Peter's Useful Crap

My anti-spam plugin is one of many Captcha comment plugins for WordPress. In the effort of continuous improvement, I’m perpetually trying to tweak my plugin for better performance, effectiveness, and compatibility. Here are two points that are problematic for most of the Captchas and that might be helpful for other amateur developers like me.

1. Use the preprocess_comment filter to analyze comments early
Thanks to the ever-so-detailed WordPress Plugin API I discovered the filter preprocess_comment, which is the first “event” that occurs when a comment is posted. Most plugins call their functions during the action comment_post, but this “event” occurs a bit too late in the timeline. While comment_post is occuring, the comment has already been posted to the database, and your plugin is forced to go into the database to delete spam comments. This is obviously transparent to users, but is ineffecient from the processing point of view.

What you should try to do is to stop the spam before it hits the database by using preprocess_comment instead of comment_post.

2. Give users the option to allow trackbacks and pingbacks through
Captcha forces users to enter the characters seen in an image in order to ensure that the poster is not a spambot. However, trackbacks and pingbacks are other ways of posting comments, and they obviously cannot see your Captcha image. You can use other methods of stopping trackback and pingback spam, such as installing a filter-type plugin (for example, Akismet) or renaming your trackback file. But the problem remains that you have to correctly identify trackbacks and pingbacks in order to turn off the Captcha test. Otherwise, users that install your plugin are effectively blocking all trackbacks and pingbacks.

Surprisingly, the answer to this problem was a bit hard to find, but it turned out to be quite a simple solution. In the array that is sent during the preprocess_comment event, one of the fields that is submitted is comment_type. The value of this is blank for normal comments, and is otherwise equal to “pingback” and “trackback”. Therefore, use an “if” statement such as the one below (in your comment filter function), in order to identify and subsequent allow the passing through of pingbacks and trackbacks.

if ($incoming_comment['comment_type'] == "") {
// run anti-spam check }
else {
// return to normal }

————————————–

Thanks to Ajay for taking the time to examine some of this stuff with me.

Other variations

• A version where the text is more obscured
• A Math Anti-Spam version for WordPress
• A Random Anti-Spam version for WordPress
• A version of this plugin for non-WordPress sites at the request of a few visitors.
• eZ Publish version of this plugin for eZ Publish 3.8+.
• Case study on applying the plugin to a forum. Perhaps this could serve as a framework for others!
• Version for WordPress MU (multi-user) The latest normal WordPress version of this plugin should work with WPMU. Instructions on how to install the plugin with WordPress MU.

———————–

I really dislike spambot posts. You know, the ones that advertise jumbled links. There are quite a few plugins to combat blog comment spam, and they usually come in two varieties: one that filters and identifies spam posts and another that forces users to identify a random word displayed as an image in order to block spambots that cannot read your image. You can use both varieties of spam filters in tandem. There’s even a third option where you can rename your comment and trackback files in order to reduce the server load from spambots.

At any rate, I’ve developed my own anti-spam image plugin. You can test it by leaving a comment on this site.

My plugin is based on Anti-Spam Image by Krazy Nio (which I can no longer locate) and I also used some code that I learned from what I like to call the best PHP tutorial ever.

Features

• Toggle whether registered users need to enter the word
• Random font display
• No cookies required
• No JavaScript required
• Auto-generated audio for visually impaired users
• Easy-to-read
• No mapping of words from the code — words are used once or removed after 24 hours
• Reminder of what was entered if you get the word wrong
• Selective blocking of trackbacks, pingbacks
• Easy to translate

Negatives

• Purposely no obscuring techniques so that the anti-spam word is easy to read
• The more people who use this plugin, the more motivation for spambots to target it

Requirements

• GD Library and FreeType Library (There’s a diagnostic page at Manage > Custom Anti-Spam in your WordPress admin panel to tell you whether you have them installed. If needed, just ask your web host to install them!)
• WordPress 3.2 or higher

That being said…

Version 3.2.2 of Peter’s Custom Anti-Spam Image Plugin for WordPress [February 8, 2014: Minor code cleanup (thanks koc!)]

Download Version 3.2.2

Translations

• ru_RU translation by koc
• Patrik Žec (PATWIST)

View all past versions

Instructions:
2.0+ releases:
Unzip the entire folder custom-anti-spam to your plugins directory, so that the path is wp-content/plugins/custom-anti-spam/. Then activate the plugin via your WordPress admin section. The plugin should work directly “out of the box”, but all settings can be customized in the Settings > Custom anti-spam page in your WordPress control panel (3.1.0 and up) or in the plugin file itself (3.0.7 and lower). If you are upgrading from a previous release, de-activate that release first.

Here’s a brief outline on how to do the manual insert.

Check the archive page for pre-2.0 instructions.

