WordPress.org

Ready to get started?Download WordPress

Forums

[closed] [Plugin: WP-SpamFree] Wp_Spamfree blocing legitimate comments (35 posts)

  1. ljmac
    Member
    Posted 5 years ago #

    A few of our readers have complained that their (legitimate) comments are being blocked by WP-Spamfree, and I've seen this myself as well. Could you please make it possible to disable the "human spam" related features? Also, would you be able to make it possible to enable ONLY the contact form? It's the only good spam free contact form, but there's other options for comments.

  2. Jason Kemp
    Member
    Posted 5 years ago #

    I have had several legit comments blocked by WPSpamfreee.

    It generates an error message suggesting that people need JavaScript enabled and cokkies enabled and in both case does a test on the browser of the person submitting comments and says they have both functions enabled but still won't let them post a comment.

    As best as we can tell the browser was Firefox on a PC in one case but unsure about the other one.

  3. ljmac
    Member
    Posted 5 years ago #

    First of all, apologies for the spelling errors in the subject line of my post! Secondly, as it seems the author of WP-Spamfree is unavailable, I've decided to do my own custom contact form (fortunately I have the knowledge to do this), and switch to Cookies for Comments and WP Hashcash. Together, they largely duplicate the automated spam blocking of WP-Spamfree (and also block trackback/pingback spam), without blocking human comments (only moderation can do this without false positives IMHO). And in the unlikely event that these plug-ins generate false positives (so far they seem absolutley bullet proof), they can send them to the moderation queue instead of just blocking them as WP-Spamfree always does (so you can never know if there are false positives, unless you catch it out yourself, or your readers complain).

  4. Jonas Grumby
    Member
    Posted 5 years ago #

    How do you switch to Cookies for Comments? Is that option part of WP Hashcash? Thanks.

  5. moepstar
    Member
    Posted 5 years ago #

    No, they're two seperate plugins. I did the switch too since ever i enabled the plugin (WP-Spamfree) i felt uneasy for not knowing WHAT the plugin actually blocked. That having said, i had to delete a few spams manually since then but you never know which of the legitimate comments would have been blocked.

  6. Jonas Grumby
    Member
    Posted 5 years ago #

    Thanks. What's the name of the "Cookies for Comments" plugin? I tried to search for those three words and got 34 pages of results.

    It's a shame the plugin search is not more targeted.

  7. ljmac
    Member
    Posted 5 years ago #

    Cookies for Comments is here:

    http://ocaoimh.ie/cookies-for-comments/

    WP-HashCash is here:

    http://wordpress-plugins.feifei.us/hashcash/

    Together, they effectively replicate the automated spam blocking of WP-Spamfree, but WITHOUT false positives (WP-HashCash also blocks automated trackback/pingback spam). As long as a human commenter has cookies and JavaScript enabled, they will be able to comment.

    They are also fully compatible with WP-SuperCache (Donncha authored all three plug-ins), and do not require any special modifications to your templates etc. They are also far more compatible with other plug-ins than WP-Spamfree (I had a lot of compatibility issues with WP-Spamfree, but have had none with these two plug-ins).

  8. buddha trance
    Member
    Posted 5 years ago #

    Because of this thread, I have also disabled WP-Spamfree.

    Moepstar makes really a good point about not knowing what the plugin blocked.
    For now, I have enabled WP-Hashcash alone, to test it.

    I am strongly considering using Bad Behavior instead, because of the javascript limitation used also by WP-Hashcash.

    This article about WP-Spamfree on the Bad Behavior plugin site, is quite interesting and explains that using javascript and cookies to prevent spam will block out most mobile browsers as well.

    Maybe Bad Behavior + Akismet are the answer? Will do more reading on this topic before making a choice...

  9. Jason Kemp
    Member
    Posted 5 years ago #

    I'm going to try Bad Behaviour.

    The issue that my user report is that even when JavaScript is enabled they still can't get past it.

    WPSPAMfree does a check and the error message will actually say cookies and JavaScript is enabled / which is supposedly the reason they are being blocked.

    Not sure how it does that test / but it is either a faulty test or an ambiguous error message - either way it cause problems and most people don't have the time or inclination follow-up.

    There is a plugin called simple-trackback-validation which is also very useful here as it works with Akismet.

  10. Jason Kemp
    Member
    Posted 5 years ago #

    Best to use the
    official hashcash link for downloads.

    Knowing what has been blocked is very useful. I use also use super cache so that is good to know about.

  11. ljmac
    Member
    Posted 5 years ago #

    The issue with WP-Spamfree is not due to its use of JavaScript as such, but due to its complexity - particularly the algorithmic layer, which is what results in false positives. WP-Hashcash is much simpler - if the user has JavaScript enabled, it will work. It also has the same functionality as simple-trackback-validation to block malicious trackbacks/pingbacks.

