A film as title sponsor
Now, before anyone complains that the title has been copied - it is. How do I get rid of it - in 10 days? is actually a film. A 2003 comedy starring Kate Hudson. It's a low-rated comedy, but I think it's kind of funny.
Basically, it is identical with the movie Love Vegas, in which Cameron Diaz plays the leading role, only with swapped roles. It has always fascinated me how Hollywood brings and sells the same movie twice. Well, almost. "chick flicks"I hear the first scream. Okay, maybe so, but if your brain just doesn't stop working, always rattles and you can't get down in the evening, then the only thing that helps you is "chick flicks"at least when you're not into drugs and alcohol.
But then I prefer casual comedies with which you relax and with which you slowly drift away because they are so meaningless and dull. But that's not what this is about, so why am I bothering with an introduction like that?
Ten days to get rid of spam
The title fits so well because it is a little bit appropriate to the situation being discussed. It's about spam. With the reactivation of the comment function here on FastWP, the problem with spam is back.
The fight and the search for a solution didn't last for ten days, but somehow the title sounds quite funny and it certainly felt like 10 days. When testing in live operation, it was even more. So don't take it badly that I wanted to name the mail after it.
It should explain in a relaxed way how I myself was looking for a solution, far away from the typical plugins. Well, partly, because in the end, anti-spam measures are always the same, just packed differently. But it was important to me to be effective, to waste as few resources as possible and not to have a lot of different controls running all the time.
Day 1: The usual suspects
Another movie title? Please overlook it, because it fits quite well. My usual suspects are the antispam plugins for WordPress. There are a lot of them. Paid, free, freemium and knows the vulture what else there is.
After activating the comments here on FastWP, a spam protection had to be installed immediately, because it only takes minutes until the first bots come along and leave their fake comments with nasty links. Antispam Bee is my usual suspect in this case, because the plugin has always served me well in the past. That is, since Sergei no longer self-developedIt has certainly changed, but it still filters out spam more or less reliably and works quite effectively.
The only problem with an antispam plugin is that no matter how effective and minimal it is programmed, it is still a rather complex solution for a simple problem. Spam protection eats up resources. Plugins that control and validate all sorts of things demand their performance. As a performance fanatic, I don't like that at all. Also, Antispam Bee has removed the feature that blocked all other language comments.
And even though Sergei has a GEOBlock place at the disposal that might be used in a future release, or the team could simply use a different Translate API, a comprehensive plugin is actually the opposite of what I'm looking for. So the Antispam plugin for WordPress was just a stopgap solution for day one.
Day 2: Good old Captcha
My effective solution for day two was the reCaptcha from Google. This should be known by everyone, works reliably and filters out all spam even at the lowest security level. How you integrate the reCaptcha from Google as an antispam solution in WordPress, I had already explained here.
By the way, this still works perfectly. To make the captcha as easy as possible, you have to choose the lowest security level in the settings at Google. This way many visitors are spared from the extra queries, because it is already clear in advance that they are not robots. So far so good. If it weren't for the privacy issue.
So expand Captcha again. It's Germany and I prefer to play it safe, especially since I don't like Google anyway and they shouldn't get data from my visitors. Besides, Captchas, no matter how convenient and cleverly they are solved, are always a bit annoying for the user, who has to confirm his input additionally. A bit like a classic copy protection, which assumes that all users are potential pirates.
So actually not so awesome. You know the drama. If not, the video below will tell you what's wrong with Captchas.
Day 3: Build a honey trap
We all know the classic honey traps. Too sweet when the bots could walk by and get stuck. But does the old form of the honeypot really still work? In the past, for example, with spam comments it was sufficient to integrate an invisible input field into the comment area of WordPress.
Bots then filled it out automatically and immediately the admin knew that there was no real user behind it, because he wouldn't have seen the field in the first place. But is that still enough today? Probably not, after all bots have become quite smart and spammers, too, of course. An attempt on the third day showed, however, that a lot of spam can already be filtered out by the honeypot. Not all spam, of course, but at least some.
So at the end of the day, few spam comments remained and this also meant that I had to keep looking for a solution. As expected, the normal honey trap was no longer sufficient.
Day 4: I like honey
Now I love simple solutions and honey traps are just that. They don't check IPs, they don't filter long lists, don't search for patterns, or similar elaborate stuff. Honey traps are just there. Whoever walks in is a spammer. It's as simple as that. Done and done. The honey trap from day three showed that the system still works, but not always and not as a hidden input field.
But why not? On the fourth day I wanted to find out exactly that and started playing around. For example, by simply blocking the wp-comments-post.php for direct access by adding a corresponding code to the .htaccess integrated. After all, no one could know whether this would not be enough to filter the remaining spam as well.