Common issues

– Keep the words short (7-8 letters max).
– Make sure you upload the .ttf files in binary, not ASCII format.
– After initializing the plugin, log out of WordPress to test it. By default registered users don’t have to enter the anti-spam word (although this can be changed in the settings at the top of the plugin file).
– If you have a funky theme, you might want to tweak the code to display optimally. For example, with the In Business theme, try copying and pasting the default comments.php code over In Business’s comments.php; for the Blix theme, check this out.
– Check the diagnostic page at Settings > Custom Anti-Spam in your WordPress admin panel to see any possible problems.
– Getting a database error after installing? You might have to create the tables manually. See this forum post for details.
– Are you using WordPress 2.6 or higher and did you move wp-config.php or the wp-content folder to a non-default location? Upgrade to version 3.0.7 of the plugin or higher and configure the $cas_wpconfig setting in the plugin file itself.
– If you are using a caching plugin that does not allow specific parts of a page to be uncached, set the option “Use JavaScript to generate anti-spam code” to “Yes”.

Plugin upkeep

For best continuing anti-spam performance:

– Change up the anti-spam words every once in a while
– Change up the fonts every once in a while

————————

Please make all comments and questions regarding the plugin in the forum! The number of comments were getting to be a bit hard to follow, so the forum should help with organization. Old comments are on the history page.

Note: you can still test the plugin using the comment form on this page. However, all comments are deleted once daily.

Forum for Peter’s Custom Anti-Spam Image

Forum/Topic	Started	Last post	Posts
Peter’s Custom Anti-Spam for WordPress Some suggestions for markup validation and Russian translation	February 5, 2014 7:23 am by koc	February 5, 2014 7:51 am by Peter	2
Peter’s Custom Anti-Spam for WordPress WP 2.9.2 + anti-spam 3.2.0 + install manual = no images,	September 24, 2013 10:35 pm by juliyanto	September 25, 2013 1:54 pm by Peter	2

July 10th, 2007 note: I have spun off a separate site to deal specifically with high interest savings accounts: highinterestsavings.ca. Therefore, the three reviews below will be maintained and updated there.

If you have access to a computer and you’re not yet doing online banking, get with the program! Save time and money by conducting day-to-day transactions such as bill payments online; while you’re at it, stop giving the big banks funds to re-distribute to their shareholders. Consider a high-savings account at one of the “online” banks for rates that are comparable to GICs! When I first heard of ING Direct (when I was first considered online banks) a few years ago, I was wondering, “is it for real?” The answer is a resounding yes — these are all real banks, their web interfaces are secure, and you are covered under the CDIC.

Once I went the online banking route, I have never looked back. Most of them suggest that you still keep at least one account at a bricks and mortar (b&m) bank, which is a good idea. Whenever you open an account with an online bank, simply mail in a void cheque (they will give you detailed instructions on how to do this) and you will be able to electronically transfer between your b&m and online accounts. Electronic transfers usually take 5 business days.

Here is a review of the three banks that I have accounts with:

A caveat: I’ve tried to cover all of the main points as accurately as possible. Feel free to leave a comment to this post asking me any questions about banking with these three banks, as I have accounts with all three of them and do not work for any of them! However, please visit the banks’ respective websites to get the most updated information!

————————————-

ING Direct

Website: http://www.ingdirect.ca
Account of note: Investment Savings Account, 3.5% as of April 11th, 2007

Catchy ads and fun newsletters call attention to what is actually a rather limited account. You must rely on linking this account to another bank (once you do this, you can transfer money between banks for free), as there are only 7 ATMs in Canada where you won’t be charged fees to withdraw money directly from ING Direct. This might actually encourage you to save your money…

What ING Direct has going for it is the simplest online interface I have ever seen. Online banking beginners will enjoy the flat learning curve:

Key Details
-no minimum balance required
-no cheques available, no online bill payment system
-very accessible customer service by phone

Interesting Facts:
-Get a $13 sign-up bonus by registering at http://www.ingdirect.ca/en/ISAfriends/ before the end of the 2007 (that page says until the end of 2006, but it’s still valid). If you don’t know anybody who has an existing ING Direct account and you need a referral code, ask me for mine. I’d post mine publicly, but that might defeat the unbiased approach I’m going for…

————————————-

Citizens Bank of Canada

Website: http://www.citizensbank.ca
Accounts of note: Ultimate Savings Account, 3.55%; Investment Savings Account, 2.4% as of April 11th, 2007

Citizens Bank is actually a Vancity company, and is my favourite bank. You get free cheques on the Investment Savings Account, and can transfer funds between that account and the Ultimate Savings Account instantly (instantly as in… as soon as you click the button!).

Therefore, keep as much money as you can in the Ultimate Savings Account and transfer it to the Investment Savings Account whenever you need it (this transfer happens instantly).

