Maximum Anti-spam Measures for WordPress

On my blog I’ve had to take what I consider maximum, or perhaps even extreme, measures to minimize spam. I use captcha’s, which I don’t particularly like, as well as mandatory approval for comments along with shutting off comments after 30 days. Oh, and I’ve also commented out the code that allows for trackbacks and pingbacks.  It was the combination of these measures that finally gave me some peace-of-mind.

Back during the month when I finally implemented all of these anti-spam methods I had received over 400 spam messages via various methods. It was filling up my mail box and getting really annoying. Mostly it was the time wasted while glancing at each message to weed out legitimate comments from junk before deleting it. Now I’m down to around six or so spam comment posts per month, and while this is still annoying is a much more manageable number.

I’ve gradually accepted that I won’t be able to completely eliminate spam (argh!). And, there are several downsides to this heavy handed approach. Now, every time I upgrade to a new version of WordPress I have to re-comment out the trackbacks and pingbacks PHP code. If I don’t, I start getting spam again within 24 hours. Also, if someone wants to post a legitimate comment after 30 days they won’t be able to.

Minor Code Change – Bye Bye WordPress Trackback Spam

I’ve been getting a bit frustrated with thirty or more trackback/pingback spam emails per day from my blog. I’ve been trying to ignore it for about a month, but my inbox keeps filling up. So, I did some research and, surprisingly, most of the anti-spam WordPress blog posts are from five to six years ago. I’m currently using WordPress 3.2.1.

Some of the fixes/hacks crashed my blog faster than you can blink an eye. Others, such as turning off trackbacks/pingsbacks in the WordPress settings did nothing to stop the waterfall o’ spam. Simply put: most of the old hacks don’t work on the latest version of the WordPress. One fix was to install the Askimet plug-in, but that required registering for a key and I didn’t feel like doing that.

So, I decided to actually look at the WordPress code and create my own home-made hack just to see if it might work. What I’ve done is rather brute force.

Step 1. Locate the php file responsible for trackbacks. On my system it’s under /htdocs/WordPress/wp-trackback.php.

Step 2. [Update: 11/18/2011] Comment out the following two lines of code. Then save your work and make sure your blog still runs. These lines of code are the one that writes the trackback to the database. In theory, if I stop that from happening then I won’t be annoyed by spambots for at least a little while.

 //wp_new_comment($commentdata);
 //do_action('trackback_post', $wpdb->insert_id);

So, now that’s done I’m going to sit back and wait. I’ll update the post if my “experiment” is successful. Or, if I have to dig further into the WordPress code.

[Update: 11/18/2011] With the additional line commented out all trackbacks are now ignored and they cannot be written to the database. Sweet!