Hey there! I'm currently working on a CLI tool to deploy WordPress apps to DigitalOcean. Check it out! It's free and open source.
Yet another WordPress experiment, this time, it’s all about fighting spam! We all know and love Akismet but most of you will agree with me that some of those spammish comments still pass through. So how do we get rid of them? We can’t block all comments with links, they might be useful. We can’t block all comments containing spammish words, those spammish words might be the topic of your blog.
What we can do though is get a clearer picture of who’s submitting the comment — human or robot? Captchas work, but we hate them, and our visitors hate them even more. E-mail verification works, but it’s a pain having to go back and forth only to write a “thank you” message. So I was thinking last week..
What’s do spam comments have in common? Well most of the time they contain links, they have a junky e-mail address, sometimes a spammish name and most of the time with no avatar. But exploring all the spam that was stopped and the spam that came through on my blog, I also noticed that spam comments tend to fill in all fields and never miss one. They sometimes even subscribe to the comments by e-mail, which of course they will never receive.
So having that in mind, and looking from the spambot perspective, what do we see? We see a form with a bunch of fields and a submit button. We don’t see the visual side of it, we only see the HTML that’s behind it. So what’s the typical logic of a spam bot? Fill in all the fields and hit the submit button. There might be more intelligent bots out there, but it basically comes down to this.
Now, what if there was another field which is fake. A field that you don’t have to fill in, but the field name is rather tempting, say “website” and labeled “Website URL”, I don’t think that any spambot would want to miss that, right? But the secret sauce is that the field is wrapped into a parent element, which is invisible. Can spambots render CSS and determine if a field is visible or not? I doubt it, but they could. So give them an extra tempting field to fill in with their spammish URLs, and on the back side of it check whether the field was filled in or not.
Thinking forward, this could be done with multiple fields, some with a default value perhaps, a checkbox maybe? Just make sure that your checking on the backend is correct. And once you encounter a comment that touched the field invisible to the users, spam!
I wrote a code snippet for WordPress which adds an extra website field that’s invisible with some simple checking upon comment submission, let’s see how it goes. I’m planning to run this for a week along side with Akismet, and then perhaps a week with Akismet turned off. I’ll publish the results and share the code snippets if I get anything positive, otherwise.. Oh well ;)
Thanks for reading, and let me know if you have any further thoughts on this topic. Cheers!
Update: While the mentioned above method worked to some point, it didn’t stop quite a lot of spam comments so I decided to go the “close comments on entries older than 14 days” route which seems to be working fine for the moment.