Spam Free WordPress Comment Spam Plugin

By on June 23, 2011 in Todd Lahman

Spam Free WordPress comment spam plugin blocks 100% of the automated spam with zero false positives, and with no CAPTCHA.

This plugin was born out of necessity in September of 2007. A comment spam fighting plugin was needed that could handle huge visitor traffic, and huge spam attacks. Today the plugin can scale to handle any amount of comment spam on the highest traffic blogs.

Spam Free WordPress Features

  1. Automatically blocks 100% of automated comment spam
  2. Local manual spam and ban policy set with local IP address blocklist
  3. Significantly reduces database load compared to other spam plugins
  4. Zero false positives
  5. Option to strip HTML from comments
  6. No CAPTCHA
  7. Saves time and money by eliminating the need to empty the comment spam folder
  8. Option to automatically delete comments marked as spam, trackbacks/pingbacks, and unapproved.
  9. Hundreds of thousands of Spam Free Blogs and Counting!

The plugin has the option to generate a custom comment list and comment form for themes that do not work automatically with the plugin.

Comment spam damages a blog’s SEO ranking. This plugin preserves your Search Engine Optimization.

The comment form is secured in the background, so your readers just see your comment form.

Automatically Blocks Automated Comment Spam

Spam Free WordPress several security methods to block spam bots, while allowing real readers to leave a comment without any problem. All security is pass or fail, which means a real person can leave a comment, but a bot cannot. There are no filters to try to guess what is a legitimate comment, ham, or spam.

Local Blocklist

Spam Free WordPress uses an IP address blocklist to block comment spam that is manually submitted by a real person. The blocklist can also be used to ban readers that leave offensive comments. The local blocklist is stored in the database, so it can be used to set policy for a local blog. If someone has their IP address listed in the blocklist that person can still read the blog, but will not be able to leave a comment.

Reduces Database Load

Comments that are blocked are never written to the database, which eliminates all the load on the database that spam creates, and other plugins allow. Blocked comments are sent to an error page that allows the reader to return to their comment, without a loss of data, to try to correct the error. Comments that are blocked have failed security methods that only spam bots would fail.

Option to Strip HTML from Comments

It is very common for manual and automated comment spam to include a URL that links to a web site. Spam Free WordPress has an optional feature that will automatically strip out HTML from comments, so URL links show up as plain text, and will also remove the allowed HTML tags from below the comment text box.

Pingbacks and Trackbacks

The plugin will close pingbacks and trackbacks on all posts and pages automatically when the plugin is installed, and it also has an option to open pingbacks again if so desired.

JetPack Comments

JetPack has introduced a Comments module that takes over the comment form. Spam Free WordPress disables the JetPack Comments module because it doesn’t work with any other plugin that manages the comment form. Spam Free WordPress plays nice with all plugins.

Spam Free WordPress in Action

spam free wordpress nkey authentication technology anti comment spam logo Spam Free Wordpress Comment Spam Plugin

Comment Form Example

The comment form is secured in the background, so your readers just see your comment form.

spam free wordPress comment form invisible password screenshot Spam Free Wordpress Comment Spam Plugin

Spam protection is invisible to the reader.

Installation Instructions

1. Upload to the /wp-content/plugins directory
2. Activate
3. Turn on the Spam Stats, and try to leave a comment to make sure it is working.

Support

Spam Free WordPress requires a free license key for support, and to activate advanced features, that you can get here.

Requirements

Self-hosted WordPress 3.1 or above. PHP 5 or above. Works with single-site, or multi-site, versions of WordPress.

