Spam Free WordPress
Spam Free WordPress is a comment spam blocking plugin that blocks 100% of the automated spam with zero false positives. There is no other plugin, or service, available for WordPress that can claim 100% accuracy with zero false positives, not even Akismet. Manual spam is blocked with an IP address blocklist.
This plugin was born out of necessity in September of 2007 when HollywoodGrind.com was getting a lot a traffic, and with it a lot of spam that multiple plugins could not stop, but instead increased the load on the server fighting the spam. Since its birth, Spam Free WordPress has been tested successfully under real world heavy traffic, and heavy comment spam, conditions. Once Spam Free WordPress is installed, no other comment spam plugins are needed, and it is recommended that all other plugins be disabled since they will cause undesirable false positives.
It is my goal for Spam Free WordPress to help WordPress become the world’s first and only comment spam free blogging platform.
What Am I Worth?
Is a reliable spam fighting plugin worth a dollar?
Spam Free WordPress Features
- Automatically blocks 100% of automated comment spam
- Local manual spam and ban policy set with local IP address blocklist
- Global manual spam and ban policy set with remote IP address blocklist
- Significantly reduces database load compared to other spam plugins
- Zero false positives
- Option to strip HTML from comments
- No CAPTCHA, cookies, or Javascript needed
- Saves time and money by eliminating the need to empty the comment spam folder
Automatically Blocks Automated Comment Spam
Spam Free WordPress uses anonymous password authentication to block 100% of all comment spam with zero false positives. Either the password is submitted with the comment form, or it’s spam. Each post is a assigned a password. The password is generated only after it is visited for the first time, and the password only changes when a comment is left. The password is only generated and changed when necessary to eliminate unnecessary load on the database. The reader leaving a comment copies and pastes the password into the comment field to authenticate while remaining anonymous, thus eliminating the need to login to an different account on each blog. Logged in readers will not be required to use the comment form password.
CAPTCHA is not used because it is hard to read, unnecessary, easily cracked, and reduces the number of real comments substantially. There is an interesting article about CAPTCHA here.
Readers do not need to accept cookies or to have Javascript enabled for Spam Free WordPress to work. Spam Free WordPress uses anonymous password authentication the reader types into the comment form.
Automated spam bots use the wp-comments-post.php core WordPress file to submit comment spam even if the comment form doesn’t exist like when DISQUS is used to handle comments. Spam Free WordPress hooks into wp-comments-post.php to block automated spam by requiring the same password authentication used on the comment form. Spam Free WordPress eliminates the spam DISQUS users continue to experience.
Local and Remote Blocklist
Spam Free WordPress uses an IP address blocklist to block comment spam that is manually submitted by a real person. The blocklist can also be used to ban readers that leave offensive comments. The local blocklist is stored in the database, so it can be used to set policy for a local blog. The remote blocklist allows a global policy to be set for many blogs that remotely access a file that contains the IP address list.
If someone has their IP address listed in the blocklist that person can still read the blog, but will not be able to leave a comment. This approach is used for several reasons. Spam bots may spoof an IP address, or another person may have been using the IP address when they were banned. No one owns an IP address for life, so the IP address is blocked from leaving comments, but not from reading the blog.
Reduces Database Load
As mentioned above, the password is set and changed only when necessary to reduce load on the database. Other plugins filter comments in an effort to determine if they are spam.
Since it is not possible for any filter to ever identify spam accurately, their success at blocking spam is marginal. Those other plugins allow spam to be written to the database most of the time, and stored in the comment spam queue, where the blogger must manually delete the spam. Akismet will prevent some comments it believes is spam from being written to the database, and that results in complaints at times when people realize it was a real person commenting.
Spam Free WordPress knows if comments are real or not, because a password must be entered into the form manually. Anything that is submitted without the password is considered spam. Unlike a filter approach that has many variables, password authentication is 100% accurate, since the password is submitted or not.
Comments that are blocked are never written to the database, which eliminates all the load on the database that spam creates, and other plugins allow.
Option to Strip HTML from Comments
It is very common for manual and automated comment spam to include a URL that links to a web site. Spam Free WordPress has an optional feature that will automatically strip out HTML from comments so that links will show up as plain text, and will then also remove the allowed HTML tags from below the comment text box.
