WP Hashcash Plugin for Spam
What is WP Hashcash?
WP Hashcash is an antispam plugin that eradicates comment spam on Wordpress blogs. It works because your visitors must use obfuscated javascript to submit a proof-of-work that indicates they opened your website in a web browser, not a robot. If the javascript check fails, WP Hashcash now gives you three options; it can either put the comment into moderation (default), put the comment in the akismet queue, or delete it.
Features:
- Blocks all comment spam, but not real comments
- Also prevents most trackback / pingback spam
- Widget support to display spam statistics and edit the configuration
- Works with IE, Firefox, and Safari
- 100% standards compliant XHTML 1.1
- Tested with Wordpres 2.3, Firefox 2, Safari 3, and IE 7
- Akismet compatibility
Limitations:
- Javascript is required to submit a comment
WP Hashcash relies on the presence of two hooks in your theme, wp_head and comment_form. If your theme doesn’t include these actions, you will need to add them immediately before the </head> and </form> tags respectively.
Download:
You can download the latest version of WP Hashcash from Wordpress Extend: wp-hashcash.zip.
To install WP Hashcash, please download the plugin and unzip it, then copy the wp-hashcash.php file to wp-content/plugins. Activate the plugin and drag into your Widgetized sidebar for public statistics, or visit Options, WP Hashcash from the admin panel to configure options:
Questions & Answers:
I’m having issues with it working.
If you’re installing it over an older version, please disabled then re-enable the plugin. This will reset the preferences.
Do I need widgets to use this?
No, WP Hashcash ships with reasonable defaults, and lets you change them via the standard Wordpress options panel.
How does it prevent comment spam?
By forcing clients submitting comments to additional compute a value from javascript and submit it along with the comment.
How does it prevent trackback spam?
By comparing the IP of the trackback’s url with the senders IP, and by looking in the trackback’s url for a link back to your post.
Testimonials:
- “One of my favorites” (src)
- “this is a clever idea that I think might work well” (src)
- “I haven’t had a single comment spam in my comment moderation queue for over a week now. I’m feeling the love!” (src)
- “The least annoying one I have found” (src)
- “this thing was a trivial install” (src)
- “a fancier technique” (src)
- “Comment Spam is a thing of the past, and I owe it to Spam Stopgap Extreme. If you use WordPress, I highly recommend installing this plugin. It has completely eliminated the comment spam problem I was having. I no longer need the spammer Tarpit plugin, or anything.” (src)
- “Why am I not worried about comment spam anymore? Because of my awesome new blog plugin, Spam Stopgap Extreme. This baby blocks any bot trying to post to my blog. No blacklists, no moderation, no “spam points”, no nothing. You won’t even know that it’s working.” (src)
- “I haven’t had anything to “deal” with in several weeks. That’s a nice thing. I’ve also had a bunch of folks leave legitimate comments that have gotten through. It’s all good.” (src)
Changelog:
WP Hashcash 4.1
- Added a new options page under Options, Wordpress Hashcash
- Fixed XHTML standards compliance
- Added validation options for pingbacks and trackbacks (stolen from here)
- Added a logging option for moderated comments
WP Hashcash 4.0.5:
- Added an option for handling comments via moderation, the akismet queue, or deletion
- Removed database dependencies
- Removed error message for hash fail
- Added the noscript tag for users without javascript
- Corrected the widget formatting
- Changed zip file format from winrar to 7zip, hopefully it will be more compatible
WP Hashcash 4.0.4:
- Removed version checking
- Removed an unnecessary <link> element in the head section
WP Hashcash 4.0.3:
- Suppress errors on loading remote version by any method
- Fix typo-bugs everywhere affecting the widget reporting, date checking, etc
- Strip tags from remote version
- Try various methods to get remote version, ignore if we can’t open sockets
- Fix a bug with one of the javascripts
Should you encounter any issues using this widget, please leave a comment. Likewise for improvements, outcry, and other commentary you might have.
