively there to advertise some product using marketing speak.

          • Thanks :)

            I don’t believe it’s possible to block 100% of all automated spam-bots like this at all. If you can block it in an automated fashion without resorting to some sort of Turing test, then it’s going to be possible to bypass it in an automated fashion. You can block dumb bots, but there are always smarter bots and bot owners willing to throw more resources at the problem to get their spam through.

          • Seeing is believing, but you’ve never seen my solution, just like Ryan hasn’t. So you can theorize all you want about the effectiveness of Simple Comments, but it will all be just uninformed theory, not fact. How long ago was it that everyone believed the world was flat?

          • For what it’s worth, that whole ‘people thought the earth was flat’ is a myth (I thank Terry Jones for knowing this piece of trivia). A 100% foolproof spam system is also a myth. If you were that clever, you’d be working at Google and having fireside chats with Ray Kurzweil talking about your breakthroughs in AI.

          • I have now seen your plugin. From what I can see, it is basically an AJAX’d equivalent of the Zero Spam plugin discussed in this post. If it is blocking 100% of your spam, then in my opinion that will be because your site isn’t popular enough to attract aggressive spammers, not because your plugin is any good.

  4. I was tired of trying out a number of solutions.
    This one looks good.
    But as Robert mentions, it might get reverse engineered someday. Till then, I hope it just works! :)

  5. I have just read your review, Sarah. And I have installed the plugin.

    My problem is not as extensive as David’s. I get around 300-500/day. Still, this takes time that I could be using more productively.

    Thanks for the info!

    Be well,

  6. I’ve been using WP Spamshield for about 3-4 months now, after one of my sites started getting hammered with about 1700 spam comments per day for 2 weeks straight.

    It works so well by itself, I was able to get rid of Akismet on a couple of smaller sites. Before this, I was using a combination of Akismet and Conditional Captcha, but that massive attack overwhelmed both plugins, which sent me searching for new options.

    I may try Zero Spam on one or two of my sites, just so I can compare it and Spamshield in action.

  7. The description in the post sounds exactly like how the original WP Hashcash plugin works. That sort of route is extremely effective, but won’t stop everything. Combining it with a cookie check and Akismet will block an insanely huge amount of spam though. But even with that combination, some of the smarter bots will still work their way through.

    I’m plodding away trying to implement some additional protections on top of all that into a test version of my own plugin. So far it’s working quite well, but you need to be darned careful you don’t start blocking legitimate users once you push the envelope of spam-protection too far :/

    • I think including it in core would result in a lot more bots bypassing it though. Anything that becomes a default will become something the bot designers intentionally work around.

      It would help drop the amount of spam for regular folk, but I think it would increase the amount of spam those of us already using that technique would receive.

  8. On first view it looks nice :)
    BUT could someone give me 3 good reasons why I should leave Akismet and install the Zero Spam Plugin?

    • Why would you want to stop using Akismet? The two plugins would work well in tandem.

      I would not use the Zero Spam plugin by default. I’d only use it if you have a severe spam problem which you can’t fix through less aggressive means, and if you have a severe spam problem, then using it in conjunction with Akismet would be a very good idea IMO.

  9. Thanks for the article, I have been looking for a good antispam WordPress plugin and have found so many that are no good or cause other problems. We will add this our list of essential plugins for all of our WordPress websites with comments!

  10. I was on the hunt a while ago trying to find something that would perhaps beat Akismet, but I ended up sticking with Akismet.

    I wonder if there’s a case study out there somewhere that proves what the best anti-spam plugin is?

    • There is no best approach for fighting spam. Each approach has its downsides and it will depend on your unique situation as to which is best.

      For most people, a simple honeypot will be more effective at blocking a higher proportion of spam than Akismet. That doesn’t mean the honeypot is “better” per se though. Akismet is awesome in its own way and can block things that a honeypot never could.

    • I find that unless you have evergreen content that still gets commented on, turning off comments for posts older than 90 days is a way to greatly reduce spam attempts. This is a general setting under “discussion” in your dashboard.

  11. I’ve just encountered an issue where this plugin blocked the admin’s home IP address. I was contacted to correct the issue and I was able to remove the block, but I wanted to point out that this is not a flawless plugin.
