Simple but Effective WordPress Spam Protection without Plugins

If you don’t use an antispam plugin, you probably have thousands of spam comments. Most of them left by spambots. This screenshot from one of my blogs: All this comments have appeared on the blog within only one month! But finally I found a great solution, which completely blocks all comments, left by spambots. Some […]

  /  April 12  /   2

If you don’t use an antispam plugin, you probably have thousands of spam comments. Most of them left by spambots. This screenshot from one of my blogs:

Spam comments by spambots

All this comments have appeared on the blog within only one month! But finally I found a great solution, which completely blocks all comments, left by spambots. Some benefits:

  • you don’t need antispam plugins anymore
  • no more captcha
  • easy to install, just three simple steps

Step 1. Fake textarea in the comment form

At first, you should find out the way, how comment form is inserting to the page. Actually, there are two ways, first – HTML of the form is in the comments.php, the second way – the form is inserted by the comment_form() WordPress function.

If the comment form is in comments.php

All you need to do is to add another textarea input field after default comment textarea like this:

<textarea name="comment" id="comment"></textarea><!-- default textarea (it will be fake for bots) -->
<textarea name="just_another_id" id="just_another_id"></textarea><!-- you should add something like this -->

That’s all.

If the comment form is inserted by the comment_form() function

In this case you should use this action hook:

function add_non_fake_textarea_field( $default ) {
	$commenter = wp_get_current_commenter();
	$default['comment_notes_after'] .= 
	'<p class="comment-form-just_another_id">
	<label for="just_another_id">Comment:</label>
	<textarea id="just_another_id" name="just_another_id" cols="45" rows="8" aria-required="true"></textarea>
	</p>';
	return $default;
}
 
add_filter('comment_form_defaults', 'add_non_fake_textarea_field');

Insert this code into your functions.php located in the current theme directory.

Step 2. Hiding fake field via CSS

Open any post with the comment form in it. You will see two textarea fields. So, let’s hide one of them (it must be default textarea, because it will be «fake input» for spambots).

You can hide it any way you want. For example:

#comment{
	position:absolute;
	left:-9000px;
}

If you are not sure where to insert it – just add this code to your current theme style.css file.

Step 3. Blocking spam comments

Finally, the last step. This code will block any comment with filled default comment textarea. Spambots don’t know about «fake field» so they always fill default textarea with name="comment" or id="comment". And humans never fill it because it is invisible for them. Pretty simple, yes?

Add the following code to the functions.php file.

function block_spam_comments($commentdata) {
	$fake_textarea = trim($_POST['comment']);
	if(!empty($fake_textarea)) wp_die('Error!');
	$comment_content = trim($_POST['just_another_id']);
	$_POST['comment'] = $comment_content;	
	return $commentdata;
}
 
add_filter('pre_comment_on_post', 'block_spam_comments');

Why antispam stop working in WordPress 4.4 and how to fix it?

In WP 4.4 wp-comments-post.php that lays in your site directory has been changed, after that hook pre_comment_on_post fires too late and it can not replace fake comment field. There is another decision.

  1. In you site folder create a file, you can name it stopspam.php for example. This is the code for this file:
    <?php
    $fake = trim($_POST['comment']);
    if(!empty($fake))
    	exit;
    $_POST['comment'] = trim($_POST['just_another_id']);
     
    require( dirname(__FILE__) . '/wp-comments-post.php' );
  2. Change form action attribute to this file (stopspam.php). If you are using comment_form(), it will be simpler to do with JavaScript.

Only the best of WordPress

Subscribe to this weekly newsletter to receive the latest blog posts by email.I respect your privacy. Your email is safe with me.

Comments 2

Leave your question or feedback

phpjsHTMLCSSSQLCode
Please, enter a comment
Please, enter a name
Incorrect email