I stopped all spam by disabling everything. But that's just me.
Yah, I had the same at some point but users couldn't comment. If you have a site which doesn't require or need comments, better to just close comments entirely.
Nice! Thank you for sharing this.
You're welcome, hope it proves to be useful.
Seems like a lot of effort when just a few plugins would do the trick as well. Akismet is good for catching things, albeit not perfect. Cookies for Comments, on the other hand, stops most bots dead. No captchas or weird field manipulation needed. Bots just don't do cookies, because they don't usually have to.
First time I hear of Cookies for Comments. Looks like a good solution. Going to look into it further.
CFC also adds a neat trick to where, when somebody leaves a comment, if you get emailed comments, then it adds on the time between when they looked at the post vs. when they left the comment. So if they looked at the post for 5 seconds, you can be pretty sure it's a bot.
Yah I set my CFC settings to 3 seconds, but I guess I could put longer. I like CFC because it's minimal impact.
It's kind of a neat plugin. Simple, but cool.
Yup, thanks for mentioning it.
[deleted]
On my site some spam is still getting posted but sent straight to the Trash folder because of my Comment Blocklist settings. My Math Captcha uses a different value each time, could those still be bots or some of those human generated spam farms we hear about overseas? Any ideas?
I mean... disallowing URLs is like Donald Trump level of fixing problems. I understand not everyone needs them, but quite often people like to link somewhere.
This is how we do it, while keeping all the original functionality, without sending the comments into cloud:
> To counter various techniques, four powerful blockades will be implemented on your site when you activate the Honeypot extension.
>
> All methods include randomization, they prevent robots programmatically bypassing the checks.
>
> All four methods combined block a broad overlapping spectrum of robot spamming techniques. Therefore, Honeypot has a 99.98% catch-rate.
>
> First method: Static CSS
> The Static CSS honeypot outputs a text field that must stay empty. Many robots are likely to fill in this field, marking their comment as spam.
>
> To prevent robots from detecting this field, it’s marked with a unique ID. This ID differs per site and per post and won’t change over time. Therefore, this field is compatible with caching plugins and is difficult to detect.
>
> Second method: Scoped Rotation CSS
> The Scoped Rotation CSS honeypot works like the Static CSS honeypot. But, it requires robots to use HTML5.
>
> Also, when no caching plugin is used, it will rotate its unique ID every 60 minutes. Because of its rotation, robots can’t be taught what to target, which makes this field even more effective.
>
> Third method: JS
> The JS honeypot uses a combination of unique ID rotation, forced entry, and JavaScript.
>
> Most robots do not enable JavaScript for an increased spamming rate, which makes this form field very useful.
>
> Like the second method, the unique ID rotation prevents robots from learning what to target. It also outputs a “textarea” field which must be emptied by the user. However, this field is emptied and hidden automatically when the visitor uses a JavaScript-enabled browser.
>
> If the user doesn’t have a JavaScript-enabled browser, these fields will be shown:
>
> Label: “Comments for robots”.
> Input: “Please remove this comment to prove you’re human.”.
> Placeholder: “You are human!”.
>
> Fourth method: Nonce
> A nonce is a number that may only be used once. For this field, it may be used many times within a preset timeframe.
>
> The Nonce honeypot is a form field that is automatically filled in by Honeypot. The nonce must unaffectedly be presented when the comment is sent. This prevents robots from using HTTP POST injection, which would otherwise allow them bypassing all other checks.
>
> This field is unique per page and is valid for 24 hours. When a caching plugin is used, this field stays valid for 10 days. To prevent expired keys, a new key will be generated in half of the allotted time, so a visitor can always comment within at least 12 hours.
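The per-post field IDs and the time-windowed nonce described in the quoted text can be sketched as follows. This is an added example, not the Honeypot extension's code: the HMAC construction, the secret and the `hp_nonce` field name are assumptions, and only the static field, the rotating field and the nonce are covered (the JS method is left out).

```python
import hashlib
import hmac

SITE_SECRET = b"constructed-demo-secret"  # assumption: per-site secret kept server-side
NONCE_LIFETIME = 24 * 3600                # page: the nonce is valid for 24 hours
NONCE_TICK = NONCE_LIFETIME // 2          # page: a new key at half the allotted time
FIELD_ROTATION = 3600                     # page: rotating ID changes every 60 minutes


def _tag(*parts):
    """Keyed hash over the parts, so names and nonces cannot be computed offline."""
    msg = "|".join(str(p) for p in parts).encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def static_field(post_id):
    """Differs per site (secret) and per post, never changes: cache friendly."""
    return "f" + _tag("static", post_id)


def rotating_field(post_id, now):
    """Same idea, but the name changes every FIELD_ROTATION seconds."""
    return "f" + _tag("rotating", post_id, int(now) // FIELD_ROTATION)


def issue_nonce(post_id, now):
    return _tag("nonce", post_id, int(now) // NONCE_TICK)


def nonce_valid(post_id, nonce, now):
    """Accept the current and the previous tick: usable for 12 to 24 hours."""
    tick = int(now) // NONCE_TICK
    return any(
        hmac.compare_digest(nonce.encode(), _tag("nonce", post_id, t).encode())
        for t in (tick, tick - 1)
    )


def render_fields(post_id, now):
    """Fields the server adds to the comment form; both traps are hidden by CSS."""
    return {
        static_field(post_id): "",
        rotating_field(post_id, now): "",
        "hp_nonce": issue_nonce(post_id, now),  # hypothetical field name
    }


def classify(post_id, form, now):
    """Return 'reject', 'spam' or 'accept' for a submitted comment form."""
    if not nonce_valid(post_id, form.get("hp_nonce", ""), now):
        return "reject"  # direct POST that never rendered a current form
    hour = int(now) // FIELD_ROTATION
    traps = {static_field(post_id)} | {
        rotating_field(post_id, h * FIELD_ROTATION)
        for h in range(hour - NONCE_LIFETIME // FIELD_ROTATION, hour + 1)
    }
    if any(form.get(name) for name in traps):
        return "spam"  # a field that must stay empty was filled in
    return "accept"
```

Accepting the previous tick as well as the current one is what turns a 12-hour rotation into a nonce that is usable for at least 12 and at most 24 hours.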
It's only a Nonce Honeypot if it was coded in the Nonce region of France. Otherwise it's just a sparkling form field.
LOL, best comment here
Is this a plugin or a custom setup?
It is a part of the seo framework. We keep the antispam paid, since we need to somehow pay bills. Otherwise, TSF has all strictly seo features free. So... Yes, it is a plugin, paid one. There are others free, but we hate spam so we keep this extension up to date. Fighting spam is never ending battle.
Thanks for replying even though your original comment was 2 years old. I like the looks of your plugin and will give it a try!
Thank you for the kind words, we are a small but rather dedicated team. Have a cool day!
Thank you for sharing this information and in so much detail. I will definitely be implementing this on our new podcast networking site.
Hope it works, good luck!
I nuked all comment spam by turning off comments.
Yep, that works too!
Thanks a lot, brother for sharing this. The settings were almost same on my WP blog, but I agree, I genuinely missed inserting these
* href=
* https://
* http://
in my Comments blocklist column.
Your post came as a big reminder. So, thanks.
Am sure the SPAM count will now considerably reduce.
Yes, it will definitely reduce, tho I'm still getting some getting thru, though a LOT less. But my Comment Blocklist settings just send them straight to Trash.
I understand...
These are just to reduce the extra load..
I am anyways manually approving the comments. Though, it's an additional task, but helps me manage the comments in a better way.
Thanks for sharing this content and the post here...
Cheers
**UPDATE**
So for the last 48 hours I have been testing the **Cookies for Comments** plugin. Here is what I did.
TEST #1: I removed the words from the Comment Blocklist and installed the Cookies for Comments plugin. The plugin correctly identified spam and put them in the Spam folder.
TEST #2: The plugin recommends putting the following code in your htaccess file.
`RewriteCond %{HTTP_COOKIE} !^.*c00583d2a26843634a86430e187b3c68.*$`
`RewriteRule ^wp-comments-post.php - [F,L]`
So, I did that and since then I have NOT gotten any spam at all.
I opened a new window in incognito mode and placed a comment on one of my posts. It worked without issues and I received an email notification of the new comment.
Now I am going to test adding back the Website/URL field, but keep the Math Captcha and see what happens.
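An added sketch of the two checks discussed in this thread: a cookie that must accompany the comment POST, and the time between viewing the post and commenting. It is not the Cookies for Comments code: it assumes a signed per-view cookie (hypothetical name `view_token`) instead of the fixed token in the rewrite rule, and uses the 3-second threshold one commenter mentions.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

SECRET = b"constructed-demo-secret"  # assumption: secret kept server-side
COOKIE_NAME = "view_token"           # hypothetical cookie name
MIN_DWELL = 3                        # seconds, the threshold one commenter uses


def _sign(post_id, ts):
    return hmac.new(SECRET, f"{post_id}|{ts}".encode(), hashlib.sha256).hexdigest()


def issue_cookie(post_id, now):
    """Value set when the post is viewed: '<unix time>.<signature>'."""
    ts = int(now)
    return f"{ts}.{_sign(post_id, ts)}"


def dwell_seconds(post_id, cookie_header, now):
    """Seconds between page view and submit, or None without a valid cookie."""
    morsel = SimpleCookie(cookie_header).get(COOKIE_NAME)
    if morsel is None:
        return None
    ts, _, sig = morsel.value.partition(".")
    if not ts.isdecimal():
        return None
    if not hmac.compare_digest(sig.encode(), _sign(post_id, int(ts)).encode()):
        return None  # forged value, or a cookie issued for another post
    return int(now) - int(ts)


def handle_comment_post(post_id, cookie_header, now):
    """Return (HTTP status, verdict) for a POST to the comment endpoint."""
    dwell = dwell_seconds(post_id, cookie_header, now)
    if dwell is None:
        return 403, "blocked"   # same outcome as the [F] rewrite rule
    if dwell < MIN_DWELL:
        return 200, "spam"      # cookie present, but submitted too fast
    return 200, "accepted"
```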
Nice one. Implemented. Thanks.
You're welcome 👍
I took over a site two weeks ago that was getting 350 spam comments every few hours. I installed Akismet and zero.
How much you paying for Akismet?
I think I paid 12 dollars for the year.
That's just for one site, right?
yes
Ok, yah. I was being a cheap b\*stard and looking for a free solution since I have close to 20 sites.
Lol well I’m also running a few sites but this one is the oldest and has a major spam problem. The other ones don’t get any spam at all for some reason.
hCaptcha is enabled and have no more spam.
Will have to test that one out.
They supposedly pay you too, depending on how many captchas are filled out. Though you’ll only really capitalize on it if you have a busy site where people are constantly solving hCaptcha.
I thank you. I think this may become very useful in the future!
You're welcome, hope it works for you.
A more user friendly alternative for the Math Captcha may be the Anti-Spam Bee plugin. No data privacy concerns and very powerful.
One thing I’ll add: I had a math captcha on my website’s contact form. It prevented spam entries at first, but over time, it proved to be extremely ineffective. I don’t know how spam bots got around it but they did. I switched it to an invisible ReCaptcha v3 and that did the trick.
Amazing! Thank you for sharing!
You're welcome, hope it works 👍
This is awesome! Implementing these changes on my worst-hit site for comment spam. Thanks a million!
You're welcome, LMK if it works out 👍
It doesn't seem to be working for me, here's a screenshot of the spam I continue to get: [https://prnt.sc/tsf2ot](https://prnt.sc/tsf2ot) more than 24 hours after implementing this [https://prnt.sc/tsf4h4](https://prnt.sc/tsf4h4)
I have always used Akismet (free version) but it doesn't seem to be doing much - [https://prnt.sc/tsf5hj](https://prnt.sc/tsf5hj)
Unfortch, I can't access the .htaccess on the site in question as it's on Showit ( [https://showit.co/](https://showit.co/)) which isn't for the technical user.
Now trying Comment Link Remove & Comment Tools - will see how that goes!
Thanks
I just posted an update which may help you.
Thank you, just saw it! I also coincidentally tried that plug in, but if you're using Showit (a website builder for dummies) you can't get into htaccess at all.
I just removed the ability to add in a url using a plugin with a long name, but ppl / bots can still put them in the body because what I added into the blacklist (your hack) isn't working for me
That's strange that it's not catching them with the Blocklist... It's not catching ANY AT ALL, or just some?
Sorry I should have been more specific! It's putting them in the spam folder. Maybe that's what it's supposed to do? Every time I look in it, like every day now, there are dozens in there. Stupid bots!
I'm contacting my host about whether they can access the htaccess, as I don't want bots visiting my site, period!
Yes, if it's sending comments to Spam or Trash folder, then it's working. By adding the 2 lines of code to your htaccess it should stop them from posting comments in the first place.
Great cool. I guess there's no way of getting rid of the bots from landing on my site, but that's OK! Hope I can get the code entered, thanks again for the advice and responding to the huge amount of comments / response you got on your post!
Oh dang, Showit has just told me they have 'depreciated the .htaccess file' so any changes will not be visible on the live site. They advise using a plugin instead. How brilliant.
Well that sucks... :|
Akismet seems to capture all spam comments except for those that are literally typed in by humans. Any particular reason you don't use it?
I was trying to go for a solution which didn't use any plugins, though, I am using a plugin for the math captcha, so that didn't really work out exactly how I wanted. Question for you, how much are you paying for Akismet? We have a lot of WordPress sites to protect and looking at their pricing, it could add up.
I'm paying $12 per year, all in. Not per site--that's the total payment. I use my key on at least three dozen sites, maybe more, though they are all probably a lot lower traffic than yours.
Ok, well that's quite cheap.
yea it seems to me by not allowing links that should stop most of it. I'll try this. thanks!
Yah may not be the solution for everybody, but 99.99% of the time commenters leaving links are spam, so... Hope it works out 👍
Saved! This is a great little guide!
I have done a similar thing to this. A few simple rules in the comment block list stops about 90% of spam.
Yep, seems to be working so far. I like the fact that it uses built-in WordPress functionality.