WP Hashcash Plugin for Spam
What is WP Hashcash?
WP Hashcash is an antispam plugin that eradicates comment spam on Wordpress blogs. It works because your visitors must use obfuscated javascript to submit a proof-of-work that indicates they opened your website in a web browser, not a robot. If the javascript check fails, WP Hashcash now gives you three options; it can either put the comment into moderation (default), put the comment in the akismet queue, or delete it.
Features:
- Blocks all comment spam, but not real comments
- Also prevents most trackback / pingback spam
- Widget support to display spam statistics and edit the configuration
- Works with IE, Firefox, and Safari
- 100% standards compliant XHTML 1.1
- Tested with Wordpres 2.3, Firefox 2, Safari 3, and IE 7
- Akismet compatibility
Limitations:
- Javascript is required to submit a comment
WP Hashcash relies on the presence of two hooks in your theme, wp_head and comment_form. If your theme doesn’t include these actions, you will need to add them immediately before the </head> and </form> tags respectively.
Download:
You can download the latest version of WP Hashcash from Wordpress Extend: wp-hashcash.zip.
To install WP Hashcash, please download the plugin and unzip it, then copy the wp-hashcash.php file to wp-content/plugins. Activate the plugin and drag into your Widgetized sidebar for public statistics, or visit Options, WP Hashcash from the admin panel to configure options:
Questions & Answers:
I’m having issues with it working.
If you’re installing it over an older version, please disabled then re-enable the plugin. This will reset the preferences.
Do I need widgets to use this?
No, WP Hashcash ships with reasonable defaults, and lets you change them via the standard Wordpress options panel.
How does it prevent comment spam?
By forcing clients submitting comments to additional compute a value from javascript and submit it along with the comment.
How does it prevent trackback spam?
By comparing the IP of the trackback’s url with the senders IP, and by looking in the trackback’s url for a link back to your post.
Testimonials:
- “One of my favorites” (src)
- “this is a clever idea that I think might work well” (src)
- “I haven’t had a single comment spam in my comment moderation queue for over a week now. I’m feeling the love!” (src)
- “The least annoying one I have found” (src)
- “this thing was a trivial install” (src)
- “a fancier technique” (src)
- “Comment Spam is a thing of the past, and I owe it to Spam Stopgap Extreme. If you use WordPress, I highly recommend installing this plugin. It has completely eliminated the comment spam problem I was having. I no longer need the spammer Tarpit plugin, or anything.” (src)
- “Why am I not worried about comment spam anymore? Because of my awesome new blog plugin, Spam Stopgap Extreme. This baby blocks any bot trying to post to my blog. No blacklists, no moderation, no “spam points”, no nothing. You won’t even know that it’s working.” (src)
- “I haven’t had anything to “deal” with in several weeks. That’s a nice thing. I’ve also had a bunch of folks leave legitimate comments that have gotten through. It’s all good.” (src)
Changelog:
WP Hashcash 4.4
- Admin users can now comment from Dashboard
- Tested on WP 2.9.2 in Chrome, IE, and FF
- Fix a potential JS error
WP Hashcash 4.1
- Added a new options page under Options, Wordpress Hashcash
- Fixed XHTML standards compliance
- Added validation options for pingbacks and trackbacks (stolen from here)
- Added a logging option for moderated comments
WP Hashcash 4.0.5:
- Added an option for handling comments via moderation, the akismet queue, or deletion
- Removed database dependencies
- Removed error message for hash fail
- Added the noscript tag for users without javascript
- Corrected the widget formatting
- Changed zip file format from winrar to 7zip, hopefully it will be more compatible
WP Hashcash 4.0.4:
- Removed version checking
- Removed an unnecessary <link> element in the head section
WP Hashcash 4.0.3:
- Suppress errors on loading remote version by any method
- Fix typo-bugs everywhere affecting the widget reporting, date checking, etc
- Strip tags from remote version
- Try various methods to get remote version, ignore if we can’t open sockets
- Fix a bug with one of the javascripts
Should you encounter any issues using this widget, please leave a comment. Likewise for improvements, outcry, and other commentary you might have.
Tagged with: widget support, spam statistics, public statistics, options panel, javascript check, admin panel, widgets, hashcash, moderation, ie 7, hooks, queue, firefox, safari, robot, sidebar, lt, amp, wp, compatibility
It worked just perfect – but now it just blocks every comment from an unregistered user with [WORDPRESS HASHCASH] The poster sent us ‘0 which is not a hashcash value.