Download

Download latest version of Spam Free WordPress

Troubleshooting version 1.9.3

Error Messages
Here’s what to do if the plugin displays an error message:

  • Error message:
    • “Spam Free WordPress disabled the comment form because it could not retrieve the password from the server. It may be necessary to do one, or all, of the following. Turn on the Old Password Fields option, turn off Nonce Security, or to turn on Generate Comment Form.”
  • Solution:
    • It may be necessary to do one, or all, of the following. Turn on the Old Password Fields option, turn off Nonce Security, or to turn on Generate Comment Form.
  • Error message:
    • “Spam Free WordPress nonce security check failed. Troubleshooting.”
  • Solution:
    • Uncheck the box next to Nonce Security.
  • Error message:
    • “Spam Free WordPress could not retrieve the password from the server. It may be necessary to do one, or all, of the following. Turn on the Old Password Fields option, turn off Nonce Security, or to turn on Generate Comment Form. Troubleshooting.”
  • Solution:
    • It may be necessary to do one, or all, of the following. Turn on the Old Password Fields option, turn off Nonce Security, or to turn on Generate Comment Form.
  • Error message:
    • “Comment blocked by Spam Free WordPress because your IP address is in the local blocklist, or you forgot to type a comment.”
  • Solution:
    • Either your IP address is in the plugin blocklist, which can be found under Settings >> Spam Free WordPress, or you did not type in a comment.
  • If All Else Fails
    • Switch themes.
    • Disable all plugins until the problem plugin is found.
    • Request help with the Spam Free WordPress support request form (must have a free license key, and must be logged in to use).

Comment form and Comment List Are Not Styled Properly

  • Uncheck the Generate Comment Form box. If you then get an error message when leaving a comment, turn the Generate Comment Form option back on, because your theme isn’t working properly. The Generate Comment Form option that displays the comment list and comment form has a CSS style sheet that can be found in the plugin’s css folder where you can make changes. Be aware however, that css folder will be overwritten on plugin updates.

Plugins That Cause Problems

  • Minify plugins such as WP Minify, Better WordPress Minify, W3 Total Cache etc. may need to have minification of JS files turned off, or you can have the plugin exclude the file: sfw-ipwd.js. Some minify plugins, like Better WordPress Minify, require a script handle rather than a filename, so the script handles that should be excluded are: sfw_ipwd. All of the Spam Free WordPress JavaScript files are already minified, or more correctly, compressed.
  • Minify plugins can prevent JavaScript files from loading, or from loading properly.

Incompatible Plugins

  • Disqus Comment System – Since it takes over your comments completely
  • JetPack Comments module – Since it takes over your comments completely

Languages Supported

  • English
  • German – Deutsch (de_DE)
  • Italian – Italian (it_IT)
  • French – Français (fr_FR)
  • Hebrew – עברית (he_IL)
  • Japanese – (日本語 – ja)
  • Chinese – 中文 (zh_CN)
  • Hong Kong – (香港) (zh_HK)
  • Taiwan – (台灣) (zh_TW)
  • Swedish – Svenska (sv_SE)
  • Norwegian – (norsk)

Free License Key Required

Spam Free WordPress requires a free license key for support, and to activate advanced features, that you can get here.

Buy Todd a Coffee

941 Responses to Spam Free WordPress Comment Spam Plugin

  1. Richard Wells August 19, 2012 at 6:19 am #

    Hi, the only way this seems to work is if I have:
    -comment form stats on
    -automatically generate form on
    -invisible password

    I don’t want to automatically generate the form, it doesn’t match the style of the site, but if I turn that off I can’t get comments through. peacesweets.com is the site.

    I note that you mention that I can use css to style the form with the automatic generate feature on, that sounds like something that might solve the problem, but I’d appreciate any input you may have on the issue.

    Thanks

    • Todd Lahman August 19, 2012 at 8:28 am #

      View the source of the page with a few comments on it. Then use the id and class tags you see to style the comments how you want them to look in your style.css file, or whichever CSS file you want to use. (8:28 am on August 19, 2012)

  2. mw August 18, 2012 at 11:24 am #

    Spam-free-wordpress doesn’t work on my website anymore after updating to the latest 1.7.8.2. The error message is always saying that “the comments were blocked by spam free wordpress because the password is incorrect or blank”

    There’s always a “” in front of the password (when using either click password field or button options). Could this be the reason? How do I solve this. My website is maestrochworld.com.

