A few days ago an update was released to the Growmap Anti Spambot Plugin for WordPress.
After reviewing it, we had a few questions.
The new addition, while useful, is as far as we can see at best a temporary fix for the underlying problem with the plugin.
Don’t get me wrong, it’s one of the first plugins I install on any new WordPress site – it’s great!
But we’ve decided to take the strengths of this plugin and add our own customizations.
Recently we developed our own simple but highly effective WordPress Firewall plugin, that actually integrates the GASP principles into the WordPress login screen.
We decided as we reviewed the updated GASP plugin that we would integrate their comment spam protection feature directly into our WordPress Firewall, and at the same time implement some of the ideas we have to further enhance it.
In this way, we’ll bring together some of the most powerful security and WordPress protection mechanisms under 1 roof – the WordPress Simple Firewall.
How the WordPress Simple Firewall SPAM Protection works
There are several key features to the SPAM protection offered by the WordPress Simple Firewall plugin.
Combined, they offer very powerful protection against Spambot WordPress comments.
1. Growmap Anti Spambot Protection
As already mentioned, we’ve taken the GASP plugin principles and integrated them into this plugin. It works in much the same way with the checkbox that asks legitimate users to confirm they’re not a spammer.
It also includes the honeypot mechanism they use.
Also, with their latest release (at the time of writing v1.4.1) they use a new secret key, and we have taken that idea and enhanced it to use “Unique Comment Tokens”.
2. Unique Comment Tokens
We saw how GASP used their secret key idea and while we liked it, we saw 2 problems with it:
- it works by forcing a spambot to load a page twice before commenting. It’s not really complicated to circumvent this on the part of the spambot.
- the secret key is static – a user has to manually update the key. Updating is pointless anyway because once the spambot has succeeded with the first problem (reloading the page), the rest is easy. The secret key is used throughout the site, so once the key is discovered (it isn’t hidden) it can be re-used.
So we decided to approach this slightly differently. Instead, we:
- create a unique comment token (a secret key) per-page load.
- comment tokens have both a cooldown period and an expiration period.
- unique comment tokens can only be used once.
A unique key per page load means a spambot can’t load your site, or any single page, record the secret key, and then use that going forward to post unlimited spam to your site.
Instead, each time they want to spam, they must load that page once to record the unique comment token.
The comment token is always different and must be known by the bot before it can successfully post a comment.
Advantages of the WordPress Simple Firewall’s Comment Tokens
Comment Token Cooldown
The cooldown period for a comment token means this: After a spambot “knows” a unique key that it can use to post a comment, it must now wait a specified period of time before it can do so.
This effectively puts the brakes on the commenting spambots. If spambots manage to (and I’m sure they will) work around this plugin’s enhancements, they will still always face the cooldown limits.
Another advantage of the cooldown is that if a spambot attempts to post a comment before the cooldown interval has passed, that comment token is invalidated and can’t be reused.
The expiration limit means a comment token must be used within a given period of time and cannot be used far into the future.
If you contrast this with the secret key approach used in the original GASP plugin, you’ll see the benefit of dynamically generating these comment tokens and ensuring they expire.
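To make the token lifecycle described above concrete (per-page-load token, single use, cooldown, expiration, and invalidation on a too-early attempt), here is an added example written for this post; it is a language-neutral model in Python, not the plugin's own PHP code. The cooldown and expiry values, the injectable clock, and the binding of a token to the post it was issued for are all assumptions made for the illustration.

```python
import secrets
import time

# Constructed parameters for the example; the plugin's real settings are not stated here.
COOLDOWN_SECONDS = 10    # a token may not be redeemed sooner than this after issue
EXPIRY_SECONDS = 3600    # a token is useless once it is older than this


class CommentTokenStore:
    """Issues one unpredictable token per page load and accepts it at most once."""

    def __init__(self, cooldown=COOLDOWN_SECONDS, expiry=EXPIRY_SECONDS, clock=time.time):
        self.cooldown = cooldown
        self.expiry = expiry
        self.clock = clock          # injectable so the lifecycle can be tested without sleeping
        self._issued = {}           # token -> (issued_at, post_id)

    def issue(self, post_id):
        """Called when the comment form is rendered: a fresh token per page load."""
        token = secrets.token_hex(16)   # CSPRNG, so a bot cannot guess the next one
        self._issued[token] = (self.clock(), post_id)
        return token

    def redeem(self, token, post_id):
        """Called on comment submit. Returns (accepted, reason).

        Every outcome consumes the token: a too-early attempt invalidates it,
        and a successful one can never be replayed.
        """
        record = self._issued.pop(token, None)
        if record is None:
            return False, "unknown or already used"
        issued_at, issued_for = record
        if issued_for != post_id:          # assumption: token is bound to the page it was issued on
            return False, "wrong post"
        age = self.clock() - issued_at
        if age < self.cooldown:
            return False, "submitted too fast"
        if age > self.expiry:
            return False, "expired"
        return True, "ok"

    def purge(self):
        """Drop expired tokens so the store does not grow without bound; returns count removed."""
        now = self.clock()
        stale = [t for t, (issued_at, _) in self._issued.items() if now - issued_at > self.expiry]
        for t in stale:
            del self._issued[t]
        return len(stale)
```

A bot that scrapes a token must therefore wait out the cooldown, come back before expiry, and gets exactly one attempt per page load, which is the cost the post describes.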
No SPAM protection is perfect
That’s a fact.
GASP is a brilliant plugin and a solid approach to thwarting spambots – that’s why we’ve implemented it in ours.
Our enhancements will, I’m sure, become redundant in time as the spam networks adapt. We have written our code so that the token is completely unique each time a page is loaded, just to add another level of complexity to which the spambots must adapt. I guess we’ll see in time if it works.
If you have any suggestions on how to improve this plugin, or what features you’d like to see, please don’t hesitate to comment here, or in the WordPress.org support forums.