Jeremy Felt

Self Sustaining Spam Stopper

I’ve been poking at a plugin on this site for a while that stops spam without sending the contents of comments to an external service for processing.

It’s not that using an external service is the wrong approach—it’s obviously a more powerful approach and likely to be more effective in many cases—I’ve just always found it annoying that spam has had that much control over us for so long.

Things have been working well enough for quite a while. It’s blocked somewhere around 4000 spam comments in the last 6 months, blocked 0 false positives, and allowed a small handful (~5) through. I’m confident enough in it now for this site that I may now add a filter to auto-delete spam comments.

What’s really funny to me is that this is a simple honeypot with a couple lines of JavaScript that wait a second before clearing one of the prefilled form values.

If a bot is using wp-comment-post.php to submit the comment without checking form field names first, which most are, it fails.

If a bot grabs the HTML, looks for a form, and submits it in under 1.5 seconds, which most others seem to do, it fails.

If a bot actually loads a full browser session and waits for JavaScript to load, it passes. Luckily, not many bots do that!
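The three outcomes above, sketched as an added example that is not the plugin's own code. The field name, decoy value and the exact server-side rule (field must be present and empty) are assumptions made for illustration; the one-second delay is the figure from the post.

```javascript
// Added illustration: names and values below are hypothetical, not the plugin's.
const HONEYPOT_FIELD = "example_hp_field"; // assumed field name
const DECOY_VALUE = "prefilled-decoy";     // assumed prefilled value
const CLEAR_DELAY_MS = 1000;               // "wait a second", per the post

// The form as the server renders it: the honeypot ships prefilled.
function renderForm() {
  return { comment: "", [HONEYPOT_FIELD]: DECOY_VALUE };
}

// What the page script does in a browser. `elapsedMs` stands in for the
// setTimeout delay so the example runs without a DOM.
function runClientScript(form, elapsedMs) {
  const copy = { ...form };
  if (elapsedMs >= CLEAR_DELAY_MS) copy[HONEYPOT_FIELD] = "";
  return copy;
}

// Server-side check (assumed rule): field must exist and must be empty.
function checkSubmission(post) {
  if (!Object.prototype.hasOwnProperty.call(post, HONEYPOT_FIELD)) {
    return { ok: false, reason: "honeypot field missing" };
  }
  if (post[HONEYPOT_FIELD] !== "") {
    return { ok: false, reason: "honeypot not cleared" };
  }
  return { ok: true, reason: "honeypot cleared" };
}

// Constructed sample submissions, one per case described in the post.
function simulate() {
  const directPost = { comment: "spam" }; // posts without reading the form
  const scraper = { ...renderForm(), comment: "spam" }; // parses HTML, no JS
  const tooFast = { ...runClientScript(renderForm(), 400), comment: "spam" };
  const visitor = { ...runClientScript(renderForm(), 8000), comment: "hi" };
  return {
    directPost: checkSubmission(directPost),
    scraper: checkSubmission(scraper),
    tooFast: checkSubmission(tooFast),
    visitor: checkSubmission(visitor),
  };
}

console.log(simulate());
```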

I’ve also hacked in some support for Contact Form 7. A similar honeypot can be added to any form with the custom [ssss] field. That’s only been up on the Happy Prime contact form for a couple days, but our stream of spam email has gone to zero. This is very pleasant.

All of this is to say that you too can easily try Self Sustaining Spam Stopper! It’s been so long since I’ve submitted a plugin to the WP plugin repo and I’ve kind of missed the fun. It’s also such a great way to deploy open source plugins to many sites across multiple hosts at once, especially now that WordPress supports auto updates for plugins.

Check it out if you’re looking for an alternative. Let me know what I’ve missed. Open up an issue if you have suggestions!
