WP Hashcash Plugin for Spam
What is WP Hashcash?
WP Hashcash is an antispam plugin that eradicates comment spam on Wordpress blogs. It works because your visitors must use obfuscated javascript to submit a proof-of-work that indicates they opened your website in a web browser, not a robot. If the javascript check fails, WP Hashcash now gives you three options; it can either put the comment into moderation (default), put the comment in the akismet queue, or delete it.
WP Hashcash also protects the signup forms of WordPress Multi-User (WPMU) and BuddyPress (BP) blogs.
Features:
- Blocks all comment spam, but not real comments
- Also prevents most trackback / pingback spam
- Also protects signup pages for Wordpress (WP), BuddyPress (BP), and Wordpress Multi-User (WPMU)
- Widget support to display spam statistics and edit the configuration
- Works with IE, Firefox, and Safari
- 100% standards compliant XHTML 1.1, works with jQuery and Prototype
- Tested with Wordpres 2, Firefox, Safari, IE, and Chrome
- Akismet compatibility
Limitations:
- Javascript is required to submit a comment
WP Hashcash relies on the presence of two hooks in your theme, wp_head and comment_form. If your theme doesn’t include these actions, you will need to add them immediately before the </head> and </form> tags respectively.
Download:
You can download the latest version of WP Hashcash from Wordpress Extend: wp-hashcash.zip.
To install WP Hashcash, please download the plugin and unzip it, then copy the wp-hashcash.php file to wp-content/plugins. Activate the plugin and drag into your Widgetized sidebar for public statistics, or visit Options, WP Hashcash from the admin panel to configure options:
Questions & Answers:
I’m having issues with it working.
If you’re installing it over an older version, please disabled then re-enable the plugin. This will reset the preferences.
Do I need widgets to use this?
No, WP Hashcash ships with reasonable defaults, and lets you change them via the standard Wordpress options panel.
How does it prevent comment spam?
By forcing clients submitting comments to additional compute a value from javascript and submit it along with the comment.
How does it prevent trackback spam?
By comparing the IP of the trackback’s url with the senders IP, and by looking in the trackback’s url for a link back to your post.
Testimonials:
- “One of my favorites” (src)
- “this is a clever idea that I think might work well” (src)
- “I haven’t had a single comment spam in my comment moderation queue for over a week now. I’m feeling the love!” (src)
- “The least annoying one I have found” (src)
- “this thing was a trivial install” (src)
- “a fancier technique” (src)
- “Comment Spam is a thing of the past, and I owe it to Spam Stopgap Extreme. If you use WordPress, I highly recommend installing this plugin. It has completely eliminated the comment spam problem I was having. I no longer need the spammer Tarpit plugin, or anything.” (src)
- “Why am I not worried about comment spam anymore? Because of my awesome new blog plugin, Spam Stopgap Extreme. This baby blocks any bot trying to post to my blog. No blacklists, no moderation, no “spam points”, no nothing. You won’t even know that it’s working.” (src)
- “I haven’t had anything to “deal” with in several weeks. That’s a nice thing. I’ve also had a bunch of folks leave legitimate comments that have gotten through. It’s all good.” (src)
Changelog:
WP Hashcash 4.5
- Support onload via jQuery / Prototype if they happen to be loaded
- Protect BuddyPress (BP) signup pages
WP Hashcash 4.4
- Admin users can now comment from Dashboard
- Tested on WP 2.9.2 in Chrome, IE, and FF
- Fix a potential JS error
WP Hashcash 4.1
- Added a new options page under Options, Wordpress Hashcash
- Fixed XHTML standards compliance
- Added validation options for pingbacks and trackbacks (stolen from here)
- Added a logging option for moderated comments
WP Hashcash 4.0.5:
- Added an option for handling comments via moderation, the akismet queue, or deletion
- Removed database dependencies
- Removed error message for hash fail
- Added the noscript tag for users without javascript
- Corrected the widget formatting
- Changed zip file format from winrar to 7zip, hopefully it will be more compatible
WP Hashcash 4.0.4:
- Removed version checking
- Removed an unnecessary <link> element in the head section
WP Hashcash 4.0.3:
- Suppress errors on loading remote version by any method
- Fix typo-bugs everywhere affecting the widget reporting, date checking, etc
- Strip tags from remote version
- Try various methods to get remote version, ignore if we can’t open sockets
- Fix a bug with one of the javascripts
Should you encounter any issues using this widget, please leave a comment. Likewise for improvements, outcry, and other commentary you might have.