Tagged with: widget support, spam statistics, public statistics, options panel, javascript check, admin panel, widgets, hashcash, moderation, ie 7, hooks, queue, firefox, safari, robot, sidebar, lt, amp, wp, compatibility
January 21st, 2008 at 11:08 pm
I love the changes you’ve made to Hashcash, E. Hashcash is back on my page to stay now. Thanks!
January 23rd, 2008 at 11:59 pm
I love WP_HashCash, here is a short article I wrote praising it.
http://my.opera.com/djp/blog/show.dml/1570265
February 5th, 2008 at 9:01 am
i tested the plugin and i like it! thx! i really hate spam!!
February 8th, 2008 at 12:10 pm
like it!! thanks! i really work and hate spam in 99%!!
February 9th, 2008 at 12:16 pm
Hashcash is back on my page
February 19th, 2008 at 4:33 pm
I’m amazed at how well your plugin works. I’ve never been happy with the others I’ve tired. You’re a genius!
February 21st, 2008 at 10:05 am
Excellent tool. Thank you. Spam went from 200 to 1 in moderation. Wonderful accurate filter.
March 24th, 2008 at 5:29 am
v4.1 is much easier to use, thanks!
March 25th, 2008 at 3:22 am
Dang! that’s the killer I wanted for spam!
Thank you for making such an awesome plugin and sharing it with the community.
Cheers!
March 28th, 2008 at 8:42 pm
What does it mean for a comment to be “put [into] the akismet queue”? Does that mean that I need to check the Akismet queue for comments from users with Javascript disabled?
Ideally, it would first whitelist any comment that passes the hash test, let Akismet put anything it doesn’t like into the spam queue, and drop everything else into moderation. Is there a way of using Hashcash that way?
March 28th, 2008 at 8:45 pm
Yeah I can’t think of an easy way to do that generically, especially given that Wordpress Hashcash can’t whitelist anything, only banlist things it thinks are bad. It would be possible to add this as a special option, though, to drop failing comments into akismet and let it sort it out…
March 29th, 2008 at 3:49 pm
Any word on WordPress 2.5 compatibility? I noticed it’s not listed anywhere in this list:
http://codex.wordpress.org/Plugins/Plugin_Compatibility/2.5
March 29th, 2008 at 4:36 pm
I haven’t tried WP 2.5 yet, but feel free to try yourself. I don’t /think/ anything will break, but you never know right?
March 30th, 2008 at 6:50 am
Since installing the new version of hashcash, it’s started blocking *all* comments by users on my site again. Where can I view the comments blocked (since it’s storing them somewhere) and either approve or delete them?
March 30th, 2008 at 2:11 pm
Ian, by default they go to moderation or Akismet if it is installed. However, the problem is that your theme doesn’t have the wp_head hook in it. You need to add a call to wp_head(); inside your template.
March 31st, 2008 at 12:56 am
Okay, will do. Will consult the documentation on where I need to put that.
Thanks again, Elliott!
March 31st, 2008 at 1:06 am
Okay, that seemed to fix it. Apparently the theme author had commented it out. I uncommented it and it hashcash works as advertised.
Thanks!
March 31st, 2008 at 1:07 am
Oh, and it works with WP 2.5 just fine.
March 31st, 2008 at 2:53 pm
How about making a contact form plugin with Hash-Cash? I want a contact form plugin, but I don’t want spam or captchas.
April 5th, 2008 at 12:40 am
Am gonna try!
10Q for the plugin!
April 5th, 2008 at 2:32 am
After having problems with HashCash working, Elliot suggested I sent him my theme files so he could see what was going on.
It turned out to be my theme and some javascript that I had added that was causing the problems. Elliot re-wrote the javascript and sorted out my php!
Many many thanks Elliot!
April 6th, 2008 at 10:40 am
Small note: on line 302, if you change it to
echo "addLoadEvent(function(){var el=document.getElementById('wphc_value'); if(el){el.value=wphc();}});\n";it will not error on pages which are lacking a comment form despite being a post.
