Todd Lahman

Spam Free WordPress is a comment spam blocking plugin that blocks 100% of the automated spam with zero false positives. There is no other plugin, or service, available for WordPress that can claim 100% accuracy with zero false positives, not even Akismet. Manual spam is blocked with an IP address blocklist.

This plugin was born out of necessity in September of 2007 when HollywoodGrind.com was getting a lot a traffic, and with it a lot of spam that multiple plugins could not stop, but instead increased the load on the server fighting the spam. Since its birth, Spam Free WordPress has been tested successfully under real world heavy traffic, and heavy comment spam, conditions. Once Spam Free WordPress is installed, no other comment spam plugins are needed, and it is recommended that all other plugins be disabled since they will cause undesirable false positives.

It is my goal for Spam Free WordPress to help WordPress become the world’s first and only comment spam free blogging platform.

What Am I Worth?

Is a reliable spam fighting plugin worth a dollar?

Spam Free WordPress Features

1. Automatically blocks 100% of automated comment spam
2. Local manual spam and ban policy set with local IP address blocklist
3. Global manual spam and ban policy set with remote IP address blocklist
4. Significantly reduces database load compared to other spam plugins
5. Zero false positives
6. Option to strip HTML from comments
7. No CAPTCHA, cookies, or Javascript needed
8. Saves time and money by eliminating the need to empty the comment spam folder

Automatically Blocks Automated Comment Spam

Spam Free WordPress uses anonymous password authentication to block 100% of all comment spam with zero false positives. Either the password is submitted with the comment form, or it’s spam. Each post is a assigned a password. The password is generated only after it is visited for the first time, and the password only changes when a comment is left. The password is only generated and changed when necessary to eliminate unnecessary load on the database. The reader leaving a comment copies and pastes the password into the comment field to authenticate while remaining anonymous, thus eliminating the need to login to an different account on each blog. Logged in readers will not be required to use the comment form password.

CAPTCHA is not used because it is hard to read, unnecessary, easily cracked, and reduces the number of real comments substantially. There is an interesting article about CAPTCHA here.

Readers do not need to accept cookies or to have Javascript enabled for Spam Free WordPress to work. Spam Free WordPress uses anonymous password authentication the reader types into the comment form.

Automated spam bots use the wp-comments-post.php core WordPress file to submit comment spam even if the comment form doesn’t exist like when DISQUS is used to handle comments. Spam Free WordPress hooks into wp-comments-post.php to block automated spam by requiring the same password authentication used on the comment form. Spam Free WordPress eliminates the spam DISQUS users continue to experience.

Local and Remote Blocklist

Spam Free WordPress uses an IP address blocklist to block comment spam that is manually submitted by a real person. The blocklist can also be used to ban readers that leave offensive comments. The local blocklist is stored in the database, so it can be used to set policy for a local blog. The remote blocklist allows a global policy to be set for many blogs that remotely access a file that contains the IP address list.

If someone has their IP address listed in the blocklist that person can still read the blog, but will not be able to leave a comment. This approach is used for several reasons. Spam bots may spoof an IP address, or another person may have been using the IP address when they were banned. No one owns an IP address for life, so the IP address is blocked from leaving comments, but not from reading the blog.

Reduces Database Load

As mentioned above, the password is set and changed only when necessary to reduce load on the database. Other plugins filter comments in an effort to determine if they are spam.

Since it is not possible for any filter to ever identify spam accurately, their success at blocking spam is marginal. Those other plugins allow spam to be written to the database most of the time, and stored in the comment spam queue, where the blogger must manually delete the spam. Akismet will prevent some comments it believes is spam from being written to the database, and that results in complaints at times when people realize it was a real person commenting.

Spam Free WordPress knows if comments are real or not, because a password must be entered into the form manually. Anything that is submitted without the password is considered spam. Unlike a filter approach that has many variables, password authentication is 100% accurate, since the password is submitted or not.

