You might sometimes struggle with preventing spam on your WordPress blog. Sure, the built-in post-types of WordPress might already have some spam-protection (like nonces and/or Akismet), but what if you are creating your own post-types? Or you have some exotic submission-form that is not using any post-type at all? Well, in those cases you can fairly simply add some of that juicy spam-protection without all too much trouble.
Nonce
The first line of defence is a nonce. You might already have seen these before. A nonce in WordPress is a ‘number used once’. It prevents a form from being misused by checking things like the referrer and the time, for example. Adding a nonce to your form is very simple; it just requires one function that you must embed in your form:
```php
<?php wp_nonce_field( 'my-nonce' ); ?>
```
This function generates something like the following HTML:
```html
<input type="hidden" id="_wpnonce" name="_wpnonce" value="6108e1e021">
<input type="hidden" name="_wp_http_referer" value="/some-page-title/">
```
Now, in the piece of code where you are about to save all submitted data in the database, you can add the following check:
```php
// Only save when the nonce field is present and valid for the 'my-nonce' action
if ( isset( $_REQUEST['_wpnonce'] ) && wp_verify_nonce( $_REQUEST['_wpnonce'], 'my-nonce' ) )
{
    // Do some amazing saving stuff
    // ...
}
```
That’s just how easily you can use nonces on your site.
Akismet
Another nice approach that might not be familiar to some of you is to use what’s already there: Akismet. If you are currently using the Akismet WordPress plugin to prevent spam comments, you can already make use of this plugin to check any kind of content or form submission for spam. I first read about this method in this article. The approach is fairly simple: just use the static Akismet::http_post() method to check with the Akismet server whether your form submission contains spam. A simple method for this could look something like this:
```php
/**
 * Check if the user is a spammer
 *
 * @param string $content
 *
 * @return bool
 */
public function checkWithAkismet($content = '')
{
    // We assume that Akismet is installed with the corresponding API key
    if( method_exists( 'Akismet', 'http_post' ) )
    {
        // Get the visitor's IP address. REMOTE_ADDR is set by the web server;
        // the other two headers are client-supplied and only used as a fallback.
        $ip = $_SERVER['REMOTE_ADDR'] ?? $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['HTTP_CLIENT_IP'] ?? '';

        // data package to be delivered to Akismet (Modify this to your needs)
        $data = array(
            'comment_content' => $content,
            'user_ip'         => $ip,
            'user_agent'      => $_SERVER['HTTP_USER_AGENT'] ?? '',
            'referrer'        => $_SERVER['HTTP_REFERER'] ?? '',
            'blog'            => get_site_url(),
            'is_test'         => false,
        );

        // construct the query string
        $query_string = http_build_query( $data );

        // post it to Akismet
        $response = Akismet::http_post( $query_string, 'comment-check' );

        // check the results (the body can be 'true', 'false' or some error message)
        $result = ( is_array( $response ) && isset( $response[1] ) ) ? trim( $response[1] ) : 'false';

        // Akismet answers with the string 'true' for spam. Compare against that
        // string: a loose comparison with the boolean false flags everything as spam.
        return 'true' === $result;
    }

    return false;
}
```
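How the two checks fit together in one submission handler, as an added example that is not code from the original article. The hook name `my_form_submit`, the field `my_message`, the post type `my_entry` and the class name are hypothetical, and the `checkWithAkismet()` method shown above is assumed to be pasted into the same class:

```php
<?php
// Added example. The form is assumed to POST to admin_url( 'admin-post.php' )
// with a hidden field action=my_form_submit plus wp_nonce_field( 'my-nonce' ).
class My_Form_Handler {

    public function register() {
        // admin-post.php dispatches to these hooks for logged-out and logged-in visitors.
        add_action( 'admin_post_nopriv_my_form_submit', array( $this, 'handle' ) );
        add_action( 'admin_post_my_form_submit', array( $this, 'handle' ) );
    }

    public function handle() {
        // 1. Nonce: reject requests that do not carry a valid token from our form.
        //    For logged-out visitors the token is not bound to a user account, so
        //    treat it as a basic check and let step 3 judge the content itself.
        $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
        if ( ! wp_verify_nonce( $nonce, 'my-nonce' ) ) {
            wp_die( 'Invalid or expired form token.', 'Forbidden', array( 'response' => 403 ) );
        }

        // 2. Normalise the input before it is checked or stored.
        $message = isset( $_POST['my_message'] ) ? sanitize_textarea_field( wp_unslash( $_POST['my_message'] ) ) : '';
        if ( '' === $message ) {
            wp_die( 'Empty submission.', 'Bad Request', array( 'response' => 400 ) );
        }

        // 3. Akismet: skipped when checkWithAkismet() has not been added to this class.
        //    Flagged entries are held as 'pending' so false positives can be recovered.
        $is_spam = method_exists( $this, 'checkWithAkismet' ) && $this->checkWithAkismet( $message );

        // 4. Save the submission as a custom post type entry.
        wp_insert_post( array(
            'post_type'    => 'my_entry',
            'post_title'   => wp_trim_words( $message, 8 ),
            'post_content' => $message,
            'post_status'  => $is_spam ? 'pending' : 'publish',
        ) );

        // Send the visitor back to the form page (same-site redirects only).
        wp_safe_redirect( wp_get_referer() ?: home_url( '/' ) );
        exit;
    }
}

( new My_Form_Handler() )->register();
```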
In conclusion
You see that it’s very easy to add two lines of defence in the battle against spam. Without too much hassle you can protect your own forms and custom post-types from being clogged up with spam. If you have any suggestions, tips, comments or more approaches on how to prevent spam on your blog, please share the knowledge in the comments below.
Special thanks go out to Birgir Erlendsson for pointing out the Akismet-method.