    Of course, the greater simplicity in theory means it could let more spam through than WP-Spamfree, but in combination with Cookies for Comments, you have two layers of protection, which no bot will get through. And there really don't seem to be ANY false positives (and even if there were, you can set it to moderate anyway). Even better, if the user has JavaScript disabled, Hashcash gives them a warning BEFORE they post.

    Regarding Bad Behaviour, it requires modifications to WP-SuperCache (which makes me uncomfortable) and it does have the occasional false positive (which makes me even more uncomfortable). It is algorithmic, so in theory it has the same succeptibility to false postives as WP-Spamfree does (if not more so).

  12. buddha trance
    Member
    Posted 5 years ago #

    I have tested having both WP-Hashcash and Bad Behavior enabled.

    While I don't know what Bad Behavior has been doing in the background, I have to say that I really like WP-Hashcash, and the fact that is sends potential spam in moderation. At least, I had a sign of life from this plugin, it works!

    In theory, I like the idea that Bad Behavior stops most bots at the gate, so you save on bandwidth (which you are paying for). This is not just preventing bots from posting a comment, but from reading your site in the first place.

    Now, one has to trust that this plugin is extremely reliable with the "good" bots, or else goodbye site ranking.. Because it acts in the background, how does one know for sure?

    The issue of the mobile browsers is there, but it's not the deal breaker at this stage. Mobile browsers may change the way they handle javascript and cookies in the future (which is what analytics and stats use anyway...)

    With that said, ljmac has a point, so I will now try enabling Cookies for Comments, in combination with WP-Hashcash.

    Edit: In all fairness to Bad Behavior, there are logs that can be accessed through phpMyAdmin.

  13. ljmac
    Member
    Posted 5 years ago #

    I think the best way to block bad bots at the door without blocking good ones is AskApache Password Protect, which I also use. It uses tried and tested mod_rewrite rules to block bad bots, without blocking legitimate users (some modules have the potential to do this, but you can switch them on and off as you see fit). Indeed, it is so effective that so far no spam has gotten past it on my site at all (Cookies for Comments and WP Hashcash are actually just backup measures, which haven't been required so far).

    HOWEVER, this plug-in does some serious stuff that could completely break your site - if you don't know your way around .htaccess on your server, then it's best to stear clear of it I think.

  14. buddha trance
    Member
    Posted 5 years ago #

    I have tried AskApache Password Protect first thing, and when it ran the tests, it said I couldn't use the plugin at this time. Some tests failed. I will look into it further, and see if there are settings I can change, or if the server won't allow this plugin to work.

    So far, Cookies for Comments and WP Hashcash are doing a great job at sending spam comments into moderation, at least. But it would be nice to stop the bad bots at the door.

  15. ljmac
    Member
    Posted 5 years ago #

    The reasons the tests are failing are probably due to permissions and such - as I said, using Ask Apache requires a fair bit of technical knowledge (and server access) unfortunately. If you do get it working, do NOT enable the following modules:

    Protect WP-Content (breaks many plug-ins)

    Specify Characters (this will break your site depending on what permalinks you use, such as the most popular date based format)

    I also recommend not enabling the Forbid Proxies module, as it will prevent a small percentage of legitimate users from posting. The rest appear to be safe to use in my testing.

    Also, if you use permalinks and/or WP-SuperCache (or any custom .htaccess rules), I recommend re-setting their .htaccess rules AFTER setting up Ask Apache, as it may erase other directives in your .htaccess file during installation. As I said, this plug-in is pretty dangerous, so you really need to know what you're doing!

  16. ljmac
    Member
    Posted 5 years ago #

    Oh yes - one other way to block spam at the door is to use Donncha's .htaccess rules for Cookies for Comments:

    For the adventurous, add these lines to your .htaccess and it will block spam attempts before they ever get to WordPress. Replace the Xs with the cookie that was set in your browser after viewing your blog. Make sure the lines go above the standard WordPress rules.

    RewriteCond %{HTTP_COOKIE} !^.*XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.*$
    RewriteRule ^wp-comments-post.php - [F,L]

    However, this means that any users without cookies enabled will get their comments deleted without any warning whatsoever. Also, I personally have not been able to get this working on my server, and I still don't know why (perhaps it is a conflict with Ask Apache's .htaccess rules).

  17. buddha trance
    Member
    Posted 5 years ago #

    @ljmac

    Thank you for all the advice!

    I do have full server access, so it's just a matter of knowing what I am doing with AskApache and server settings. I will keep what you say in mind.

    I could also try to see if it works on my local copy of wordpress (installed for backup and testing purposes), though I'd imagine that a local server is different than a regular host.