    • Todd Lahman August 18, 2012 at 11:50 am #

      It appears that one of the plugins you have installed is outputting extra characters in the password field. The AJAX communication is supposed to only be between my plugin, and WordPress, but it appears another plugin is improperly interfering with that communication. To find out which one disable them one by one, while checked the password each time. I would start with the User Access Manager plugin. (11:50 am on August 18, 2012)

      • mw August 19, 2012 at 9:55 am #

        Yes, there was one other plugin that interfered with spam free. It was WP Easy Embed.

        Thanks for the advice, my problem has been solved!

  3. Samer Kurdi August 17, 2012 at 12:23 pm #

    Please disregard my previous comment. I turned off Automatically Generate Comment Form and everything is fine.

  4. Samer Kurdi August 17, 2012 at 12:17 pm #

    Installed the latest 1.7.8.2, and it broke the comments section formatting and everything that comes after (sidebar, etc.)

    My site: www.freewaregenius.com

  5. azmee August 17, 2012 at 10:24 am #

    Hi, just want to tell that the latest update ruins my CSS and AJAX….

    • Todd Lahman August 17, 2012 at 10:26 am #

      Try turning off Automatically Generate Comment Form. I’m not sure what the problem with your AJAX would be without some detail or a link to your blog. If you’re running WP Minify that could cause a problem, for which I have a solution. (10:26 am on August 17, 2012)

    • azmee August 17, 2012 at 10:35 am #

      Oops… sorry, nevermind. Thats because I activated the “automatically generate the comment form”… It works well now. Thanks

  6. SC August 17, 2012 at 9:41 am #

    Is there flexibility in how the screen looks? We have 5 different fields: Name, Email, a dropdown menu for location, comment box, How did you hear about us comment box.

    The invisible password: is this really an ip blocker?

    • Todd Lahman August 17, 2012 at 10:19 am #

      The password is a password, not an IP blocker.

      Right now the look is built-in, but you can turn off the Automatically Generate Comment Form to customize. (10:19 am on August 17, 2012)

  7. Barbara W August 17, 2012 at 8:53 am #

    When I updated to 1.7.8.2 this morning, my comments ceased to be nested. Now they’re not only all one on top of the other, the text is shoved all the way to the left of the comment box edge. I logged out as admin and the password box is there and everything looks normal except for the non-nesting of comments.

    I’m using the Genesis framework, Lifestyle theme, if that helps at all. I haven’t made any changes to the plug-in as it came installed and don’t care to.

    • Barbara W August 17, 2012 at 8:56 am #

      link to blog is basiasbookshelf.com if you want to see what it looks like.

    • Todd Lahman August 17, 2012 at 10:20 am #

      Try turning off Automatically Generate Comment Form, and see how it looks. (10:20 am on August 17, 2012)

      • Barbara W August 17, 2012 at 10:51 pm #

        It works perfectly! Thank you so much.

  8. SC August 16, 2012 at 9:04 pm #

    Does this work for customized event signup pages? What would be the coding and where would it be inserted?

    • Todd Lahman August 16, 2012 at 9:29 pm #

      If the page has a comment form, like the one used for single post pages, then yes, otherwise, no. (9:29 pm on August 16, 2012)

  9. Joe August 15, 2012 at 8:39 am #

    All ok, it seems with 1.7.8

    I have been getting a lot of comments blocked message while testing.

    I finally realized that I am getting these error messages because I am typing a few letters fast and submitting fast (just for testing). When I slowed down and gave it some time, it worked flawlessly.

    The problem here is the message is wrong. It should ask me to slow down, and not say my ip is in the ban list or I did not type any comment. And when I press “Back”, it will still give me an error even if I wait, because I guess it did not detect me typing anything (because I already typed the comment earlier earlier)

    One request, if you have time. It would be nice if the error message just pops out in the same window, without leaving the comments screen. Just a thought …

    Thanks

    • Todd Lahman August 15, 2012 at 12:56 pm #

      Some servers respond with the security information for the comment form slower than others. I will try to come up with something to cause the reader to wait to submit the comment until all the security information is loaded. (12:56 pm on August 15, 2012)

  10. Paul Flanigan August 14, 2012 at 4:20 pm #

    Hi Todd. Well, I had some issues with my site that my SP fixed. Apparently some PHP stuff. Now I have a error line right on my site. You can see it on there now: www.veryculinary.com.