Comments that are blocked are never written to the database, which eliminates all the load on the database that spam creates, and other plugins allow.

Option to Strip HTML from Comments

It is very common for manual and automated comment spam to include a URL that links to a web site. Spam Free WordPress has an optional feature that will automatically strip out HTML from comments so that links will show up as plain text, and will then also remove the allowed HTML tags from below the comment text box.

Cached Pages Will Work

Comment form passwords will properly refresh on cached pages, provided the cache program is set to refresh the page on changes to the page, or if a comment has been submitted. Spam Free WordPress has been tested with WP Super Cache, Batcahe, W3 Total Cache using APC, Memcache, and Xcache, with the super fast Nginx web server using its core NCache module, and PHP served with PHP-FPM, with Apache serving PHP, and with other caching programs, all of which worked properly.

Spam Free WordPress in Action

Case Study: Hacked Comment Accounts on Gawker

On Monday December 13, 2010 at 5:59 PM, Gawker sent out this email message to people who had an account on their blogs used to leave comments. It should be noted that Gawker does not use WordPress, but the security hole created by using comment accounts is the same on every blogging platform.

Gawker Comment Accounts Compromised — Important

This weekend we discovered that Gawker Media’s servers were compromised, resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. As a result, the user name and password associated with your comment account were released on the internet. If you’re a commenter on any of our sites, you probably have several questions.

We understand how important trust is on the internet, and we’re deeply sorry for and embarrassed about this breach of security. Right now we are working around the clock to improve security moving forward. We’re also committed to communicating openly and frequently with you to make sure you understand what has happened, how it may or may not affect you, and what we’re doing to fix things.

This is what you should do immediately: Try to change your password in the Gawker Media Commenting System. If you used your Gawker Media password on any other web site, you should change the password on those sites as well, particularly if you used the same username or email with that site. To be safe, however, you should change the password on those accounts whether or not you were using the same username.

We’re continually updating an FAQ (http://lifehac.kr/eUBjVf) with more information and will continue to do so in the coming days and weeks.

Gawker Media

If Gawker had been using the anonymous password authentication built into Spam Free WordPress this incident would not have happened.

Case Study: Street Dogs Band

A blog run by the band Street Dogs recently started using Spam Free WordPress around 7-15-2011, and in just a few weeks they’ve blocked over 26,000 spam comments. Visit they’re site and refresh the page to see how fast the spam comments are hitting their server. As of 4-12-2012 Spam Free WordPress has blocked 690,070 spam comments from the Street Dogs blog.

Case Study: Raspberry Pi

Raspberry Pi builds tiny computers for educational purposes, but they will certainly be put to use for all kinds of purposes, especially since they are dirt cheap yet powerful enough to do a lot. As of 4-12-2012 Raspberry Pi has blocked 70,229 spam comments.

Comment Form Example

If Spam Free WordPress is installed correctly there will be a Password field on the comment form. Each time a reader leaves a comment they type in that password, or copy and paste it, to leave a comment. Below is an example. If the password field is not visible refer to the readme.txt file for specific directions.

To see the password field you must be logged out of your WordPress blog account.

Installation Instructions

Proper Installation Example

If Spam Free WordPress is installed correctly there will be a "Password:" field on the comment form. An example screenshot can be viewed above, or for a live example scroll down to the comment form at the bottom of this page.

To see the password field you must be logged out of your WordPress blog account.

NOTE: Clear the blog cache, like WP Super Cache, after installation.

WordPress 3.0 and Above

1. Upload to the /wp-content/plugins directory
2. Activate
3. If the comment_form() function is already in the comments.php file, then nothing else needs to be done. Otherwise go to step 4.
4. Save a backup copy of comments.php
5. Go to Appearance -> Editor. Edit comments.php
6. Replace the <form> and </form> tags, and all the code between the <form> and </form> tags, with the following line of code:

   <?php comment_form(); ?>

7. Click "Update File" to save changes.
8. If the file gets messed up, use the backup comments.php code to restore everything.

