Self Sustaining Spam Stopper

I’ve been poking at a plugin on this site for a while that stops spam without sending the contents of comments to an external service for processing.

It’s not that using an external service is the wrong approach—it’s obviously a more powerful approach and likely to be more effective in many cases—I’ve just always found it annoying that spam has had that much control over us for so long.

Things have been working well enough for quite a while. It’s blocked somewhere around 4000 spam comments in the 6 months, blocked 0 false positives, and allowed a small handful (~5) through. I’m confident enough in it now for this site that I may now add a filter to auto-delete spam comments.

What’s really funny to me is that this is a simple honeypot with a couple lines of JavaScript that wait a second before clearing one of the prefilled form values.

If a bot is using wp-comment-post.php to submit the comment without checking form field names first, which most are, it fails.

If a bot grabs the HTML, looks for a form, and submits it in under 1.5 seconds, which most others seem to do, it fails.

If a bot actually loads a full browser session and waits for JavaScript to load, it passes. Luckily, not many bots do that!

I’ve also hacked in some support for Contact Form 7. A similar honeypot can be added to any form with the custom [ssss] field. That’s only been up on the Happy Prime contact form for a couple days, but our stream of spam email has gone to zero. This is very pleasant.

All of this is to say that you too can easily try Self Sustaining Spam Stopper! It’s been so long since I’ve submitted a plugin to the WP plugin repo and I’ve kind of missed the fun. It’s also such a great way to deploy open source plugins to many sites across multiple hosts at once, especially now that WordPress supports auto updates for plugins.

Check it out if you’re looking for an alternative. Let me know what I’ve missed. Open up an issue if you have suggestions!

What WordPress plugins are Excellent++?

I can be no good at plugins. My default answer is an easy “no” when a request is made at WSU to add one to our setup. Each plugin we install adds overhead as the immediate responsibility for maintaining security, performance, and support lies on the web team, not the plugin author.

This is okay and is actually a really great relationship when the plugin is done right. For an Excellent++ plugin, we’ll likely never need support, though we may submit well written bug reports and/or code to resolve issues.

My (current) criteria:

  1. Does one thing very well.
  2. Follows WordPress code standards. Bonus for documentation standards.
  3. Standard core notifications for available updates if hosted elsewhere. Number in a bubble, just like any plugin from wordpress.org.
  4. No extra admin notifications of any kind not related to actual relevant admin tasks, except on a settings screen specific to the plugin.
  5. A documented process to contribute code and open issues for bugs via GitHub or another sensible public repository.
  6. If a premium plugin, a single, unlimited license is available for a multi-network, multi-site installation of WordPress. Charge a bunch, but consider that we aren’t likely to use support resources.

I’m sure there are many, many plugins out there that meet this criteria and I’d like to have a list. If you know of one, please add a comment!

Next, I’ll need to make a list of plugins that meet all these criteria and should also have a landing page where it’s easy to contribute dollars. 😉