WP Hashcash Plugin for Spam
What is WP Hashcash?
WP Hashcash is an antispam plugin that eradicates comment spam on Wordpress blogs. It works because your visitors must use obfuscated javascript to submit a proof-of-work that indicates they opened your website in a web browser, not a robot. If the javascript check fails, WP Hashcash now gives you three options; it can either put the comment into moderation (default), put the comment in the akismet queue, or delete it.
Features:
- Blocks all comment spam, but not real comments
- Also prevents most trackback / pingback spam
- Widget support to display spam statistics and edit the configuration
- Works with IE, Firefox, and Safari
- 100% standards compliant XHTML 1.1
- Tested with Wordpres 2.3, Firefox 2, Safari 3, and IE 7
- Akismet compatibility
Limitations:
- Javascript is required to submit a comment
WP Hashcash relies on the presence of two hooks in your theme, wp_head and comment_form. If your theme doesn’t include these actions, you will need to add them immediately before the </head> and </form> tags respectively.
Download:
You can download the latest version (4.1) of WP Hashcash from Wordpress Extend: wp-hashcash.zip.
To install WP Hashcash, please download the plugin and unzip it, then copy the wp-hashcash.php file to wp-content/plugins. Activate the plugin and drag into your Widgetized sidebar for public statistics, or visit Options, WP Hashcash from the admin panel to configure options:
Questions & Answers:
I’m having issues with it working.
If you’re installing it over an older version, please disabled then re-enable the plugin. This will reset the preferences.
Do I need widgets to use this?
No, WP Hashcash ships with reasonable defaults, and lets you change them via the standard Wordpress options panel.
How does it prevent comment spam?
By forcing clients submitting comments to additional compute a value from javascript and submit it along with the comment.
How does it prevent trackback spam?
By comparing the IP of the trackback’s url with the senders IP, and by looking in the trackback’s url for a link back to your post.
Testimonials:
- “One of my favorites” (src)
- “this is a clever idea that I think might work well” (src)
- “I haven’t had a single comment spam in my comment moderation queue for over a week now. I’m feeling the love!” (src)
- “The least annoying one I have found” (src)
- “this thing was a trivial install” (src)
- “a fancier technique” (src)
- “Comment Spam is a thing of the past, and I owe it to Spam Stopgap Extreme. If you use WordPress, I highly recommend installing this plugin. It has completely eliminated the comment spam problem I was having. I no longer need the spammer Tarpit plugin, or anything.” (src)
- “Why am I not worried about comment spam anymore? Because of my awesome new blog plugin, Spam Stopgap Extreme. This baby blocks any bot trying to post to my blog. No blacklists, no moderation, no “spam points”, no nothing. You won’t even know that it’s working.” (src)
- “I haven’t had anything to “deal” with in several weeks. That’s a nice thing. I’ve also had a bunch of folks leave legitimate comments that have gotten through. It’s all good.” (src)
Changelog:
WP Hashcash 4.1
- Added a new options page under Options, Wordpress Hashcash
- Fixed XHTML standards compliance
- Added validation options for pingbacks and trackbacks (stolen from here)
- Added a logging option for moderated comments
WP Hashcash 4.0.5:
- Added an option for handling comments via moderation, the akismet queue, or deletion
- Removed database dependencies
- Removed error message for hash fail
- Added the noscript tag for users without javascript
- Corrected the widget formatting
- Changed zip file format from winrar to 7zip, hopefully it will be more compatible
WP Hashcash 4.0.4:
- Removed version checking
- Removed an unnecessary <link> element in the head section
WP Hashcash 4.0.3:
- Suppress errors on loading remote version by any method
- Fix typo-bugs everywhere affecting the widget reporting, date checking, etc
- Strip tags from remote version
- Try various methods to get remote version, ignore if we can’t open sockets
- Fix a bug with one of the javascripts
Should you encounter any issues using this widget, please leave a comment. Likewise for improvements, outcry, and other commentary you might have.
Tagged with: widget support, spam statistics, public statistics, options panel, javascript check, admin panel, widgets, hashcash, moderation, ie 7, hooks, queue, firefox, safari, robot, sidebar, lt, amp, wp, compatibility
January 21st, 2008 at 11:08 pm
I love the changes you’ve made to Hashcash, E. Hashcash is back on my page to stay now. Thanks!
January 23rd, 2008 at 11:59 pm
I love WP_HashCash, here is a short article I wrote praising it.
http://my.opera.com/djp/blog/show.dml/1570265
February 5th, 2008 at 9:01 am
i tested the plugin and i like it! thx! i really hate spam!!
February 8th, 2008 at 12:10 pm
like it!! thanks! i really work and hate spam in 99%!!
February 9th, 2008 at 12:16 pm
Hashcash is back on my page
February 19th, 2008 at 4:33 pm
I’m amazed at how well your plugin works. I’ve never been happy with the others I’ve tired. You’re a genius!
February 21st, 2008 at 10:05 am
Excellent tool. Thank you. Spam went from 200 to 1 in moderation. Wonderful accurate filter.
March 24th, 2008 at 5:29 am
v4.1 is much easier to use, thanks!
March 25th, 2008 at 3:22 am
Dang! that’s the killer I wanted for spam!
Thank you for making such an awesome plugin and sharing it with the community.
Cheers!
March 28th, 2008 at 8:42 pm
What does it mean for a comment to be “put [into] the akismet queue”? Does that mean that I need to check the Akismet queue for comments from users with Javascript disabled?
Ideally, it would first whitelist any comment that passes the hash test, let Akismet put anything it doesn’t like into the spam queue, and drop everything else into moderation. Is there a way of using Hashcash that way?
