WP Plugins and Widgets For Wordpress 2.1+

WP Hashcash Plugin for Spam

May 28th, 2007 by Elliott Back

hashcash.png

What is WP Hashcash?

WP Hashcash is an antispam plugin that eradicates comment spam on Wordpress blogs. It works because your visitors must use obfuscated javascript to submit a proof-of-work that indicates they opened your website in a web browser, not a robot. If the javascript check fails, WP Hashcash now gives you three options; it can either put the comment into moderation (default), put the comment in the akismet queue, or delete it.

WP Hashcash also protects the signup forms of WordPress Multi-User (WPMU) and BuddyPress (BP) blogs.

Features:

  • Blocks all comment spam, but not real comments
  • Also prevents most trackback / pingback spam
  • Also protects signup pages for Wordpress (WP), BuddyPress (BP), and Wordpress Multi-User (WPMU)
  • Widget support to display spam statistics and edit the configuration
  • Works with IE, Firefox, and Safari
  • 100% standards compliant XHTML 1.1, works with jQuery and Prototype
  • Tested with Wordpres 2, Firefox, Safari, IE, and Chrome
  • Akismet compatibility

Limitations:

  • Javascript is required to submit a comment

WP Hashcash relies on the presence of two hooks in your theme, wp_head and comment_form. If your theme doesn’t include these actions, you will need to add them immediately before the </head> and </form> tags respectively.

Download:

You can download the latest version of WP Hashcash from Wordpress Extend: wp-hashcash.zip.

To install WP Hashcash, please download the plugin and unzip it, then copy the wp-hashcash.php file to wp-content/plugins. Activate the plugin and drag into your Widgetized sidebar for public statistics, or visit Options, WP Hashcash from the admin panel to configure options:

hashcash-options.png

Questions & Answers:

I’m having issues with it working.
If you’re installing it over an older version, please disabled then re-enable the plugin. This will reset the preferences.

Do I need widgets to use this?
No, WP Hashcash ships with reasonable defaults, and lets you change them via the standard Wordpress options panel.

How does it prevent comment spam?
By forcing clients submitting comments to additional compute a value from javascript and submit it along with the comment.

How does it prevent trackback spam?
By comparing the IP of the trackback’s url with the senders IP, and by looking in the trackback’s url for a link back to your post.

Testimonials:

  • “One of my favorites” (src)
  • “this is a clever idea that I think might work well” (src)
  • “I haven’t had a single comment spam in my comment moderation queue for over a week now. I’m feeling the love!” (src)
  • “The least annoying one I have found” (src)
  • “this thing was a trivial install” (src)
  • “a fancier technique” (src)
  • “Comment Spam is a thing of the past, and I owe it to Spam Stopgap Extreme. If you use WordPress, I highly recommend installing this plugin. It has completely eliminated the comment spam problem I was having. I no longer need the spammer Tarpit plugin, or anything.” (src)
  • “Why am I not worried about comment spam anymore? Because of my awesome new blog plugin, Spam Stopgap Extreme. This baby blocks any bot trying to post to my blog. No blacklists, no moderation, no “spam points”, no nothing. You won’t even know that it’s working.” (src)
  • “I haven’t had anything to “deal” with in several weeks. That’s a nice thing. I’ve also had a bunch of folks leave legitimate comments that have gotten through. It’s all good.” (src)

Changelog:

WP Hashcash 4.5

  • Support onload via jQuery / Prototype if they happen to be loaded
  • Protect BuddyPress (BP) signup pages

WP Hashcash 4.4

  • Admin users can now comment from Dashboard
  • Tested on WP 2.9.2 in Chrome, IE, and FF
  • Fix a potential JS error

WP Hashcash 4.1

  • Added a new options page under Options, Wordpress Hashcash
  • Fixed XHTML standards compliance
  • Added validation options for pingbacks and trackbacks (stolen from here)
  • Added a logging option for moderated comments

WP Hashcash 4.0.5:

  • Added an option for handling comments via moderation, the akismet queue, or deletion
  • Removed database dependencies
  • Removed error message for hash fail
  • Added the noscript tag for users without javascript
  • Corrected the widget formatting
  • Changed zip file format from winrar to 7zip, hopefully it will be more compatible

WP Hashcash 4.0.4:

  • Removed version checking
  • Removed an unnecessary <link> element in the head section

WP Hashcash 4.0.3:

  • Suppress errors on loading remote version by any method
  • Fix typo-bugs everywhere affecting the widget reporting, date checking, etc
  • Strip tags from remote version
  • Try various methods to get remote version, ignore if we can’t open sockets
  • Fix a bug with one of the javascripts

Should you encounter any issues using this widget, please leave a comment. Likewise for improvements, outcry, and other commentary you might have.

Tagged with:

107 Responses to “WP Hashcash Plugin for Spam”

  1. Lobotomia says:

    To enable signup spam protection for WordPRess MU, it must be enabled to all blog or only on main blog?

  2. Arturo says:

    Hi, is possible have an updated version working with normal wp installation and buddypress? i’ve tested it but no options page and other on my installation.

    thanks for your work! i’m waiting this update

  3. ElectroFlavor says:

    I’ll be implementing this on my new wp blog. Just can’t name it cus it will spamming lolololool

  4. notaspambot says:

    There seems to be some conflict between this plugin and the login widget for BuddyPress. I’m trying to login and I keep getting kicked out with the error message “Bye Bye, Spambot!”

    The login page works fine. The widget does not.

    Using Buddypress 1.2.3 and WPMU 2.9.2.

    • notaspambot says:

      As a follow-up, it seems like sploggers and spammers are breaking through now. I had several great spam-free days but just had another signup. I’ll report back if I get any more.

      • NotasPambot says:

        Well, that was an anomaly, as the isolated signups were not repeated. Maybe stragglers from before hashcash was installed?

  5. miguael says:

    It worked just perfect – but now it just blocks every comment from an unregistered user with [WORDPRESS HASHCASH] The poster sent us ‘0 which is not a hashcash value.

    Would greatly appreciate any help!

    (running on WPMU 2.9.1.1 and Buddypress 1.2.1)

    • notaspambot says:

      I can confirm this happened to me with pretty much the same WPMU/Buddypress specs – I couldn’t post with an admin account, though I have a pretty weird setup in that I have a Reply form directly on the blog front page, index.php. When posting from the traditional Reply box on single.php, hashcash let me in without a problem.

  6. I installed this on Wordpress MU but there is not javascript image…. Am I doing something wrong?

  7. TamDosya says:

    This is inherently broken if a person has NoScript extension in Firefox. I just had a pretty big comment eaten by your WP Plugin because I had no warning about this. If you would be so kind, please people to make sure javascript is enabled so that our posts don’t get eaten up by your plugin. Thanks!

  8. This is brilliant, using javascript to check for an auto-submit was very clever, and the fact that it can then put comments from suspected robots into the moderation queue is exactly what i’ve been looking for!

    Bravo Elliott :)

  9. mirc says:

    How about making a contact form plugin with Hash-Cash? I want a contact form plugin, but I don’t want spam or captchas

  10. Cliff says:

    Minor issue, when a page is displayed (rather than a post) and comments on pages are turned off, wp-hashcash throws a JavaScript error on the addLoadEvent().

    The simple fix is to insert a line at line 640 of the php source that reads:

    echo “if (document.getElementById(‘wphc_value’)) “;

  11. Excelent plugin!

    I’d love a way to be able to completely turn off comments protection, as I only need this plugin for the signup protection to prevent spammers from registering.

  12. bloggista says:

    Unfortunately, authors comments are also blocked in my case. Even my own comments are blocked. Could have been a great plugin but I couldnt find any solution to stop me from checking my moderation queue and approve all valid comments. No choice but have to deactivate this. SIgh.

  13. jose galvez says:

    Hi i would like to use wp-hashcash on a html form.
    It’s possible to do that?

    Thanks

  14. Websper says:

    running on WP 2.8.4 ?

    Kartuş

  15. bojananw@gmail.com says:

    Excelent plugin!

