Hi, DIYgod

nintendo switch

WordPress Anti-Spam Comment Battle

WordPress spam comments have always been super annoying. Without an effective interception solution, websites can be instantly flooded with hundreds of spam comments every day.

Because it is a problem that every WordPress site cannot avoid, everyone has come up with various solutions. Here is a summary of the characteristics and advantages and disadvantages of each method:

Identifying spam comments#

Represented by the Akismet plugin, it determines whether a comment is spam based on the content of the comment or the information of the commenter, and then decides whether to intercept it. When enabled, it can intercept almost all spam comments, but the biggest drawback of this method is false positives. Our site has been using the Akismet plugin before, and the probability of false positives is quite high. Even if we frequently check the spam folder, it is easy to miss a normal comment mixed with a bunch of spam comments in the spam folder. Secondly, it slows down the speed of submitting comments because each comment needs to be sent to Akismet's foreign servers for identification.


Prohibit non-Chinese comments#

More than 90% of spam comments come from abroad, so this method can intercept more than 90% of spam comments. However, the disadvantage is that it cannot send pure emoticons and normal comments like "2333" or "Thanks", and it cannot intercept Chinese spam comments.


Modify the comment post address#

Although this method seems a bit self-deceiving, the effect is surprisingly good because the vast majority of spam comments are like idiots who only know how to submit spam comments through the wp-comments-post.php in the website's root directory. The only slightly troublesome thing is that WordPress needs to be modified again after each upgrade.


Manual verification plugin#

For example, drag and unlock, puzzle, and captcha have good effects, but they sacrifice user experience and are unnecessary for small sites.


Set token#

Our site now uses this method, the principle is that every time the page is refreshed, the backend will return a different token and place it anywhere on the page, and then use JavaScript to fill the token into a hidden input at the appropriate time. When submitting a comment, the value of the hidden input (normally the token) is submitted together. The backend judges whether the value is legal to determine whether the comment is submitted through normal channels. Although this method can also be cracked, the difficulty of cracking is obviously much higher, and more importantly, the token algorithm and the structure of the hidden input can be easily changed. Every simple modification can make the cracking invalid.

It is also very simple to use. Just put the following code in the theme's function.php:

$leonax_magic_lower = 328;  // minimum value of token, modify as you like
$leonax_magic_upper = 3450709;  // maximum value of token, modify as you like
function leonax_anti_spam_form($fields){
    global $leonax_magic_lower, $leonax_magic_upper;
    $leonax_magic = mt_rand($leonax_magic_lower, $leonax_magic_upper);  // token value placed on the page, a random number that is different every time
    $fields['leonax_magic'] = <<<EOT
        <input type="hidden" id="leonax-magic" name="leonax-magic" value="0">  // hidden input
            $(function() {
                $("#comment-content").on("keyup", function() {  // js detects and fills in the token when triggering keyup, click, or touch events
                $('body').on('click touch', function () {
    return $fields;
add_filter('comment_form_default_fields', 'leonax_anti_spam_form');

function leonax_anit_spam_caught() {
    wp_die('<strong>Comment failed</strong>: Go to hell, spam comments!');

function leonax_anti_spam_check( $commentdata ) {
    $comment_type = '';
    if ( isset($commentdata['comment_type']) ) {
        $comment_type = trim($commentdata['comment_type']);

    if ( ($comment_type == 'pingback') || ($comment_type == 'trackback') ) {
        return $commentdata;
    $content = '';
    if ( isset($commentdata['comment_content']) ) {
        $content = trim($commentdata['comment_content']);
    if (!strlen($content)) {

    global $leonax_magic_lower, $leonax_magic_upper;

    if ( isset($commentdata['user_ID']) && $commentdata['user_ID'] ) { // do not judge for logged-in users
        return $commentdata;

    if ( !isset($_POST['leonax-magic']) ) {
    $magic = intval($_POST['leonax-magic']);
    if ($magic < $leonax_magic_lower || $magic > $leonax_magic_upper) {  // the token value is legal only between the maximum and minimum values set above
    return $commentdata;

add_filter( 'preprocess_comment' , 'leonax_anti_spam_check' );

The above code is from LEONA+ and


Currently, only these methods have been found. Feel free to add more.

Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.