Fighting Wordpress Spam: HashCash modifications

After getting far too much comment spam during the last few days, I decided to introduce hopefully effective spam countermeasures on my blog. At the same time, I wanted the users to lose as little comfort as possible, so I tried to avoid “captchas”, as they severely hamper accessibility.

Therefore, I tried to find a script that stays completely out of the visitor’s sight, and I did:

Today, I patched the original WordPress hashcash plugin, which introduces a really effective way of spam protection: once someone opens a blog entry, the plugin creates an individual comment key for that visit. After pressing the “submit” button, the visitor’s browser computes a new value out of the initial key (through a JavaScript function) and submits this value back to the server, where it is checked against the expected result.

So far so good: as spambots usually don’t execute JavaScript, the spam check fails and the comment is not allowed.

But I was forced to modify the original script in some points (if you don’t want to read about the modifications but only download the patch, see below):

1. Comment moderation

Usually, the script simply die()s when the spam check fails. I didn’t like this behaviour, as I don’t expect everyone to have JavaScript enabled. Generally speaking, I also want to have comments from Lynx users!
So I added the option to send comments that fail the spam test to moderation instead of dropping them, and made this the default.

2. Remote IP vs. session ID

When testing, I realized that all of my comments failed the spam test, whereas my brother Jean Pierre didn’t have any problems at all.
The problem seemed to lie in my computer setup. I found out that the proxy server structure I use to access the internet affects the IP address seen by the spam script – and thus a different IP was used for the initial generation of the spam key than for the later spam check. Oops.
So I made it possible to choose between the remote IP and the session ID as the “key seed” and made the latter the default. Everything works flawlessly now.
(Unfortunately, this requires visitors to have cookies enabled in their browser. If they have not, their comments are moderated automagically (see above), so don’t worry ;) ).

Now get the patch

I made the modifications against the wp hashcash trunk from Jan 15th, 2005.

If you’ve already installed the plugin and want to patch it, get the diff file here.
Or download the modified version of wp hashcash 1.5 and follow the original installation instructions, using my PHP file instead.

Happy spam fighting! ;)

P.S.: I will submit my patch to the original development branch. Let’s see if it’s included soon.



Categories: weblogs

2 Responses to “Fighting Wordpress Spam: HashCash modifications”

  1. Hi there!

    I just saw your ticket in the WP Plugins Repository. Your ideas are mostly good–I like the idea of optional comment moderation. I disagree on the default, but that doesn’t really matter, since your patch is going in anyway! I choose to have it eat “bad” comments by default because the purpose of this plugin is to eliminate all spam. I believe an antispam solution should be totally transparent to the end-user, and the admin user as well.

    As for the session_id, it’s the same, except that I check to see if the session_id exists before using it–otherwise back to good old IP.

    Thanks for the patch–I’m testing it now, and will update the plugins repository, my page, and wp-plugins.net with the new files–including attribution to you.

  2. Ah that sounds good ;) Thanks for including my ideas in the source code :)
