Wp-hashcash — an excellent comment SPAM plugin


Comment and trackback spam had been a headache for me. Every blogger understands how annoying it is and how unproductive it can make you. Besides being a blogger, I maintain systems that host many WordPress blogs. The good news for a normal blogger who uses WordPress is that the built-in Akismet anti-spam in WordPress 2 is already very mature and can catch most spam. The spam comments are caught by the mighty Akismet, but from the system’s perspective, it still has to process each comment and classify it as spam or good. When robots and scripts are commenting in the thousands, this makes MySQL consume a lot of system resources (memory, CPU and connections), making the whole system unavailable at times.

I had this problem with one of the WordPress blogs hosted on our system. Akismet was catching tens of thousands of spam comments every few hours. This made the system choke. First I blocked the IP address, then blocked the whole IP range (class C address). Finally, I started looking for a permanent solution.

WordPress has a long list of available Spam Tools. After checking some Captcha Tools and reading Combating Comment Spam, I found Wp-hashcash. This is how it works:

Every four hours, your blog picks a random large number (close to 32 bits). Whenever a visitor visits your permalink pages, an AJAX call is made which retrieves some JavaScript. This JavaScript first decrypts itself, then executes itself again to retrieve the secret value, which it sets in the form. If a comment does not have this value, it is rejected. If a comment is rejected more than four times, the user is blocked for a specified period of time.
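
A minimal model of the server-side half of that description, added here as an illustration; it is not WP-Hashcash's own code. The `HashcashGate` class, the client identifier (for example the commenter's IP address) and the one-hour block period are assumptions.

```javascript
const crypto = require('crypto');

const ROTATE_MS = 4 * 60 * 60 * 1000; // secret is re-picked every four hours
const MAX_REJECTS = 4;                // blocked after more than four rejections
const BLOCK_MS = 60 * 60 * 1000;      // assumption: the "specified period" is one hour

class HashcashGate {
  constructor(now = Date.now()) {
    this.rejects = new Map();      // client id -> consecutive rejections
    this.blockedUntil = new Map(); // client id -> time the block expires
    this.rotate(now);
  }
  rotate(now) {
    // Random large number close to 32 bits, from a CSPRNG.
    this.secret = crypto.randomInt(2 ** 31, 2 ** 32);
    this.issuedAt = now;
  }
  // The value the page's JavaScript would write into the comment form.
  currentSecret(now = Date.now()) {
    if (now - this.issuedAt >= ROTATE_MS) this.rotate(now);
    return String(this.secret);
  }
  // Returns 'accepted', 'rejected' or 'blocked' for one comment submission.
  check(clientId, submitted, now = Date.now()) {
    if ((this.blockedUntil.get(clientId) || 0) > now) return 'blocked';
    const expected = Buffer.from(this.currentSecret(now));
    const got = Buffer.from(String(submitted ?? ''));
    // Constant-time comparison; the length check avoids a throw on mismatch.
    const ok = got.length === expected.length &&
               crypto.timingSafeEqual(got, expected);
    if (ok) { this.rejects.delete(clientId); return 'accepted'; }
    const n = (this.rejects.get(clientId) || 0) + 1;
    this.rejects.set(clientId, n);
    if (n > MAX_REJECTS) {           // fifth rejection triggers the block
      this.blockedUntil.set(clientId, now + BLOCK_MS);
      this.rejects.delete(clientId);
      return 'blocked';
    }
    return 'rejected';
  }
}
```

Because a submission without the value is turned away by a string comparison, it never reaches spam classification or the comment tables, which is where the load described earlier came from.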

After seeing the good results on other blogs, I’ve implemented it on mine as well. About the future of Wp-hashcash, I agree with the author of the Captcha plugin, who says:

Regarding Spam, WP-HashCash and its derivatives are methods that will eventually fail in the future. This is because those methods can be made automatic (it’s possible to make a program which interprets JavaScript, the same way current browsers do, and sends Spam; I’ve already seen 2 ways to do that on the Internet). It’s only a matter of time.

I think Wp-hashcash is an excellent way to block spam comments from robots and automated scripts for the time being.