Hey guys, I had a problem with blogspam in WordPress. What I did was open up the comments template in the theme editor, find the HTML markup for the comment field, and JavaScript-obfuscate it, like this:

<script language="javascript"> document.write( unescape( '%3C%70%3E%3C%74%65%78%74%61%72%65%61%20%6E%61%6D%65%3D%22%63%6F%6D%6D%65%6E%74%22%20%69%64%3D%22%63%6F%6D%6D%65%6E%74%22%20%63%6F%6C%73%3D%22%36%30%22%20%72%6F%77%73%3D%22%31%30%22%20%74%61%62%69%6E%64%65%78%3D%22%34%22%3E%3C%2F%74%65%78%74%61%72%65%61%3E%3C%2F%70%3E')); </script>
<script language="javascript"> document.write( unescape( '%3C%70%3E%3C%69%6E%70%75%74%20%63%6C%61%73%73%3D%22%73%75%62%6D%69%74%63%6F%6D%6D%65%6E%74%22%20%6E%61%6D%65%3D%22%73%75%62%6D%69%74%22%20%74%79%70%65%3D%22%73%75%62%6D%69%74%22%20%69%64%3D%22%73%75%62%6D%69%74%22%20%74%61%62%69%6E%64%65%78%3D%22%35%22%20%76%61%6C%75%65%3D%22%53%75%62%6D%69%74%22%20%2F%3E%0A%3C%69%6E%70%75%74%20%63%6C%61%73%73%3D%22%72%65%73%65%74%63%6F%6D%6D%65%6E%74%22%20%6E%61%6D%65%3D%22%72%65%73%65%74%22%20%74%79%70%65%3D%22%72%65%73%65%74%22%20%69%64%3D%22%72%65%73%65%74%22%20%74%61%62%69%6E%64%65%78%3D%22%35%22%20%76%61%6C%75%65%3D%22%52%65%73%65%74%22%20%2F%3E%0A%3C%69%6E%70%75%74%20%74%79%70%65%3D%22%68%69%64%64%65%6E%22%20%6E%61%6D%65%3D%22%63%6F%6D%6D%65%6E%74%5F%70%6F%73%74%5F%49%44%22%20%76%61%6C%75%65%3D%22')); </script><?php echo $id; ?>" /> </p>

No more blogspam for weeks now.

Online JavaScript obfuscator

Note: make sure to obfuscate HTML only. You can't obfuscate PHP tags. If this gets rid of your spam, feel free to drop me a green!
This doesn't interest anyone? Hello??

This is how it works.

<script type="text/javascript">document.write(unescape('encoded string'));</script>

It takes the HTML comment form and hides it in JavaScript. When a visitor views the page, it unescapes the JavaScript, hence the user will see no difference. But a SPAM bot will not see the form! So it cannot fill out the form with spam and hit post. I have not had any spam on my WordPress for weeks now.

This is an escaped sentence. Example:

Hello world = %68%65%6C%6C%6F%20%77%6F%72%6C%64

If you put that in

<script language="javascript"> document.write( unescape( '%68%65%6C%6C%6F%20%77%6F%72%6C%64' ) ); </script>

it will unescape and be put on the page with document.write. You will still see Hello world, it's just obfuscated in JavaScript.
It's the part that has the HTML for the comment form, probably called comment template in the theme editor in WordPress. Find the exact HTML for the comment form, copy it and put it into here. Using that tool, then replace the HTML with

<script language="javascript"> document.write( unescape( '<--INSERT ESCAPED STRING HERE -->' ) ); </script>

You don't have to escape the entire template file, just the form part of it; it probably starts with the <form> attribute. Make sure not to escape PHP tags. There are a few around the HTML, so you may have to work around them, meaning you might have 2 or 3 escaped strings with the JavaScript. And back it up first before editing it.

This is better than a captcha! I guarantee it. The spammers will not like this. They will have to make their bots unescape JavaScript to see it (which is unlikely to happen anytime soon).
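The procedure in the post above (escape only the HTML around the PHP tags, ending up with two or three escaped strings), as an added example that is not part of the original post. It is a Node.js script; the helper names `escapeAll`, `wrap` and `obfuscateTemplate` and the sample template are constructed for illustration. It goes one step further than the post by leaving the tail of a tag that contains PHP output as plain HTML, the way the first post's snippet leaves `" /> </p>` unescaped.

```javascript
// Added example, not from the thread. All helper names are hypothetical.
// Encode every character as %XX (%uXXXX above 0xFF), the form unescape() reads.
function escapeAll(text) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    const code = text.charCodeAt(i);
    const hex = code.toString(16).toUpperCase();
    out += code < 256 ? '%' + hex.padStart(2, '0') : '%u' + hex.padStart(4, '0');
  }
  return out;
}

// Wrap one HTML fragment in the document.write(unescape(...)) form from the thread.
function wrap(html) {
  if (html.trim() === '') return html; // nothing worth hiding
  return '<script type="text/javascript">document.write(unescape(\'' +
    escapeAll(html) + '\'));</script>';
}

// Encode only the HTML between PHP tags; PHP blocks pass through untouched.
function obfuscateTemplate(source) {
  const parts = source.split(/(<\?(?:php|=)?[\s\S]*?\?>)/);
  let inTag = false; // previous HTML fragment ended inside an unclosed tag
  let out = '';
  for (const part of parts) {
    if (part.startsWith('<?')) { out += part; continue; }
    let html = part;
    if (inTag) {
      // PHP output sits inside an attribute value, so the rest of that tag
      // stays plain HTML: a <script> element cannot run inside an attribute.
      const end = html.indexOf('>');
      const cut = end === -1 ? html.length : end + 1;
      out += html.slice(0, cut);
      html = html.slice(cut);
      inTag = end === -1;
    }
    out += wrap(html);
    // Heuristic: a '<' after the last '>' means a tag is still open.
    if (html !== '') inTag = html.lastIndexOf('<') > html.lastIndexOf('>');
  }
  return out;
}

// Constructed sample, modelled on the form fields quoted in the first post.
const sample =
  '<p><textarea name="comment" id="comment"></textarea></p>\n' +
  '<p><input type="hidden" name="comment_post_ID" value="<?php echo $id; ?>" />\n</p>';
console.log(obfuscateTemplate(sample));
```

The open-tag check is a simple heuristic and does not account for a `>` inside an attribute value or an HTML comment, so review the output before pasting it into a theme file.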
Here is an example. This is the default file for the comment.php template. The bolded part is what you would JavaScript-obfuscate.
Most people don't want to mess with the template files. Here are the 3 must-have plugins that I use to combat blogspam:
Akismet
Comment Timeout
Simple Trackback Validation
Those might work to some degree. What the bot does is parse the HTML and find the form, auto-fill it in presumably, then hit post. The comment is then put in your queue to be moderated. But encrypting the form itself in JavaScript makes it entirely invisible to bots (including spam bots). They will not see the form when they parse the HTML, meaning they have nothing to fill out and post to. So you wouldn't have to have a captcha or annoy legitimate commenters in any way (except if they have JavaScript off, but those are the small minority).
nice..I'll have to take a look at that plugin... to the OP, someone like me or anyone who's got experience with modifying php files could easily do what you're suggesting...I think it's brilliant.. just saying the average user might find it too confusing, perhaps... thanks for sharing
I've taken a look at your blog and I see no escaped javascript strings hiding the comment form on your posts. Yes most likely,
Understand that this is going to make the blog inaccessible to anyone who's using a browser that doesn't support JavaScript (such as most mobile phones), has been blocked by a firewall (the price we pay for Web surfing at work - well not me, I work for myself), or has otherwise been "turned off" out of an absurd paranoid fear of having their computer broken into.
To be honest, I don't care what you see when you look for escaped JavaScript strings on my blog. WP Spam-Free blocks 99.9% of spam comments for me, leaving 2-3 in Akismet which are usually false positives. And it does it all without me adding code to my files. Plus it uses cookies along with JS to make it even more useful. That's what I care about. http://wordpress.org/extend/plugins/wp-spamfree/