ClassicPress Petitions
This is a read-only archive. Post or comment on the live version of this page on our forums.

Add anti-spam feature to core

12 months ago · Viktor Nagornyy
Description

It would be very helpful to everyone if an anti-spam feature was in the core and enabled by default.

There's a very effective, very simple anti-spam feature that works with comments and all other forms (registration, login, etc.) that requires no user input, that works with JS and a token.

There's a plugin we use with WP called WordPress Zero Spam that uses this method, and it does live up to its name. Never had any spam issues on any sites.

It basically generates a random token and stores it in the database. It adds this token on the page using JS, and if the token is present and matches the database token, the form submission is validated. If the JS token is not present or doesn't match the database, it's marked as spam. Validation is performed in the backend.

A checkbox to disable it on Discussions page (or Security) would be helpful if for some reason someone wants spam.

https://wordpress.org/plugins/zero-spam/

Based on this method:
http://davidwalsh.name/wordpress-comment-spam

No Akismet, no captchas, no checkboxes. No external APIs. It's simple and it works.

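The token check described in the petition, sketched as an added Node.js example (not code from the Zero Spam plugin or from ClassicPress). It shows the server-side decision for four constructed submissions, including the no-JavaScript case raised in the discussion. The field name `zs_token`, the in-memory `store` standing in for the database, and all function names are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Stands in for the database row holding the site token (assumption).
const store = { token: nodeCrypto.randomBytes(16).toString('hex') };

// Server side: the form is served WITHOUT the token field. Only the inline
// script adds it, so a client that never runs the script never sends it.
function renderForm() {
  return [
    '<form id="commentform" method="post">',
    '  <textarea name="comment"></textarea>',
    '</form>',
    '<script>',
    '  var f = document.createElement("input");',
    '  f.type = "hidden"; f.name = "zs_token";', // hypothetical field name
    `  f.value = ${JSON.stringify(store.token)};`,
    '  document.getElementById("commentform").appendChild(f);',
    '</script>',
  ].join('\n');
}

// Server side: compare submitted and stored tokens in constant time.
// A missing, empty, or wrong token is classified as spam.
function classify(fields) {
  const sent = Buffer.from(String(fields.zs_token ?? ''), 'utf8');
  const want = Buffer.from(store.token, 'utf8');
  const ok = sent.length === want.length &&
    nodeCrypto.timingSafeEqual(sent, want);
  return ok ? 'accepted' : 'spam';
}

// Constructed submissions (sample data, not real traffic).
const samples = {
  browserWithJs: { comment: 'Nice post', zs_token: store.token },
  formOnlyPoster: { comment: 'Buy now' },            // never ran the script
  staleToken: { comment: 'Hi', zs_token: 'z'.repeat(32) },
  noScriptReader: { comment: 'Genuine reply' },      // legitimate, JS off
};

function classifyAll() {
  return Object.fromEntries(
    Object.entries(samples).map(([name, f]) => [name, classify(f)]));
}

console.log(classifyAll());
```

The check sees only whether the script ran: `formOnlyPoster` and `noScriptReader` are indistinguishable to the server and both come back as spam, while any client that executes the page's script is accepted.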
Discussion
KTS915

This sort of protection essentially works only if the bots you are trying to keep out do not use JavaScript. These days, many do, so many people aren't going to get the results you've seen.

That doesn't necessarily mean that this (or something like it) should not be implemented in core, but the implications need thinking through. For example, is it right to expect that every legitimate user will have JS turned on?

As for the actual implementation, as someone pointed out on Walsh's blog, wouldn't it be better if, instead of adding tokens to the form through JS, the Submit button itself was only loaded through JS? That way, it wouldn't just deny the submissions, but would also mean that the server wouldn't have to deal with them at all.

James Nylen

>For example, is it right to expect that every legitimate user will have JS turned on?

In my opinion, no, it isn't!

Also, I've never written a spam bot (and never will), but I have done a lot of webpage automation. I almost always use a library that drives a full browser, including JavaScript.

Viktor Nagornyy

There's always more than one way to do it. But having anti-spam built-in, something basic to reduce spam (if not eliminate), should be part of a business-focused CMS. Whatever anti-spam method is chosen.

Spam bots are getting smarter, but most are not. I've used the Zero Spam plugin on dozens of websites over the years, and it always works 100%. I've installed it on active sites that would get hundreds of spam comments per day, and it would stop them dead in their tracks.

Maybe it wouldn't eliminate 100% of spam comments, but I'm pretty sure 98% would be eliminated with a simple JS solution.

Linas

No, this is a plugin's area. Let's keep core as lean as possible!

zigpress

Less than ideal for anyone who uses a Noscript browser extension to protect themselves.

James Nylen

>Less than ideal for anyone who uses a Noscript browser extension to protect themselves.

This is one reason why any "anti-spam" solution that relies on JavaScript is unacceptable. The best way to do anti-spam protection is via a centralized service; in fact, this is how WordPress.com got started (with Akismet).