The Stop Spammer Registrations Plugin checks against StopForumSpam.com, Project Honeypot and BotScout to prevent spammers from registering or making comments.
The Stop Spammer Registrations Plugin works by checking the IP address, email and user id of anyone who tries to register, login, or leave a comment. This effectively blocks spammers who try to register on blogs or leave spam. It checks a user's credentials against up to three databases: Stop Forum Spam, Project Honeypot, and BotScout. In order to use the Project Honeypot or BotScout spam databases you will need to register at those sites and get a free API key. Stop Forum Spam does not require a key so this plugin will work immediately without getting a key. The API key for Stop Forum Spam is only used for reporting spam.
In addition to checking the top forum spam databases, the plugin will optionally check against several email spam DNSBL sites such as spamhaus, dsbl, sorbs, spamcop, ordb, and njabl. In testing, this sometimes caught spam that the comment spam databases missed.
Optionally, a webmaster can specify that disposable emails be denied. These disposable emails are frequently used by spammers to hide their identity. They have a certain legitimate use in that they can provide anonymity to users. Legitimate commenters will probably not feel the need to remain anonymous, though. The plugin detects about 500 disposable email domains, but there are probably many more.
This plugin keeps track of a number of spammer emails and IP addresses in a cache to avoid pinging databases more often than necessary. The results of the most recent checks are saved and displayed under settings. The size of the history and bad user lists can be set from 10 to 100. This information is stored in an array in the WP options table. The size of the array can raise the resource requirements of WordPress, which is already pushing the resource limits of some hosts, so keep the cache small.
In case a user results in a false positive on one of the spam databases, there is a white list where email addresses or IP addresses can be entered. This will allow such users to register, login and comment on the blog.
Requirements: The plugin uses the WP_Http class to query the spam databases. Normally, if WordPress is working, then this class can access the databases. If, however, the system administrator has turned off the ability to open a url, then the plugin will not work. Sometimes placing a php.ini file in the blog’s root directory with the line “allow_url_fopen=On” will solve this.
The plugin is ON when it is installed and enabled. To turn it off just disable the plugin from the plugin menu.
The plugin keeps a count of the spammers that it has blocked and displays this on the WordPress dashboard.
The plugin will also reject registrations, comments and pings where the HTTP_ACCEPT header is missing. This header is present in all browsers and its absence indicates that a program, not a human, is attempting to leave spam.
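The local checks described above (white list, missing HTTP_ACCEPT header, and the bounded cache of bad IPs and emails) can be sketched as one gate that runs before any remote database is queried. This is an added example, not the plugin's own code: the function names, the order of the checks and the cache layout are assumptions, and the sample data is constructed.

```php
<?php
// Added sketch, not the plugin's code. Function names, the order of the
// checks and the cache layout (key => last-seen timestamp) are assumptions.

const CACHE_TTL = 86400; // cached data expires after 24 hours (changelog 1.7)
const CACHE_MAX = 25;    // the page allows a list size of 10 to 100

/** Drop expired entries, then keep only the CACHE_MAX most recently seen. */
function prune_cache(array $cache, int $now): array
{
    $cache = array_filter($cache, fn(int $seen) => $now - $seen < CACHE_TTL);
    arsort($cache);                          // newest first, keys preserved
    return array_slice($cache, 0, CACHE_MAX, true);
}

/**
 * Local checks that run before any remote database is queried.
 * Returns [verdict, reason, updated cache]; verdict is allow, deny or lookup.
 */
function precheck(array $server, string $ip, string $email,
                  array $whiteList, array $cache, int $now): array
{
    $cache = prune_cache($cache, $now);
    $email = strtolower(trim($email));

    // 1. The white list overrides everything, including cached hits.
    if (in_array($ip, $whiteList, true) || in_array($email, $whiteList, true)) {
        return ['allow', 'white list', $cache];
    }
    // 2. Every browser sends Accept; a missing header means a script.
    if (trim($server['HTTP_ACCEPT'] ?? '') === '') {
        return ['deny', 'missing HTTP_ACCEPT', $cache];
    }
    // 3. Known bad IP or email: deny without spending a remote lookup, and
    //    refresh last-seen so the entry ages from its latest attempt.
    foreach ([$ip, $email] as $key) {
        if ($key !== '' && isset($cache[$key])) {
            $cache[$key] = $now;
            return ['deny', "cached: $key", $cache];
        }
    }
    // 4. Unknown visitor: the caller now queries the spam databases and
    //    adds the IP and email to the cache if any of them reports a hit.
    return ['lookup', 'not cached', $cache];
}

// Constructed sample data.
$now       = 1700000000;
$whiteList = ['admin@example.org'];
$cache     = ['203.0.113.7' => $now - 3600,        // seen an hour ago
              'old@example.net' => $now - 90000];  // older than 24 hours
$accept    = ['HTTP_ACCEPT' => 'text/html'];
$cases = [
    [$accept, '203.0.113.7',  'admin@example.org'], // white-listed email
    [[],      '198.51.100.9', 'bot@example.com'],   // no Accept header
    [$accept, '203.0.113.7',  'new@example.com'],   // cached bad IP
    [$accept, '198.51.100.9', 'old@example.net'],   // cache entry expired
];
foreach ($cases as [$server, $ip, $email]) {
    [$verdict, $reason] = precheck($server, $ip, $email, $whiteList, $cache, $now);
    printf("%-14s %-18s %-6s %s\n", $ip, $email, $verdict, $reason);
}
```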
If you are running a networked WPMU system of blogs, you can optionally control this plugin from the control panel of the main blog. By checking the “Networked ON” radio button, the individual blogs will not see the options page. The API keys will only have to be entered in one place and the history will only appear in one place, making the plugin easier to use for administrating many blogs. The comments, however, still must be maintained from each blog. The Network buttons only appear if you have a Networked installation.
The plugin adds links to the Comment Moderation page to check a comment’s credentials against the spam databases. If you have entered the Stop Forum Spam API key you can also report the spammer to the SFS database. Please make sure that the comment is actually spam and not from some clueless commenter who likes to salt his comments with spammy links. (I find that comments that do not specifically reference the post are always spam. “Nice Blog” comments I tend to report immediately.)
The Stop Forum Spam site requires an email and an API key to report spam. If the commenter did not leave an email address (as in a pingback) then the link to report the spam will not be visible.
Problems: In systems with constraints on memory and many other plugins, this plugin will sometimes fail trying to retrieve its options. This results in resetting the configuration. The plugin uses two or three thousand bytes to store the history, cache, and settings. This is not very much, but some plugins use much more memory, and they will cause this plugin to fail. The solution is to remove or disable some of the plugins that are hogging all the memory.
StopForumSpam.com limits checks to 10,000 per day for each IP so the plugin may stop validating on very busy sites. I have not seen this happen, yet. Results are cached in order to thwart repeated attempts.
You may see your own email in the cache as spammers try to use it to leave comments. You may have to white list your own email if that is the case, to keep the plugin from locking you out.
Watch the YouTube spam trap video! The video shows one of my plugins that anti-spam cops use. They run honey pots or sites that do nothing but attract spammers. These sites report as many as 500 spammers per hour to the same database that this plugin checks.
Download
Latest version: Download Stop Spammer Registrations Plugin v2.20 [zip]
Installation
- Download the plugin.
- Upload the plugin to your wp-content/plugins directory.
- Activate the plugin.
- Under the settings, add the appropriate API keys (optional). Update the white list. Set any of the optional items and limits.
FAQ
Changelog
1.0
- initial release
1.2
- renumber releases due to typo
1.3
- Check the ip address whenever email is checked.
1.4
- Checks the user name. Cache failed attempts with option to clear cache. Cleans up after itself when uninstalled.
1.5
- fixed a bug where the admin user was cached in error.
1.6
- Improved caching to help stop false rejections.
1.7
- Included signup form, that I forgot to add before. Cached data is automatically expired after 24 hours.
1.8
- fixed the cache cleanup (again). Changed the name in the titles and menus of the plugin to reflect that it does more than stop registrations.
1.9
- Added link to report spam to StopForumSpam.com database.
1.10
- Improved the access to StopForumSpam.com database. Fixed white space at end of plugin.
1.11
- Stored the StopForumSpam API Key. Fixed a possible security hole on the settings page.
1.12
- Fixed typo error.
1.13
- Changed Evidence field to spam url or content
1.14
- Changes suggested by Paul at StopForumSpam. Fix bug in zero history data. There has been much interest in the plugin so there has been lots of feedback. I am sorry for all the updates, but they are all good stuff.
I am stopping a few hundred per day on each of 9 blogs.
It is still not a replacement for Akismet. Since they both do different things they complement each other. It works well with Akismet.
If I ever release another version I’ll make note of the 20K in the notes. I need a break from plugin writing for a few weeks, at least.
Keith
Hi!
Nice plugin, I loved my smf stop forum spam plugin I’m glad someone did it for wordpress..
I have a little suggestion. I still have some spam users registering to my site. Can you please add an option to ban those people & report them to stop forum spam automatically?
Like when I go to users panel, I can choose those spam users and select ban & report from the drop down menu. This will be great! Thanks..
If there is another version, I will try to include this. SFM requires IP address, and it is a shortcoming of WordPress that it does not record a user's IP address anywhere.
Keith
If you use Register IP – MultiSite plugin it will log the users IPs and you can then report them.
Batch submitting is a bit tricky, because the IP isn’t logged in the wp_users table, where it should be, but in the wp_usermeta table.
It is odd that WP doesn’t log users ips.
wp_usermeta is the right place for a plugin to put the IP for the WP way of doing things, but you are right, it means a difficult look-up. You’d have to get the ip, and possibly a flag to say whether or not the user has been checked and then another usermeta flag to mark the spam.
It is not a nice clean solution. The use of meta tables breaks the whole idea of the relational calculus.
I worked on a project at IBM that would have added a database operation to rotate metatables so that the keywords could be used in selects like column names. Maybe MySQL will have this ability someday, but until then there is no nice way to do this.
Keith,
V2.0 is simply brilliant….easy to use and keep track of…. plus effective.
Thank you so much Keith – I just hope this plugin stops an attack I'm experiencing on my blog: about a 100 registrations in 12 hours had me looking for this …
having trouble finding APIs of Honeypot though….
BIG THX to you tho
Thank you, Keith! I’m really looking forward to this augmenting my existing anti-spam stuff from WPMU-DEV.
One note, however, is that you’ve got a bug in the link on 3.1+ on this page:
/wp-admin/network/settings.php?page=kpg_stop_sp_reg_control
The “There are X spam comments waiting for you to report them” link needs to have the “/network” portion of the path removed.
Thanks again, and I’m looking forward to reading your book.
I will check this out. It works for me, but I have very ordinary installations. I’ll see how I figure out that address and why it breaks.
Thanks,
Keith
That effect is on a multisite installation where the configuration was performed thru the “network” settings page, instead of thru the main site settings page.
Also, a feature request…
Would you mind adding the ability to a super-admin to report spam to SFS on user blogs? Currently (even with api keys all assigned) it appears that I can only report spam within the “home” blog on a multisite installation, and it’s VERY rare that the home site is the one that’s going to get the majority of spam on these sites. Something like this right inside any procedures you call should be sufficient:
if(is_multisite() && !is_super_admin()){return(0);}
Thank you!
I see the bug in the code. I am not sure how to fix it easily. I have to do some thinking. There are a bunch of new MU functions that would be useful on the network page, but they start working in 3.1. I should take the notice off the network page altogether and replace it with a link to a global comment page. (see caveat below).
As to the feature request. I have a site with 15 blogs, so I know what you mean. An option to display spam for all the sites is not going to be easy as there are some MU sites with tens of thousands of blogs. I might make it a separate plugin, just for MU.
I’m not really concerned about seeing all the spam on all sites from one interface (frankly, that would be a burden to manage the data), but it would be great to be able to see+submit the spam on individual blogs when I’m at their individual dashboards. I do manage a few sites that have a lot of users and blogs (almost 100k), but the spam on those sites needs to be managed as much as possible by the users. I’ve got ~30 blogs of my own between various MU installs though, and want to be able to manage them within their own dashboards.
I appreciate the plugin, it has helped this attack our site has experienced these past 3 days. I’ve had about 150 spammers register per day all of a sudden…before that, nothing. Your plugin was able to stop about 30% of them.
Does anyone happen to know or read why all of a sudden these are happening? We didn’t add or change anything on the site and the IP’s that I ran through ‘Stop Forum Spam’, and etc, were not listed. This may be a silly question as I am still a novice.
Thanks again for the plugin and will take a look at your eBook. Wish you continued success.
Mia
Register with project honeypot and botscout so you can use these databases also. Help everyone else by diligently reporting all of your spam.
I have had about 300 hits a day on one of my blogs. It looked like garbage to me, or some kind of test. I am amazed how the spammers never run out of IP addresses to hit you with.
Keith
Keith,
I would like to ask for a paid feature, that can be released to all, to check the db of registered users for spam account.
That is the case when a WP admin found this fantastic plugin, but he already has thousands of registered users.
Thanks,
–
P.
I have one that I am working on, but WP does not keep the IP address of users. I can check email, but that is usually spoofed. The way I have my plugin working is that it creates a “last_login” record for each user and lets you check against that.
Keith
I should have known that, having worked on it some years ago! Sorry for that and thanks nonetheless.
In the meantime I thought about blocking disposable emails, using http://www.block-disposable-email.com/ but maybe that is not real “spam” so is outside the role of the plugin.
Thanks again,
http://www.block-disposable-email.com requires registration. It also has a difficult API as I remember. There are many public lists of disposable email sites so it would be possible to block with a public list. 90% of the spam has spoofed addresses so I think that it would only provide a marginal benefit. It could help, though, with more sophisticated spammers who really want to register and get their spam out.
If I ever release another version, I will consider this.
Keith
Your plugin has been working great, and then all of a sudden yesterday I was hit with a wave of spam registrations. There were probably about 30 yesterday that got through, and I woke up this morning to another 48. Any suggestions for dealing with this sudden spike?
Make sure that you have the BotScout and Bad behavior API keys. These two sites sometimes get spammers before SFS. I use my htaccess file to block whole countries, as well as IP ranges for known spammer sites. There are public lists for htaccess files to block bad IP ranges. Akismet is still the best way to stop spammers after they get into the system. Akismet is usually up to date with spammers, although it is a pain to remove all the spam.
I’ve been getting 30 or more spammers a day for about a week on a couple of my sites that my plugin does not detect. There must be a new bot out there that is hitting wordpress sites.
Keith
I got hit with that attack last week as well….I also have my “regulars” that come back on a monthly schedule.
I just wanted to double check about the cache.
For example a cache bad email/IP is on the list with a very old date….then a new attempt is made with that email address/IP and the date is updated. It does not change position on the info page…..does that mean it is still close to being flushed from the cache or is the “aging” of the cache based on the last seen date?
red
At one point I sorted the cache and then I took the sort out. I just checked the code and it looks like I am still doing the sort. I looked at my caches and they don’t look sorted. I have to see what is going on with the sort.
I guess it is time to finish up some of the code I’m working on, fix the sort, and re-release.
Keith
I am not sure how important it is……
I saw during the June spam attack that my “regulars” got flushed out of the cache. The new guys also must have used a “proxytron” so after an hour or so they were back to the original IPs, but they were getting purged of the list.
I was using an IP block plugin and htaccess…..but since your last update this plugin is so effective and easy to use I have been able to uninstall a bunch of others. My entire site runs better now.
Thanks again,
rd
There is a bug in PHP that an array can be broken with a combination of characters. Some spammers send that combination of characters. I have tried to compensate, but every once in a while the cache array breaks and causes an error when I read it. I have code that prevents the plugin from crashing, but it resets all of the parameters.
The next version 2.10, has a workaround, but I still haven’t figured out how the array gets broken.
Version 2.10 should be out in a week or two.
One thing I just ran into: the plugin assumes that the IP it sees in the REMOTE_ADDR HTTP header is the actual client IP. My sites run behind a Varnish cache which means that ALL traffic comes from the Varnish cache server’s IP address!
Thus, once a single spammer gets blocked, ALL users get subsequently blocked with a cached bad ip. And if I whitelist the cache’s IP, then all traffic is automatically whitelisted.
One possible way to work around this would be to use the X-Forwarded-For HTTP header to get the IP address. This might work partially, but sometimes you’ll get a non-Internet IP from clients which means you have a similar situation ( any user with 192.168.0.1 would look the same to this plugin!).
So. My suggestion is this: Add an array of ‘internal’ IPs which are not fully whitelisted, but that are marked as ‘unknown’ — so they do not get cached. This, plus a way to use X-Forwarded-For when the REMOTE_ADDR is listed in an array of known proxy IPs, would let me use this plugin.
Thanks, otherwise the plugin works exactly as advertised
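The suggestion in the comment above (honour X-Forwarded-For only when REMOTE_ADDR is a known proxy, and treat internal addresses as "unknown" so they are never cached) can be sketched as follows. This is an added example, not code from the plugin or from the commenter: the function names and the proxy list are hypothetical, the addresses are constructed, and it assumes the proxy appends the address it saw to the right of the header.

```php
<?php
// Added example, not the plugin's code. Function names and the proxy list
// are hypothetical; all addresses below are constructed sample values.

/** False for private (RFC 1918), loopback and other reserved addresses. */
function is_public_ip(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/**
 * Pick the address to check against the spam databases.
 * Returns ['ip' => string, 'cacheable' => bool]; a non-cacheable address is
 * treated as "unknown": never stored in the bad-IP cache, never white-listed.
 */
function resolve_client_ip(array $server, array $trustedProxies): array
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return ['ip' => '', 'cacheable' => false];
    }
    // Direct connection: X-Forwarded-For is client-supplied, so ignore it.
    if (!in_array($remote, $trustedProxies, true)) {
        return ['ip' => $remote, 'cacheable' => is_public_ip($remote)];
    }
    // Behind our proxy: read the header right to left. The rightmost entry
    // was appended by our proxy; anything further left is client-supplied.
    $hops = array_reverse(array_map('trim',
        explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '')));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break;                       // empty or malformed: stop here
        }
        if (in_array($hop, $trustedProxies, true)) {
            continue;                    // one of our own proxies in a chain
        }
        return ['ip' => $hop, 'cacheable' => is_public_ip($hop)];
    }
    // Only the proxy address is known. Caching it would block every visitor.
    return ['ip' => $remote, 'cacheable' => false];
}

// Constructed sample requests (documentation address ranges).
$proxies = ['10.0.0.2'];
$samples = [
    'direct visitor'         => ['REMOTE_ADDR' => '198.51.100.23'],
    'direct, forged header'  => ['REMOTE_ADDR' => '198.51.100.23',
                                 'HTTP_X_FORWARDED_FOR' => '203.0.113.99'],
    'via proxy'              => ['REMOTE_ADDR' => '10.0.0.2',
                                 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
    'via proxy, forged left' => ['REMOTE_ADDR' => '10.0.0.2',
                                 'HTTP_X_FORWARDED_FOR' => '10.0.0.5, 203.0.113.7'],
    'via proxy, private hop' => ['REMOTE_ADDR' => '10.0.0.2',
                                 'HTTP_X_FORWARDED_FOR' => '192.168.0.1'],
    'via proxy, no header'   => ['REMOTE_ADDR' => '10.0.0.2'],
];
foreach ($samples as $label => $server) {
    $r = resolve_client_ip($server, $proxies);
    printf("%-24s ip=%-15s cacheable=%s\n", $label, $r['ip'],
        $r['cacheable'] ? 'yes' : 'no');
}
```

A caller would still query the spam databases for a non-cacheable address when it is routable, but would skip both the bad-IP cache and the white list for it.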
I can give that a try. I’ll add it to the list for the 2.2 release.
Thanks,
Keith
Thanks for devoting your time and writing this application. It’s a great value to the community and I’m glad I found it.
The dashboard line does not update on 2.10……cleared the cache and everything.
on the other hand everything else is working even after upgrading to WP 3.2.
rd
Fixed in 2.20. I’m running it on a few sites for testing and I’ll release it on Friday.
Keith
Hi I have been looking for this type of plugin for my free blog site. can it be used for everyone in the multisite network. or just main account?
It is aware of MU and you can set it so it is administered from the main blog or network administrator.
I setup the plugin yesterday and so far it seems to be working pretty well. The only thing is, I’m using it with multisite (fka WPMU) and I can’t figure out how to report spammers that aren’t caught by the filter – is there way to do that? This is for registrations, not for comments. Thanks.
Registrations don’t record the IP address. This is a problem with WordPress. I can’t report the user without an IP address.
The version I am working on records the “Last Login IP” in the user meta table and it will be able to report new registrations. I will probably not finish this for a few weeks, though.
Keith
Strange, in the logs (on your plugin’s page) I see an IP listed for ./wp-signup.php
Yes, I record it in the logs, but I don’t save it anywhere else. WordPress does not store it. I limit the number of log entries and once it is gone, it is gone.
I could, perhaps, make a link right on the log to report the bad registration. I did not do that because I felt the logs were transient and not the right place for it.
Makes sense. Thanks for the details. I installed the plugin as I’m getting registration spam… same 3 or 4 IP’s. I’ll just report them manually.
Great, Once you report them, they should not bother you again.
Keith
Finally had one get through after over 260 catches. I think the ability to report a spam registration that has slipped through “on the spot” would be immensely helpful for those of us less…er…technically minded. Great plugin.
I am rewriting things now. This will be a feature.
Keith
Hi,
Your plugin is used on our town website and is wonderful! May I ask if there is a way to have it scan the already-registered users to see if any of them are spam? If not, then could this feature be incorporated in a future update?
Many thanks,
~Andrew~
A volunteer helping with http://Whitchurch.org.uk
Unfortunately, the databases all use the IP address of the user and wordpress does not store IP addresses. In the next version the plugin will record ip addresses of logins, but that will not help with old users who don’t login anymore.
Keith
I only have a concern and a request.
First this summer I was getting at most 1 per week out of hundreds of blocks but now it has shot up to 20+ per day getting through and I’ve found a few spammers that are in the database have been able to register on my site. (@charter.1x email address matches the SFS database.)
I’ve deleted the offending user accounts and wonder if I should uninstall your plugin and reinstall it just in case they were able to hack me once they were able to get subscriber status? re-install the WP again also and overwrite any changes they may have made also?
Next as I just came home from vacation (2 days) and had 68 spam posts so I started to report all of them to SFS and every time I click a report to SFS it then opens a new window for the report form. But in talking to the SFS database owner once I was taken to that submission window and it says submission successful I don’t need to do anything further. Now I have to click back to my dashboard page and find the next entry and report it and be taken back to the report SFS page.
Can we simply have that page open in the background so I can continue to click report, report, report etc… mark all for delete perm and apply? That would make my job so much easier…
Thanks
WordPress does now seem to be storing IP addresses, so might there soon be a version of Stop Spammer Registrations that enables us to banish spam registrants (and simultaneously submit their data to StopForumSpam) with the ease of a click or two? Thanks.
Thanks,
I will check it out. I was working on the new release last week.
Keith
Great Script for stopping spam comments!!
Do you think it can also prevent spam users from posting posts? For instance, I am using http://www.appthemes.com/themes/classipress/ which is a classified script that allows users to post ads (Not comments). Your script would be amazing if it worked with classipress. I installed it and it seems like it’s stopping SOME registrations..
Thanks for this plugin.
However I’ve found what I won’t call a bug as I’m sure there is some logic behind it – but it’s not giving the correct feedback to the user.
I’m trying to register a test account from my IP address but cannot. WordPress gives me this
ERROR: Please type your e-mail address.
A quick search of kpg_stop_sp_reg_stats for the address I tried to use shows that I have been snagged.
It would appear that you have already tagged my IP (potentially as admin) and therefore restrict the ability to register a new account from that IP. The address I tried to use has then, after multiple attempts, also been snagged and further attempting to register from a completely different IP address also gives the same error.
I guess this is the desired effect so for testing we need to de-activate the plugin it would seem.
What would be nice is a message to the user, assuming a legitimate attempt at registration, to contact admin for help.
thanks
Put your IP address in the “White List” box on the settings screen of the plugin. This will allow you to test.
Keith
Your script saved my site from 468 spammers. Thanks!