Plugin Reviews

Stop Spammers Spam Prevention

Aggressive anti-spam plugin that eliminates comment spam, trackback spam, contact form spam and registration spam. Protects against malicious attacks.

140 reviews
Average Rating
4.7 out of 5 stars
questions about threat scan
By , for WP 4.4.2


I have had spammer registrations on our blog and think I have blocked them thanks to Wordfence

In the scan below I have xxxd my database name
and in the threat scan some of the scan is in red

It says please investigate these errors...how do I do this?

thank you


Zerif lite wordpress theme

Scanning Themes and Plugins for eval

    1931: * define('LOGGED_IN_KEY', '|i|Ux
9<p-h$aFf(qnT:sDO:D1P^wZ$$/Ra@miTJi9G;ddp_<q}6H1)o|a +&JCM');
368: $value = base64_decode($this->_currentTagContents);
58: if ( false !== ( $decompressed = @gzinflate( $compressed ) ) )
61: if ( false !== ( $decompressed = self::compatible_gzinflate( $compressed ) ) )
64: if ( false !== ( $decompressed = @gzuncompress( $compressed ) ) )
80: * Certain Servers will return deflated data with headers which PHP's gzinflate()
82: * various snippets on the gzinflate() PHP documentation.
91: * @link http://au2.php.net/manual/en/function.gzinflate.php#70875
92: * @link http://au2.php.net/manual/en/function.gzinflate.php#77336
99: public static function compatible_gzinflate($gzData) {
101: // Compressed data might contain a full header, if so strip it for gzinflate().
117: $decompressed = @gzinflate( substr($gzData, $i, -8) );
123: $decompressed = @gzinflate( substr($gzData, 2) );
153: if ( function_exists( 'gzinflate' ) )
156: if ( function_exists( 'gzuncompress' ) )
168: * @param array $type Encoding types allowed. Accepts 'gzinflate',
169: * 'gzuncompress', 'gzdecode'.
226: return ( function_exists('gzuncompress') || function_exists('gzdeflate') || function_exists('gzinflate') );
226: return ( function_exists('gzuncompress') || function_exists('gzdeflate') || function_exists('gzinflate') );
170: $key = pack($pack, $algo($key));
177: $hmac = $algo($opad . pack($pack, $algo($ipad . $data)));
267: if ( doubleval( $bytes ) >= $mag ) {
309: $quote_pattern = "/$needle(?=\\Z|[.,:;!?)}\\-\\]]|>|" . $spaces . ")/";
446: $challenge = base64_decode(substr($this->last_reply, 4));
62: $buf .= base64_decode($util->GetRandom($bytes, 0));
678: $flac->setStringMode(base64_decode($ThisFileInfo_ogg_comments_raw[$i]['value']));
685: $data = base64_decode($ThisFileInfo_ogg_comments_raw[$i]['value']);
3232: $data = base64_decode($data);
5663: $data = json_decode( base64_decode( stripslashes( $_GET['data'] ) ) );
43: $js_embed = '<script type="text/javascript">var host = (("https:" == document.location.protocol) ? "https://secure." : "http://");document.write(unescape("%3Cscript src=\'" + host + "wufoo.com/scripts/embed/form.js\' type=\'text/javascript\'%3E%3C/script%3E"));</script>';
1651: $out = $this->$fname($op, $left, $right);
83: return $f( $number );
408: $class=new $file();
238: 'longMsg' => "This file is a PHP executable file and contains the word 'eval' (without quotes) and the word '" . esc_html($badStringFound) . "' (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans.",
82: $this->queryWrite("alter table $table add KEY $keyName($col)");
144: return $this->$key();
137: $object = new $clazz();
395: return base64_decode(str_replace(array('-', '_'), array('+', '/'), $s));

Possible problems found!

These are warnings, only. Some content and plugins might not be malicious, but still contain one or more of these indicators. Please investigate all indications of problems. The plugin may err on the side of caution.

Although there are legitimate reasons for using the eval function, and javascript uses it frequently, finding eval in PHP code is in the very least bad practice, and the worst is used to hide malicious code. If eval() comes up in a scan, try to get rid of it.

Your code could contain 'eval', or 'document.write(unescape(' or 'try{window.onload' or setAttribute('src'. These are markers for problems such as sql injection or cross-browser javascript. <script> tags should might occur in your posts, if you added them, but should not be found anywhere else, except options. Options often have scripts for displaying facebook, twitter, etc. Be careful, though, if one appears in an option. Most of the time it is OK, but make sure.

the Best
By , for WP 4.4.2

This is by far, the best anti-spammers / fake registration plugin I have found. I run a buddypress community at https://systemwi.de/ and it got heavily spammed before installing this plugin. In the few days I have used it, I have had one fake registration per day, and this plugin have, in that time, stopped "Stop Spammers has prevented 350 spammers from registering or leaving comments."... Saving lots of time. I run the site on a zero-budget but will for sure try to find some donation money to keep the plugin dev on line. Thanks a lot!/John

Great plugin, must have spam proventor.
By , for WP 4.4.1

Just two words.

It Works!

A spam stopper that does more than just filter comments.

Just love it. Highly recommend!

Doesn't block spam registrations
By , for WP 4.4.1

I've had this plugin running for a week now and every day I'm emailed about more spam registrations. This is exactly what this plugin was supposed to stop, but somehow obvious spammers with mail.ru addresses are signing up.

While I can block those TLD's from being used (theoretically, we'll see if that actually works or not), I'm disappointed that such an obvious source of spam isn't being blocked as a default setting.

This plugin cause user registration email not sending
By ,

I don't know what's going on.
Today I spent 2 hours to figure why new user registration email not sending while admin notification is sent.
Mail server checked, external SMTP server used. All are same problem.
Once I disable this plugin, everything work like charm.

* WordPress version: 4.4
* I tried several times activate and deactivate this plugin. And quite confirmed it cause the problem I mentioned.

By , for WP 4.4

Hi Graham,

Just so you know, so far, it works fine in 4.4 :-)

I have pretty much worked through and using all the features.

However, although I have added my IP in the 'Allow' section, when I try to login as Admin I get a loop message > denied.

Challenge & Deny > Send spammer to another web page

I am using a custom url/page message to spammers and not sure if this is what is causing the problem?


Plugin has issues
By ,

This plugin is very hyperactive and only half works. I ran it for about 2 weeks and I had so many issues. Made SURE I had it set up the way I wanted it to work and it refused to allow people to register to my site. It locked out users and admins with prejudice.

It behaves violently and unholy to legitimate users while spammers got through the registrations just fine.

It is worthless. Hey if you don't want users this is the plugin in for you.

Works Great With Membership 2
By , for WP 4.3.1

Thanks, went from lots of spam registrations daily to none in the first week I've been using the plugin.

Outstanding Plugin, A Must Have
By , for WP 4.3

This plugin is a real time saver. I was getting about 50 bogus sign ups a week. This plugin filtered them all out and allowed the legitimate users sign up.

Works Awesomely
By ,

my new site was getting a ton of spam and this instantaneously killed it all

You must log in to submit a review. You can also log in or register using the form near the top of this page.