Tagged with: widget support, spam statistics, public statistics, signup forms, javascript check, admin panel, wor, widgets, hashcash, moderation, hooks, bp, queue, firefox, safari, prototype, robot, sidebar, lt, amp
I think this will not work, the web evolved
The only working plugin out of about 7 I tried.
Hi, I’m running BuddyPress 1.5.6 and default theme.
I’ve installed WP Hashcash Extended. How do I know that the plugin is working?
You say:
“WP Hashcash relies on the presence of two hooks in your theme, wp_head and comment_form. If your theme doesn’t include these actions, you will need to add them immediately before the and tags respectively.”
In what file do I need to check for these hooks?
Thanks.
Hi!
I like Hashcash, but it’s acting incompatible with the Firewall 2 plugin…
Any fix?
Thanks!
Don’t use this. Keep the web open and accessible! This will make your comment form inoperable for many mobile users, and people with handicaps that are using Braille browsers and so on. Javascript should NEVER be a requirement to USE your web site, and the spammer will find a way around garbage methods like this anyway.
I have to disagree with you here — this isn’t ‘abuse’ of JavaScript at all. People with handicaps and Braille browsers may still submit comments, and yes, they are very likely to be flagged as spam, but that shouldn’t be considered ‘abuse.’ This program simply takes the key commonalities of spammer submissions and flags these submissions as likely spam. That seems like a very intelligent thing to do.
You have JavaScript disabled? Good luck on most websites today. This comment offers no alternative or solution either. This is not a ‘garbage method’ but a highly successful one for stopping 1,000s of spam messages on my website each year. I welcome it whole-heartedly.
Sadly, it breaks the ability to post comments via the Wordpress APP (on mobile devices) – yet, it *is* incredibly useful for what it does. It would be even nicer if it (particularly the Wordpress Plugin) would be more actively supported – i.e. no updates for around 3 years is kinda lame, IMO, for something as vital as this presents itself as.
It probably wouldn’t be difficult to provide a specific case scenario for mobile apps, if the dev were to more update this more frequently. I say this with both sadness and frustration, not scorn, as this is a very useful utility, yet I fear abandonment issues will eventually resign it to the trashheap, where it shouldn’t be. (cue the usual: “It’s open source, you can update it yourself, yadda yadda, ad nauseam freetard chatter….”)
Have there been any attempts at better mobile support?
做的很好!
How about making a contact form plugin with Hash-Cash? I want a contact form plugin, but I don’t want spam or captchas ??
Great Plugin, its will block all SPAM comment, that a real point for me to download this plugin.
Just trying out the comment hash system before implementing on my site.
I’ve been using HashCash on my wordpress sites for about 6 months. Definitely has cut down on spam by probably 60%
[...] Hashcash — block most spam without making users deal with a CAPTCHA. This can also be used in conjunction with a CAPTCHA or with Akismet (which should be on every WordPress site). [...]
[...] [...]
Hello,
thanks for your great plugin!
I get the impression that spam bots have managed to execute Javascript by now – during the last week I had around 6 spams that came through hashcash without any warning, but when I looked them up on Google they showed like 20k hits (so I would not believe that anyone is writing them manually)…
Did you make any similar observations lately?
Cheers from Germany
You seem to mention desktop browsers, but at a glance I saw no mention of compatibility with mobile phone browsers…. So posting a comment from an android (SGS with Froyo) phone.
FYI, per http://wordpress.org/extend/plugins/about/
The powered by slug should be removed OR moved to a checkbox in order to remain in plugin compliance.
I agree in spirit and I will be updating for WP 3.1+ soon with this in mind! I’ve been busy recently and no time to update plugins or my Wordpresses.
[...] なんだか、WordPressへのスパムコメントが日に50個とか届くので「WP-HashCash」(WordPressのPluginページ)なるものを導入してみた。 [...]
This used to be my most beloved plugin…now it just dun work anymore. Wut happened Hashcash?
Has this plugin been updated for 3.0.1?
You mention the ‘hooks’: “WP Hashcash relies on the presence of two hooks in your theme, wp_head and comment_form. If your theme doesn’t include these actions, you will need to add them immediately before the and tags respectively.”