Would greatly appreciate any help!
(running on WPMU 2.9.1.1 and Buddypress 1.2.1)
I installed this on Wordpress MU but there is not javascript image…. Am I doing something wrong?
This is inherently broken if a person has NoScript extension in Firefox. I just had a pretty big comment eaten by your WP Plugin because I had no warning about this. If you would be so kind, please people to make sure javascript is enabled so that our posts don’t get eaten up by your plugin. Thanks!
This is brilliant, using javascript to check for an auto-submit was very clever, and the fact that it can then put comments from suspected robots into the moderation queue is exactly what i’ve been looking for!
Bravo Elliott
How about making a contact form plugin with Hash-Cash? I want a contact form plugin, but I don’t want spam or captchas
Minor issue, when a page is displayed (rather than a post) and comments on pages are turned off, wp-hashcash throws a JavaScript error on the addLoadEvent().
The simple fix is to insert a line at line 640 of the php source that reads:
echo “if (document.getElementById(‘wphc_value’)) “;
Er, actually the conditional should be inside the function or it fails on some themes.
Excelent plugin!
I’d love a way to be able to completely turn off comments protection, as I only need this plugin for the signup protection to prevent spammers from registering.
Unfortunately, authors comments are also blocked in my case. Even my own comments are blocked. Could have been a great plugin but I couldnt find any solution to stop me from checking my moderation queue and approve all valid comments. No choice but have to deactivate this. SIgh.
Hi i would like to use wp-hashcash on a html form.
It’s possible to do that?
Thanks
running on WP 2.8.4 ?
KartuÅŸ
Excelent plugin!
I’d love a way to be able to completely turn off comments protection, as I only need this plugin for the signup protection to prevent spammers from registering.
PS…Considering my (just a few minutes ago)previous post…& This (directly underneath the WP HashCash/Elliot {I’ll be} Back…”By Elliott Back
1 spam signups blocked out of 1 human signups. 50% of your signups are spam!”
Since I detailed your program’s misssing my real human nature using a technological tool…by Publically & inacurately labeling ME as essentially being a spammer….doesn’t that really make YOU the egregious SPAMING party here?!
I’m a real human being..I swear to(well I’m also an atheist)..& because I have a few human imperfections such as memory limitation & so many divergent reqiirements for sign up/registration for my many varied areas of interest – I use robo-form to remmember various user names & passwords for me…which when used to fill in / login forms using your software – LABLED ME AS A “BOT” & SHUT ME OUT of a new WordPress site I wanted to explore. Nice
I like that you have Akismet compatibility, but for those of us who don’t wanna sign up for Wordpress.com, can you add Defensio compatibility?
A colleague and I are trying to work out why you have encoded the javascript function, why not just have javascript generate a random number ? Javascript will still be required.
HI
I left a comment here yesterday but it seems to have disappeared – not sure if it was inappropriate?
I simply wanted to know if this version works on 2.8.2? If it does, I was looking for some help with what could possibly be wrong.
I get the Powered by WP Hashcash message on my blog page – but not my contact page and no hashcash question/box etc. on any page.
I do have a custom theme – so its a custom contact form and a few other plugin’s installed.
There are some recent posts so I am assuming they’ve been successful in running it on some of the 2009 releases — but is anyone running on WP 2.8.2?
I get the powered by WP HashCash message on my blog page but nothing else.
Not sure where to check for the 2 hooks in my custom theme – wp_head and comment_form – as another poster said, but I didn’t get any error per se so I’m not sure that’s the issue.
Hi have I to paid any thing ?
I have downloaded the plugin and installed. But could get the following instructions:
“WP Hashcash relies on the presence of two hooks in your theme, wp_head and comment_form. If your theme doesn’t include these actions, you will need to add them immediately before the and tags respectively.”
Do I need to put just wp_head in template before the close, and same at the comment page just I need to put comment_form
Kindly help
a better way to anti spam.
me parese muy bueno este blog porque aprendemos mucho de este curso, vemosfotos y muchas cosas mas
oh my.. I must use this plugin! Thanks Elliott. This is what I’m looking for, to stop spam for good. Akismet can’t handle all the spams anymore. ~_~
Hi Elliot, can you email me on how to turn off the notice at the bottom that says “Powered by WP Hashcash” – I know it’s totally not the point, but still..