April 6th, 2008 at 5:19 pm
testcase
April 9th, 2008 at 9:46 am
thank you for this great plugin
April 14th, 2008 at 2:56 am
I’ve got Hash Cash on a WP2.5 site with the wp_head and comment_form hooks present in the theme. Every comment is being held for moderation, even my own comments when I’m logged in as admin. Here is the error that is logged:
[WORDPRESS HASHCASH] The poster sent us ‘0 which is not a hashcash value.April 14th, 2008 at 6:04 am
It’s because you’ve manually overloaded body.onLoad aka window.onLoad in your html. Instead of body onload=”Init()” you should just put in the js window.onload=Init.
April 17th, 2008 at 11:17 am
Whats wrong with the default wordpress askimnet antispam?
April 21st, 2008 at 4:50 am
For those of us new to WP, etc, can you provide exactly the code to include “the hooks” and exactly which file(s) to place them in?
Thanks
April 24th, 2008 at 4:49 pm
Could it be, that trackbacks doesn’t work with that plugin?
Greets
April 27th, 2008 at 4:23 am
Great I will try this - Thanks soo much
May 7th, 2008 at 2:06 am
Firebug says wphc took 0.465ms to execute. This is a nice check to make sure the client has JavaScript but it sure isn’t hashcash.
May 11th, 2008 at 2:38 am
Looks like Hashcash thinks comments with an OpenId enabled website are spam (using the WP-OpenID plugin). Disabling the WP-OpenID plugin or not entering an OpenID website during comment submission seems to be OK with WP-Hashcash.
May 25th, 2008 at 12:51 am
Nice plugin. I will use it and hope it will work well.
May 31st, 2008 at 6:08 pm
Couldn’t this be worked around by using a webBrowser object then figuring out how to reach the form using tabs etc. then using sendKeys to send it anyway? This way the user would technically be using a webBrowser
June 2nd, 2008 at 8:37 pm
Elliott, thanks for the WP plugin!
Do you by know of a way to do this in straight PHP without Wordpress? I have some contact forms I’d like to Hashcashify, but can’t find a solution.
June 17th, 2008 at 12:56 am
Thanks Elliott for this nice plugin, I really love it.
I got a tiny bug, when I get a trackback from a page without any links I get this error:
Warning: Invalid argument supplied for foreach() in …/wp-hashcash.php on line 491
June 30th, 2008 at 4:38 pm
ohw. thanks! i really work and hate spam in 99%!!
June 30th, 2008 at 8:08 pm
I’ll certainly try this! Thanks.
July 3rd, 2008 at 4:14 am
Since installing the new version of hashcash, it’s started blocking *all* comments by users on my site again.
July 6th, 2008 at 7:46 am
the hooks” and exactly which file(s) to place them in ? ? ?
July 7th, 2008 at 5:05 pm
This plugin was working brilliantly until I upgraded to WP 2.5; now I’m experiencing the same problem as Sean: every comment, including ones I post myself while logged in, get this error:
I don’t have body onload=”Init()” anywhere in my code…any other suggestions?
Thanks kindly!
July 9th, 2008 at 6:11 am
Wonderful accurate filter.
July 10th, 2008 at 4:53 am
Very interesting plugin.
July 10th, 2008 at 4:44 pm
Maybe I’m being pedantic, but claiming that it “Blocks all comment spam, but not real comments” seems to be stretching the truth a bit. A hashcash solution won’t block manually submitted spam (and yes, I’ve seen it!), just the automated types. And just a few lines later, you mention that it does block real comments by people who have JavaScript turned off.
July 29th, 2008 at 7:07 am
ho. everytime when i try to save options, i get …
——————————–
Fatal error: Cannot redeclare wphc_option() (previously declared in /home/blogono/public_html/wp-content/mu-plugins/wp-hashcash.php:22) in /home/blogono/public_html/wp-content/mu-plugins/wp-hashcash.php on line 33
————————————-
August 4th, 2008 at 5:29 pm
Just wanted to thank you for saving our *** from the bad guys…lol
August 10th, 2008 at 6:58 pm
test
August 12th, 2008 at 3:22 pm
Looks like your version info on this page is out of date (we now appear to be at 4.3 according to this page). Also, someone appears to have ‘fixed’ another problem here.