    I’m pretty lost as to what to do here. Wondering if you can help? We have used SFW for a while with great success, so I’d love to keep it going.

    • Todd Lahman August 15, 2012 at 12:49 am #

      A function was removed in 1.7.7, and a legacy reference to it was not added to prevent this sort of error. This will be fixed in 1.7.8 that will hopefully be out later tonight. (12:49 am on August 15, 2012)

      • Paul Flanigan August 15, 2012 at 7:38 am #

        Got the update. Looks good! Question: Does SFW remember IPs so that frequent commenters do not have to enter passwords? The password field is missing, but the comments seem to stick. Screenshot: http://screencast.com/t/ZhQdg2macQDV

        • Todd Lahman August 15, 2012 at 12:53 pm #

          The default setting is now for the password to be invisible to the reader. Turn on your spam stats to make sure it is working. (12:53 pm on August 15, 2012)

  11. Samer Kurdi August 14, 2012 at 11:29 am #

    My site is www.freewaregenius.com. I use a customized Thesis theme, WordPress 3.4.1, and Spam Free WordPress 1.7.7.. The comment form no longer shows the password field, and comments fail ‘an important security check’.

    Hoping there is a fix soon!

    • Sarah August 14, 2012 at 1:17 pm #

      My site is snixykitchen.com and does the same thing since the update! I have it deactivated right now because I don’t want to block comments to my blog.

      • Todd Lahman August 15, 2012 at 12:48 am #

        If you are using Spam Free WordPress 1.7.7 go to Settings > Spam Free WordPress, then under Use Old jQuery Scripts turn it to On. If this doesn’t fix it try version 1.7.8 coming out hopefully later tonight, and let me know if that fixes it. (12:48 am on August 15, 2012)

    • Todd Lahman August 15, 2012 at 12:47 am #

      If you are using Spam Free WordPress 1.7.7 go to Settings > Spam Free WordPress, then under Use Old jQuery Scripts turn it to On. If this doesn’t fix it try version 1.7.8 coming out hopefully later tonight, and let me know if that fixes it. (12:47 am on August 15, 2012)

  12. SP12 August 14, 2012 at 8:49 am #

    After upgrading today I got these errors in my log (posted at the end)

    I was also unable to get to any of the sites on my network- including the network admin page. It was the only upgrade I did yesterday. It was the only thing I did yesterday. When I deleted the plugin. Everything came back up.

    I then reninstalled it and everything works. The errors in my logs stopped too.

    Over 20 of this message-
    [13-Aug-2012 19:35:36] PHP Fatal error: Call to undefined function sfw_add_default_pwd_style() in /home2/xxxx/public_html/xxxx/wp-content/plugins/spam-free-wordpress/tl-spam-free-wordpress.php on line 130

    I have two multisites and the same thing happened to both sites.

    • Todd Lahman August 14, 2012 at 10:09 am #

      Is the plugin working for you now? (10:09 am on August 14, 2012)

      • SP12 August 14, 2012 at 11:37 am #

        Ya. It was weird. I think that maybe something happened during the upgrade and it got corrupted somehow. It said everything went well, but that is the only thing that makes sense.

  13. Jeff Porter August 14, 2012 at 6:54 am #

    Further to earlier comment, I have noticed, since the plugin has been updated, that the theme is picking up the comments template from the parent theme, not the customised version in my child theme. With SFW switched off, it reverts to picking up the child theme comments template.

    • Todd Lahman August 14, 2012 at 10:10 am #

      Go to Settings >> Spam Free WordPress, and turn off Automatically Generate Comment Form.

      Can you provide a link to your blog with the plugin turned on so I can take a look? (10:10 am on August 14, 2012)

      • Jeff Porter August 15, 2012 at 12:15 am #

        Thanks, Todd.

        I’ve reactivated SFW and turned off automatically generate comment form.

        But the following message appears when anyone tries to leave a comment:
        Spam Free WordPress rejected your comment because you failed a critical security check.

        I tried it myself, and the password field does not display using any of the options provided.

