Suggestion for addressing comment spam: randomize comment input names (7 posts)

  1. anupshah
    Member
    Posted 7 years ago #

    Hi, I am a bit new to WordPress and just started a blog, but even then I have received a lot of spam (moderated so they never show up).

    I know I can use anti-spam plugins etc, but I imagine that spam robots know about WordPress and therefore know what HTTP Posts to construct because they know the name of the input fields.

    How about randomizing the input names somewhat? Of course, you can't use anything predictable like the domain name or the time because robots can pick that up.

    However, what if

    • You provided a configuration option for blog owners to enter some special key name, maybe encourage special characters like $, etc.
    • Then, your code uses this to somehow create random names for form controls, such that the HTML generates those

    (WordPress would need some new tags so that theme files can get those names in their comments HTML.)

    When comments are posted, the WordPress PHP code can then recalculate the expected field names and request their content.

    This would make it a LOT harder for spam robots to automatically create tons of spam posts for so many WordPress users. They would have to visit and understand each particular blog. (So the problem doesn't go away, but does get minimized.)

    I have done this for another site that gets about 15 million page views a year (not WordPress; custom code), and not had an instance of spam comments.
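
The scheme proposed in the post above, sketched as an added example (not part of the original post and not WordPress code): each field name is an HMAC of a logical name under an owner-chosen secret, and the handler recomputes the names on submit. `SITE_KEY`, `field_name()`, `render_form()` and `read_comment()` are hypothetical names; the stock names `author`, `email`, `url` and `comment` are the default WordPress comment fields, and a POST that still uses them is treated as coming from a client that never read this site's form.

```php
<?php
// Added example. SITE_KEY is a placeholder for the owner-chosen secret.
const SITE_KEY = 'replace-with-owner-chosen-secret';
const LOGICAL_FIELDS = ['author', 'email', 'url', 'comment'];

// Map a logical field to its per-site name; the leading letter keeps it a valid name token.
function field_name(string $logical, string $key = SITE_KEY): string
{
    return 'f' . substr(hash_hmac('sha256', 'comment-field:' . $logical, $key), 0, 16);
}

// Stand-in for the template tag a theme would call instead of hard-coding name="comment".
function render_form(): string
{
    $html = '<form method="post">' . "\n";
    foreach (LOGICAL_FIELDS as $f) {
        $html .= sprintf('  <input name="%s">', htmlspecialchars(field_name($f), ENT_QUOTES)) . "\n";
    }
    return $html . "</form>\n";
}

// Recompute the names on submit. Returns logical => value, or null to reject.
function read_comment(array $post): ?array
{
    foreach (LOGICAL_FIELDS as $f) {
        if (array_key_exists($f, $post)) {
            return null; // stock field name present: submitter did not read this form
        }
    }
    $out = [];
    foreach (LOGICAL_FIELDS as $f) {
        $v = $post[field_name($f)] ?? '';
        $out[$f] = is_string($v) ? trim($v) : ''; // ignore array-valued parameters
    }
    return $out['comment'] === '' ? null : $out;
}

// Constructed sample submissions.
$reader = [field_name('author') => 'Ann', field_name('comment') => 'Nice post'];
$blind  = ['author' => 'x', 'email' => 'x@example.invalid', 'comment' => 'spam text'];

echo render_form();
var_dump(read_comment($reader));
var_dump(read_comment($blind));
```

Because the names depend only on the secret, they are the same on every page load; a client that fetches the form once can reuse them until the owner changes the key.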

  2. whooami
    Member
    Posted 7 years ago #

    It's a nifty idea, but not unique.

    I can tell you from experience that it doesn't work.. not forever, at least. I don't use ANY of the default fields, and never have, and while I don't change them often enough, I do see hits to those fields -- 99.999999% of spam to my site is stopped by mod_security though (I just read the logs, so I know what's getting caught)

    A similar plugin was written for b2evolution a while back, and while it helped (for a bit), it didn't alleviate everything.

    A much better solution, if you want to go that route, is to use a JavaScript solution, whether within that context or another. The reason is simple: verrry few bots read js.

  3. mrmist
    Forum Janitor
    Posted 7 years ago #

    I got halfway through writing a one-time-key script for comments/feedback when my blog was on Movable Type. Didn't finish it because I switched over and Akismet / bad behaviour kills most of my spam now.

    Anyway the premise of that one was to generate a key for each form page, based on reader IP + time. The end (processing) form then destroys that key after it is used (or if it has expired). The reason this is a benefit is because a lot of spambots just directly submit the post output, either without reading the calling page or only reading it once. The one-time key prevents multiple submissions with the same / similar info.

    Again, though, not flawless by any means, and possibly overkill for stuff that can be done much more simply in WP.
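
The one-time key described in the post above, as an added example (not the poster's unfinished script): a key is derived from reader IP + time, stored when the form page is rendered, and destroyed on first use or expiry. `SERVER_SECRET`, `KEY_TTL`, the function names and the in-memory `$store` array (standing in for a database table) are assumptions, and the random nonce is an addition so that two forms served to one IP in the same second get different keys.

```php
<?php
// Added example. SERVER_SECRET and KEY_TTL are placeholder values.
const SERVER_SECRET = 'replace-with-server-side-secret';
const KEY_TTL = 900; // seconds a key stays valid

// Called when the form page is rendered; the key goes into a hidden input.
function issue_key(array &$store, string $ip, int $now): string
{
    $nonce = bin2hex(random_bytes(8));
    $key = hash_hmac('sha256', "$ip|$now|$nonce", SERVER_SECRET);
    $store[$key] = ['ip' => $ip, 'expires' => $now + KEY_TTL];
    return $key;
}

// Called by the processing script. The key is destroyed on first sight,
// so a replayed or re-posted form fails even with otherwise valid fields.
function redeem_key(array &$store, string $key, string $ip, int $now): bool
{
    if (!isset($store[$key])) {
        return false; // never issued, already used, or purged
    }
    $entry = $store[$key];
    unset($store[$key]);
    // Binding to the IP rejects readers whose address changes between
    // loading the form and posting it (some proxies, mobile networks).
    return $now <= $entry['expires'] && hash_equals($entry['ip'], $ip);
}

// Housekeeping for keys that were issued but never submitted.
function purge_expired(array &$store, int $now): int
{
    $before = count($store);
    $store = array_filter($store, fn(array $e): bool => $e['expires'] >= $now);
    return $before - count($store);
}

// Constructed walk-through with documentation-range addresses.
$store = [];
$t0 = 1700000000;
$k1 = issue_key($store, '203.0.113.7', $t0);
var_dump(redeem_key($store, $k1, '203.0.113.7', $t0 + 30)); // first submission
var_dump(redeem_key($store, $k1, '203.0.113.7', $t0 + 31)); // replay of the same key
$k2 = issue_key($store, '203.0.113.7', $t0);
var_dump(redeem_key($store, $k2, '198.51.100.9', $t0 + 5)); // key posted from another IP
$k3 = issue_key($store, '203.0.113.7', $t0);
var_dump(purge_expired($store, $t0 + KEY_TTL + 1));         // unused key aged out
```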

  4. whooami
    Member
    Posted 7 years ago #

    yes, sounds very similar to the hardened trackback plugin that a pivot guy wrote for WP -- that's a wonderful plugin btw.. you click a link, and it generates a random key that can only be used once, and expires if not used.

    I used that plugin for quite a while

  5. anupshah
    Member
    Posted 7 years ago #

    whooami, thanks for your input. Interesting you have not found it to work for you; I have found it has worked for me quite well, for a site that gets 15 million page views a year. Maybe there are other factors I have not considered (the type of validation done on the forms -- maybe my site has more than a typical blog). That site has been around 9 years, whereas a site I have started using WordPress for has only been around 9 weeks and I have already got more spam to it than the other site!

    The JS solution is something I have considered, but from an accessibility perspective (W3C's WAI Priority 1 guidelines require features not be dependent on JS) that is not really acceptable for me. There are other approaches (captchas, with some accessibility hooks etc), but these all pose barriers to the user (some are very simple barriers, to be fair, though).

  6. whooami
    Member
    Posted 7 years ago #

    15 million page views a year

    yah, you said that before.

  7. anupshah
    Member
    Posted 7 years ago #

    Whooami: Sorry -- not trying to boast or whatever; don't get me wrong! Just making the point that I do have a popular site and this technique seems to have worked.

    Anyway, I probably have other circumstances that are different... I am a bit hesitant to edit my copy of WordPress because the next time an upgrade occurs, I will lose those changes, likely... Maybe I will run with it for a few days, see what happens and report back here...

This topic has been closed to new replies.