August 22nd, 2008 at 11:50 am
wordpress tells me that 4.3 is available, but when I DL the 4.3 zipfile, it shows up as 4.1… Is there a mixup somewhere?
August 22nd, 2008 at 7:06 pm
Ian, are you sure? There’s nothing in the readme or .php file that would indicate 4.1, unless somehow you managed to download an older version.
Clay, even though this page says “4.1″ it’s the latest version. Let me remove that specific wording here…
August 24th, 2008 at 1:23 pm
Elliott,
I hate spam, but I also hate enabling JavaScript for sites I can’t trust. I await, sadly, the time when bots come with enough stupid javascript builtin to defeat this and similar methods.
Isn’t it said that no program is complete until it contains a lisp interpreter?
Best wishes though.
August 29th, 2008 at 3:40 pm
Hi,
Two questions:
1. I suppose I do not need simple-trackback-validation plugin anymore? Does it conflict with that plugin or simply does the same twice?
2. I am using the Anarchy Media Player plugin (beta version for WPMU 2.6) and found that when I close comments on a post, the Anarchy Media Player javascript does not work anymore (it should replace any link to an MP3 file with a simple Flash player) … When I remove/disable or switch of HashCash on its options page, or when I open comments again, the AMP plugin javascript works again. Is this incompatibility reported yet?
Any knowledge on this issue would be very welcome
August 30th, 2008 at 7:27 am
I am using the captcha image and it seems to work very good.
September 19th, 2008 at 6:10 am
wow great plugin and a alternative to askimet.
so long
Joachim
September 22nd, 2008 at 12:16 pm
I am using the captcha image and it seems to work very good.
September 22nd, 2008 at 12:18 pm
thanx you all
September 22nd, 2008 at 12:18 pm
I hate spam, but I also hate enabling JavaScript for sites I can’t trust. I await, sadly, the time when bots come with enough stupid javascript builtin to defeat this and similar methods.
Isn’t it said that no program is complete until it contains a lisp interpreter?
Best wishes though.
September 22nd, 2008 at 12:19 pm
Okay, will do. Will consult the documentation on where I need to put that.
Thanks again, Elliott!
September 24th, 2008 at 12:13 pm
This is a nice plugin.
Could you update the Other Notes page’s Change Log to reflect the changes for 4.3 (and, presumably, 4.2, if there was one…).
BTW, I believe another possible reason for Sean’s comment is that he may have WP-HashCash logging turned on.
September 29th, 2008 at 12:09 pm
This plugin doesn’t seem to work at all. I tried posting an single personally typed response to a story on a wordpress blog on ocregister.com and it says it’s spammy. It’s not at all, completely nice and on topic. Wonder what could be up with that?
It shouldn’t surprise me, the OC Register blocks single personally typed letters to the editor 100% too. I dunno how they can function.
October 9th, 2008 at 3:18 pm
New to WP. What is a hook?
October 12th, 2008 at 3:19 am
i dont know the technacalities but wiyh me it works just fine
November 3rd, 2008 at 1:38 am
This is inherently broken if a person has NoScript extension in Firefox. I just had a pretty big comment eaten by your WP Plugin because I had no warning about this. If you would be so kind, please people to make sure javascript is enabled so that our posts don’t get eaten up by your plugin. Thanks!
November 3rd, 2008 at 11:07 pm
I must not be doing something right. I have installed the plug-in, and the options are all checked, but I don’t see what it is doing on my sign-uppage on my WPMU website. Do I need to add a code to the sign-up page for it to work, or is it something that just works in the background automatically?
November 10th, 2008 at 11:50 am
This plugin that i am searching for. thanks!
November 14th, 2008 at 1:50 pm
Any solution to this problem?
[WORDPRESS HASHCASH] The poster sent us ‘0 which is not a hashcash value.
November 17th, 2008 at 2:02 pm
The latest hashcash has a bug with MSIE, .. because what it’s doing is adding the “above” the doctype it ruins any “centering” the page might have. So MSIE can’t interpret it correctly, any chance we can get this to load within the appropriate get_header area?