Stop Spam on Your WordPress without Third-Party Plugins
By rockia on Mar 26, 2010
Having used WordPress for almost a year, I find that a lot of spam comes in every day. The good news is that there are lots of developers who contribute their knowledge and time to making some great plugins for WordPress, like Akismet and SI Captcha Anti-Spam. Normally, if you use these two plugins, the spam comments on your WordPress will be greatly reduced or completely eliminated. However, if you use plugins like SI Captcha Anti-Spam, your user experience is going to drop a little bit. Why is that?
Why I don’t use Captcha code for comment form
SI Captcha Anti-Spam works by generating a random combination of letters and numbers that only a human will be “smart” enough to read:

When your comment form includes such a code, comment-spamming robots can’t read the captcha code and thus the form won’t be submitted. However, it will usually take 5 or more seconds for visitors to look at the picture, understand the code, and then key it into the CAPTCHA Code field before hitting the “Submit” button. What’s worse is that sometimes the generated code is not even readable by a human, and that only results in a worse user experience.
And that’s why I don’t think a Captcha code is a great way to stop spam, even though it’s very effective.
Understanding how comment-spamming robots work
Before we get ourselves started with the coding, we need to first understand why those comment-spamming robots are able to leave so many junk messages on your blog within a day.
Now let’s take a look at what a regular comment form for a post on WordPress looks like.
Take the one on rockia.com for example; a regular comment form will include the following 4 fields:
- Name
- Email
- Website
- Content
Which one do you think is the most important field for spammers? They obviously don’t care what the name and email address are; they just want to insert as many links as possible so that they can get more backlinks through such practices. A comment is extremely easy to detect as spam if it has too many links in the content, and thus most spammers will only put the target link into the “Website” field.
The spamming robots can’t see what the site layout is like; they only see the source code of the post. In the comment form, the ids of those four fields are author, email, url, and comment. Whenever the robots see these fields, they just automatically insert the prepared data into the fields and then submit the form.
If they can’t find the appropriate id, they shouldn’t be able to send out the spam because they can’t complete the form.
And we are going to work on the code to trick those spamming robots.
Basic step to accomplish the job
Yes, we are going to modify a couple of lines of WordPress code. Don’t freak out; it’s actually very simple.
In the root folder of your WordPress, you will see a file called wp-comments-post.php. Open this file in a text editor and scroll to line 45; you should see the following code:
$comment_author_url = ( isset($_POST['url']) ) ? trim($_POST['url']) : null;
This runs when the form is submitted and WordPress verifies whether the field “author” has been filled in; if the field is not completed, the form is considered invalid for submission. We can change it to this:
$comment_author_url = ( isset($_POST['thetrueurl']) ) ? trim($_POST['thetrueurl']) : null;
But if you change only wp-comments-post.php, your WordPress will never receive any comments, because there is one more thing you need to change: the theme. Each theme includes a file called comments.php; you can find it in the theme folder.
<p><label for="author">Name <?php if ($req) echo "(required)"; ?></label><br />
<input type="text" name="author" id="author" value="<?php echo $comment_author; ?>" size="40" tabindex="1" <?php if ($req) echo "aria-required='true'"; ?> /></p>

<p><label for="email">Email <?php if ($req) echo "(required)"; ?> (will not be published)</label><br />
<input type="text" name="email" id="email" value="<?php echo $comment_author_email; ?>" size="40" tabindex="2" <?php if ($req) echo "aria-required='true'"; ?> /></p>

<p><label for="url">Website</label><br />
<input type="text" name="url" id="url" value="<?php echo $comment_author_url; ?>" size="40" /></p>
The 8th line above (the highlighted line), the “url” input, is the one where we need to change “url” to “thetrueurl”, like this:
<pre><input type="text" name="thetrueurl" id="thetrueurl" value="<?php echo $comment_author_url; ?>" size="40" /></pre>
Now the spamming robots should not be able to leave comments on your blog, because they simply can’t find the field with the id “url”. Yet the change makes no difference to human visitors, because people will only see the same box to put their names in; they don’t need to know what the id value of that box is.
Advanced step to fool spamming-robots
I actually want to fool those spamming robots a little bit, so I kept working on the code. The idea is that I want the robots to find a field named “url”, but if this field is filled out, an error message will be displayed.
I add one more line to the theme file comments.php right after the line with the “thetrueurl” field, so now my lines look like this:
<pre><input type="text" name="thetrueurl" id="thetrueurl" value="<?php echo $comment_author_url; ?>" size="40" tabindex="3" />
<!-- Decoy field: its value stays empty so a returning visitor's saved website is never pre-filled into it -->
<input style="visibility:hidden;" type="text" name="url" id="url" value="" size="40" /></pre>
Note that I added a CSS style to hide the second field from visitors, while robots can still read the code. So when a spamming robot is going to leave a message on your site, it will fill in the “author”, “email”, “url” and “comment” boxes but not the “thetrueurl” box. Normal visitors will see the same fields as before.
Here comes the fun part: we are going to add some code to let WordPress check whether the “visitor” actually filled in the field called “url”. If yes, then you can throw some error messages at them.
In my example, I just add the following lines at line 66 in wp-comments-post.php:
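// Only check visitors who are not logged in.
if ( !$user->ID ) {
    // "url" is the hidden decoy field; a human visitor leaves it empty.
    $spam_url = isset($_POST['url']) ? trim($_POST['url']) : '';
    if ( $spam_url !== '' ) {
        wp_die( __('Error!!! Spammers go away!!') );
    }
}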
This is only a minimal warning to the spammers; if you like, you can even use JavaScript to give them some pop-up windows or alerts.
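The server-side decision described in this section, written as a stand-alone PHP function so it can be run outside WordPress with `php`. This is an added example, not code from the original post: the field names url and thetrueurl are the post's, while classify_comment_submission() and the sample submissions are made up for illustration.

```php
<?php
// Added example (not from the original post). "url" is the post's decoy field and
// "thetrueurl" its real website field; the function name and samples are hypothetical.

function classify_comment_submission(array $post, bool $logged_in): array
{
    // A field sent as url[]=x arrives as an array, and trim() on an array is an
    // error, so any non-string decoy value counts as "filled in".
    $decoy = $post['url'] ?? '';
    $decoy_filled = !is_string($decoy) || trim($decoy) !== '';

    // Same exemption as the post's `!$user->ID` test: only anonymous visitors are checked.
    if (!$logged_in && $decoy_filled) {
        return ['verdict' => 'reject', 'url' => null];
    }

    // The website is read only from the renamed field, never from the decoy.
    $real = $post['thetrueurl'] ?? '';
    $real = is_string($real) ? trim($real) : '';
    return ['verdict' => 'accept', 'url' => $real !== '' ? $real : null];
}

// Constructed sample submissions: [form fields, logged in?].
$samples = [
    'human, website given' => [['author' => 'Ann', 'email' => 'ann@example.com',
        'thetrueurl' => ' https://ann.example ', 'url' => '', 'comment' => 'Nice post'], false],
    'human, no website' => [['author' => 'Bob', 'email' => 'bob@example.com',
        'thetrueurl' => '', 'url' => '', 'comment' => 'Thanks'], false],
    'robot fills the known fields' => [['author' => 'x', 'email' => 'x@spam.example',
        'url' => 'http://spam.example', 'comment' => 'buy now'], false],
    'robot sends an array as decoy' => [['author' => 'x', 'email' => 'x@spam.example',
        'url' => ['http://spam.example'], 'comment' => 'buy now'], false],
    'decoy holds only spaces' => [['author' => 'Cy', 'email' => 'cy@example.com',
        'thetrueurl' => '', 'url' => '   ', 'comment' => 'Hello'], false],
    'logged-in user, decoy filled' => [['thetrueurl' => 'https://site.example',
        'url' => 'https://site.example', 'comment' => 'Reply'], true],
];

foreach ($samples as $label => [$post, $logged_in]) {
    $result = classify_comment_submission($post, $logged_in);
    printf("%-30s %-7s %s\n", $label, $result['verdict'], $result['url'] ?? '-');
}
```

Only the two robot submissions are rejected; the other four are accepted, and the stored website always comes from thetrueurl.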
Here is what the visitors will see and what the spamming robots will see:
Note:
With this modification to the code, most of the spam sent by spamming robots will not be posted to your WordPress. While your site is protected, the user experience stays the same, because visitors don’t need to fill out any extra field. However, this method requires you to have a basic understanding of HTML code and PHP scripts. If you are not very comfortable with coding, maybe it’s not a bad idea to stay with SI Captcha Anti-Spam. If you have any questions, please let me know. Or if you have a better solution, please share it with me so that I can improve this one.