Regarding ATMs, Citizens Bank is on the Exchange network, which HSBC and all of the BC credit unions are a part of. Did somebody say coverage?

Key Details
-no minimum balance required
-pair the Ultimate Savings Account and Investment Savings account for a powerful combo
-free cheques, free bill payments

-four free debits from ATMs on the Exchange network, which should be plenty if you use your credit card as much as possible…

Interesting Facts:
-Ultimate Savings Account’s interest rate is unofficially pegged at 0.05% higher than that of ING Direct’s
-If you’re familiar with credit union online interfaces such as Vancity’s and Envision’s, you’ll feel right at home
-Call their customer service line (available 24/7) and get some of the same representatives that handle Vancity’s customer service. They’re not supposed to reveal this fact, but some of them will admit it…

————————————-

PC Financial

Website: http://www.banking.pcfinancial.ca/a/products/savingsPlusAccount.page
Account of note: Interest Plus Savings Account, 4.0% for balances over $1,000; No-Fee Bank Account, 0.10 to 0.50% as of April 11th, 2007

If you have over $1,000 to save, use PC Financial. Otherwise, consider ING Direct or Citizens Bank.

If you have a Superstore near you, head into their financial pavilion and set the account up in person. Then pair the Interest Plus account with the No-Fee account to enjoy free everything (cheques, bill payments, withdrawals from PC Financial and CIBC machines). Just be sure to only transfer as much as you need, when you need it to the No-Fee account. Currently I have $0 in my No-Fee account.

I find the interface a bit clunky, but it just takes some getting used to.

Key Details
-no minimum balance required in the No-Fee chequing account
-free everything (practically): just transfer money (allow yourself 24 hours, unlike with transferring between Citizens Bank accounts) from the Interest Plus account to the No-Fee account

Interesting Facts:
-PC Financial is now a divison of CIBC. This hasn’t seemed to negatively affect account features or service.

————————————-

The bottom line:
Use ING Direct for the easy-to-use interface.
Use Citizens Bank for the most powerful, flexible account with the best feature-to-rate ratio.
Use PC Financial for the highest rate if you have more than $1,000.

Extra reviews:
Here’s a guy who was looking at some less mainstream high-interest accounts, such as Achieva, Cataract, and Dundee: High Interest Savings Account Search. He ended up going with Achieva.

From the creators of BugMeNot (where you can find shared logins for all those sites that force you to register) is RetailMeNot. There are many coupon sites out there, but the interface of RetailMeNot is uncluttered and straightforward. RetailMeNot is a bit new, but in time it should become the premiere database for coupon codes. So check there before you buy anything online in order to save a few dollars.

For example, never pay regular price to register a domain name at godaddy.com again: get a coupon code that will knock the price down $2. Looking to sign up for online banking at ingdirect.ca? Get a referral code that will give you a bonus $13.

You might have the best anti-spam plugin in the world, but that won’t stop spambots from visiting your site. If you have a WordPress blog, they will hammer your wp-comments-post.php and wp-trackback.php files automatically — you might not see the spam anymore, but the bloody spambots are still bogging down your server (10% of all hits to theblog.ca are spambots!).

One possible solution is to rename the files that accept comments and trackbacks! This way, the spambots encounter a “file not found” page when they are looking for your default wp-comments-post.php and wp-trackback.php locations. This is much easier on your server and if you do it correctly, your regular visitors won’t even notice as commenting and trackback capabilities will continue to work. However, make sure you change the references to these two files in your WordPress code. For most installations, here’s what you do:

1) In your base WordPress directory, rename wp-comments-post.php to something like wp-comments-roller.php, and rename wp-trackback.php to something like wp-trackback-hockey.php.

2) Edit your WordPress files that reference these two files. For most with WordPress 2.0, this means editing one reference of wp-comments-post.php each in your theme’s comments.php and comments-popup.php files (found in the folder wp-content/themes/yourtheme/); wp-trackback.php is referenced once in comment-functions.php (this is comment-template.php in 2.1.x) and twice in template-loader.php (found in the folder wp-includes/).

———————————————

If you allow registration on your site, rename wp-login.php (this type was suggested by Kent). This file is the registration file (as well as the login file) — if you rename it and give its location only to potential members (that is, don’t link to it with a big “Register here” link) not as many spambots will be able to figure out where it is. Just remember to change all references to the file in the WordPress files, including:

wp-login.php
wp-admin/admin-header.php
wp-includes/general-template.php
wp-includes/pluggable.php

———————————————

Note: if you’re unsure of what you’re doing, back up your files first! When upgrading, remember to do this process over again. Also, if you have Notepad++ or some other program that can search source code, use that to find any overlooked references of your renamed files.