Cached Pages Will Work
Comment form passwords will properly refresh on cached pages, provided the cache program is set to refresh the page on changes to the page, or if a comment has been submitted. Spam Free WordPress has been tested with WP Super Cache, Batcahe, W3 Total Cache using APC, Memcache, and Xcache, with the super fast Nginx web server using its core NCache module, and PHP served with PHP-FPM, with Apache serving PHP, and with other caching programs, all of which worked properly.
Spam Free WordPress in Action
Case Study: Hacked Comment Accounts on Gawker
On Monday December 13, 2010 at 5:59 PM, Gawker sent out this email message to people who had an account on their blogs used to leave comments. It should be noted that Gawker does not use WordPress, but the security hole created by using comment accounts is the same on every blogging platform.
Gawker Comment Accounts Compromised — Important
This weekend we discovered that Gawker Media’s servers were compromised, resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. As a result, the user name and password associated with your comment account were released on the internet. If you’re a commenter on any of our sites, you probably have several questions.
We understand how important trust is on the internet, and we’re deeply sorry for and embarrassed about this breach of security. Right now we are working around the clock to improve security moving forward. We’re also committed to communicating openly and frequently with you to make sure you understand what has happened, how it may or may not affect you, and what we’re doing to fix things.
This is what you should do immediately: Try to change your password in the Gawker Media Commenting System. If you used your Gawker Media password on any other web site, you should change the password on those sites as well, particularly if you used the same username or email with that site. To be safe, however, you should change the password on those accounts whether or not you were using the same username.
We’re continually updating an FAQ (http://lifehac.kr/eUBjVf) with more information and will continue to do so in the coming days and weeks.
Gawker Media
If Gawker had been using the anonymous password authentication built into Spam Free WordPress this incident would not have happened.
Case Study: Street Dogs Band
A blog run by the band Street Dogs recently started using Spam Free WordPress around 7-15-2011, and in just a few weeks they’ve blocked over 26,000 spam comments. Visit they’re site and refresh the page to see how fast the spam comments are hitting their server.
Update: As of 8-1-2011 Spam Free WordPress has blocked 91,794 from the Street Dogs blog.
Comment Form Example
If Spam Free WordPress is installed correctly there will be a Password field on the comment form. Each time a reader leaves a comment they type in that password, or copy and paste it, to leave a comment. Below is an example. If the password field is not visible refer to the readme.txt file for specific directions.
To see the password field you must be logged out of your WordPress blog account.
Installation Instructions
Proper Installation Example
If Spam Free WordPress is installed correctly there will be a "Password:" field on the comment form. An example screenshot can be viewed above, or for a live example scroll down to the comment form at the bottom of this page.
To see the password field you must be logged out of your WordPress blog account.
NOTE: Clear the blog cache, like WP Super Cache, after installation.
WordPress 3.0 and Above
- Upload to the /wp-content/plugins directory
- Activate
- If the comment_form() function is already in the comments.php file, then nothing else needs to be done. Otherwise go to step 4.
- Save a backup copy of comments.php
- Go to Appearance -> Editor. Edit comments.php
- Replace the <form> and </form> tags, and all the code between the <form> and </form> tags, with the following line of code:
<?php comment_form(); ?>
- Click "Update File" to save changes.
- If the file gets messed up, use the backup comments.php code to restore everything.
Incorrect:
<form> <?php comment_form(); ?> </form>
Correct:
<?php comment_form(); ?>
If the comments.php file is custom, and it is not desirable to use the comment_form() function, then follow the directions for WordPress 2.8 or 2.9 below.
WordPress 2.8 or 2.9
- Upload to the /wp-content/plugins directory
- Activate
- Copy and paste the following line into your comments.php file right after the last form field for either the email address or the URL (web site):
<?php if(function_exists ('tl_spam_free_wordpress_comments_form')) { tl_spam_free_wordpress_comments_form(); } ?>
Thesis Theme
- Go to Thesis -> Custom File Editor, choose custom_functions.php, then click Edit selected file. Add the following line of code to that file:
add_action('thesis_hook_comment_field', 'tl_spam_free_wordpress_comments_form');
- Save changes.