        Here is a link with the plugin reactivated: http://since1964.co/i-will-remember-london-2012/

        Hope that helps.

        • Todd Lahman August 15, 2012 at 12:59 am #

          If you are using Spam Free WordPress 1.7.7 go to Settings > Spam Free WordPress, then under Use Old jQuery Scripts turn it to On. If this doesn’t fix it try version 1.7.8 coming out hopefully later tonight, and let me know if that fixes it. (12:59 am on August 15, 2012)

          • Jeff Porter August 15, 2012 at 4:43 am #

            The first suggestion using 1.7.7 didn’t change anything. But 1.7.8 fixed it.

            Many thanks,

            Jeff

          • Todd Lahman August 15, 2012 at 4:50 am #

            I’m happy to hear it is working now. (4:50 am on August 15, 2012)

  14. Jeff Porter August 14, 2012 at 6:33 am #

    Guess my theme’s broken too. Comments were working fine before the recent updates, but haven’t done since, not even with V. 1.7.7.

    Switching off till I can find a fix.

    since1964.co/i-will-remember-london-2012/

  15. Tracy Ridge August 14, 2012 at 5:47 am #

    The latest versions do not work for me either using a custom child theme of TwentyEleven. I have noticed that when I type into the comment textarea it comes up with request for username and password. I have got my wp-admin folder protected by htaccess. Don’t know if it is anything to do with that. I have tested it on the same theme in a development environment and haven’t had any trouble.

    • Todd Lahman August 14, 2012 at 10:05 am #

      The wp-admin folder should not have any restrictions in the htaccess file, since there is a file in that folder that is used by JavaScript to talk securely to WordPress using AJAX. (10:05 am on August 14, 2012)

  16. Kelly August 13, 2012 at 10:36 pm #

    FYI to the above comments, the upgrade to 1.7.6 broken my theme also. Stopped scripts from working and broken my navigation and slideshow and so I have had to deactivate. I did not have this problem with the previous version.

    • Todd Lahman August 14, 2012 at 12:51 am #

      Try version 1.7.7, and let me know if it works for you. I didn’t see a comment form when I viewed your blog. (12:51 am on August 14, 2012)

  17. B.E.Johnson August 13, 2012 at 12:16 pm #

    Same thing here. Invisible PW throws and error, saying it’s blank. Click for PW shows nothing, button for PW shows nothing. And now, I’m told my theme is “broken” and to fix it. : I’m invoking the standard comment form in WP v3.4.1 with . What could be more compatible than that?

    • B.E.Johnson August 13, 2012 at 12:40 pm #

      Are you kidding me!? Only one version available in SVN? People can’t rollback if you keep deleting all previous versions.

      Further info on 1.7.6 and 1.7.5: the PW field won’t accept input; even if you knew what the PW was – because it no longer displays anywhere. This used to work flawlessly.

    • Todd Lahman August 13, 2012 at 1:15 pm #

      There’s obviously a problem with your theme’s ability to either load the comment form properly, or to load JavaScript properly. The problem can be fixed, but it takes some work. It’s not the plugin, it’s the theme. There are a lot of poorly written themes, unfortunately. http://www.toddlahman.com/spam-free-wordpress-support/

      If you want to test to confirm that your theme is the problem, try switching to Twenty Eleven. If your problem goes away then you know it’s your theme that is causing the problem.

      Previous versions of the plugin are not available prior to 1.7, because spam bot scripts had learned to bypass the plugin security. (1:15 pm on August 13, 2012)

  18. Joe August 13, 2012 at 11:02 am #

    I like the invisible password, as it is 1 less work for commenters …

    Works fine …we will see if it will block spam effectively … it should, I guess :)

  19. Jimmy August 13, 2012 at 8:43 am #

    Testing Plugin – I don’t see a Password box?

