Perhaps one of the most elegant, and simplest ways to stop WordPress Comment SPAM is the Growmap Anti SpamBot Plugin.
It’s excellent and we use it on all our WordPress sites. It had been doing a stellar job until a week or so ago, when something changed and we started seeing increasing amounts of comment spam getting through.
This was a bit odd and I first thought it was down to more “manual” spammers at work, but the content of the comments eventually suggested otherwise… somehow, the bots were getting past the defenses put in place by the GASP plugin.
Today, a new version of the GASP plugin (v1.4.1) has been released in an attempt to combat this – read on to find out what’s new.
What is actually new with the GASP plugin?
After reviewing the code changes they’ve made, I believe it works by ensuring that the post/page on which you comment must be loaded in a browser first.
That is to say, a spambot cannot directly post a comment to a page without loading that page first.
Now, the good thing about this is that it’s another layer to the spambot protection.
However, the unfortunate part is that it’s relatively easy to work around – it’s a simple matter of pre-loading the page, grabbing the unique secret key for that page, and then using it to post the comment to that page.
How to improve the GASP plugin further
At the very least, why not create a unique key per page? At the moment the secret key is site-wide, and once a bot has learned it, it can be used on every page.
A visitor will probably be on your page several minutes before they decide to post a comment, and perhaps even longer until they actually finish composing one. Given this is the case, and that the secret key system forces you to load the page first, there is a way to further halt a spambot posting on your site.
We could place a unique comment timer on each page… that is to say a minimum-time-to-comment timer.
It would work as follows:
- When a page/post that accepts comments loads, a unique ID is assigned to that page load. This ID is also given a time stamp of exactly when the page was requested.
- We state, for sake of argument, that a visitor must be active on a given page for 60 seconds before commenting.
- When a comment comes in, we examine its unique ID and ask whether it has been submitted within 60 seconds. If it has, we know it was a bot and we drop the comment.
This approach has several key advantages:
- It uses server-side rule checking. Since any protection that is based in the browser is ultimately circumventable, we want as much server-side protection as possible.
- While it doesn’t prevent spambots from posting that have worked around this new secret key idea, it will serve to put the brakes on them. Since they must always load pages to get the Unique IDs and secret keys, they must wait 60 seconds before they can ever post a comment to that page… or longer if you set the timer longer. 🙂
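To make the minimum-time-to-comment idea concrete, here is an added example of the server-side check (it is not code from GASP or from the WordPress Simple Firewall). It keeps the timestamped page-load ID stateless by signing it with an HMAC, so the server does not have to store anything per page load; the function names, the `$secret` argument and the 60-second threshold are assumptions for illustration. In WordPress you would derive the secret from `wp_salt()`, emit the token as a hidden field in the comment form, and run the check from the `pre_comment_on_post` hook.

```php
<?php
// Added example, not GASP or WordPress Simple Firewall code.
// A minimum-time-to-comment token: issued when the page loads,
// verified server-side when the comment is submitted.

const MTC_MIN_SECONDS = 60;      // visitor must be on the page at least this long
const MTC_MAX_SECONDS = 86400;   // tokens older than a day are refused

/**
 * Issue a token for one page load of post $post_id at unix time $now.
 * Token layout: post_id:issued_at:load_id:hmac
 */
function mtc_issue_token(string $secret, int $post_id, int $now): string {
    $load_id = bin2hex(random_bytes(8));                 // unique per page load
    $payload = $post_id . ':' . $now . ':' . $load_id;
    $mac     = hash_hmac('sha256', $payload, $secret);   // stops forging/editing the timestamp
    return $payload . ':' . $mac;
}

/**
 * Return null if the comment may proceed, otherwise a short reason to log.
 * The token is bound to the post it was issued for, so a key learned on one
 * page cannot be reused on another (the per-page key suggested above).
 */
function mtc_check_token(string $secret, string $token, int $post_id, int $now): ?string {
    $parts = explode(':', $token);
    if (count($parts) !== 4) {
        return 'malformed token';
    }
    [$tok_post, $issued, $load_id, $mac] = $parts;
    $expected = hash_hmac('sha256', "$tok_post:$issued:$load_id", $secret);
    if (!hash_equals($expected, $mac)) {        // constant-time compare
        return 'bad signature';
    }
    if ((int) $tok_post !== $post_id) {
        return 'token issued for another post';
    }
    $age = $now - (int) $issued;
    if ($age < 0) {
        return 'token timestamp is in the future';
    }
    if ($age < MTC_MIN_SECONDS) {
        return 'submitted too quickly';          // the bot case described above
    }
    if ($age > MTC_MAX_SECONDS) {
        return 'token expired';
    }
    return null;
}

// Stand-alone demonstration with a constructed secret and clock.
$secret = 'constructed-demo-secret-use-wp_salt()-in-wordpress';
$postId = 42;
$loaded = 1700000000;
$token  = mtc_issue_token($secret, $postId, $loaded);

// Bot posts 5 seconds after loading the page: rejected.
var_dump(mtc_check_token($secret, $token, $postId, $loaded + 5));    // "submitted too quickly"
// Human posts after 3 minutes: allowed.
var_dump(mtc_check_token($secret, $token, $postId, $loaded + 180));  // NULL
// Same token replayed against a different post: rejected.
var_dump(mtc_check_token($secret, $token, 7, $loaded + 180));        // "token issued for another post"
// Tampered timestamp (bot tries to claim it loaded the page earlier): rejected.
$parts = explode(':', $token);
$parts[1] = (string) ($loaded - 600);
var_dump(mtc_check_token($secret, implode(':', $parts), $postId, $loaded + 5)); // "bad signature"
```

One caveat worth noting: as written, a token that has aged past the minimum can be submitted more than once until it expires. If you want each page load to permit exactly one comment, record the `load_id` (for example in a transient) when a comment is accepted and refuse it on a second submission.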
WordPress Simple Firewall and GASP Comment Protection
We’ve already added GASP protection to the WordPress Login page, but we’re thinking of taking the GASP principles, combining their latest approach with our suggested additions, and adding comment spam protection to our Firewall plugin.
Ideally we’d like to see it in the GASP plugin so we wouldn’t have to write this ourselves… even with not a lot of sites to manage we’re still having to clean up spam when the spambots catch up on the protection we have.
If this is something you’d like to see in the WordPress Simple Firewall, please leave any comments and suggestions below.