Fighting Spam

What is the one common thing that all web site and blog owners hate? You're right - Spam. We all use Contact or Comment forms to interact with the site's visitors, but ending up as perfect targets for spammers to annoy the heck out of us.

There are different ways to fight the spam, some are helpful, others not. One of the popular methods is to use a CAPTHA, an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart.
However to make captchas efficient they have to be very hard to read by generating an image of a few random letters, using colours, distorted letters. Why? Because there are already several scripts used by spam bots that can OCR simple captchas in no time. The problem with this method is that many use captchas that even humans have a hard time recognizing, which is very frustrating.

Other methods include an addition of a simple skill-testing question that only humans can answer. I used this method myself on this blog, asking people about the number of letters in the word "inspiration". The problem with this one is sometimes even humans make mistakes answering these questions (simply due to not paying much attention to them) and often losing the entire comment when clicking back to correct the answer, which is very exasperating.

When browsing some Russian websites (one of the benefits of being multilingual) I stumbled upon one very interesting article: Antispam with no Captcha, which talked about a very different method of dealing with spam. I've decided to try it out, tested it on Inspiration Bit and now highly recommend you to do the same.

The idea behind this method is that most spam bots are trying to fill out every field in your forms. So what we can do is trick the bots by adding a couple of new fields to the form, but hiding them from our readers with the CSS code "display:none". And then validate them in PHP (or any other server-side programming language you use to validate the forms). If those fake hidden fields (hidden by CSS, not input type=hidden in HTML) get filled and contain some data, then we're getting a response from a bot, so we block it by rejecting the form submission, since humans can't see those fields and leave them blank.

However, those bot scripts are getting smart with it and very appropriately fill out only fields titled "email", "comments" and other titles that we usually use in our contact and comment forms. So it is important to use not just any name but the real-sounding names for our fake fields and use fake-sounding names for our "real" fields. When I've added a field, titled "email2" and hid it with CSS, it did reduce my spam, but I was still getting a few spams a day. So then I've left fields "email" and "comments" for spam bots to fill and hid them from humans, and created "ibitletter" and "ibitmsg" for the actual email and comment fields for humans in my comment form. This worked like a charm - no more than 3 spams a day.

To compare: without any spam prevention methods on my blog Akismet was catching up to 30-40 spams a day, with my skill-test question, it was reduced to 5-8 spams a day. With altering the comments form by adding the fake fields to trick the bots, the spam on my blog was further reduced to 2-3 spams a day. That's quite an improvement, don't you think so? The fact that I'm still getting some spam most probably indicates that those comments were filled out manually.

So here are my steps:

Update the HTML part of the code in your comments.php file by going to Dashboard->Presentation->Theme Editor (erase the comments in your code, I've used them here just to make it more clear for you what is where):

  1. <input type="text" name="email" id="email" value="" /><!--for bots-->
  2. <input type="text" name="ibitletter" id="ibitletter" value="<?php echo $comment_author_email; ?/>" size="20" tabindex="2" /><!--for humans-->
  3. ..........
  4. <textarea name="comment" id="comment" cols="50%" rows="2" tabindex="4"></textarea><!--for bots-->
  5. <p><textarea name="ibitmsg" id="msg" cols="50%" rows="10" tabindex="4"></textarea><!--for humans--></p>

Add the following CSS code to your styles.css file:

  1. input#email, textarea#comment {display: none;}

Open and edit the PHP code in your wp-comments-post.php file (it's located in the root folder of your website):

  1. $comment_author       = trim($_POST['author']);
  2. $comment_author_email = trim($_POST['ibitletter']); //for humans
  3. $comment_author_url   = trim($_POST['url']);
  4. $comment_content      = trim($_POST['ibitmsg']); //for humans
  6. $comment_fake_email = trim($_POST['email']); //for spam bots
  7. $comment_fake_content = trim($_POST['comment']); //for spam bots
  8. //add validation:
  9. if ( '' != $comment_fake_email ) //if not empty but filled by a bot
  10.     wp_die( __('Error: do not spam.') );
  12. if ( '' != $comment_fake_content ) //if not empty but filled by a bot
  13.     wp_die( __('Error: do not spam.') );

So give it a try and let me know how it worked for you.

Update: I just found another helpful article that talks about a similar alternative to fighting spam, this one is using a so-called The Invisible Captcha Mechanism (ICM). Definitely worth checking that one out.

Recent Bits
Related Bits
Tired Of Spam – Activate The Spam Stopper
Flattering Spam
Practical Information About WordPress Plugins
Latest Blogg buzz
Digg – Up close and personal
It’s Time for New Calendars. Seasons Greetings!
Comment Bits

27 Insightful Bits in response to “Fighting Spam Without Captcha”

  1. I’m glad you’ve found that concept works as I have also decided to try it out.

    I am in the process of writing a web app and am using this as my only spam protection method, so I have used PHP session variables to store a fake form name, chosen at random out of a list, to make it harder for bots to figure out what not to answer.

  2. Vivien,

    That looks spiffy. I’ll definitely have to try that out.

  3. Vivien

    Andrew, using a session variable in PHP for the fake field names is a very smart solution.
    I just found another article on the alternatives to captchas and found this one talking about a very similar method, called The Invisible Captcha Mechanism (ICM), I’ll add the link to the post, so that everyone could check it out. To trick the bots further that one is using the current date function in PHP with the day, month and year, adding that to the field names.