    I’d love a way to be able to completely turn off comments protection, as I only need this plugin for the signup protection to prevent spammers from registering.

  16. Master WIL says:

    PS…Considering my (just a few minutes ago)previous post…& This (directly underneath the WP HashCash/Elliot {I’ll be} Back…”By Elliott Back
    1 spam signups blocked out of 1 human signups. 50% of your signups are spam!”

    Since I detailed your program’s misssing my real human nature using a technological tool…by Publically & inacurately labeling ME as essentially being a spammer….doesn’t that really make YOU the egregious SPAMING party here?!

  17. Master WIL says:

    I’m a real human being..I swear to(well I’m also an atheist)..& because I have a few human imperfections such as memory limitation & so many divergent reqiirements for sign up/registration for my many varied areas of interest – I use robo-form to remmember various user names & passwords for me…which when used to fill in / login forms using your software – LABLED ME AS A “BOT” & SHUT ME OUT of a new WordPress site I wanted to explore. Nice

  18. Tom says:

    I like that you have Akismet compatibility, but for those of us who don’t wanna sign up for Wordpress.com, can you add Defensio compatibility?

  19. Alex says:

    A colleague and I are trying to work out why you have encoded the javascript function, why not just have javascript generate a random number ? Javascript will still be required.

  20. micky says:

    HI

    I left a comment here yesterday but it seems to have disappeared – not sure if it was inappropriate?

    I simply wanted to know if this version works on 2.8.2? If it does, I was looking for some help with what could possibly be wrong.

    I get the Powered by WP Hashcash message on my blog page – but not my contact page and no hashcash question/box etc. on any page.

    I do have a custom theme – so its a custom contact form and a few other plugin’s installed.

  21. mickym says:

    There are some recent posts so I am assuming they’ve been successful in running it on some of the 2009 releases — but is anyone running on WP 2.8.2?

    I get the powered by WP HashCash message on my blog page but nothing else.

    Not sure where to check for the 2 hooks in my custom theme – wp_head and comment_form – as another poster said, but I didn’t get any error per se so I’m not sure that’s the issue.

  22. Susana Comollo says:

    Hi have I to paid any thing ?

  23. Atif Iqbal says:

    I have downloaded the plugin and installed. But could get the following instructions:

    “WP Hashcash relies on the presence of two hooks in your theme, wp_head and comment_form. If your theme doesn’t include these actions, you will need to add them immediately before the and tags respectively.”

    Do I need to put just wp_head in template before the close, and same at the comment page just I need to put comment_form

    Kindly help

  24. Saras says:

    a better way to anti spam.

  25. cristian says:

    me parese muy bueno este blog porque aprendemos mucho de este curso, vemosfotos y muchas cosas mas

  26. jehzlau says:

    oh my.. I must use this plugin! Thanks Elliott. This is what I’m looking for, to stop spam for good. Akismet can’t handle all the spams anymore. ~_~

  27. Carlo says:

    Hi Elliot, can you email me on how to turn off the notice at the bottom that says “Powered by WP Hashcash” – I know it’s totally not the point, but still..

  28. Couldnt this be worked around by using a webBrowser object then figuring out how to reach the form using tabs etc. then using sendKeys to

  29. [...] over the other. Two I use from time to time that are still being maintained are… WP-SpamFree WP-HashCash There are some others, such as SpamKarma, that were good but are no longer being maintained so I [...]

  30. [...] plugin has a settings page which you can set to filter spam. HashCash can be downloaded from here, make sure it is compatible with your wordpress version [...]

  31. [...] just installed WP Hashcash on my blog to try to get rid of all the spam I’ve been getting. Hopefully no-one will notice it [...]

  32. [...] developedSafe Signup Form using some key functions from Elliot Back’s WP Hashcash. WP Hashcash isan elegant anti-spam plugin for blocking automatedsubmissions toWordpress [...]

  33. A contact form would be very useful. Any progress/movement on this?

  34. [...] is great news for WPMU user that facing splog signups problem. Donncha has modified WP Hashcash plugin for WPMU user to stop splog signup. This is first releases and need to testing whether its work [...]