Just edit the PHP…
Couldn’t this be worked around by using a webBrowser object then figuring out how to reach the form using tabs etc. then using sendKeys to
Yes, theoretically.
[...] over the other. Two I use from time to time that are still being maintained are… WP-SpamFree WP-HashCash There are some others, such as SpamKarma, that were good but are no longer being maintained so I [...]
[...] plugin has a settings page which you can set to filter spam. HashCash can be downloaded from here, make sure it is compatible with your wordpress version [...]
[...] just installed WP Hashcash on my blog to try to get rid of all the spam I’ve been getting. Hopefully no-one will notice it [...]
[...] developed Safe Signup Form using some key functions from Elliot Back’s WP Hashcash. WP Hashcash is an elegant anti-spam plugin for blocking automated submissions to Wordpress [...]
A contact form would be very useful. Any progress/movement on this?
[...] is great news for WPMU user that facing splog signup’s problem. Donncha has modified WP Hashcash plugin for WPMU user to stop splog signup. This is first releases and need to testing whether it’s work [...]
I’ll support this product just because I LOVE the name and message of Hash Cash!
Party On DUDES!
I just installed this plugin alongwith akismet and i must say that now i dont need to keep the comments moderated anymore
Having the same problem as Frank; whenever I submit a comment from admin onto the admin page, it’s held for moderation.
I’m also seeing the following message appear beneath any comments left by any of our registered users;
“[WORDPRESS HASHCASH] The poster sent us ‘0 which is not a hashcash value.”
I’m guessing that’s the ‘logging’ option?
I’d love a way to be able to completely turn off comments protection, as I only need this plugin for the signup protection to prevent spammers from registering. I checked the box next to the ‘comment protection’ option but comments are still going into the moderation queue.
Great plugin, thanks a lot!
There’s just one feature I’m missing at the moment: Comments from the admin shouldn’t be validated thru the tool.
With WP2.7x and the ajax comment plugin Hashcash means that comments from the admin which are created in the wp-admin section are spam because there’s no java running.
[...] WP Hashcash [...]
[...] Hashcash is an antispam plugin that eradicates comment spam on Wordpress blogs… …..read more Download Plugin! Version 4.3 Last Updated: July 30, 2008 Plugin Owner: Authors: ecb29, [...]
After trying different plugins with little success, finally one worth keeping!
Seems to fail for all friends and family members using Firefox on Mac. Works great for Firefox on IE. Any ideas on how to debug?
I get: [WORDPRESS HASHCASH] The poster sent us ‘0 which is not a hashcash value.
I’d love to debug this, but I don’t have a mac. You can test it out with Firebug and see if the WPHC callback gets hit?
it’s working just fine on my site, thank you – caught 2 comments within hours of install on a new site – also using with “cookies for comments” and it is awesome!
if folks want to ‘test it out’ please feel free to hit my site, though only if you’re gonna leave real comments! don’t try ‘manual spam’ to disprove it (what i mean is that you can see a real comment float through just fine, contrary to what others above are saying)
site is at badzit.com, your daily dose of ugly
I was looking for a plugin that prevents spam. And I found this. Better give it a try.
This is inherently broken if a person has NoScript extension in Firefox. I just had a pretty big comment eaten by your WP Plugin because I had no warning about this. If you would be so kind, please people to make sure javascript is enabled so that our posts don’t get eaten up by your plugin. Thanks!
Maybe I’m being pedantic, but claiming that it “Blocks all comment spam, but not real comments” seems to be stretching the truth a bit. A hashcash solution won’t block manually submitted spam (and yes, I’ve seen it!), just the automated types. And just a few lines later, you mention that it does block real comments by people who have JavaScript turned off.
Elliott, thanks for the WP plugin!
Do you by know of a way to do this in straight PHP without Wordpress? I have some contact forms I’d like to Hashcashify, but can’t find a solution.
Couldn’t this be worked around by using a webBrowser object then figuring out how to reach the form using tabs etc. then using sendKeys to send it anyway? This way the user would technically be using a webBrowser
Looks like Hashcash thinks comments with an OpenId enabled website are spam (using the WP-OpenID plugin). Disabling the WP-OpenID plugin or not entering an OpenID website during comment submission seems to be OK with WP-Hashcash.
How about making a contact form plugin with Hash-Cash? I want a contact form plugin, but I don’t want spam or captchas.