Unfortunately not enough, but for day five I already had a new idea, because I had already expected it. But if you don't test, you can never be sure.
Day 5: More honey may help
So on the fifth day we had to think about how to make the honey trap more clever. If spam still gets through, how do I get the darn bots to fill in the stupid field and still fall into the trap? First I moved the field to the top.
Directly via the name field. Maybe they just ignore it because it is an additional field below the form. Bots have become smart, so it was worth a try. But it didn't work. Still the remaining spam came through. Okay, hidden fields are full 90s, let's just make it visible. Do the bots fill it in and then walk into the trap when it's visible?
The fifth day went by, the spam came. Sure, generally far less than at the beginning, but spam was still there. So keep thinking, brooding, just do it better. How do I get the damn bots to actually use the field? How do I trick them without using crazy parameters or checks?
Day 6: I have an idea
On the morning of the sixth day I had the idea. If the bots think it's the official field of WordPress, they have to fill it out, otherwise they can't leave a comment.
Totally logical, actually. So I tweaked the snippet so that the created field resembled exactly the author field of WordPress, i.e. the field where the name must be entered. The only problem is that if it is exactly the same field, the original WordPress field is blocked as spam, because it uses the same parameters. So the original had to be rewritten.
The best way to do this is also automatically via a snippet. So the Author field has been renamed, but the honey trap has been disguised as an official Author field. To make sure it fit, I copied the complete field from WordPress, as I could see on the page in the source code.
So the honey trap was exactly like the original, but the original simply got a different name. Let's wait and see what happens now, I thought in the evening of the sixth day.
Day 7: Unbelievable but true
Well, and that's actually it. Because the honey trap was disguised as an original WordPress field, it was no longer ignored or skipped by the bots, but filled in accordingly.
Since the option "Users must leave name and e-mail address for commenting" was activated in the admin under "Settings -> Discussion", the new field also had to be filled in correctly. A very simple spam protection that seemed to work and didn't let any more spam slip through the filter. Very minimal, but also very effective.
Day 8: No spam for three days
Day eight also showed that my honey trap was quite effective. On day eight there was no spam and that without any IP-checks, pattern recognition, or checking for links or BB-code.
In the further course I played a little bit with the parameters and noticed that the autocomplete function of browsers should be deactivated in the field, because otherwise possibly already existing entries would be inserted automatically into the field, which was camouflaged as official author field, which activated the honey trap and blocked the comment.
In general, it seemed clever to either rewrite the cookie for comments or to disable it completely so that no form data is stored at all. Disabling is easy with Snippet, rewriting would be more suitable for a plugin solution.
This would allow you to continue using the cookie with stored form data, despite the anti-spam trap. After thinking about it, I wanted to know if there are other parameters that make bots recognize the honey trap.
Day 9: All clean on the blog
On the ninth day, it became clear that it is indeed for the most part the "name="author". No matter how much of the original field was copied, without the "name="author" there were always spam comments. Conversely, of course, this also means that all other parameters can be omitted to make the code even leaner and more effective.
After some adjustments, I had the final test version, which should now run for a few days or even weeks to make sure that everything works as desired. Only then I wanted to report here.
Day 10: No special incidents
The honey trap works perfectly. The problem remains that the author field cannot be used in this way. The cookie of WordPress, which fills name, e-mail and URL automatically, only fills e-mail and URL, the name remains empty. For all those who have already commented, this causes confusion.
Turning off the cookie helps, but does not solve the problem. If this would be a plugin, I would have to rewrite the whole thing so that the author field remains the spam trap and WordPress automatically registers that the author field got a new name. Then it would work without problems.
But then it eats up more resources, which is not what I wanted. So on day 10 I changed everything once again and created two visible, but through CSS more or less invisible input fields. One was not allowed to be filled out, the other had to be filled out.
Two fields, as double security against comment spam. I will test all this extensively and present the finished version in a separate article.
How do I get rid of him - in 10 days?
How do I get rid of him - in 10 days? That was the title of this article. Day ten is now over and I have got rid of the spam, it seems at the moment, actually very reliably. With the good old honey trap and a little new-fangled camouflage.
That means only a few lines of code at the end, instead of a fat antispam plugin. But maybe this is also a method that should take the one or other antispam plugin for WordPress to heart. Why not integrate such a filter, why not make it even more extensive or build it more individual?
For a plugin this would be conceivable and more effective than many current mechanisms, especially the idea of using the author field as a camouflage. A few lines of code instead of constant, unnecessary checks should be the big goal for antispam plugins, too. Few lines of code, without any privacy issues or IP addresses and without much detour. And to stick with movie titles and quotes: "I love it when a plan works."