HowTo Eliminate WordPress Trackback Comment And Pingback Spam


Have you ever gone to your Akismet plug-in in WordPress and NOT had spam to clear out? Even seeing it there can be depressing and a strain on your server's resources. Why even let spam bots eat up your processor with extra SQL queries! I've come up with a spam defense lineup where 99% of my spam stops bots before they even get logged as spam!

Defense Line 1: Number CAPTCHA
Two months ago I posted a series of 5 Spam Blocking Posts. In one of those, I introduced my Enhanced Number Equation method. I have essentially refitted that code for WordPress use! I actively use this on several of my own sites. Navigate to a comments section on a content page of one of my custom-coded sites to see it in action: it has worked wonders for me!

Here are the steps to implement it. Note I'm using WordPress 2.6. If you're using an earlier or later version it should work, but make sure you BACKUP before you edit anything. Also make a note somewhere that you've edited this file so you can carry over the changes in the future.

  <?php
  //FILE: /wp-content/themes/YOURTHEME/comments.php - where YOURTHEME is the name of the theme you're currently using
  //FIND: <textarea name="comment" id="comment" rows="10" cols="35" wrap="virtual" tabindex="4"></textarea>
  //AFTER any closing tags for your paragraphs or label setup, add:
  //NOTE: $_SESSION only works if session_start() was called before any output was sent
  //(e.g. at the top of header.php or from a plugin hooked to init); otherwise the answer
  //is never stored and every comment is rejected.
  function numbercapcha() {
      $firstnum = rand(5,8);
      $secondnum = rand(1,4);
      $coinflip = rand(1,2) % 2;
      if($coinflip == 0) {
          // Addition: answer is between 6 and 12
          $math = $firstnum + $secondnum;
          $operators = array("+","Added To","Plus");
          $operatorschoice = rand(1,3) % 3;
      } else {
          // Subtraction: the first number is always larger, so the answer is never negative
          $math = $firstnum - $secondnum;
          $operators = array("-","Minus");
          $operatorschoice = rand(1,2) % 2;
      }
      echo $firstnum . " " . $operators[$operatorschoice] . " " . $secondnum . " = <input type=\"text\" name=\"number\" maxlength=\"2\" size=\"5\" id=\"numcapcha\" style=\"width: 25px;\">";
      return $math;
  }
  // Continue with your theme and use the one-line PHP snippet shown in the example below to
  // generate the input field. (Do not write a closing PHP tag inside a // comment: PHP treats
  // it as the end of the code block, and short <? tags are off on many servers, so use <?php.)
  ?>
  <p><label for="security">Security</label><?php $_SESSION['capcha'] = numbercapcha(); ?></p>

  <?php
  //FILE: /wp-comments-post.php (in the root directory)
  //FIND: $comment_type = '';
  //This should be on line 63 in WordPress 2.6
  //AFTER ADD (the <?php and ?> here only frame the listing; this file is already in PHP mode,
  //so paste just the lines between them):
  if ( !session_id() ) session_start();   // nothing has been output yet in this file, so the session can start here
  $numcheck = isset($_POST['number']) ? trim($_POST['number']) : '';        // what the visitor typed
  $sessioncapcha = isset($_SESSION['capcha']) ? $_SESSION['capcha'] : null;  // the answer stored when the form was rendered
  if ( is_numeric($numcheck) && $sessioncapcha !== null && $sessioncapcha == $numcheck ) {
      //This should be left blank unless you want to do something else if the number was answered correctly
  } else {
      //Number wasn't answered correctly - Show Error
      wp_die( __('Error: You did not answer the security question correctly.') );
  }
  ?>

The above code may differ slightly with the HTML only. You may want to tidy it up to suit your theme. I also use CSS to modify the display which I have not provided here. That goes a bit beyond the goal for today.

A very quick video howto for some CSS styling was embedded here to get you started, though it doesn't have to be all that incredibly fancy right away.

Also, I have intentionally placed the CAPTCHA check before any other error is checked. Checking that the CAPTCHA is correct first saves the effort of processing anything else until it is determined that the CAPTCHA has been entered correctly.
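The same check as an added example (my own code, not the post's): the CAPTCHA is split into a generate function and a verify function, the session is started before the answer is stored (or its absence reported), the stored answer is single-use so a correct guess cannot be replayed, and the posted value is validated before it is compared. The function names are my own and random_int() assumes PHP 7 or later.

```php
<?php
// Added example, not the post's own code: the number CAPTCHA as a generate/verify pair.
// Function names are my own; random_int() needs PHP 7+.

function captcha_ensure_session(): bool
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true;
    }
    // Starting a session after output has begun fails: the answer is never stored and every
    // comment is then rejected (the "sessions bug" reported in the comments on this post).
    // Start it early, e.g. from a plugin hooked to init, rather than from the theme file.
    return !headers_sent() && session_start();
}

function captcha_question(): string
{
    captcha_ensure_session();
    $a = random_int(5, 8);
    $b = random_int(1, 4);            // b < a, so a subtraction never goes negative
    if (random_int(0, 1) === 0) {
        $answer = $a + $b;
        $words  = ['+', 'Added To', 'Plus'];
    } else {
        $answer = $a - $b;
        $words  = ['-', 'Minus'];
    }
    $_SESSION['capcha'] = $answer;    // kept server side only; the page never carries the answer
    $op = $words[array_rand($words)];
    return htmlspecialchars("$a $op $b", ENT_QUOTES, 'UTF-8')
        . ' = <input type="text" name="number" maxlength="2" size="5" id="numcapcha">';
}

function captcha_verify($posted): bool
{
    captcha_ensure_session();
    if (!isset($_SESSION['capcha'])) {
        return false;                 // no question was issued (session lost, cookies off)
    }
    $expected = (int) $_SESSION['capcha'];
    unset($_SESSION['capcha']);       // single use: a correct answer cannot be replayed
    if (!is_string($posted) || !preg_match('/^\s*\d{1,2}\s*$/', $posted)) {
        return false;                 // reject arrays, "", "7abc" before any comparison
    }
    return (int) trim($posted) === $expected;
}

// In wp-comments-post.php, right after `$comment_type = '';`:
// if ( ! captcha_verify( isset($_POST['number']) ? $_POST['number'] : '' ) ) {
//     wp_die( __('Error: You did not answer the security question correctly.') );
// }
```

Because the answer is removed from the session as soon as it is checked, a visitor who fails the question gets a fresh equation on the next page load, and a bot that somehow obtains one correct answer cannot reuse it for a second submission.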

Defense Line 2: Akismet Or Defensio
Akismet is your second line of defense for comments. It used to be your first, and you'd have to sort through all that garbage! You should see a big time saving here, but it should still be in place. I also posted How Akismet And Defensio Create Another Line Of Spam Defense a while back. If you're not already using one, try them out. Long story short, Akismet caught more spam than Defensio did... but times change, try them both.

Download Akismet WordPress Plug-in Or Download Defensio Anti-Spam WordPress Plug-in

Defense Line 3: Simple Trackback Validation
Blocking Trackback and Pingback spam has never been so easy. WordPress users are very susceptible to this kind of spam, which is becoming a much more popular choice of attack for spammers.

This plug-in checks two things which can both be toggled on/off for customization:

  1. Checks the IP address of the webserver sending the request against the host named in the trackback URL that's being provided.
  2. Checks that your URL is actually present on the page the referring URL points to.
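To make those two checks concrete, here is an added example (my own code, not the Simple Trackback Validation plug-in's) that implements each as a function. The function names and the injected $fetch callback are my own assumptions, and the sample page body is constructed so the second check can be exercised offline.

```php
<?php
// Added example, not the plug-in's code: the two trackback checks as plain functions.

// Check 1: does the IP that sent the trackback belong to the host named in its URL?
function trackback_ip_matches_url(string $remoteIp, string $trackbackUrl): bool
{
    $host = parse_url($trackbackUrl, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;                            // malformed URL: fail closed
    }
    // A literal IP in the URL is compared directly; a hostname is resolved to all its A records,
    // since a site served from several addresses may send from any of them.
    $candidates = filter_var($host, FILTER_VALIDATE_IP)
        ? [$host]
        : (gethostbynamel($host) ?: []);
    return in_array($remoteIp, $candidates, true);
}

// Check 2: does the page at the trackback URL actually link to us?
// $fetch(string $url) returns the page body or null on failure; it is injected so the real
// fetcher can restrict schemes to http/https, cap the body size, and be stubbed in tests.
function trackback_page_links_here(string $trackbackUrl, string $ourUrl, callable $fetch): bool
{
    $body = $fetch($trackbackUrl);
    if (!is_string($body)) {
        return false;                            // unreachable page counts as unverified
    }
    // Accept our URL with or without a trailing slash, case-insensitively.
    $needle = rtrim($ourUrl, '/');
    return $needle !== '' && stripos($body, $needle) !== false;
}

// Constructed sample: a page on example.com that links to one of our posts.
$sampleBody = '<html><body>Nice post: <a href="http://blog.example.net/some-post/">here</a></body></html>';
$stubFetch  = function (string $url) use ($sampleBody): ?string {
    return $sampleBody;                          // stands in for a real HTTP GET
};

$linksToUs     = trackback_page_links_here('http://example.com/page', 'http://blog.example.net/some-post/', $stubFetch);
$linksToOther  = trackback_page_links_here('http://example.com/page', 'http://blog.example.net/other-post/', $stubFetch);
$ipLooksRight  = trackback_ip_matches_url('192.0.2.10', 'http://192.0.2.10/page');
```

The first check is the one most likely to produce false positives in practice: a blog behind a CDN or on a host that sends mail and trackbacks from a different address than its web server will fail it, which is why the plug-in lets you toggle each check independently.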

What I love most about it is that it also marks a blocked trackback by temporarily renaming it to "BLOCKED BY STBV", as highlighted in the example below. If you mark it as accepted, it removes the prefix and makes the trackback active.

Download Simple Trackback Validation Plug-in. You can also go to the STBV plug-in homepage and read up about it a lot more.

Other Options
That concludes the setup that I have, which is safeguarding me so well that I actually had to wait a week so that I could grab that trackback picture I used above for this post. However, I find it necessary to share with you additional options that I combed through in the process of setting up the redesign of this blog. You might also have an earlier or later version of WordPress in which some of these methods may not work. Therefore you'll have a few more options:

WP-Hardened-Trackback is a lot like STBV. When I tried it, it didn't work with 2.6. If for whatever reason STBV doesn't work for you because you haven't upgraded yet, try this out.

Math-Comment-Spam-Protection is the exact same idea as what I presented to you in Defense Line 1. However the plug-in only works for WordPress 1.5.2, 2.0.x and 2.1. I tried it out and had a lot of problems with it, which is why I modified my previous solution for another site to fit into WordPress. Again, if you're on an old version, maybe my hack won't work for you. So try this!

WP-SpamFree is a plug-in that claims to do it all. It weeds out bots by assuming they can't use JavaScript and cookies. While this will reduce a lot of spam, I feel there is a small but real user base not using JavaScript or cookies, so this might cause a problem for users that want to comment on your form. The point in using this would be so that a user doesn't have to enter an extra CAPTCHA field. But at the end of the day, if a user cannot add or subtract single-digit numbers, I don't know if their comment would be of much use to anyone anyway. Another reason you might use this is that it would be somewhat less technical than copying/pasting the code I have for the CAPTCHA above. There is also a ton of documentation on the WP-SpamFree website.

I recently read a post on Shoemoney.Com about his 60,000-comment mark. He commented on it with this:

"It's hard to imagine 60k comments. Especially when about 80% of them are manually approved with all the spam filters we have."

Maybe Shoemoney should implement some of these things to save some time. If you're in the same spot, then don't let spam waste your time!

This post is part of a series of posts in which I’m telling you how to modify your WordPress theme the way I have! If you’d like to see anything in particular, comment on the RobMalon.Com Redesign post and I’ll make it part of the series!



13 Responses to HowTo Eliminate WordPress Trackback Comment And Pingback Spam

  1. Maybe I shouldn't, but these days I just rely on my spam filter (Akismet) to catch it all. I used to use Simple Trackback Validation on several of the blogs I have, but it stopped stuff from going directly to the spam filter and actually caused me more work when I had to delete the trackbacks.

    I’ve finally set Akismet to delete anything older than 30 days automatically, and I almost never check the spam section of my blogs anymore.

    I’m sure I’m running a risk of missing a good comment, but the time savings has been worth it. Not to mention, I’ve quit burning my eyes with some of the filth that I used to have to skim through before deleting the spam comments and trackbacks manually.

  2. In that case, it still would be good to have both, but just reverse the order in which the code executes. So far, I haven’t run into the problem you’ve mentioned, but I might write a howto/plugin and post on how to do what you’re asking for sometime :) .

  3. Hi-

    I have another successful method that I've employed on a couple of sites. This is not so much for pingback spammers, but is useful for your standard form spam-bots; those are the bots that run around the internet and submit garbage into your forms. I never quite understood why someone would do that... but anyway. My current blog doesn't have this installed yet, but it's my next order of business.

    The effect is that you basically place hidden fields into your form that a bot will fill out. The hidden fields are named to trick the bot with names like “email” or “url.” When you process the form, if these hidden fields have a value, then you know the form was filled out by a bot, as a human would not have seen them, and would not have filled them out.

    The method is pretty simple. Add an additional input field into your form. Give this the id and name of something like email, url or comment. Then take one of the fields that is normally part of the form, and rename it to something else, like “favorite_color.” The id of favorite_color is actually going to be their url, for example, so in the form processor, you will also need to change the id from url to favorite_color. Next you will need to hide the “url” form field with CSS. Lastly, you will need to create an exception check in the form processor to see if the hidden field has a value. If it does, then we know it’s spam, because a normal person wouldn’t see the field, and thus, would not fill it out, while a bot would see it and fill it out, thinking it’s the url field.

    It sounds complicated, but once it’s completed, you won’t have to inconvenience your real readers with math questions or captcha boxes.
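The honeypot described in that comment, written out as an added example (my own code, not the commenter's): the visible "favorite_color" field carries the real URL, the "url" field is a normal text input hidden by an external stylesheet rule, and the processor rejects any submission in which the hidden field was filled. The field names and the .hp class are illustrative, and the two sample submissions are constructed.

```php
<?php
// Added example, not the commenter's code: a CSS-hidden honeypot field for a comment form.
// Field names and the .hp class are illustrative choices.

// Rendering side. The trap looks like an ordinary text input; it is hidden by a rule in an
// external stylesheet (.hp { display: none; }), not by type="hidden", so a bot that only
// reads the HTML sees a field named "url" and fills it.
function honeypot_form_fields(): string
{
    return '<p><label for="favorite_color">Website</label>'
         . '<input type="text" name="favorite_color" id="favorite_color"></p>'
         . '<p class="hp"><label for="url">Leave this field empty</label>'
         . '<input type="text" name="url" id="url" autocomplete="off" tabindex="-1"></p>';
}

// Processing side. Returns the real URL (possibly empty) when the trap is untouched,
// or null when the hidden field carried a value, i.e. the submission came from a bot.
function honeypot_extract_url(array $post): ?string
{
    $trap = isset($post['url']) ? $post['url'] : '';
    if (!is_string($trap) || trim($trap) !== '') {
        return null;                       // a human never sees this field, so it stays empty
    }
    $real = isset($post['favorite_color']) ? $post['favorite_color'] : '';
    return is_string($real) ? trim($real) : null;
}

// Constructed sample submissions: a human leaves the trap empty, a bot fills every field it finds.
$humanPost = ['comment' => 'Nice post', 'favorite_color' => 'http://example.net/', 'url' => ''];
$botPost   = ['comment' => 'buy stuff', 'favorite_color' => 'http://example.net/', 'url' => 'http://example.org/'];

$humanUrl = honeypot_extract_url($humanPost);
$botUrl   = honeypot_extract_url($botPost);
```

Keeping the hiding rule in an external stylesheet, as the later comments suggest, means a bot has to fetch and apply CSS to notice the field is invisible; the tabindex="-1" and autocomplete="off" attributes keep keyboard users and browser autofill from landing in the trap by accident.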

  4. That kind of reminds me of the honeypot plugin for wordpress:

    I think it would be easy for a bot to detect a "hidden" string in the input tag. They want to act like users so I don't think that strategy would trip up most bots. It's all about bettering your odds though. Good idea.

  5. Right, it’s a honeypot. Didn’t know there was a wordpress plugin. I may not have explained the hidden thing clearly.

    The input type would not be “hidden” but a regular text box. In order to trick the bot, you hide it with CSS or ASP, PHP or what-have-you. So it’s a normal text field, just hidden from human eyes.

  6. So you’re thinking of wrapping the input tag with a div that has its style set to display:none?

    That would work too, however I've never used any form bot software to tell how many of them it would catch up. Bots definitely have issues with JavaScript, but I don't know about CSS. It would help if the CSS style specifying the display:none was in an external CSS sheet. Then they'd have to use/emulate a browser to find out that it's hidden.

  7. Bingo.

    So long as the bots aren’t reading and understanding the CSS commands, you should be fine.

  8. Great tips, Rob. I wasn’t aware of the trackback validation plugin and I’m going to test it out thanks to you. Much appreciated!

  9. Try #2
    Your solution makes a hell of a lot of sense, except that after answering your math question your script said I was wrong and then lost my comment. Let's try this again and see how it works... Maybe a JavaScript that won't allow you to submit would work better.

  10. Indeed, there is a sessions bug with the commenting on here which is what you experienced. I have 2 solutions for it, but no time to implement right now while in the middle of my current project. I was kind of hoping one of those solutions would manifest itself as a full blown wordpress plugin that I would release since most are not technical enough to implement this themselves in some cases.

  11. Hi Rob, Have you had a chance to do the sessions bug fixes yet or to create a plugin for wordpress?

    Seems like a good idea though. Let's see if this gets through with the correct sum addition.

  12. Hey Rob, I have a quick question. Recently it has started to happen on my site that every time I do a new post, a bunch of sites pingback my post right away. I know my site has a few visitors, but to be pingbacked from several sites right away after I publish my post looks very scammy, besides which the websites that pingback me are not related niche websites.

    What do you think is that, and what I can do to solve this problem?

    What do you think overall?


Custom Theme by Rob Malon | Content & Design © 2010 - RobMalon.Com - Chicago, Illinois