March 28th, 2008 at 8:45 pm
Yeah I can’t think of an easy way to do that generically, especially given that Wordpress Hashcash can’t whitelist anything, only banlist things it thinks are bad. It would be possible to add this as a special option, though, to drop failing comments into akismet and let it sort it out…
March 29th, 2008 at 3:49 pm
Any word on WordPress 2.5 compatibility? I noticed it’s not listed anywhere in this list:
http://codex.wordpress.org/Plugins/Plugin_Compatibility/2.5
March 29th, 2008 at 4:36 pm
I haven’t tried WP 2.5 yet, but feel free to try yourself. I don’t /think/ anything will break, but you never know right?
March 30th, 2008 at 6:50 am
Since installing the new version of hashcash, it’s started blocking *all* comments by users on my site again. Where can I view the comments blocked (since it’s storing them somewhere) and either approve or delete them?
March 30th, 2008 at 2:11 pm
Ian, by default they go to moderation or Akismet if it is installed. However, the problem is that your theme doesn’t have the wp_head hook in it. You need to add a call to wp_head(); inside your template.
March 31st, 2008 at 12:56 am
Okay, will do. Will consult the documentation on where I need to put that.
Thanks again, Elliott!
March 31st, 2008 at 1:06 am
Okay, that seemed to fix it. Apparently the theme author had commented it out. I uncommented it and it hashcash works as advertised.
Thanks!
March 31st, 2008 at 1:07 am
Oh, and it works with WP 2.5 just fine.
March 31st, 2008 at 2:53 pm
How about making a contact form plugin with Hash-Cash? I want a contact form plugin, but I don’t want spam or captchas.
April 5th, 2008 at 12:40 am
Am gonna try!
10Q for the plugin!
April 5th, 2008 at 2:32 am
After having problems with HashCash working, Elliot suggested I sent him my theme files so he could see what was going on.
It turned out to be my theme and some javascript that I had added that was causing the problems. Elliot re-wrote the javascript and sorted out my php!
Many many thanks Elliot!
April 6th, 2008 at 10:40 am
Small note: on line 302, if you change it to
echo "addLoadEvent(function(){var el=document.getElementById('wphc_value'); if(el){el.value=wphc();}});\n";it will not error on pages which are lacking a comment form despite being a post.
April 6th, 2008 at 5:19 pm
testcase
April 9th, 2008 at 9:46 am
thank you for this great plugin
April 14th, 2008 at 2:56 am
I’ve got Hash Cash on a WP2.5 site with the wp_head and comment_form hooks present in the theme. Every comment is being held for moderation, even my own comments when I’m logged in as admin. Here is the error that is logged:
[WORDPRESS HASHCASH] The poster sent us ‘0 which is not a hashcash value.April 14th, 2008 at 6:04 am
It’s because you’ve manually overloaded body.onLoad aka window.onLoad in your html. Instead of body onload=”Init()” you should just put in the js window.onload=Init.
April 17th, 2008 at 11:17 am
Whats wrong with the default wordpress askimnet antispam?
April 21st, 2008 at 4:50 am
For those of us new to WP, etc, can you provide exactly the code to include “the hooks” and exactly which file(s) to place them in?
Thanks
April 24th, 2008 at 4:49 pm
Could it be, that trackbacks doesn’t work with that plugin?
Greets
April 27th, 2008 at 4:23 am
Great I will try this - Thanks soo much
May 7th, 2008 at 2:06 am
Firebug says wphc took 0.465ms to execute. This is a nice check to make sure the client has JavaScript but it sure isn’t hashcash.
May 11th, 2008 at 2:38 am
Looks like Hashcash thinks comments with an OpenId enabled website are spam (using the WP-OpenID plugin). Disabling the WP-OpenID plugin or not entering an OpenID website during comment submission seems to be OK with WP-Hashcash.
May 25th, 2008 at 12:51 am
Nice plugin. I will use it and hope it will work well.
May 31st, 2008 at 6:08 pm
Couldn’t this be worked around by using a webBrowser object then figuring out how to reach the form using tabs etc. then using sendKeys to send it anyway? This way the user would technically be using a webBrowser
June 2nd, 2008 at 8:37 pm
Elliott, thanks for the WP plugin!
Do you by know of a way to do this in straight PHP without Wordpress? I have some contact forms I’d like to Hashcashify, but can’t find a solution.
June 17th, 2008 at 12:56 am
Thanks Elliott for this nice plugin, I really love it.
I got a tiny bug, when I get a trackback from a page without any links I get this error:
Warning: Invalid argument supplied for foreach() in …/wp-hashcash.php on line 491
June 30th, 2008 at 4:38 pm
ohw. thanks! i really work and hate spam in 99%!!
June 30th, 2008 at 8:08 pm
I’ll certainly try this! Thanks.
July 3rd, 2008 at 4:14 am
Since installing the new version of hashcash, it’s started blocking *all* comments by users on my site again.
July 6th, 2008 at 7:46 am
the hooks” and exactly which file(s) to place them in ? ? ?
July 7th, 2008 at 5:05 pm
This plugin was working brilliantly until I upgraded to WP 2.5; now I’m experiencing the same problem as Sean: every comment, including ones I post myself while logged in, get this error:
I don’t have body onload=”Init()” anywhere in my code…any other suggestions?
Thanks kindly!
July 9th, 2008 at 6:11 am
Wonderful accurate filter.
July 10th, 2008 at 4:53 am
Very interesting plugin.
July 10th, 2008 at 4:44 pm
Maybe I’m being pedantic, but claiming that it “Blocks all comment spam, but not real comments” seems to be stretching the truth a bit. A hashcash solution won’t block manually submitted spam (and yes, I’ve seen it!), just the automated types. And just a few lines later, you mention that it does block real comments by people who have JavaScript turned off.