I do not see these “hooks” either in my theme (Thematic) nor in the html source for this very page.
Can you give an example of the syntax and placement?
Hi, i’ve installed the latest version with wp 2.9.2 and bp 1.2.4.1 but i don’t see any administration panel, any new version for this problem?
thank you
I do not want it to say powered by WP Hashcash at the bottom of all my blog entries. How can i take this away?
thanks for the great plug-in. i have one question i’ve installed the latest version with wp 2.9.2 and bp 1.2.4.1 but i don’t see any administration panel, any new version for this problem?
(`´)
I was editing some plugins on my blog and when I refreshed the page I got this error message:
Fatal error: Cannot redeclare widget_wphc() (previously declared in /home/slojoy/studentdevelopmentblog.com/wp-content/plugins/wp-hashcash/wp-hashcash.php:143) in /home/slojoy/studentdevelopmentblog.com/wp-content/plugins/wp-hashcash/wp-hashcash.php on line 143
I cannot even log in to my admin on this account to access the plugins! HELP!!!!
thanks for all
(‘_’)
This looks like a good spam fighting plugin and I might install it. But will it work with wp3 in multi site mode?
Anyone installed this plugin with a classipress v3.04 website without problems ?
thanks for the great plug-in. i have one question i’ve installed the latest version with wp 2.9.2 and bp 1.2.4.1 but i don’t see any administration panel, any new version for this problem?
Is this plugin WPMS 3.01 compatible? If yes, will it also work if activated in Site-wide mode?
I have this plugin installed in the super admin site ‘network activated’- but its not available in all the child blogs… I wonder if I am alone with this problem? Or if there are plans to make it available site-wide? Or am i just missing something?!
Has this plugin been updated for 3.0.1?
I know it says that this plugin is ready with Firefox, Safari, and IE, but what about Chrome? Chrome is slowly becoming a big dog in the browser business so everything should come compatible with it.
I’m glad to see people putting up defenses against spam. I hate going to a blog and when I read the comments it is full of “Good post! I like blog of urs.” and other spam messages that were obviously automated.
If I had a blog, I would definitely use this plugin.
I want a contact form plugin, but I don’t want spam or captchas thanks.
[...] avoided using them on Codexon, opting to use JavaScript based anti-spam like WP-SpamFree or WP-HashCash instead. Unfortunately, JavaScript anti-spam is defeated the moment spammers decide to add [...]
What have I done to get a comment like this? How can I rectify it?
“Your comment has been blocked because the blog owner has set their spam filter to not allow comments from users behind proxies.
If you are a regular commenter or you feel that your comment should not have been blocked, please contact the blog owner and ask them to modify this setting.”
You’re using a proxy. According to your IP, cache-mtc-ab04.proxy.aol.com.
I was editing some plugins on my blog and when I refreshed the page I got this error message:
Fatal error: Cannot redeclare widget_wphc() (previously declared in /home/slojoy/studentdevelopmentblog.com/wp-content/plugins/wp-hashcash/wp-hashcash.php:143) in /home/slojoy/studentdevelopmentblog.com/wp-content/plugins/wp-hashcash/wp-hashcash.php on line 143
I cannot even log in to my admin on this account to access the plugins! HELP!!!!
Hi, i’ve installed the latest version with wp 2.9.2 and bp 1.2.4.1 but i don’t see any administration panel, any new version for this problem?
thank you
[...] and switched to the new default theme. The only plugins I use are Livejournal CrossPoster and WP Hashcash (for blocking automated spam comments), and I need to write a post and get no spam on it to see if [...]
[...] into a comment field. Among the plugins that are recommended is Akismet, SI Captcha Anti-Spam and WP Hashcash. Many Anti-Spam plugins available out there. You just need to choose [...]
I want a contact form plugin, but I don’t want spam or captchas. Thanks…..
Thank you. Installation was great. Have used Akismet in the past and it was phenomenal. Thank you again though for a fantastic plugin.
Paul
[...] WP-Hashcash – Javascript校对实现反垃圾留言的Wordpress插件. [...]
How about making a contact form plugin with Hash-Cash? I want a contact form plugin, but I don’t want spam or captchas
I have been using reCAPTCHA along with my contact forms and have had some success at stopping spam on it. However, having Hash-Cash on a form generator would be very nice!