    • Todd Lahman August 13, 2012 at 9:29 am #

      The 1.7.6 version installs with an invisible password box, so you’ll need to leave yourself a test comment to be sure it is working. I would try it myself, but you didn’t provide a link to your blog. (9:29 am on August 13, 2012)

  20. Jennifer August 13, 2012 at 6:36 am #

    Also tried making password invisible but error message still coming up when try to send comment

    • Todd Lahman August 13, 2012 at 9:28 am #

      When I visited your blog the plugin was not active. Please activate the plugin so I can try a test comment to see what the error message is. Let me know when I can run the test. (9:28 am on August 13, 2012)

      • jennifer August 13, 2012 at 3:17 pm #

        Thank you for your reply. I re-activated the plugin. I had temporarily turned it off so I would not miss any comments that were not spam.

        • Todd Lahman August 13, 2012 at 5:16 pm #

          It appears your theme is loading an older version of jQuery after WordPress loads the latest version. This is causing a jQuery function the plugin uses to generate the password to stop working because that function was introduced in jQuery 1.7. WordPress uses jQuery 1.72 right now, but your theme is loading jQuery 1.3.2.

          If you would like me to fix your theme please visit http://www.toddlahman.com/spam-free-wordpress-support/

          Your other option would be to install plugin version 1.7.7, which I will be releasing later tonight, that will load different JavaScripts if someone is using an older version of WordPress, or if that person’s theme loads an older version of jQuery as is the case in your situation. (5:16 pm on August 13, 2012)

        • Todd Lahman August 14, 2012 at 1:39 am #

          Try version 1.7.7, and let me know if it works for you. (1:39 am on August 14, 2012)

          • Jennifer August 14, 2012 at 7:10 am #

            I updated to version 1.7.7 and still getting no password or error message when try to send comment.

            If you have another suggestion, please give it to me in layman’s terms as I am only maintaining my site and have little knowledge of set-up. If it is something I can not do, I may be able to get my website designer to help me. Thank you, Todd!

          • Jennifer August 14, 2012 at 10:36 am #

            I deleted the plug-in and reinstalled it. It is working now. Thank you.

          • Todd Lahman August 15, 2012 at 12:40 am #

            I am very happy the plugin is working for you now. (12:40 am on August 15, 2012)

  21. Jennifer August 13, 2012 at 6:26 am #

    Updated plugin and password field still not working. Tried both the clicking button option and field option.

  22. Walter Jeffries August 12, 2012 at 6:26 pm #

    It no longer works. Click password and vanishes text but no password appears. Javascript is on. Cookies are on. Worked fine before upgrades. Turning off.

    • Todd Lahman August 12, 2012 at 7:41 pm #

      It is your theme that is causing the problem. I didn’t realize how many poorly written themes were available until I made this change to the plugin. I will be releasing version 1.7.6 later tonight that will provide the option to have an invisible password, which means no password field has to be clicked. This should eliminate the issues with poorly written themes.

      I appreciate your follow-up Walter, and your patience. (7:41 pm on August 12, 2012)

  23. kathy@katswebdesigns.com August 12, 2012 at 5:19 pm #

    No password area on the leave comment page. I have paid for support.

  24. Barbara August 12, 2012 at 5:17 pm #

    I have the exact same problem – latest version of plugin, WP 3.4.1

    Was working (click showed the password) prior to this upgrade.

    • Sarah August 12, 2012 at 6:23 pm #

      I have the exact same problem. When I just updated the plugin, the “click for password” link doesn’t do anything! Was working before I updated the plugin…

      • Todd Lahman August 12, 2012 at 7:44 pm #

        I will be releasing version 1.7.6 later tonight that will provide the option to have an invisible password, which means no password field has to be clicked. Let me know if the new version fixes your issue. (7:44 pm on August 12, 2012)

    • Todd Lahman August 12, 2012 at 7:43 pm #

      I will be releasing version 1.7.6 later tonight that will provide the option to have an invisible password, which means no password field has to be clicked. Let me know if the new version fixes your issue. (7:43 pm on August 12, 2012)

  25. Jennifer August 12, 2012 at 11:59 am #

    I have installed and activated the plugin. When I am logged out of my admin page and try to leave comment on my blog page, the password field is there but when I click on it, it does not insert a password. If proceed without password, I get error message that need one. Any ideas on how to correct this?

Older Comments
Newer Comments