Incorrect:

<form> <?php comment_form(); ?> </form>

Correct:

<?php comment_form(); ?>

If the comments.php file is custom, and it is not desirable to use the comment_form() function, then follow the directions for WordPress 2.8 or 2.9 below.

WordPress 2.8 or 2.9

1. Upload to the /wp-content/plugins directory
2. Activate
3. Copy and paste the following line into your comments.php file right after the last form field for either the email address or the URL (web site):

   <?php if(function_exists ('tl_spam_free_wordpress_comments_form')) {
   	tl_spam_free_wordpress_comments_form();
   } ?>

Thesis Theme

1. Go to Thesis -> Custom File Editor, choose custom_functions.php, then click Edit selected file. Add the following line of code to that file:

   add_action('thesis_hook_comment_field', 'tl_spam_free_wordpress_comments_form');

2. Save changes.

Genesis Theme Framework by StudioPress

1. Upload to the /wp-content/plugins directory
2. Activate

Catalyst Theme Framework

1. Upload to the /wp-content/plugins directory
2. Activate
3. Backup the comments.php file
4. Replace all code in the comments.php file with the following code:

<?php
 
global $catalyst_layout_id;
 
if( !empty( $_SERVER['SCRIPT_FILENAME'] ) && 'comments.php' == basename( $_SERVER['SCRIPT_FILENAME'] ) )
{
	die( 'Please do not load this page directly. Thanks!' );
}
 
if( post_password_required() )
{
?>
	<p class="nocomments"><?php _e( 'This post is password protected. Enter the password to view comments.', 'catalyst' ); ?></p>
<?php
	return;
}
 
catalyst_hook_before_comments( $catalyst_layout_id . '_catalyst_hook_before_comments' );
catalyst_hook_comments( $catalyst_layout_id . '_catalyst_hook_comments' );
catalyst_hook_after_comments( $catalyst_layout_id . '_catalyst_hook_after_comments' );
 
catalyst_hook_before_comment_form( $catalyst_layout_id . '_catalyst_hook_before_comment_form' );
comment_form();
catalyst_hook_after_comment_form( $catalyst_layout_id . '_catalyst_hook_after_comment_form' );
 
//end comments.php

WPtouch plugin

WPtouch uses an old comments.php file format that makes it impossible to detect that plugin’s mobile theme, or to add form fields, so they must be added manually each time the plugin is upgraded. Almost all phones today can see blog posts just like a personal computer sees them, so WPtouch is not needed, but for those who use it here is how to make it work with Spam Free WordPress.

Go to the wp-conten/plugins directory then into wptouch/themes/default. Open the comments.php file in an editor. Find the following line:

<p>
	<input name="url" id="url" type="url" value="<?php echo $comment_author_url; ?>" size="22" tabindex="3" />
	<label for="url"><?php _e( 'Website', 'wptouch' ); ?></label>
</p>

Below that line add the following line:

<p><?php if( function_exists( 'tl_spam_free_wordpress_comments_form' ) ) {
	tl_spam_free_wordpress_comments_form();
} ?></p>

Support

Need help?

Plugin support can also be obtained through IRC chat on irc.freenode.net in the #toddlahman channel. Click here if you need an IRC chat program.

Requirements

Self-hosted WordPress 3.0 or above. PHP 5 or above. This plugin works in Multi-User mode.

Download

Download latest version of Spam Free WordPress

Pingbacks and Trackbacks

The plugin below will close pingbacks and trackbacks on all posts and pages.

Directions: Activate plugin, publish or edit/update one post. All posts and pages will now have pingbacks and trackbacks disabled. Deactivate plugin. Only needs to be run once.

To make sure pingbacks and trackbacks are closed on future posts and pages, go to “Settings -> Discussion” and uncheck the box next to “Allow link notifications from other blogs (pingbacks and trackbacks).”

Auto Close Pings and Trackbacks Plugin Download