Genesis Theme Framework by StudioPress
- Upload to the /wp-content/plugins directory
- Activate
WPtouch plugin
WPtouch uses an old comments.php file format that makes it impossible to detect that plugin’s mobile theme, or to add form fields, so they must be added manually each time the plugin is upgraded. Almost all phones today can see blog posts just like a personal computer sees them, so WPtouch is not needed, but for those who use it here is how to make it work with Spam Free WordPress.
Go to the wp-conten/plugins directory then into wptouch/themes/default. Open the comments.php file in an editor. Find the following line:
<p> <input name="url" id="url" type="url" value="<?php echo $comment_author_url; ?>" size="22" tabindex="3" /> <label for="url"><?php _e( 'Website', 'wptouch' ); ?></label> </p>
Below that line add the following line:
<p><?php if( function_exists( 'tl_spam_free_wordpress_comments_form' ) ) { tl_spam_free_wordpress_comments_form(); } ?></p>
Support
Plugin support can also be obtained through IRC chat on irc.freenode.net in the #toddlahman channel. Click here if you need an IRC chat program.
Requirements
Self-hosted WordPress 3.0 or above. PHP 5 or above. This plugin works in Multi-User mode.
Download
Download latest version of Spam Free WordPress
| Plugin | Last Update | Rating | # Ratings | Downloads |
|---|---|---|---|---|
| Spam Free WordPress | 2011-07-27 | 100.00 | 16 | 33117 |
| Averages | 100.00 | 16.00 | 33117 | |
| Totals | 16 | 33117 |
Pingbacks and Trackbacks
The plugin below will close pingbacks and trackbacks on all posts and pages.
Directions: Activate plugin, publish or edit/update one post. All posts and pages will now have pingbacks and trackbacks disabled. Deactivate plugin. Only needs to be run once.
To make sure pingbacks and trackbacks are closed on future posts and pages, go to “Settings -> Discussion” and uncheck the box next to “Allow link notifications from other blogs (pingbacks and trackbacks).”
Auto Close Pings and Trackbacks Plugin Download
Can you help me find where in my comments.php file I need to make changes?
I am using a “relatively” new Wootheme called Sealife and have the latest version of WP installed. No copy/paste password field is appearing.
Here is a post w/ comment section… http://bit.ly/py8qSH
Many thanks!
Cara
Hi is there a place where i can see each feature explained. i am not able to understand the use of Password Form Customization. where can i get more detail son this.
I have been using this plugin successfully for several weeks, but recently the password box disappeared so no one is able to leave a comment. I have not changed anything, so I’m not sure what happened. any ideas?
The only way for the password field to not display is if your theme comments.php file changed in some way. Try adding the following line of code just below the URL or Website comment form field to force display of the comment form password if it is not displaying automatically with your theme.
Hello:
Thank you for your work. Thought you should know that there is a problem with your zip file for the auto close ping plugin.
Regards,
Sumeros
I appreciate you letting me know. The problem is now fixed.
Hi,
I works fine but I wonder how I can get away the field with the html and also it’s one text field for webplace that I don’t want.
I have switch off the html in the settings.
Thanks for a nice plugin
Can you provide a link to the comment form? I’m not sure I understand what you are describing in your first sentence.
Turning off html means the comment will have no html markup. This does not apply to the comment form fields.
Hi.
I wonder if this can be used for other forms, like a contact form.
I handle all forms in my site with FormidablePro and I am not sure if I will be able to
integrate it. I don’t know if I can replace that , perhaps with one of the available hooks.
I have no “comments” per se, I do have contact forms that need some spam blocking or moderating if necessary, which I would like to avoid using your plugin.
http://formidablepro.com/knowledgebase/formidable-hooks/
An upcoming version of Spam Free WordPress will offer a contact form as part of the plugin modules.
Re, comments.php in Photocrati theme
Thank you Tod that worked and was easy to do!
And thanks for pointing out the problem with pingbacks and trackbacks – I ran the plugin and disabled them for future posts and all seems well.
Hi Tod, referring to the post about Photocrati theme comments.php my email is.
Thank you for helping me!
Kind Regards,
Tiina Erameri
In the comments.php file, and after this block of code:
Insert this block of code:
Also be sure to read the Pingbacks and Trackbacks section at the bottom of this page, and download and install the Auto Close Pings and Trackbacks plugin in that section, because you are also getting Pingback and Trackback spam that looks exactly like comment spam.
