I have had several legit comments blocked by WPSpamfreee.
It generates an error message suggesting that people need JavaScript enabled and cokkies enabled and in both case does a test on the browser of the person submitting comments and says they have both functions enabled but still won’t let them post a comment.
As best as we can tell the browser was Firefox on a PC in one case but unsure about the other one.
Thread Starter
ljmac
(@ljmac)
First of all, apologies for the spelling errors in the subject line of my post! Secondly, as it seems the author of WP-Spamfree is unavailable, I’ve decided to do my own custom contact form (fortunately I have the knowledge to do this), and switch to Cookies for Comments and WP Hashcash. Together, they largely duplicate the automated spam blocking of WP-Spamfree (and also block trackback/pingback spam), without blocking human comments (only moderation can do this without false positives IMHO). And in the unlikely event that these plug-ins generate false positives (so far they seem absolutley bullet proof), they can send them to the moderation queue instead of just blocking them as WP-Spamfree always does (so you can never know if there are false positives, unless you catch it out yourself, or your readers complain).
How do you switch to Cookies for Comments? Is that option part of WP Hashcash? Thanks.
No, they’re two seperate plugins. I did the switch too since ever i enabled the plugin (WP-Spamfree) i felt uneasy for not knowing WHAT the plugin actually blocked. That having said, i had to delete a few spams manually since then but you never know which of the legitimate comments would have been blocked.
Thanks. What’s the name of the “Cookies for Comments” plugin? I tried to search for those three words and got 34 pages of results.
It’s a shame the plugin search is not more targeted.
Thread Starter
ljmac
(@ljmac)
Cookies for Comments is here:
http://ocaoimh.ie/cookies-for-comments/
WP-HashCash is here:
http://wordpress-plugins.feifei.us/hashcash/
Together, they effectively replicate the automated spam blocking of WP-Spamfree, but WITHOUT false positives (WP-HashCash also blocks automated trackback/pingback spam). As long as a human commenter has cookies and JavaScript enabled, they will be able to comment.
They are also fully compatible with WP-SuperCache (Donncha authored all three plug-ins), and do not require any special modifications to your templates etc. They are also far more compatible with other plug-ins than WP-Spamfree (I had a lot of compatibility issues with WP-Spamfree, but have had none with these two plug-ins).
Because of this thread, I have also disabled WP-Spamfree.
Moepstar makes really a good point about not knowing what the plugin blocked.
For now, I have enabled WP-Hashcash alone, to test it.
I am strongly considering using Bad Behavior instead, because of the javascript limitation used also by WP-Hashcash.
This article about WP-Spamfree on the Bad Behavior plugin site, is quite interesting and explains that using javascript and cookies to prevent spam will block out most mobile browsers as well.
Maybe Bad Behavior + Akismet are the answer? Will do more reading on this topic before making a choice…
I’m going to try Bad Behaviour.
The issue that my user report is that even when JavaScript is enabled they still can’t get past it.
WPSPAMfree does a check and the error message will actually say cookies and JavaScript is enabled / which is supposedly the reason they are being blocked.
Not sure how it does that test / but it is either a faulty test or an ambiguous error message – either way it cause problems and most people don’t have the time or inclination follow-up.
There is a plugin called simple-trackback-validation which is also very useful here as it works with Akismet.
Best to use the
official hashcash link for downloads.
Knowing what has been blocked is very useful. I use also use super cache so that is good to know about.
Thread Starter
ljmac
(@ljmac)
The issue with WP-Spamfree is not due to its use of JavaScript as such, but due to its complexity – particularly the algorithmic layer, which is what results in false positives. WP-Hashcash is much simpler – if the user has JavaScript enabled, it will work. It also has the same functionality as simple-trackback-validation to block malicious trackbacks/pingbacks.