    Ronald, let me know how it works for you.

  4. Hey Vivien,

    I found an error in one of your code snippets. It’s in the first block. When you end the PHP statement in the first block, it should be ?> instead of ?/>

  5. Vivien,

    One other thing I’ve found out testing this thing out:

    Make sure you clear your cookies for the site in question, otherwise the e-mail and comment forms might automatically be filled out without you realizing it and you’ll get the “do not spam” error.

  6. Vivien

    oh-ho… how did that slash end up there?… thanks for noticing, it was only in my post, not the actual code. I’ve just corrected it.

    Good point about the cookies. Thanks, Ronald.

  7. That’s pretty genius! I need to do something along these lines — I get way too much crap in my moderation queue. It would be nice to be excited about moderating comments rather than dreading having to wade through the spam.

    One thing I’m noticing though… my CoComment bar has attached itself to your hidden “comment” box. Looks like you’ve fooled more than the bots! I’m curious if it will still track the conversation.

  8. Very interesting article. I wonder if there’s a variation on the hidden fields that would work — seems like a good idea. The whole captcha thing has become one of those “necessary” evils sadly. I’m off to read that last article you mentioned.

    I receive very few spam messages on iLT, and only 2 have made there way past Askimet. Now that I’ve said that, I’ll probably start to get hundreds.

  9. I woke up to zero spams on RA Project this morning using this technique. Woot! I hope it continues to work :)

  10. This concept is good . I will try this out on my blog too .

  11. I’ve come across this technique with contact forms before, but not really thought of applying it to WordPress comments. It’s a good idea.

    Personally I don’t like having to update a core file as you will need to remember this every time you upgrade WordPress… Could be a very good idea for a plugin though.

  12. One thing to be careful of — for the forms to be completely accessible to humans, you should label the “don’t fill this out” fields for people who have CSS disabled. They might be using a mobile phone or are visually impaired and thus will find the extra fields confusing.

  13. Vivien

    Hi Brian. Let me know if you tried the no-captcha method for your comment form. What anti-spam options do you currently use on your blog besides Akismet? I see you don’t use any captchas either.

    John, I do hope you won’t start getting more spam. I wonder though how come you don’t get much spam on iLT despite its great popularity and having a captcha that is a very legible one.

    Hurrah to a morning with no Spam, Ronald. Hope it stays the same every moring.

    Good luck, Madhur. Let me know how it works for you.

    Aaron, I agree, it would be better to have a plugin that will add those hidden fields, rather than changing the core files. But until then, I find it’s worth changing the WP files for my blog.

    Peter, thank you so much for reminding me about it. I meant to include that in the footnote of my post, but forgot. Yes, it’s advisable to leave a warning message for those who have CSS disabled.

  14. Vivien
    Yes, it is odd tht I don’t get more spam. Since starting iLT, Askimet has stopped 75 spam comments and missed 2.

  15. Nice article!

    I’ve written another article on my website to fight the hateful spam:

    Keep on bloggin,,,

  16. Hey awesome, John uses my plugin! What a small world…

  17. Very good idea.
    But what if bots try and find out the hidden fields?

    What if they did not fill those fields?

  18. Vivien

    Reasonable question, Niyaz. But why wouldn’t the bots fill those hidden fields?

  19. Hi Vivien! I really love how simple yet sneaky this anti-spam field is! I’ve just fixed my coding to reflect these changes and I would love it if it cut down my spam even by 50%. It’s quite disheartening to sign on to my blog after a few days of being away to find 400+ spam messages. I’m sure it was the slight popularity of one of my articles on Digg that got me this lovely attention from spam bots.

  20. Lauren, let me know please how did it work for you, it’s very frustrating to be getting so much spam. Hope it works for you as well as it did for me.

  21. Well even though it’s been less than 24 hours, I can say this method is working wonderfully! I haven’t seen a SINGLE spam comment since adding those extra fields. I wish I’d done it sooner! Thanks, Vivien!!!

  22. HURRRRAH! I’m so glad to hear that, Lauren. Glad it worked for you so well. You might still get a few spams here and there, ’cause there are some manually entered spam comments, but definitely not much. Thanks for the update.

  23. Ooo, remember to update wp-comments-post.php when you upgrade! I forgot and didn’t get comments for a few days there… hope I didn’t miss anything important!

  24. oh, thanks for the heads up, Lauren. I haven’t had a chance to upgrade yet. Glad you realized soon enough.

  25. lol

    This whole concept is a waste of time for obvious reasons.

    The only hope something like this has is if spammers don’t target it, and the spambots have horrible very VERY bad heuristics (Filling out hidden forms? Come on!).

  26. I wouldn’t call it a waste of time. It obviously works for me and worked for many others. It’s not the best anti-spam fighter, but I doubt there is one.

  1. Spam, Spam, Spam, Spam, lovely spam, wonderful spam…

    [...] at Inspiration Bit has written about her most recent attempts to stop spam so I thought I would explain the methods I have used on various sites, all with some [...]

Selected Bits





Hi, I'm Vivien. Thanks for visiting my Inspiration Bit. I often find myself scouring the internet looking for either answers to many questions I have or websites that inspire me, sites that I can learn from. On what topics you might ask — any topics that interest me, anything from web design to typography and art, from blogging to entrepreneurship, from programming to open source.
read more…
When I'm not blogging, I design web sites, teach, play with my daughter and try to balance family, work, friends and a somewhat active social life on