The search for an antispam solution

With the reactivation of the comments here on FastWP, the question of what I can do against spam recently came up again. There is now a wide range of antispam plugins and services available to fight spam comments. They reliably filter out all spam and only let legitimate comments through to the blog. In my article "How do I get rid of it - in 10 days?" I wrote about exactly this topic and about the problem that antispam plugins are often too complex for me. So I spent more than 10 days searching for a clever, smart solution that would be as minimal as possible.

A honey trap that sticks and tastes

In the end the result was a classic honeypot: a honey trap that bots have to fall into when they try to fill out the comment form correctly. The idea behind it: not just to add an invisible field (as usual), but to pretend that the honeypot is a required field, as if the trap were the original WordPress field itself. Unfortunately this caused problems with WordPress, because the comment cookie saves the entered data and fills in the fields automatically.

It is possible to work around this, but making that usable is more an idea for the big antispam plugins than for a minimal solution like the one I was aiming for. So I rethought the approach and built a double trap: two fields, one of which has to be filled out, while the other must not have any content at all. This has been working perfectly for several days now and does not let any spam through.

Antispam Snippet for WordPress

The snippet, which you have to add to the functions.php of your theme, automatically creates the two necessary input fields below the comment form. It is important that both are theoretically visible and are only hidden via CSS, not completely hidden. Bots have become clever and now recognize hidden fields very well. To achieve a spam detection rate of 99 percent, both fields must be output below the form, fully visible but hidden by hand.

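// Trap 1: the field 'a' must stay empty. preprocess_comment is a filter,
// so the callback has to return the comment data.
add_filter('preprocess_comment', 'preprocess_new_comment');

function preprocess_new_comment($comment_data)
{
	// A filled field 'a' means the form was filled in automatically.
	if (!empty($_POST['a'])) {
		die('no spam!');
	}

	return $comment_data;
}

add_action('comment_form_after_fields', 'catcher');

function catcher()
{
	// Prints the markup of the trap field 'a' (markup not shown here).
	echo '';
}

// Trap 2: the field 'b' must arrive with a value.
add_filter('preprocess_comment', 'preprocess_new_comment_two');

function preprocess_new_comment_two($comment_data)
{
	// An empty field 'b' means the JavaScript that fills it never ran.
	if (empty($_POST['b'])) {
		die('no spam!');
	}

	return $comment_data;
}

add_action('comment_form_after_fields', 'catcher_two');

function catcher_two()
{
	// Prints the markup of the trap field 'b' (markup not shown here).
	echo '';
}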

Now both fields are available in the WordPress comment form and marked accordingly. The first one serves as a classic honey trap for spambots that fill out forms automatically and must not be filled out under any circumstances. The other one serves as a safeguard: it starts out empty but must be filled in. No matter what the bot does, whether it fills in everything or nothing, it falls into one of the two traps and is blocked. The highlight of the second field is a tiny line of JavaScript, which automatically fills the field when the page is loaded. Spambots, however, usually do not understand JavaScript and above all do not execute it, so the field remains empty. The script, which you can insert at the bottom of your page, will look like this.
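As an added example (not the author's snippet or script), here is one complete version of the double trap described above: both fields, a footer script that fills `b`, and a single check. The `fwp_` function names, the off-screen CSS and the fixed value `human` are assumptions; the check also skips logged-in users, trackbacks and pingbacks, because `comment_form_after_fields` only prints the fields for logged-out visitors.

```php
<?php
// Added example, not the author's code. Field names 'a' and 'b' come from the
// article; the fwp_ names, the CSS and the value 'human' are assumptions.

// Print both trap fields after the name/e-mail fields (logged-out visitors only).
add_action('comment_form_after_fields', 'fwp_trap_fields');
function fwp_trap_fields()
{
	// Moved off-screen with CSS rather than type="hidden" or display:none.
	echo '<p style="position:absolute;left:-9999px" aria-hidden="true">'
		. '<label for="fwp-a">Leave this field empty</label>'
		. '<input type="text" id="fwp-a" name="a" value="" tabindex="-1" autocomplete="off">'
		. '<input type="text" id="fwp-b" name="b" value="" tabindex="-1" autocomplete="off">'
		. '</p>';
}

// Fill field 'b' in the browser; clients that run no JavaScript leave it empty.
add_action('wp_footer', 'fwp_trap_script');
function fwp_trap_script()
{
	if (!is_singular() || !comments_open()) {
		return;
	}
	echo '<script>(function(){var f=document.getElementById("fwp-b");'
		. 'if(f){f.value="human";}})();</script>';
}

// Reject the comment when either trap was triggered.
add_filter('preprocess_comment', 'fwp_trap_check');
function fwp_trap_check($comment_data)
{
	// Logged-in users, trackbacks and pingbacks never receive the trap fields.
	$type = isset($comment_data['comment_type']) ? $comment_data['comment_type'] : '';
	if (is_user_logged_in() || in_array($type, array('trackback', 'pingback'), true)) {
		return $comment_data;
	}

	// Strict comparison also rejects array values such as a[]=x.
	$a = isset($_POST['a']) ? $_POST['a'] : '';
	$b = isset($_POST['b']) ? $_POST['b'] : '';
	if ($a !== '' || $b !== 'human') {
		wp_die('no spam!', 'Comment blocked', array('response' => 403, 'back_link' => true));
	}

	return $comment_data;
}
```

Visitors who have JavaScript disabled are rejected by the `b` check as well, which is inherent in the double-trap design.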


Reliable but simple spam protection

This type of antispam trap is not only very simple in construction, it also works very well. Because bots usually ignore all additional fields and don't fill them in (that's why the author field in the Trial as well), the spambot must inevitably fall into one of the traps. And even if spambots get smarter, or target this blog specifically, I could still refine this antispam solution. For example, by inserting randomly generated words, or by using timestamps that are automatically inserted as soon as the comment is sent.

Directly as a query, within the URL. Many things are conceivable to extend this actually extremely simple method even further and make it more secure. But what for? Because of its WordPress topic, FastWP has from the beginning received much more spam than any of my other WordPress blogs. This double antispam trap filters everything out reliably, and since it was finally implemented here about a week ago, it has done its job perfectly and hasn't let a single spam comment through.

About Christian

My name is Christian and I am co-founder of the platform fastWP. Here in the magazine I am responsible for the more "technical" topics but I like to write about SEO, which has been my passion for over 10 years now.

1 thought on “Antispamfalle ohne Plugin”

  1. Hello, Christian,

    this combination of PHP and Java no longer works in this form. At least the comments will not be allowed. Here seems to have been a change, the function "break
