Stopping spam with reCaptcha and Bad Behavior

Two of the most useful spam-fighting plugins are reCAPTCHA and Bad Behavior. The reCAPTCHA plugin fights spam by making sure that the person entering the spam is a human, not a spam bot. The Bad Behavior plugin takes a different approach. It keeps a list of known spammers that it will block from commenting on, or accessing, your site.

Time for action - setting up reCAPTCHA

1. Download the reCAPTCHA plugin from

2. Extract the file and upload the wp-recaptcha folder to your

/wp-content/plugins folder.

3. Move the file wp-recaptcha.php out of the wp-recaptcha folder so that it is inside the plugins folder.

4. Enable the plugin inside the Site Admin panel.

5. Go to Site Admin | reCAPTCHA and add your Public Key and Private Key.

6. Tick Enable reCAPTCHA for comments, Hide reCAPTCHA for registered users who can Publish Posts, and Enable reCAPTCHA for registrations.

7. Now, if you go to the registration page, you should see a CAPTCHA box at the bottom. You should also see one when you attempt to make a comment on a blog post.

What just happened?

We've just set up the reCAPTCHA plugin. This is an innovative CAPTCHA plugin with a twist. Every time someone enters your site and answers a CAPTCHA question correctly, they are helping with a global project to digitize old books. This way reCAPTCHA provides a useful service to webmasters for free and, at the same time, it's doing a great service by preserving old works of literature.

CAPTCHA actually stands for Completely Automated Public Turing test to tell Computers and Humans Apart. The aim of reCAPTCHA is to make a CAPTCHA that can be read by most humans but is too difficult for OCR (Optical Character Recognition) bots to correctly interpret.

CAPTCHAs work by presenting visitors with a question that can only be answered by a human. This could be a simple math problem, a piece of text to read, or something as easy as asking the visitor to "click on the picture of the cat". The answer to the question is simple enough that any human being should be able to answer it, but the question is presented in a way that makes it hard for a computer to tell what the answer should be.

Some CAPTCHAs can now be solved by spam programs—the battle against spam is a constant process and spammers are willing to create increasingly sophisticated methods of solving CAPTCHAs in order to continue their spamming endeavors.

The original Turing test was created by Alan Turing as a way to see if computers could actually think. The idea behind the test was to have a real human talk to a computer and another human being. After a long conversation, the human would be asked to identify which of the conversations had been with a computer. If they cannot identify the computer reliably over the course of several tests, then the computer has passed the Turing test.

So far, there is no computer program that has passed the test. Alan Turing predicts that machines capable of running a program that can pass the test will not be available until 2029.

When a user who is not currently logged in goes to register a new blog or make a comment, they will be presented with a CAPTCHA that contains two words. The words have a wavy line drawn through them to make them harder for bots to read. Both of the words come from old books that have had digital copies made using a scanner, but still need to be converted into text format.

One of the words shown to the user is a control word; the correct answer to that word is already known. The other word is one that still needs to be translated from image to text. If the user gives the correct answer for the known word, it is assumed that they also answered the unknown word correctly. Of course, reCAPTCHA does not rely on just one answer for each unknown word. What if someone made a typing error when answering one of the words? Every word is offered up for solving several times and the answers are compared. If a large number of people agree on the answer to the unknown word, then the word is considered to be solved.
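A small model of the two-word scheme just described, added here as an illustration (this is not reCAPTCHA's own code): the control word alone decides whether the visitor passes, and the answer to the unknown word is only recorded when the control word was right, so a typo in one submission cannot mis-transcribe the word. The agreement threshold (AGREEMENT_VOTES) is an assumption, since the text gives no figure.

```python
"""Toy model of the two-word reCAPTCHA scheme: one control word with a known
answer, one unknown word from a scanned book, and agreement voting.

Constructed illustration, not reCAPTCHA's own code. The agreement threshold
(AGREEMENT_VOTES) is an assumption; the page gives no figure."""
from collections import Counter, defaultdict
from typing import Dict

AGREEMENT_VOTES = 3   # assumed: submissions that must agree before a word counts as solved


def normalise(answer: str) -> str:
    """Lower-case and collapse whitespace so 'Bridge ' and 'bridge' compare equal."""
    return " ".join(answer.lower().split())


class WordPool:
    def __init__(self, control_words: Dict[str, str]) -> None:
        self.control = control_words                            # word id -> known text
        self.votes: Dict[str, Counter] = defaultdict(Counter)   # unknown id -> answer tallies
        self.solved: Dict[str, str] = {}                        # unknown id -> agreed text

    def check(self, control_id: str, control_answer: str,
              unknown_id: str, unknown_answer: str) -> bool:
        """Return True if the submission passes the human test.

        The control word decides pass/fail. Only a passing submission's answer
        to the unknown word is recorded as a vote, and the word is marked
        solved only once AGREEMENT_VOTES submissions agree on the same text."""
        if normalise(control_answer) != normalise(self.control[control_id]):
            return False                       # failed the human test: no vote counted
        if unknown_id not in self.solved:
            tally = self.votes[unknown_id]
            tally[normalise(unknown_answer)] += 1
            text, count = tally.most_common(1)[0]
            if count >= AGREEMENT_VOTES:
                self.solved[unknown_id] = text
        return True


def demo() -> Dict[str, str]:
    """Five constructed submissions against one unknown word; returns the solved words."""
    pool = WordPool({"c1": "morning"})
    submissions = [
        ("c1", "morning", "u1", "bridge"),   # passes, vote 'bridge'
        ("c1", "morning", "u1", "brdige"),   # passes, vote 'brdige' (a typo)
        ("c1", "mornng",  "u1", "bridge"),   # fails the control word: no vote
        ("c1", "Morning", "u1", "Bridge"),   # passes, vote 'bridge'
        ("c1", "morning", "u1", "bridge"),   # passes, 'bridge' reaches 3 votes
    ]
    passed = [pool.check(*s) for s in submissions]
    assert passed == [True, True, False, True, True]
    return pool.solved


if __name__ == "__main__":
    print(demo())
```

The visitor is never told which of the two words is the control, which is what makes guessing unprofitable: a bot that cannot read the control word fails regardless of what it types for the other one.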

Can't see reCAPTCHA on comments?

If you can't see the reCAPTCHA box when you go to make a comment on a blog post, make sure you are logged out! We've set up the plugin so that our members don't have to worry about entering a CAPTCHA to make a comment—after all, we already know that they are real people, not bots.

Bad Behavior

Bad Behavior is a spam-fighting plugin that attacks the issue of comment spam from several different angles to ensure that as much spam as possible is blocked, while keeping false positives to an absolute minimum.

Time for action - setting up Bad Behavior

1. Download the plugin from

2. Extract the files.

3. Upload the contents of the bad-behavior folder to /wp-content/plugins.

4. You should have several files whose names begin with "bad-behavior" in the plugins folder and then some more inside a folder called bad-behavior.

5. To take full advantage of the plugin, you will need an account with

6. Once you've registered with Project Honey Pot, go to Services | Setup HTTP Blacklist and request an http:BL Access Key.

7. Go to the plugins section of the Site Admin panel and activate Bad Behavior sitewide.

8. Next, go to Settings | Bad Behavior and add your access key under the http:BL section.

9. When a suspicious request is made to the site, the user will see the following:

10. Blog owners can see requests that Bad Behavior has blocked under the Tools | Bad Behavior option in the Site Admin panel.

What just happened?

We have just set up the Bad Behavior plugin.

This plugin judges visitors using a range of criteria, including their User Agent (the browser that they claim they are using), their IP address, and the content of the request to make an educated guess as to the legitimacy of the request.

The plugin uses the blacklist known as http:BL from Project Honey Pot as an extra layer of protection. The blacklist contains a number of known spammer IP addresses.

Under the default settings, Bad Behavior will block bots that send requests that do not look like those sent by a normal browser. The http:BL will block known harvesters, spammers, and dictionary (or brute force) attackers.
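How the http:BL layer answers a question like "is this visitor a known harvester or spammer?" is easier to see with the lookup spelled out. The following is an added illustration, not Bad Behavior's own code: it builds the DNS name that http:BL expects, decodes the reply into days since last activity, threat score and visitor type, and applies a simple blocking policy. The resolver is mocked with constructed replies so the example runs offline; ACCESS_KEY is a placeholder, and the MIN_THREAT threshold and the policy in should_block are assumptions rather than the plugin's actual rules.

```python
"""Decoding an http:BL (Project Honey Pot) answer the way a plugin such as
Bad Behavior consults it, with the DNS lookup mocked so this runs offline.

Constructed illustration, not Bad Behavior's own code. http:BL is queried
over DNS: the name is <access key>.<IPv4 octets reversed>.dnsbl.httpbl.org,
and a listed address answers with an A record
127.<days since last activity>.<threat score 0-255>.<visitor type>, where
the visitor type is a bit field (0 search engine, 1 suspicious, 2 harvester,
4 comment spammer). ACCESS_KEY is a placeholder and MIN_THREAT an assumption."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

ACCESS_KEY = "yourhttpblkey"   # placeholder: the real key is issued by Project Honey Pot
MIN_THREAT = 25                # assumed policy threshold, not a value from the page

TYPE_FLAGS = {1: "suspicious", 2: "harvester", 4: "comment spammer"}


def httpbl_query_name(ip: str, access_key: str = ACCESS_KEY) -> str:
    """Build the DNS name to look up for a visitor's IPv4 address."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # raises on a malformed address
    return f"{access_key}.{'.'.join(reversed(octets))}.dnsbl.httpbl.org"


@dataclass
class HttpblResult:
    days_since_last_activity: int
    threat_score: int
    visitor_types: List[str]


def parse_httpbl_answer(answer: Optional[str]) -> Optional[HttpblResult]:
    """Decode the A record; None (NXDOMAIN) means the address is not listed."""
    if answer is None:
        return None
    first, days, threat, kind = (int(x) for x in answer.split("."))
    if first != 127:
        raise ValueError(f"unexpected http:BL answer {answer!r}")
    if kind == 0:
        types = ["search engine"]
    else:
        types = [name for bit, name in TYPE_FLAGS.items() if kind & bit]
    return HttpblResult(days, threat, types)


# Constructed resolver replies standing in for real DNS answers (RFC 5737 test addresses).
FAKE_DNS = {
    httpbl_query_name("203.0.113.7"): "127.3.45.6",    # seen 3 days ago, threat 45, harvester + comment spammer
    httpbl_query_name("198.51.100.9"): "127.0.0.0",    # search engine
}


def lookup(ip: str,
           resolver: Callable[[str], Optional[str]] = FAKE_DNS.get) -> Optional[HttpblResult]:
    """Query http:BL for an address; swap `resolver` for a real DNS call in production."""
    return parse_httpbl_answer(resolver(httpbl_query_name(ip)))


def should_block(result: Optional[HttpblResult], min_threat: int = MIN_THREAT) -> bool:
    """Illustrative policy: never block search engines; block harvesters and
    comment spammers, and anything whose threat score reaches the threshold."""
    if result is None or "search engine" in result.visitor_types:
        return False
    if result.threat_score >= min_threat:
        return True
    return any(t in ("harvester", "comment spammer") for t in result.visitor_types)


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9", "192.0.2.1"):
        print(ip, lookup(ip), "blocked" if should_block(lookup(ip)) else "allowed")
```

For a live check, the resolver would be a function that calls socket.gethostbyname on the query name and returns None when the name does not exist. Note what the lookup cannot tell you: an address that was a spammer 200 days ago may now be on a shared proxy or a reassigned home connection, which is exactly the false-positive risk the next paragraph describes, so the days-since-last-activity value is worth weighing before blocking on the listing alone.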

One side effect of this system is that many users surfing via a proxy will be prevented from viewing your site, as shown in the screenshot below step eight. Whether this is acceptable to you will depend on how many of your normal users would be likely to use a proxy. If your site is aimed at net neutrality campaigners, you may find that many of your users tend to surf using Tor, Your Freedom, or other similar proxy services out of habit or necessity based on the country in which they live. Rather than block those users, you may want to relax the rules used by Bad Behavior and use another spam protection service instead—perhaps one that analyzes the contents of the comment rather than the way the comment is being made.

SlayerCafe has chosen a strict approach to fighting spam. The site does have a few users who would need to surf via a proxy. It is quite common for Watchers to have to take a normal job in addition to their Watching. Typically, they work in libraries, book stores, and schools—places where web surfing is very controlled. Fortunately for us, Watchers are only a small percentage of our target audience and they are willing to accept the extra layer of security.

Fighting spam with Spam Karma and Akismet

There is not enough space in this chapter to cover all the spam-fighting solutions available for WordPress MU. A few others, however, do deserve a quick mention. Akismet is a very good spam-fighting solution, and one you may recognize if you have ever run a normal WordPress blog. The multiuser version of Akismet usually costs money, although the developers are willing to consider offering their service for free to relatively low-traffic, non-profit WordPress MU sites.

Spam Karma is a free spam-fighting solution. The original developer ceased supporting the script in January 2009. He has released the source code under the GPL so that other developers can continue his work, so I would suggest you watch the WordPress forums to see if anyone picks up the project.

Have a go hero - taking spam prevention to the next level

If you feel you need more advanced spam protection, the Spam Karma project is worth a look. You can download the current source code from spam-karma/. It is a good idea to read the documentation and the issues page for the project before installing it, especially if you plan to run Spam Karma in conjunction with Bad Behavior.

If you would like to give back to the spam prevention community, take a look at Project Honey Pot. The project is looking for people to donate MX Records from domains that they do not use to receive email. They are also looking for people to run honey pots or to link to honey pots that others have set up.

If you have the server resources, or a spare domain to donate, take a look at the FAQ for Project Honey Pot at If you don't have the resources, consider adding an invisible link to one of the honey pots in the footer of your site.

Making sure the plugins run for your users

In Chapter 3 we discussed the mu-plugins folder. WordPress MU plugins that are placed there will run automatically on your users' blogs. Unfortunately, some standard WordPress plugins do not behave in this manner.

To make sure that our users are protected by the spam-blocking plugins, we need to install a plugin manager that will automatically enable those plugins for each new blog when it is created.

Time for action - managing your users' plugins

There are two very good plugin management tools—Plugin Manager and Plugin Commander. Let's set them up.

1. Download Plugin Manager from Plugin-Manager and install it to the wp-content/plugins directory.

2. Do the same with Plugin Commander, which can be obtained from

3. Activate the two plugins in your Site Admin panel.

4. Go to Site Admin | Plugins and click on Check Active Plugins. You should see a list of the plugins your users currently have activated:

5. Under Site Admin | Plugin Commander you should see a list of all the plug-ins that you currently have installed on your blog:

[Screenshot: the Site Admin | Plugin Commander page of The Slayer Cafe (wp-admin, page=Plugin Commander). The page text reads as follows.]

Hi admin! You're logged in as a site administrator.

Manage plugins

Auto activation
When auto activation is on for a plugin, newly created blogs will have that plugin activated automatically, this does not effect existing blogs.

User control
When user control is enabled for a plugin, all users will be able to activate/deactivate the plugin through the Manage->Plugins menu.
This menu will only appear if there is at least one plugin with user control enabled.
Note; if you want to use this, be sure to disable the built-in plugins menu from Site Admin->Options->Menus to prevent users from activating plugins which should not be under user control.

Mass activation/deactivation
Mass activate and Mass deactivate buttons activate/deactivates the specified plugin for all blogs. this only effects existing blogs.

Each installed plugin is then listed with four controls: Auto activation ("Off, click to turn on"), User control ("Disabled, click to enable"), Mass activate ("Activate all") and Mass deactivate ("Deactivate all"). The plugins shown are:

- AHP Sitewide Recent Posts for WordPress MU
- Bad Behavior
- cets_blog_defaults (Deanna Schneider)
- Featured-Posts
- Filosofo Remove Dashboard (Austin Matzko)
- Multi-user plugin Manager
- Plugin Commander (Omry Yadan)
- Userthemes Revisited Plugin (D Sader)

6. Click the Auto-activate link to turn on automatic activation of the plugins you would like to have active on all your users' blogs (for example, Bad Behavior and reCAPTCHA).

7. Click the User control link to enable user activation and deactivation of plugins that you would like to give your users the option to turn on and off, for example Featured-Posts and Sitewide Recent comments.

8. If you do not want your users to be able to turn off the plugins you have enabled for them, disable the Plugins menu via the Site Admin | Options page.

What just happened?

The two plugins that we have installed give us more control over the plugins that our users can have active.

Plugin Manager allows us to see which plugins our users have activated. This is useful because it allows us to make sure that very important plugins, such as anti-spam ones, are turned on for every blog. It will also be useful for tracking the use of plugins in the long term. Knowing which plugins are very popular and which ones are used by only a handful of people will help you figure out what your users like and the features they want to see on the site.

Plugin Commander can be used to force the activation of plugins. You can force all of your users (including existing ones) to activate or deactivate a plugin and you can use it to ensure that all new blogs come with certain plugins activated.

While some features such as the ability to embed videos in posts aren't essential, it is very important to ensure that spam protection measures are set up early for every blog. Your individual users may not mind if they get spam comments on their own blogs, but uncontrolled spam on one blog could adversely affect the way search engines view the entire site, which is bad for you and your site's other users.