  35. I’ll support this product just because I LOVE the name and message of Hash Cash!

    Party On DUDES!

  36. Ankit says:

    I just installed this plugin alongwith akismet and i must say that now i dont need to keep the comments moderated anymore :D

  37. WelshPixie says:

    Having the same problem as Frank; whenever I submit a comment from admin onto the admin page, it’s held for moderation.

    I’m also seeing the following message appear beneath any comments left by any of our registered users;

    “[WORDPRESS HASHCASH] The poster sent us ‘0 which is not a hashcash value.”

    I’m guessing that’s the ‘logging’ option?

    I’d love a way to be able to completely turn off comments protection, as I only need this plugin for the signup protection to prevent spammers from registering. I checked the box next to the ‘comment protection’ option but comments are still going into the moderation queue.

  38. Frank says:

    Great plugin, thanks a lot!

    There’s just one feature I’m missing at the moment: Comments from the admin shouldn’t be validated thru the tool.
    With WP2.7x and the ajax comment plugin Hashcash means that comments from the admin which are created in the wp-admin section are spam because there’s no java running.

  39. [...] Hashcash is an antispam plugin that eradicates comment spam on Wordpress blogs… …..read more Download Plugin! Version 4.3 Last Updated: July 30, 2008 Plugin Owner: Authors: ecb29, [...]

  40. Cristian says:

    After trying different plugins with little success, finally one worth keeping!

  41. Seems to fail for all friends and family members using Firefox on Mac. Works great for Firefox on IE. Any ideas on how to debug?

    I get: [WORDPRESS HASHCASH] The poster sent us ‘0 which is not a hashcash value.

    • Elliott Back says:

      I’d love to debug this, but I don’t have a mac. You can test it out with Firebug and see if the WPHC callback gets hit?

  42. dave says:

    it’s working just fine on my site, thank you – caught 2 comments within hours of install on a new site – also using with “cookies for comments” and it is awesome!

    if folks want to ‘test it out’ please feel free to hit my site, though only if you’re gonna leave real comments! don’t try ‘manual spam’ to disprove it (what i mean is that you can see a real comment float through just fine, contrary to what others above are saying)

    site is at badzit.com, your daily dose of ugly

  43. Marlene says:

    I was looking for a plugin that prevents spam. And I found this. Better give it a try.

  44. slayerboy says:

    This is inherently broken if a person has NoScript extension in Firefox. I just had a pretty big comment eaten by your WP Plugin because I had no warning about this. If you would be so kind, please people to make sure javascript is enabled so that our posts don’t get eaten up by your plugin. Thanks!

  45. Kelson says:

    Maybe I’m being pedantic, but claiming that it “Blocks all comment spam, but not real comments” seems to be stretching the truth a bit. A hashcash solution won’t block manually submitted spam (and yes, I’ve seen it!), just the automated types. And just a few lines later, you mention that it does block real comments by people who have JavaScript turned off.

  46. Elliott, thanks for the WP plugin!

    Do you by know of a way to do this in straight PHP without Wordpress? I have some contact forms I’d like to Hashcashify, but can’t find a solution.

  47. Joe.H says:

    Couldn’t this be worked around by using a webBrowser object then figuring out how to reach the form using tabs etc. then using sendKeys to send it anyway? This way the user would technically be using a webBrowser

  48. TB says:

    Looks like Hashcash thinks comments with an OpenId enabled website are spam (using the WP-OpenID plugin). Disabling the WP-OpenID plugin or not entering an OpenID website during comment submission seems to be OK with WP-Hashcash.

  49. Christian says:

    How about making a contact form plugin with Hash-Cash? I want a contact form plugin, but I don’t want spam or captchas.

  50. recentlyafish says:

    The site still has some bugs, but we’re trying to iron them out.

    What do you use to get the guts off the iron?

Leave a Reply

Powered by WP Hashcash

Search Posts


Categories

Blogroll

WP Hashcash

  • By Elliott Back
  • 970300 spam comments blocked out of 19389 human comments. 98.04% of your comments are spam!

Admin

Links

Feeds