A few months ago WordPress and WordPress MU merged with the release of the WordPress 3 series. This was awesome if you ran multisites, as the code bases were now a single branch. Unfortunately, the problem with spambots creating blogs simply to load links back to their spam sites didn’t get any better. If anything, it’s gotten worse, and the problem isn’t limited to multisite installations: single-site WordPress installs are just as prone to comment spam and/or bogus users being created. A new WordPress installation can expect to be attacked by bots within days of going live, and if you have an open comment or registration process, you’re going to be spending a lot of time weeding out bogus blogs and comments.
A year ago I released a plugin I’d been tinkering with called WPMU Block Spam By Math. It was based on the simple, yet highly effective, plugin Block Spam By Math created by Alexander Grau. The WPMU version solely addressed the need in WPMU to try and control spam blog creation. While nothing is 100%, both plugins together provided some pretty nice protection. Since the release of WordPress 3 and the ever increasing use of Buddypress, I decided to combine both plugins, updated for the current code bases, with a few enhancements built in. The result is Block Spam By Math Reloaded.
It’s still a simple plugin based on an even simpler concept, but it’s proven to be highly effective at what it does. By simply adding a math question to the workflow processes (something like “what is 5+2”) you can dramatically reduce the amount of spam you have to deal with. In fact, I rarely get comment spam, and if any does get by (usually because a person actually posted the spam, not a bot), Akismet nabs it. I’ve been running this plugin on my other site Reality Wired for several weeks and it’s been (in my opinion) 100% effective. Another advantage is you don’t have to worry about GD2, ImageMagick or other graphics library issues that come with the random image generators. Block Spam By Math Reloaded just works.
Installation is simple:
- Download the plugin from WordPress.org.
- Copy it into the wp-content/plugins directory of your blog.
- Go into your wp-admin/plugins and activate the plugin.
- Go to wp-admin/settings/block-spam-by-math-reloaded and set your options.
That’s all there is to it. You should now start to see a dramatic reduction in the amount of spam blogs and comment spam. NOTE: This does not protect against those spammers who take the time to manually create spam blogs on your site. For those I still recommend barbed wire and toothpicks under the fingernails.
Buddypress Users
If you are using Buddypress, the plugin has been tested against the latest version 1.2.7 using the default Buddypress theme. I’m fairly certain it won’t work with any version prior to 1.2.7 due to a missing hook. If you don’t have the latest version of Buddypress I recommend you look into updating anyway.
FAQ
- Does this plugin work with the original Block Spam By Math plugin?
  No, this plugin uses some of the same functions and function names and will most likely cause you problems if you try and run them together.
- Does this plugin work with the regular WPMU Block Spam By Math plugin?
  No, this plugin uses some of the same functions and function names and will most likely cause you problems if you try and run them together.
- Does this plugin work on WordPress versions prior to the 3.x series?
  Not sure, although it won’t run on anything older than 2.7 for sure.
- Can I change the math questions?
  Yes, just edit the two rand functions in the plugin file to generate whatever type of numbers you want.
- Does this plugin work on regular Buddypress?
  Yes. Requires Buddypress 1.2.7 or higher using the default Buddypress theme.
Future Updates
I’ve got a few more things I want to add to this plugin, mostly convenience things that have annoyed me with the previous ones. I hope to have them included in a few weeks. If you have a suggestion please leave a comment with your ideas.
Support
I’ll do my best to support any issues that crop up with the plugin. If you run into an issue, either shoot us a note via the contact page or simply leave a comment below.
If you like this plugin and want to support me, leave a comment or check out my donations and support page!
Version 2.0 Update
Version 2.0 of this plugin has been released. It includes a number of changes to the base code, bringing it more in line with current WordPress standards.
* Added a number of enhancements that allow for field validation.
* Added the option to add the security form to the stand alone WordPress user registration form.
* Added customization for almost every available object.
* Added the ability to change when the security form appears on the comment form (see the note below).
The biggest piece of this was adding the ability to change where the security form appears on the comment form. The difficulty is that WordPress has no default hook for that location, and not all templates integrate the relevant part of the form into their template code, so a manual template edit is not very feasible. What I chose to do was provide 3 options that I believe will cover most cases.
- The default option is to use the default hook location. In most cases this places the security form below the comments submit button.
- The second option is the ability to use a predefined hook location. This won’t exist in most templates, but several of the frameworks are starting to use it. Thesis Theme, for example, uses its own comment code and adds a hook for us. Therefore we are able to make use of that hook to relocate the form above the submit button rather easily.
- The third option will be the most difficult for some to grasp. This involves a manual edit to a core WordPress file. This means that every time an upgrade is performed this edit will have to be re-added. Instructions are included on the plugin’s options screen.
Maybe in the future WordPress will add additional hooks or alter the whole comments system to make the comment form use a template, thus allowing for easier manual placement. Until then, a little pain was necessary to make this happen.
Version 2.1 Update
After a few quick releases to fix some minor issues, I’ve pushed version 2.1 to the repository. No functional changes have been made; the changes are mostly cosmetic, but I think they make the admin options page a little less cluttered.
The two biggest things I’ve added aside from the cosmetic are:
- A help link for registering the plugin that should fix the issues some of you have emailed me about.
- An Uninstall option that will clear all plugin settings from the database. When you deactivate the plugin the settings are still there, but if you want to completely remove it or just revert to default settings this is the quickest way. The plugin is automatically deactivated as part of the uninstall.
I think I’m fairly happy with this release and I think you guys will like it better. As always, leave a comment with any bugs or feature requests you have or drop us a note via the contact form.
Update 2.2.2 is uploaded and should be available shortly. This “should” fix the registration issue when running in network mode.
My security question is showing below the submit button, not above like on your site. How do I fix that?
Scroll to the lower portion of the plugin’s settings in wp-admin; there are instructions on how to do this.
Hey,
first off, I love this plugin. Simple, yet very effective.
Now to the problem: I edited the notice message in my admin panel and wanted to put in line breaks with HTML tags, since the description says “You can use html here.” I thought that wouldn’t be a problem, but in fact it was, because it doesn’t work, no matter how often I try …
After I hit the “Save Changes” button, the HTML just disappears from the text field and there are no line breaks.
Any idea why? Is this maybe a bug? Am I just stupid? 🙂
I had this issue as well (v.2.2.4). It removed the spans and ASCII-encoded characters that I added. But I really like the simplicity of the plugin, so I’ll just add the elements I need in the plugin files.
Oh, btw, should’ve mentioned that in the first comment: Line breaks don’t work in the “Incorrect Answer Error Message” & “Empty Field Error Message” either. However, other html tags work, like making the text bold and stuff …
Thanks for this 🙂 We could not find a good and simple answer to comments spam bots and yours worked a treat and first time!
For those of us who use Multisite with a caching plugin… does this work using PHP or Javascript?
If a user gets served a cached page with an old math problem, will this still work?
Hi there – I installed and activated this plugin today, but I am still receiving TONS of spam constantly. Does it take any time to take effect?
Works perfectly. Just one question though — the Security Question appears below my submit button. Is there a way to make it appear before the Submit button?
http://www.bethannerankinforcongress.com/blog/2011/08/shell-see-me-stand/.
Thank you. Yael
Has this exploit been patched yet?
http://www.exploit-db.com/exploits/17702/
No, and to be honest it’s not a high priority for me right now. The exploit isn’t an exploit against this plugin, it’s a WordPress exploit. I’ve talked to the WordPress people and suggested some changes they make and I have some enhancements to add to the plugin from their feedback that I will get in there sometime. Right now I’m caught up in finishing a deliverable for the J.O.B.
Regardless, enhancing the plugin will not make the real vulnerability that exploit takes advantage of go away.
Has the bypass exploit been patched yet?
http://www.exploit-db.com/exploits/17702/
Thanks.
Is there a way to remove the line “Security Question:”?
I tried to erase only the text, but the empty line remains…?!
Thanks!
Max, not without altering the code but that’s a great idea for an upgrade. For now, you can just comment out this line in the plugin file.
echo '
Should be around line 202.
I installed this on a multisite, but it seems each site can set up their own settings. Is there a way to set the options once for the entire network?
So, potentially bad news: This plugin took hundreds of plugins that were hitting my Akismet filter and killed them dead as a doornail. And they stayed dead for a long, long time. But starting yesterday afternoon, my spam filter has been getting slammed once again. I can only assume that somebody out there has cracked the plug-in and is auto-answering the math question.
Not sure what can be done about it, but I’m hoping somebody cleverer than I will be able to modify the plug-in so that it can go back to killing my spam problem.
A small question:
I have changed the value:
define('BSBM_NOTICE_MESSAGE', 'Udfyld venligst ovenstående');
However it does not come through – it still displays.
IMPORTANT! To be able to proceed, you need to solve the following simple math (so we know that you are a human) 🙂
I have gone around it by deleting:
echo $options['bsbm_notice_message'];
But can I do some kind of “refresh” instead?
Where is that located, Anders?
Thanks for the Spam block plugin! I am using Plugin 2.2.2, which had been working until yesterday, when some people managed to post a bunch of spam on my blog.
What could be the problem? Thanks.
It depends on how they got in there. If you’re using Akismet, that should catch any that manage to get past the plugin.
Thanks, James. There are two or three random posts that are full of garbage and misspelled words on some pages. I am currently not using the paid Akismet. I will have to find a free plugin similar to Akismet, if there is one.
Sky, you can still get Akismet free. You just need a personal key and donate $0.
Thanks, James.
I’ve installed a free plugin named Growmap Anti Spambot yesterday. There are no spams this morning so far. Hopefully, my blog will be spam free with your plugin and Growmap Anti Spambot activated.
In the settings fields that allow HTML, how do I code a link? The typical HTML link code doesn’t work. Thanks.
And how about for multisites? Is there a way to apply it across the network or does it need to be activated on a site by site basis?
Hi ! I was just about to translate your plugin into the languages my blog is using when I noticed that version 2.2.3 is not quite “standard” as far as po/mo files are handled in wordpress… 🙁
Were you by any chance looking for new possible enhancements ?
The plugin has helped kill nearly 90% of spam; however, I am now starting to get some comment spam despite this plugin. I would suggest that the authors of the plugin extend/renew the options, as the more popular it becomes, the more spammers will try to crack it.
But overall, thumbs up for the plugin authors. The plugin works great and I am a very satisfied user.
Hello,
to begin with, praise for the good Captcha plug-in!
I do, however, have one more question:
If a visitor or member of my web page enters a wrong Captcha code, he is forwarded to an empty white page. I do not find this so good, since visitors are then no longer on the real page and also cannot get back to the homepage via the back button!
How can I change this so that after a wrong input the user is taken back to the homepage or to the form?
Greetings
Tom (Germany)
(Sorry for my bad english!)
Can you remove the “IMPORTANT! To be able to proceed, you need to solve the following simple math (so we know that you are a human) :-)” all together? I just get a random yellow box
How to make this plugin work with bbpress forum plugin?
Like solving the maths question before submitting new topic or before replying to any old topic?
Please help
Thanks
I would absolutely love this but am on blogger – darn it.
Hello,
Thank you for such a fabulous plugin. I have a quick question – is there a way to manually add the code for the security check to the plugin WPTouch? It uses its own mobile theme. Thanks in advance!
Hi – Can you help me to get the answer box for the math question to appear? I need to add a grey outline or background to it. I have tried turning styling off and on. Can you tell me which lines address the border and background in the bsbm.css to change to correct this.
Thank you so much.
Hi James – Just a small suggestion (if you haven’t had this one before) but a lot of people tab to the next box while filling in forms.
On the log in screen with your plugin, the tab misses your question out and moves onto *Remember me
Thanks for the plugin – Phil
Hi James,
Love your plug-in, but I have a couple suggestions.
1) You should not be storing the answer to the math question directly on the client page. Right now there are a couple of hidden INPUT boxes named “mathvalue0” and “mathvalue1” which contain the numbers. Very easy for a bot to figure out how to scrape that off the page and answer correctly.
Instead, store the answer in a session variable, which is stored server-side and inaccessible by a bot.
2) The actual math question itself should be obfuscated, the text “What is 6 + 14” is plain enough that a semi-intelligent bot could see a blank input box below a textual math question and put two-and-two-together (pun intended!)
Instead, the plug-in should generate an image of the number – the act of generating the image should fill the session variable I mentioned in (1). This will make it much, much harder for a bot to “scrape” the page. As a bonus it makes it easy to then have a “refresh” button beside the image that generates a new question if the user desires.
You can throw some unique-IDs into the mix to prevent multiple simultaneous open tabs or windows from messing things up, although this would be a minor issue.
I’m working on this right now for my own site. If you’re interested in the code when I’m done, shoot me an email.
James – I finished the code. I ended up using a salted hash for the answer instead of a session variable (that way there are no issues with multiple tabs etc.)
Also, I found and fixed a bug where the “BSBM_EMPTY_ERROR” and “BSBM_ANSWER_ERROR” error messages were reversed – look near line 325.
Can I send you the code? I can’t find you email anywhere on your site here.
It’d be nice to have this code already in the repository so when I install your plugin for future customers of mine I don’t have to manually modify it every time.
Hi James,
Block Spam By Math has helped a great deal blocking those spams for quite some time. However, I’ve just found that there are 10-15 anti-aging cream spams on my blog today. Do you have any suggestions in blocking those annoying spams? Thanks.
Hello there,
Thank you for the plugin.
I am facing a couple of problems that could be related.
1) The question is placed below the submit button. I tried to change it from the settings that you provided, but whenever I change it from the default the question disappears.
2) Another issue is that the answer field can’t be selected. In some browsers it would select with a double click and in others it wouldn’t at all.
Could the second issue be because of the first?
Would really appreciate your advice.
Thank you.
Seems like an awesome plugin. For some reason, I’m using it on an ecommerce site and the math ? does show up on new user registration, but it is not showing on “login” form for existing members. I have it set to show up for everyone so maybe it just can’t work with this scenario.
James,
I love this plugin!
Could you please provide specific instructions to make this work with another wonderful plugin, “Contact Form 7”.
After update (3.5.1), Block-Spam-By-Math-Reloaded doesn’t work.
I installed the plugin and this is not showing up in my theme at all. How can I manually add it?
Hi!
It looks like in the version found on https://wordpress.org/extend/plugins/block-spam-by-math-reloaded/ the definition of the salt is erroneous. I had to replace the double quotes with single quotes to prevent the salt from being treated as a PHP variable (“$2a$07$secretsaltstringASDFAS$” by default in the sources).
As the salt generation and the crypt call fail, the hashed value is always “*0”, which allows any answer to validate the comment.
Replacing the double quotes with single quotes is sufficient to solve the problem.
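The two comments above describe the same class of problem from different angles: the answer operands being exposed in hidden fields (mathvalue0/mathvalue1), and a crypt() call whose failure string “*0” compares equal to a stored “*0”, so every answer passes. The following is an added example, not the plugin’s own code, showing a fail-closed check around crypt() and a stateless HMAC token that keeps the answer off the page. All example_ names, the secret, and the $_POST field names are assumptions.

```php
<?php
// Added example (not part of Block Spam By Math Reloaded). Assumes PHP 7+ and a
// secret defined in wp-config.php; all example_ names are hypothetical.

// (a) crypt() signals failure with a short string such as "*0" or "*1".
// Comparing that to a stored "*0" validates every answer, so treat it as failure.
function example_crypt_failed(string $h): bool
{
    return strlen($h) < 13 || $h[0] === '*';
}

function example_verify_with_crypt(string $answer, string $stored, string $salt): bool
{
    $h = crypt($answer, $salt);
    if (example_crypt_failed($h) || example_crypt_failed($stored)) {
        return false;                   // fail closed instead of "*0" == "*0"
    }
    return hash_equals($stored, $h);    // constant-time comparison
}

// (b) Stateless token in place of hidden mathvalue0/mathvalue1 fields: the
// operands appear only in the visible question; the hidden fields carry a
// nonce, an issue time and an HMAC over (nonce, issue time, correct answer).
function example_make_question(string $secret): array
{
    $a = random_int(1, 20);
    $b = random_int(1, 20);
    $nonce  = bin2hex(random_bytes(8));
    $issued = time();
    $token  = hash_hmac('sha256', "$nonce|$issued|" . ($a + $b), $secret);
    return [
        'question' => "What is $a + $b?",
        'hidden'   => ['nonce' => $nonce, 'issued' => $issued, 'token' => $token],
    ];
}

function example_check_answer(string $secret, array $post, int $ttl = 3600): bool
{
    $given = (string) ($post['answer'] ?? '');
    if (!ctype_digit($given) || !isset($post['nonce'], $post['issued'], $post['token'])) {
        return false;                   // missing or non-numeric submission
    }
    if (time() - (int) $post['issued'] > $ttl) {
        return false;                   // form too old (also bounds cached pages)
    }
    $expected = hash_hmac('sha256', "{$post['nonce']}|{$post['issued']}|$given", $secret);
    return hash_equals($expected, (string) $post['token']);
}

// Constructed usage: in a real install $secret comes from wp-config.php and
// $post is $_POST. A sum can never be 0, so this submission must be rejected.
$secret = 'example-secret-from-wp-config';
$q = example_make_question($secret);
$rejected = !example_check_answer($secret, $q['hidden'] + ['answer' => '0']);
```

Because the token is stateless it still validates when a caching plugin serves the same question to many visitors, but for the same reason a correct (nonce, token, answer) triple can be replayed until the TTL expires; record used nonces server-side (for example in a transient) if that matters for your site.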
Noted that the block spam by math is no longer showing up on the comment form. Did something change?