Prevent WordPress SPAM Comments & Registrations With JavaScript
The battle against SPAM continues, so I have another hurdle you can implement to help prevent bots from submitting comments and registering accounts. Although this tip is aimed at WordPress, the basic idea can be applied to any application.
What we’re going to do is encase (or hide) the submit buttons on the comment form and account registration page in JavaScript. That way, bots (which don’t use JavaScript well) won’t be able to submit data to your website because they won’t see the submit button.
Comment Form
Open /wp-includes/comment-template.php and find the <input> field on line 1578. Encase that line in a JavaScript write statement:
<script>document.write(' ');</script>
Now it looks like this:
<script>document.write('<input name="submit" type="submit" id="<?php echo esc_attr( $args['id_submit'] ); ?>" value="<?php echo esc_attr( $args['label_submit'] ); ?>" />');</script>
Registration Form
Open /wp-login.php within the root directory and find the do_action call to register_form on line 547. Four lines afterward is the submit input tag nested within a paragraph tag. Encase that whole paragraph in a JavaScript write statement:
<script>document.write('<p class="submit"><input type="submit" name="wp-submit" id="wp-submit" class="button-primary" value="<?php esc_attr_e('Register'); ?>" tabindex="100" /></p>');</script>
Core File! Since this tip is an adjustment to the WordPress core, you will need to adjust it after each update. Make a note of it with a link back here so you don’t forget.
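For the comment form, the same wrapping can be applied from a small plugin instead of an edit to comment-template.php, so it survives updates. This is an added example, not code from the original post; it assumes WordPress 4.2 or later (for the comment_form_submit_button filter), and the function name is hypothetical.

```php
<?php
/**
 * Plugin Name: JS-only comment submit button (added example)
 *
 * Added example, not from the original post: applies the same
 * document.write() wrapping to the comment form's submit button from a
 * plugin, so /wp-includes/comment-template.php stays unmodified.
 * Assumes WordPress 4.2 or later, which provides the
 * comment_form_submit_button filter. The function name is hypothetical.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit; // Refuse direct requests to this file.
}

/**
 * Wrap the rendered submit button in a document.write() call.
 *
 * @param string $submit_button HTML of the submit button built by comment_form().
 * @param array  $args          Arguments passed to comment_form() (unused here).
 * @return string Script element that writes the button when JavaScript runs.
 */
function example_js_only_submit_button( $submit_button, $args ) {
	// Encode the markup as a JavaScript string literal. The JSON_HEX_* flags
	// turn <, >, &, ' and " into \uXXXX escapes, so quotes in a translated
	// label cannot end the string and "</script>" cannot close the element early.
	$literal = wp_json_encode(
		$submit_button,
		JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
	);

	if ( false === $literal ) {
		// Encoding failed (for example invalid UTF-8): keep the normal button
		// rather than emit a broken script.
		return $submit_button;
	}

	return '<script>document.write(' . $literal . ');</script>';
}
add_filter( 'comment_form_submit_button', 'example_js_only_submit_button', 10, 2 );
```

The registration button in wp-login.php is not covered by this filter, so that part of the tip still requires the core edit described above.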
Does It Work?
While it works as it’s intended, it unfortunately won’t stop all spammers, but it may stop a few.
Measures to prevent spammers, such as CAPTCHA, are actually rather successful in stopping bots, but human spammers are an increasing problem. If a legitimate person can do it, a human spammer can too.
During the five months that I required user registration, I got 200+ registrations, but zero comments from spammers or legitimate users. That was unacceptable because people generally dislike registrations and logging in to post a quick remark, so I was alienating legitimate users. As for the spammers, I was just moving them from comments to registrations.
The other issue with requiring JavaScript is the legitimate users who have either disabled JavaScript (likely for security reasons), or are using a hand-held device that doesn’t natively support it. At this point, I’m undesirably telling them not to comment. If I gave them a non-JavaScript alternative, a bot would try that method too.
So, it’s a constant battle. You want real comments, not SPAM comments, but you don’t want to put up so many hurdles to block spammers that you end up losing out on legitimate ones. Just food for thought as we all battle spammers, bot or human.