Of course, the greater simplicity in theory means it could let more spam through than WP-Spamfree, but in combination with Cookies for Comments, you have two layers of protection, which no bot will get through. And there really don’t seem to be ANY false positives (and even if there were, you can set it to moderate anyway). Even better, if the user has JavaScript disabled, Hashcash gives them a warning BEFORE they post.
Regarding Bad Behaviour, it requires modifications to WP-SuperCache (which makes me uncomfortable) and it does have the occasional false positive (which makes me even more uncomfortable). It is algorithmic, so in theory it has the same succeptibility to false postives as WP-Spamfree does (if not more so).
I have tested having both WP-Hashcash and Bad Behavior enabled.
While I don’t know what Bad Behavior has been doing in the background, I have to say that I really like WP-Hashcash, and the fact that is sends potential spam in moderation. At least, I had a sign of life from this plugin, it works!
In theory, I like the idea that Bad Behavior stops most bots at the gate, so you save on bandwidth (which you are paying for). This is not just preventing bots from posting a comment, but from reading your site in the first place.
Now, one has to trust that this plugin is extremely reliable with the “good” bots, or else goodbye site ranking.. Because it acts in the background, how does one know for sure?
The issue of the mobile browsers is there, but it’s not the deal breaker at this stage. Mobile browsers may change the way they handle javascript and cookies in the future (which is what analytics and stats use anyway…)
With that said, ljmac has a point, so I will now try enabling Cookies for Comments, in combination with WP-Hashcash.
Edit: In all fairness to Bad Behavior, there are logs that can be accessed through phpMyAdmin.
Thread Starter
ljmac
(@ljmac)
I think the best way to block bad bots at the door without blocking good ones is AskApache Password Protect, which I also use. It uses tried and tested mod_rewrite rules to block bad bots, without blocking legitimate users (some modules have the potential to do this, but you can switch them on and off as you see fit). Indeed, it is so effective that so far no spam has gotten past it on my site at all (Cookies for Comments and WP Hashcash are actually just backup measures, which haven’t been required so far).
HOWEVER, this plug-in does some serious stuff that could completely break your site – if you don’t know your way around .htaccess on your server, then it’s best to stear clear of it I think.
I have tried AskApache Password Protect first thing, and when it ran the tests, it said I couldn’t use the plugin at this time. Some tests failed. I will look into it further, and see if there are settings I can change, or if the server won’t allow this plugin to work.
So far, Cookies for Comments and WP Hashcash are doing a great job at sending spam comments into moderation, at least. But it would be nice to stop the bad bots at the door.
Thread Starter
ljmac
(@ljmac)
The reasons the tests are failing are probably due to permissions and such – as I said, using Ask Apache requires a fair bit of technical knowledge (and server access) unfortunately. If you do get it working, do NOT enable the following modules:
Protect WP-Content (breaks many plug-ins)
Specify Characters (this will break your site depending on what permalinks you use, such as the most popular date based format)
I also recommend not enabling the Forbid Proxies module, as it will prevent a small percentage of legitimate users from posting. The rest appear to be safe to use in my testing.
Also, if you use permalinks and/or WP-SuperCache (or any custom .htaccess rules), I recommend re-setting their .htaccess rules AFTER setting up Ask Apache, as it may erase other directives in your .htaccess file during installation. As I said, this plug-in is pretty dangerous, so you really need to know what you’re doing!
Thread Starter
ljmac
(@ljmac)
Oh yes – one other way to block spam at the door is to use Donncha’s .htaccess rules for Cookies for Comments:
For the adventurous, add these lines to your .htaccess and it will block spam attempts before they ever get to WordPress. Replace the Xs with the cookie that was set in your browser after viewing your blog. Make sure the lines go above the standard WordPress rules.
RewriteCond %{HTTP_COOKIE} !^.*XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.*$
RewriteRule ^wp-comments-post.php - [F,L]
However, this means that any users without cookies enabled will get their comments deleted without any warning whatsoever. Also, I personally have not been able to get this working on my server, and I still don’t know why (perhaps it is a conflict with Ask Apache’s .htaccess rules).