    I remember reading about Donncha's access rules, and decided not to implement it for the reason you state above. I'd rather moderate spam, then having legitimate users blocked out.

  18. ljmac
    Member
    Posted 5 years ago #

    I have to add a crucial new piece of information here: I am now using Bad Behavior as well! I did this because some hacker hit my database so hard that it got knocked out. Looking at my logs, it appears as though they had some kind of exploit specifically tuned to WordPress blogs - I must have gotten over a hundred queries per second, which naturally sent MySQL haywire. So far, since installing Bad Behavior it hasn't happened again. Also, it keeps very good logs of everything it does, and there don't appear to be any false positives either. Having to modify WP-SuperCache is annoying, but not too difficult - I wish Donncha would add it to his code!

  19. error
    Member
    Posted 5 years ago #

    Bad Behavior doesn't strictly require the modification to WP-Super Cache in order to operate. However, without the modification, email harvesters and content scrapers cannot be blocked from cached pages. Since cached pages (different from super cached pages) are usually generated only for HTTP clients which have cookies, and most bots don't, this has minimal impact, especially in light of the following: Bad Behavior cannot protect super cached pages regardless, since they are delivered to the HTTP client by web server rewrite rules, bypassing WordPress completely.

    In any case, it could be added to WP-Super Cache; the modification is designed to do nothing if Bad Behavior is not installed.

  20. monkeyfight
    Member
    Posted 5 years ago #

    This plug-in unfortunately blocked all comments, including my own, from my blog. IT in fact broke the whole comment functionality. It's a shame as it's a great idea and I'll keep checking it if it's upgraded to see if ti works because it definitely blocks spammers - it just blocks everyone else too. Try it though, it might work for you.

  21. ismycraft
    Member
    Posted 5 years ago #

    I had this problem after editing header.php. I had removed the following line:
    <?php wp_head(); ?>

    When I put this line back WP-SpamFree worked correctly again.

  22. erick_paper
    Member
    Posted 5 years ago #

    Wp-SpamFree although its developer is unreachable still remains the best of all the drivel mentioned here. Why should all my commenters have JS enabled? Useless. And no, WP-SpamFree does not block mobile phones. I also use MobilePress. All phones can see my website just fine.

    BadBehavior and others like Defensio etc are server based. Not kosher.

  23. ljmac
    Member
    Posted 5 years ago #

    All your commenters DO need to have JS enabled for WP-Spamfree to work!

    And none of these other solutions create any more problems for mobile phones than WP-Spamfree either, as they basically use the same methods (apart from Bad Behavior, which is actually MORE mobile compatible!).

  24. ljmac
    Member
    Posted 5 years ago #

    [EDIT] Apologies for double post.

  25. WebGeek
    Member
    Posted 5 years ago #

    If you are having a malfunction, please review the Troubleshooting Guide or submit a Support Request as noted in the plugin documentation.

  26. Jonas Grumby
    Member
    Posted 5 years ago #

    I have found that WP Hashcash creates false positives. But, since I have it set to move the comments to my Akismet queue, they automatically are moved to Spam, from whence I can rescue them.

    Today someone I've known practically my whole life posted a comment and WP Hashcash said it "returned a value of zero, which is not a WP Hashcash value". I know that she does not have JavaScript turned off because I developed her web site, which uses JavaScript for rollovers. So, something's not quite right there...

  27. WebGeek
    Member
    Posted 5 years ago #

    @SS_Minnow:

    This thread is thread is for WP-SpamFree, not WP Hashcash. Please look at your plugin's documentation and post a support request in the appropriate location.

    If you are having an issue with WP-SpamFree, please review the Troubleshooting Guide or submit a Support Request as noted in the plugin documentation.

  28. Jonas Grumby
    Member
    Posted 5 years ago #

    So far WP Hashcash has blocked EVERY comment that has been made, including two from people I know, and one from ME (and I know I have JavaScript enabled). Good thing I have it set to move the posts to my Akismet queue rather than just deleting them.

    I'm starting to think that this plugin doesn't really work. I may have to ditch it and try Cookies for Comments or one of the CAPTCHA plugins instead.

  29. WebGeek
    Member
    Posted 5 years ago #

    @SS_Minnow:

    Again, this is not the thread for WP Hashcash.

    Please post your concerns on the appropriate thread. The plugins page for WP Hashcash is: http://wordpress.org/extend/plugins/wp-hashcash/

  30. Jonas Grumby
    Member
    Posted 5 years ago #

    Yeah well, it sure seems like people are discussing WP Hashcash within this thread. So, maybe you are wrong. I'm not looking for the WP Hashcash plugins page, but thanks.

Topic Closed

This topic has been closed to new replies.

About this Topic