Let’s look at a couple of things you can do to modify WordPress comment forms to discourage automated spam. These are by no means guaranteed methods to block all spam, but they are things you can do to make automated spamming a little more difficult. As in our previous post about blocking IP addresses from which spam is common, we’ll be managing these from WordPress’s pre_comment_on_post action hook. Both of these will also take advantage of the WordPress comment_form_default_fields filter.

Remove Comment Author URL Field

WordPress comment forms include an Author URL field which commenters can use to specify their Web site. This can be a neighborly thing to do but it’s unfortunately a favorite place for spammers to place URLs for sites that they are trying to parasitically inject into any WordPress site they can. We can remove that comment form field and reduce the comment form’s usefulness to spammers. Legitimate commenters no longer have a place to specify their URL but is this really a great loss? Ideally comments should be related to your posts, not a way to advertise somebody else’s Web site or product.

We can easily remove the author URL comment field by using the comment_form_default_fields WordPress filter:

// Remove the author URL comment field
function remove_url_field($fields) {
   $fields['url'] = "";
   return $fields;
}

add_filter('comment_form_default_fields', 'remove_url_field');

A lot of the automated spam software won’t recognize that you’ve eliminated this field and will send it anyway. This is a perfect opportunity to unequivocally identify the comment as spam. We can just check the incoming comment for the presence of the URL field and reject the comment if the URL field is present. (See the addition to pre_comment_on_post further down.)

Change Comment Form Field Names

Another thing to toss into the mix to inconvenience spammers is to change the names of fields in your comment forms to something other than the standard names that WordPress uses and spam software expects:

// Change name of 'author' field to 'telephone'
function change_comment_field_names($args) {
   $args['author'] = preg_replace('/name="author"/', 'name="telephone"', $args['author']);
   return $args;
}

add_filter('comment_form_default_fields', 'change_comment_field_names');

Hooking Into WordPress Comment Processing

Now that we’ve changed our comment form, we need to hook into WordPress’s pre_comment_on_post action to handle our changes. For eliminating the author URL field, we just check for its presence in the submitted comment and reject the comment as spam. For changing form field names, we check whether the original WordPress names are present and reject the comment if they are; otherwise we change our new names back to the WordPress default names and let the comment processing proceed.

function pre_comment_check() {

   // Handle attempt to send comment author URL
   if (!empty( $_POST['url'] ) ) {
      wp_die("Comment rejected.");
   }

   // Handle improper form naming if we switched things
   if (isset($_POST['author']) && !isset($_POST['telephone']) ) {
      wp_die("Comment rejected.");
   }
   // Fix things the way they should be for WP to continue. Logged-in users
   // are not shown the name field, so only rename when it was submitted.
   elseif (isset($_POST['telephone'])) {
      $_POST['author'] = $_POST['telephone'];
      unset($_POST['telephone']);
   }
}

add_action('pre_comment_on_post', 'pre_comment_check');

(Note that, for clarity, we haven’t copied over the pre_comment_check processing from the earlier post.)
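
The decision that pre_comment_check makes, pulled into a standalone function that runs under the PHP command line without WordPress (an added example, not code from the original post). It generalizes the rename to a table of fields and rejects any submission carrying a default name, as the paragraph above states the rule; the 'fax' alias for the email field, the FIELD_ALIASES constant and the screen_comment_post function are assumptions made for illustration.

```php
<?php
// Added example: not from the original post. 'telephone' is the post's alias;
// 'fax' for the email field is an assumed, arbitrary second alias.
const FIELD_ALIASES = array( 'author' => 'telephone', 'email' => 'fax' );

// Decide what to do with one submitted comment form.
// Returns array( verdict, fields ): on 'accept', fields has the aliases
// mapped back to the default WordPress names.
function screen_comment_post( array $post ) {
    if ( ! empty( $post['url'] ) ) {
        return array( 'reject: url field was removed from the form', $post );
    }
    foreach ( FIELD_ALIASES as $default => $alias ) {
        if ( isset( $post[ $default ] ) ) {
            return array( "reject: default name '$default' is not in the form", $post );
        }
    }
    foreach ( FIELD_ALIASES as $default => $alias ) {
        // Logged-in users are not shown these fields, so map only what arrived.
        if ( isset( $post[ $alias ] ) ) {
            $post[ $default ] = $post[ $alias ];
            unset( $post[ $alias ] );
        }
    }
    return array( 'accept', $post );
}

// Constructed sample submissions (not captured traffic).
$samples = array(
    'visitor using the renamed form' => array( 'telephone' => 'Ann', 'fax' => 'ann@example.org', 'comment' => 'Nice post' ),
    'script posting default names'   => array( 'author' => 'Bob', 'email' => 'bob@example.org', 'comment' => 'hi' ),
    'script filling the url field'   => array( 'telephone' => 'Cy', 'fax' => 'cy@example.org', 'url' => 'http://example.com/', 'comment' => 'hi' ),
    'logged-in user'                 => array( 'comment' => 'Thanks' ),
);

foreach ( $samples as $label => $post ) {
    list( $verdict, $fields ) = screen_comment_post( $post );
    printf( "%-32s %s  [%s]\n", $label, $verdict, implode( ',', array_keys( $fields ) ) );
}
```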

We’re Not Done Yet

Later we’ll look at a few more things we can do to make things inconvenient for spammer parasites. We’ll do some referrer URL checking, develop a content spam scoring technique, and maybe eventually get into a couple more sophisticated things we can do with metadata, timing user events, and black-list management.