Spam Free WordPress does not stop Pingback and Trackback spam.
Hey, it’d be perfect if it didn’t allow logged in users to bypass the PW entry. I’m currently experiencing a lot of weird registrations, obviously fake/spammers, with Turkish or Chinese IPs (although they never leave comments, very odd). Is there a way to block spammy user registrations as well as comments? Or is it even worth continuously deleting them? I do, but maybe it’s not necessary since a “subscriber” doesn’t have a lot of rights. Still, I cranked up LimitLoginAttempts to some pretty high lockout times (months), just to be sure.
If I understand you correctly, then here is how to stop unauthorized user registrations completely. Go to Settings -> General, and uncheck the box that says “Anyone can register.”
Spam Free WordPress already has a feature built into the upcoming release to help deal with this issue, even though it is not comment spam related.
To make sure you’ve got all your bases covered also be sure to read the directions in the Pingbacks and Trackbacks section on this page.
I am available to do some custom work if you need it.
Todd:
Loving the plug-in for my sites for my church and preschool. Do you have a recommended “Remote Comment Blocklist”? Reminds me of the AdBlock-Plus concept. I would love to have this so I can just end all this spam. Thanks!
The remote comment blocklist is an extra feature that is usually not needed, but it is there for the few manual spams that squeak through. The remote comment block list is something you create yourself to meet your own needs for multiple blogs to share.
If you’re still getting some spam then download and install the Auto Close Pings and Trackbacks located at: http://www.toddlahman.com/download/2/
Then follow the directions in the Pingbacks and Trackbacks section on this page.
Spam Free WordPress blocks only comment spam, and not Pingback and Trackback that look exactly like comments. WordPress should have made it easier to identify which is a comment, and which is a Pingback and Trackback.
Thank you Todd! This is by far one of the best plugins not to mention this is the best spam plugin available Bar None! The moment we installed your plugin the spam stopped! I mean it all just stopped! We were getting hundreds of automated spam a day between all our blogs and now NONE! That’s right NONE! 100% GONE! We add your plugin to our blog and will be helping you to promote it. This is our way of saying thanks a million! Getting rid of that awful CAPTCHA is so great! Thanks again!
Best antispam ever!! thanks guys!!
Hi Todd,
I am trying to downoad Auto Close Pings and Trackbacks but an error comes up
on the page.
Would you be able to fix it?
Thanks.
Norbert
Hi Norbert,
I have been testing the Google Content Delivery Page Speed Service on toddlahman.com, and it appears to have broken the download link, so I had to switch back to my other CDN service. It is fixed now. If your DNS for toddlahman.com doesn’t update right away then it will later today or tomorrow.
Thank you for letting me know. There are probably a few people that didn’t get the help they needed from this plugin thanks to a broken link. :( This plugin has been integrated into the next version of Spam Free WordPress.
Thank you and God bless
I have installed Spam Free Wrodpress few days ago. Hundreds of spams are blocked however, still get in the range of 30-50 a day. any suggestions what I need to do stop them 100%? I have the password setting is as follows:
Password Field Size. Default is 30. Tab Index
thanks
The spam you are seeing is Pingback and Trackback spam that looks like comment spam, but is completely different. At the bottom of this page, and just above the comments, is a section called Pingbacks and Trackbacks that offers a plugin called Auto Close Pings and Trackbacks that can be downloaded to close Pingbacks and Trackbacks on existing posts and pages, as well as instructions on closing Pingbacks and Trackbacks on future posts and pages.
Thank you for this efficient tool.
Is there a widget command, to show how many spam comments have been blocked?
Would it be possible, to have in the dashboard “right now” a line 999 Spam comments blocked?
Would be nice to have a link in the comment saying: put IP-Address in local file and mark comment as spam.
- Martin
Under Settings -> Spam Free WordPress turning on the option Comment Form Spam Stats will display the number of blocked spam comments on the comment form. On the same settings page the spam blocked stats are also shown.
A widget, or some other option, to show spam stats somewhere other than the comment form will be added to the next version.
There are no plans to add a dashboard spam stat, since it seems like too much clutter on the dashboard already.
The feature I believe you are suggesting is to be able to add a comment IP address to the local blocklist from the comment moderation page. There are plans to add this feature in the next version.
