How to deal with small scale comment spam on small commercial sites?

When I’ve built a few sites for small businesses in the past, I’ve historically been able to do without anti-spam measures. I now have several sites which get maybe between 5 and 20 spam comments a month each. I have it set so all comments must be moderated, which isn’t really a big deal. I would call it good enough, except the content of these comments is often about Viagra, other drugs, Russian porn sites, etc., and I feel like it reflects badly on me having this stuff appear in my clients’ mailbox, moderation queue, etc.

Akismet could undoubtedly help out with a lot of this stuff – but I can’t quite justify the price tag.

I try to avoid excessive plugins or bloat, and I feel like there should be a simple solution for this – either a very lean plugin, or a code snippet somewhere.

Any ideas?

3 comments

  1. Use Antispam Bee. It is free, doesn’t phone home, and it works surprisingly well as long as you don’t change the comment form too much (you have to test it).
    Just make sure you disable the mail notification for spam comments. 🙂

  2. The plugin combo that works for me and many, many others: Akismet + Cookies for Comments + (optionally) Impostercide

    The best don’t have alternatives, so if you are looking for an alternative to Akismet, you may find none as effective against spam. But you could try one of these:

    NOTE: If using Cookies for Comments plugin make sure that… (WHY?)

    • your static content is served from a different sub-domain if your website is served from www.example.com. And set www.example.com as the cookie domain by adding this to your wp-config.php:

      define('COOKIE_DOMAIN', 'www.example.com');
      
    • your static content is served from a different domain or sub-domain of a different domain, if your website is served from example.com. You could also do the same if your website is served from www.example.com.

    PS: If I were you, I would only enable Cookies for Comments and see how the plugin alone does the job. It blocks all spam-bots.

  3. I’m not sure on your setup, resources and/or knowledge. But here are some things you can try that do not require the use of a plugin.

    You could try adding a nonce, by placing one of the following in your theme’s functions.php file. I didn’t come up with these; I’d give credit to the author if I could remember where I got it. Also, for some reason it doesn’t work all the time and will prevent legitimate commenters from my experience (maybe someone else can comment). But here it is:

    // Add a nonce to the comment form for spam protection.
    // The comment_form action fires inside the form, so the hidden field is
    // submitted along with the comment.
    function add_comment_form_nonce_field() {
      wp_nonce_field( 'anti_spam_nonce_field' );
    }
    add_action( 'comment_form', 'add_comment_form_nonce_field' );
    
    // Reject the submission unless a valid nonce came back with it.
    // The isset() check avoids a PHP notice when the field is missing entirely
    // (the usual case for a bot posting straight to wp-comments-post.php).
    function check_comment_form_nonce_field() {
      if ( ! isset( $_REQUEST['_wpnonce'] ) || ! wp_verify_nonce( $_REQUEST['_wpnonce'], 'anti_spam_nonce_field' ) ) {
        wp_die( 'Security check failed' );
      }
    }
    add_action( 'pre_comment_on_post', 'check_comment_form_nonce_field' );
    

    Here is another suggestion:

    // Per-post nonce variant. Both hooks used here pass the post ID as their
    // first argument (comment_form passes $post_id, pre_comment_on_post passes
    // $comment_post_ID), so accept it as a parameter instead of reading an
    // undefined variable.
    function wp_comment_check_hidden_field( $comment_post_ID ) {
            if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], "comment_form_{$comment_post_ID}" ) ) {
                    do_action( 'comment_nonce_failed', $comment_post_ID );
                    wp_die( __( 'Sorry, automated comments are not accepted.' ) );
            }
    }
    add_action( 'pre_comment_on_post', 'wp_comment_check_hidden_field', 10, 1 );
    
    function wp_comment_add_hidden_field( $post_id ) {
            // Third argument false: do not add the _wp_http_referer field.
            wp_nonce_field( "comment_form_{$post_id}", '_wpnonce', false );
    }
    add_action( 'comment_form', 'wp_comment_add_hidden_field', 10, 1 );
    

    Recently I discovered another way to stop bots. You’d have to create a PHP session cookie, which is easy to do with php.ini or via an .htaccess variable (php_value). Most hosts provide one or the other.

    http://php.net/manual/en/session.configuration.php

    Once you have confirmed that your site does create the session cookie, put this or something similar in your root .htaccess file.

    # Redirect POSTs to the comment/registration handlers that arrive without
    # the PHP session cookie, without a referer from this site, or with an
    # empty User-Agent. Backslashes restored: "\w", "\." were lost in the
    # original paste. The cookie test no longer assumes PHPSESSID is the first
    # cookie in the header, since WordPress sets several cookies of its own.
    RewriteCond %{HTTP_COOKIE} !(^|;\s*)PHPSESSID=\w+ [OR]
    RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?example\.com/ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule ^wp-(comments-post|register)\.php http://example.com [R=301,L,NS]
    

    Replace example.com with your domain. Also, you may not need to include wp-register.php depending on your setup/version of WordPress (I just included both the wp-login.php and wp-register.php to prevent bots from trying to hit either of those as well). This blocks two things that spambots usually don’t use, but normal visitors should (or in the case of the blank User Agent a bot would do). If you’re in Europe, then I’m not sure if you can apply this without any issues as I’m not familiar with their cookie laws, so you may have to remove the HTTP_COOKIE condition.

    Also, since you’re concerned about specific words, you could also try using WordPress’ built-in Comment Blacklist:

    http://codex.wordpress.org/Combating_Comment_Spam#Comment_Blacklist

    But you need to be careful of the words you place there.
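On the "be careful of the words" point: the built-in blacklist matches substrings, so a term like "cialis" also catches "specialist". The following is an added example, not code from this answer or from WordPress, of a plugin-free word filter that matches whole words only and routes hits to the spam folder (so they trigger no notification mail) instead of the moderation queue; the term list in `my_spam_terms()` is a placeholder to be tuned per site.

```php
<?php
// Placeholder term list (assumption): replace with the words seen on the site.
function my_spam_terms() {
    return array( 'viagra', 'cialis', 'casino', 'payday loan' );
}

// Build one case-insensitive regex with a word boundary around each term,
// so "cialis" matches as a word but not inside "specialist".
function my_spam_pattern( array $terms ) {
    $escaped = array_map(
        function ( $t ) { return preg_quote( $t, '/' ); },
        $terms
    );
    return '/\b(?:' . implode( '|', $escaped ) . ')\b/iu';
}

// True when the author name, URL or body contains a listed term.
// Tags are stripped first so "<b>via</b>gra" style splitting is not rewarded.
function my_comment_matches_spam_terms( array $commentdata ) {
    $pattern = my_spam_pattern( my_spam_terms() );
    $fields  = array( 'comment_author', 'comment_author_url', 'comment_content' );
    foreach ( $fields as $field ) {
        if ( empty( $commentdata[ $field ] ) ) {
            continue;
        }
        if ( preg_match( $pattern, wp_strip_all_tags( $commentdata[ $field ] ) ) ) {
            return true;
        }
    }
    return false;
}

// pre_comment_approved receives 0 (hold), 1 (approve), 'spam' or 'trash'.
// Anything WordPress already flagged is left alone; a matching comment is
// filed as 'spam', which is still visible in the Spam tab and can be
// restored if a real visitor tripped the filter.
function my_file_spam_term_comments( $approved, $commentdata ) {
    if ( 'spam' === $approved || 'trash' === $approved ) {
        return $approved;
    }
    if ( my_comment_matches_spam_terms( $commentdata ) ) {
        return 'spam';
    }
    return $approved;
}
add_filter( 'pre_comment_approved', 'my_file_spam_term_comments', 10, 2 );
```

Drop it into the theme's functions.php alongside the nonce code above; because it only returns 'spam' for matches, a site that moderates everything still sees unmatched comments in the normal queue.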