How to implement anti-spam measures using Honeypot in WordPress without plugins

Thank you for visiting. This page is an English translation of the Japanese site [Knowledge Base] using Google Translate. Please understand that there are some points that are difficult to read, such as sentences and expressions.

Because WordPress is a blog-plus-more site management tool, most themes output a comment field on posts by default (of course, you can also set WordPress not to accept comments at all).

I put effort into writing my posts and would like reactions where possible, so I want to show the comment field, but spam makes that a problem. Some comments are simply each reader's impression, which cannot be helped; the real problem is comments that are written in English and have nothing to do with the post.

Most comments of this type are not typed and sent by hand; the comment field is located mechanically and the comment is submitted automatically. In the worst case, most of the comments awaiting approval are spam and the queue becomes hard to sort through.

WordPress has standard features against this, such as creating a blacklist and blocking comments that use a specific email address, but all of them require the spam to be received and looked at once first. Moreover, most of the email addresses used for this are disposable, so it may not be possible to block them.

The method described here classifies mechanically sent comments as spam the moment they arrive. It cannot prevent spam completely, but you can expect some spam-prevention effect just by adding a small amount of code.

What is a honeypot? How this measure works

Honeypot literally means "a jar of honey," and as the word implies, it refers to luring something in with a sweet bait.

The comment honeypot built here deliberately provides a field that is invisible to the human eye (hidden) but that an automated sender will fill in. If that field contains input, the comment is judged highly likely to be spam. Specifically, it works as follows.

  1. Create hidden (invisible) input items in the comment form
  2. Make a spam judgment based on whether there is an input in 1
  3. If it is determined to be spam in 2, move to the “spam” item.

In the case of spam, it seems that you can just throw it away, but I think you need to know how many spam comments are on the site, so I mark (move) it as a “spam” item.

Marking a comment as spam also appears to feed into the spam judgment of plugins such as Akismet, so when using them together it may be better to keep the spam comments as they are.

How to use Honeypot to instantly move a spam comment to a “spam” item

It is common to use a dedicated plugin to prevent spam comments, but you can implement this yourself with surprisingly simple code.

To implement it, just insert the following code into your theme’s functions.php.

/*** Added honeypot in the comment section ***/
/* Create a hidden item called confirmation input of the email address in the comment form */
function ha_add_honeypot($postID) {
	echo '<p style="display:none">';
	// Keep the textarea empty: any default content, even a single space, is submitted with every comment.
	echo '<textarea id="confirmationmail" name="confirmationmail" cols="100" rows="10" autocomplete="off"></textarea>';
	echo '<label for="confirmationmail">' . esc_html__('Please enter your email address again for confirmation', 'ha-basic') . '</label>';
	echo '</p>';
}
add_action('comment_form', 'ha_add_honeypot');

/* If there is input in the hidden item, move it to spam */
function ha_detect_honeypot($comment_status) {
	$honeypot = isset($_POST['confirmationmail']) ? $_POST['confirmationmail'] : '';
	// Ignore whitespace-only values; a non-string value (an array) never comes from the real form.
	if (!is_string($honeypot) || trim($honeypot) !== '') {
		$comment_status = 'spam';
	}
	return $comment_status;
}
add_filter('pre_comment_approved', 'ha_detect_honeypot');

A brief description of the code

The above code uses two user-defined functions, “ha_add_honeypot” and “ha_detect_honeypot”.

"ha_add_honeypot" adds a text input field named "confirmationmail" at the bottom of the comment form, with the label "Please enter your email address again for confirmation".

The field itself is made invisible to the human eye by specifying style="display:none".

"ha_detect_honeypot" checks whether the dummy field created by "ha_add_honeypot" contains input; if it does, the comment is moved to the "spam" item as soon as it is submitted.

How to check if Honeypot is working properly

The hidden field cannot be tested as it is, so temporarily change the first line below in "ha_add_honeypot" to the second line.

echo '<p style="display:none">';
echo '<p>';

The field is hidden only by display:none in the style, so this simply turns that off.

Now open one of the posts that accepts comments, enter something in the email re-entry field, and click the submit button.

After sending, open Comments in the admin screen; if the comment has been moved to the spam item, the honeypot is working.

If you leave it as it is, the re-entry field of the email address will be displayed in all comment forms, so please restore it after confirmation.
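The decision made in "ha_detect_honeypot" can also be checked offline, without un-hiding the field on a live site. The following stand-alone PHP script is an added example, not part of the original post: ha_honeypot_tripped() is a hypothetical helper that applies the same rule to constructed request bodies, and only the field name "confirmationmail" comes from the page.

```php
<?php
// Added example: stand-alone check of the honeypot decision (run with: php honeypot_check.php).
// ha_honeypot_tripped() is a hypothetical helper; only the field name comes from the page.

/**
 * Return true when the hidden "confirmationmail" field carries real input.
 * $post stands in for $_POST.
 */
function ha_honeypot_tripped(array $post): bool {
	if (!array_key_exists('confirmationmail', $post)) {
		return false; // field absent: not a submission of this form, leave the status alone
	}
	$value = $post['confirmationmail'];
	if (!is_string($value)) {
		return true; // e.g. an array value, which the real form never produces
	}
	return trim($value) !== ''; // whitespace alone does not count as input
}

// Constructed sample submissions (not captured traffic): [request body, expected result].
$cases = [
	'person, field left empty'       => [['comment' => 'Nice post', 'confirmationmail' => ''], false],
	'person, field holds whitespace' => [['comment' => 'Nice post', 'confirmationmail' => " \r\n"], false],
	'automated, every field filled'  => [['comment' => 'Buy now', 'confirmationmail' => 'a@example.com'], true],
	'array-valued parameter'         => [['comment' => 'Buy now', 'confirmationmail' => ['x']], true],
	'request without the field'      => [['comment' => 'Hello'], false],
];

$failed = 0;
foreach ($cases as $label => [$post, $expected]) {
	$got = ha_honeypot_tripped($post);
	$ok  = ($got === $expected);
	$failed += $ok ? 0 : 1;
	printf("%-32s %-5s %s\n", $label, $got ? 'spam' : 'pass', $ok ? 'ok' : 'MISMATCH');
}

// Non-zero exit status if any case disagrees with its expected result.
exit($failed === 0 ? 0 : 1);
```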

As mentioned above, I was surprised that Honeypot can be implemented in the comment form with just this much code. You don’t have to register it somewhere with a plugin, so if this is enough, it’s easy.

As of May 25, 2021, I stopped the plugin I was using on the sites I manage and put this code in its place, but since all of those sites get almost no spam in the first place (they get almost no comments … sad), the effect is unknown.

If you implement it on your site and it is effective, I would appreciate it if you could spread it on SNS etc.

Reference: https://gist.github.com/vijujohns/b0b8582d50abc1bc508a