Akismet now costs $60/year, I’ll try your solution instead.
I just installed your plugin and was wondering if there is anyway to have it check previously approved comments and check them for spam. Is there a tab that I am missing that I need to click on the check for spam like other plugins?
If a visitor provides the wrong password when leaving a comment they are presented with an error message that tells them to click the back button and enter the correct password. The comment form information and comment are saved in the browser so all that has to be done is to enter the password again. When a person or bot never enter the correct password, the comment is blocked, which means you will never see it as waiting for approval or marked as spam. The comment is blocked, not filtered into a spam folder.
Wow, just installed this and it’s blocked a spam already. Spam, spam, spam! Nice one centurion!
Dear Sir,
I have installed the plugin but at the end of post the password line is not appearing. I could not find comments.php file. Please let me know where it might be? I have searched whole folder of my site but I could not find comments.php
Waiting for your quick answer.
Regards,
Tanveer Sultan
comments.php is a file in the Theme folder. In the dashboard go to Appearance -> Editor -> Comments (which is the comments.php file).
Thanks a lot sir, the file was not there but I have copied it from wordpress and placed it there. Now spam free plugin is installed properly. But I have checked when a comment comes to dashboard, I approve it, but it doesn’t appear in the post why? Please guide me. If use it more then I’ll lose all the genuine comments too.
Regards,
Tanveer Sultan
I am not familiar with how you have WordPress setup. It doesn’t not sound like any setup I have ever heard of before, especially if comments.php was not in the theme folder. I am not able to offer any further assistance.
Sorry, I think I’m confusing Comment Spam with spam that we are getting through our Contact Form. Does this plugin work to stop both? In any case, I am not seeing the password field in either the comment section of the blog or the contact form. Please advise. Thanks, Andy
In testing with Atahualpa 3.6.7, Spam Free WordPress worked automatically. For a custom theme you can use the instructions at http://wordpress.org/extend/plugins/spam-free-wordpress/installation/ for WordPress 2.8 or 2.9. I would recommend using the current version of both Atahualpa and WordPress.
There are no good hooks in Fast Secure Contact Form that Spam Free WordPress can use to work with those forms, and although FSCF has built-in CAPTCHA it also supports Akismet because the CAPTCHAS are easily bypassed by Spam. I have plans to add a feature in the next version of Spam Free WordPress to secure contact forms, whether they have a plugin hook or not.
If you can’t get Spam Free WordPress working on your comment form let me know, and I will email you, then you can attach the comments.php file from your theme, and I will return it with any necessary modifications.
Hi, I am using the Atahualpa Theme on WordPress 3.0.3 and I don’t know how to get your plugin to work. I have also installed the “Fast Secure Contact Form” plugin. Sorry I’m not very code savvy. I can find the tag but I can’t find the tag so I don’t know where to insert the code. Any help would be greatly appreciated. I would LOVE to get rid of the spam comments that we are receiving. Thanks, Andy
Hi Todd,
Just finished installing your plug-in on our not for profit website.
Its working a treat and already blocking bloody spam!
All going welll I will ask the board to allow a small donation
Thanks!!
Thank you Angel. :)
Oh Todd. How I love this plug in. I was getting so much spam for over a year, I started neglecting my blog because deleting it was getting so time consuming. A few months ago I found this plug in, tried it out and am absolutely in LOVE with it. It has seriously eliminated ALL the spam on my site, and there was hundreds a day before now.
Sadly, today I had to deactivate it. It was sixth time I have been told lately that smartphone users cannot comment on my blog. Apparently I have a lot. It makes me wonder how many comments I have missed because they couldn’t leave one. Mostly what I am being told (since I have not tried from my own phone but probably will just to see tomorrow) – is that they can’t see the field and that it doesn’t “work”. I don’t know what that means.
I don’t want to not use this, but many of my readers seem to use phones to access my blog, so I want their comments too. But I don’t know what solution to use. LOL I looked and looked and looked for a solution, but I can’t figure out what to do except to stop using it and I don’t reeeeeally want to do that. You made the spam go away. LOL Help! Please?!
The problem is with the WPtouch plugin installed on your blog. WPtouch causes a lot of issues, and makes many parts of blogs invisible to smartphones. Phones used to have trouble viewing blog posts, because the phone web browser was very poor. Today most mobile devices are using IOS, like the IPhone, IPod Touch, and IPad, or the Android OS, and those devices and phones come with a fully capable web browser. Today’s phone can see your posts exactly like a personal computer can, so WPtouch is completely unnecessary.
WPtouch has a lot of incompatibility issues with many plugins, and Spam Free WordPress should not be one of them, because the password field is generated the same way the name and email address fields are generated. I am now looking at the WPtouch source code to find a way to solve this problem for my next version release since some people will insist on using this plugin despite the fact it is not needed by today’s phones.
I would suggest deactivating WPtouch until I’ve released the next version of Spam Free WordPress, and you might even consider not using WPtouch at all, since WPtouch is known to conflict with a great many plugins.
Thank you very much for all the nice things you said about Spam Free WordPress. I am very happy to know it helped you.
I do have a fix if you want to continue using WPtouch. Go to the wp-conten/plugins directory then into wptouch/themes/default. Open the comments.php file in an editor. Find the following line:
Below that line add the following line:
After you’ve made the changes to the WPtouch comments.php file let me know, and I will view your web site with an IPhone, IPod Touch, and an IPad to confirm the password field is showing up properly.
Keep in mind that these modifications to the comments.php file will be erased when you upgrade WPtouch.
Truth be told, I forgot I even had that plug in installed – it was all the way at the bottom of all my plugins. I just deactivated it and will wait to see if others have problems still.
I don’t need it, I think it was a suggestion from someone else as a way to make my blog more mobile friendly. If it isn’t making it mobile friendly, I don’t want it. If you didn’t notice, I reactivated spam free wordpress. I’m not sure I can live without it. lol I love it. Thank you so much Todd!
Good morning Nicole,
I viewed a few of your blog posts with an IPhone, IPad Touch, and an IPad. The password field is showing up now. I also found the Zucchini Mozzarella Medley recipe, and I’m going to try it out. Sure looks tasty.
Hiya – I cannot seem to get this working with my WooTheme
http://ngurl.me/q-
Any ideas?
Your Woo Theme is Mainstream, which was available for WordPress version 2.8. Your theme is using old WordPress functions that are out-of-date, which means you are probably still stuck using with WordPress 2.8.
The directions for you to upgrade is in the WordPress 2.8 or 2.9 section located here: http://wordpress.org/extend/plugins/spam-free-wordpress/installation/
Open the theme file called comments.php and locate this line:
After the line above, insert the line below:
Spam Free WordPress will require WordPress 3.0 and above in the upcoming version, so you should upgrade soon.
Spam Free WordPress works automatically with the newer Woo Themes themes, so if you got a new theme, and upgraded WordPress at the same time you’d be ready.
This plugin is the Best spam blocker plugin available, Thank you Todd!
You’re welcome Rafael, and thank you for the compliment.
I have tried just about spam catcher plugin out there. Am hoping this works. Going to try it out with fingers crossed. LOL :-)
I meant “just about every spam catcher plugin out there” darn typos
Hi, done a great job removing lots of spam, this is one I keep getting even though I put the ip addresses in the manual list.
Any thoughts??
Website : RAY (IP: 188.168.140.13 , 13.140.168.188.retail.ttk.ru)
URL : http://%/zzfnlia2
Trackback excerpt:
.…
Buygeneric drugs zfk…
At the bottom of this page, just above the form to leave a comment, is a section titled “Pingbacks and Trackbacks.” Follow the directions to close pingbacks and trackbacks on future posts, and download the plugin linked in that section, to close pingbacks and trackbacks on past posts.
The spam you are getting is a pingback/trackback spam, which Spam Free WordPress does not block. Spam Free WordPress only blocks comment spam at this time.
HI, GREAT product, all works perfectly, just ads text under comment page now saying
You may use these HTML tags and attributes:
could you tell which file to get rid of it
regards
richard
Go to Settings -> Spam Free WordPress, and turn off Remove HTML from Comments. This feature only works with WordPress 3.0 and above, and it depends on which theme you are using. If the comments.php file is using the comment_form() function, then Remove HTML from Comments will work. If it isn’t working with your theme you can set it up to use the comment_form() function using the directions on this page.