Block Comment Spam Bots
Professional spammers use programs to automate their spamming. The ‘Block Comment Spam Bots’ (BCSB) plugin efficiently blocks their process. No more comment spam! As no legitimate user will use the professional spammer’s automated process which relies on cURL and WGET commands, real users will never notice the BCSB plugin at work. There are no CAPTCHAS for your visitors to interact with. No silly questions. Just the comment form as designed in any theme. On the admin side, there are no blacklists, special keys (like Askimet), overloaded spam queues, or overworked databases that store spam comments until you manually delete them. Install the plugin and that’s it. Invisible, to you and your visitors. The only change you will notice is in your admin area. The list of comments now has a green check next to them. That way you know that comment was made on your website by a real person and was not bypassed by hacking spammers connecting directly to your server. All that remains is comments made by real people, and while real people can spam, it takes them time and effort. The amount of spam from real people is a lot more manageable than the tsunami from automated spammers, saving you time to concentrate on the important things in life, like your readers, and making connections. We’ve tested it on multiple websites and it wipes out automated spam completely. If it doesn’t on your site, please let us know. ** Geeky Stuff ** …in case you are interested in how it works… tl;dr – This provides a total and easy solution to comment spam from spam bots. Comments are processed by the WordPress wp-post-comments.php file. Automated spammers (‘spam bots’) can provide (‘post’) data directly to that page, bypassing any comment processing, by using CURL/WGET commands. Bypassing the comment form by posting directly (via CURL or WGET commands), is quite easy. Just send the post ID number, and the bot’s fake name and email, and the spammy content. Boom! Comment spam is on your site! The result is comment spam – and that is not always caught by other comment spam checkers. Even if it is caught by programs such as Akismet, processing that spam takes some server resources, including writing to the database. This plugin uses several techniques to ‘sense’ a spambot. There are hidden fields that are changed after a delay. There is a delay in displaying the submit button. And it blocks direct access to the WordPress post/processing functions. The techniques, also used in our standalone “FormSpemmerTrap” (FST) program, and our other anti-spam plugins (like FormSpammerTrap for Comments), are very effective. They use a bit of JavaScript to block spambots – since automated processes via CURL/WGET/etc cannot process JS code. It’s simple: you install this plugin, activate it, and bot comments will stop. Immediately. And it doesn’t add any visual impediments to your comments. No reCaptcha things (which many see as a pain). No silly questions (‘what is 2+8’) on the form. Your comment form does not change. Regular users will not notice a difference. But you will. No more spam comments for you! This is the best solution to block comment spam. We’ve tested it on a site that had 20-40 spam comments a day. With this plugin enabled, the spam comment stopped. Immediately. And there have been none since installing this plugin. ** Not one. Zero.** The Admin, Comments list page is modified to show a column with a green checkmark icon if the comment was entered by a real person and not a bot. This is an assurance that the comment was not entered via an automated CURL/WGET to the wp-comments-post.php file. A comment that is on the list that does not show the checkmark was done by a bot. But you won’t see those blocked comments with this plugin enabled. They never get into your database. You can hover over the checkmark icon to see the GUID value indicating a person entered the comment. The plugins ‘Settings’ screen has no settings. You don’t even need to look at the Settings screen. If you do, you’ll see information about the plugin. And there is a CURL command you can use to test the effectiveness of blocking (or not blocking) direct access to the wp-comments-post.php file. The plugin also adds the hidden GUID field to the comment form after a delay to help block bots that are using the comment form to submit. If the hidden field is not submitted then a bot tried to bypass the comment form. And a short delay happens before the comment submit button is displayed – another bot protection.
Top keywords
- comment21×2.68%
- spam18×2.29%
- comments11×1.40%
- comment spam7×0.89%
- form7×0.89%
- automated6×0.76%
- bot6×0.76%
- comment form6×0.76%
- curl6×0.76%
- real6×0.76%
- there6×0.76%
- wget5×0.64%
EDH Bad Bots
EDH Bad Bots is an intelligent bot detection and blocking system that protects your WordPress site from unwanted crawlers and malicious bots. Unlike traditional blocking methods that rely on user agent strings (which can be easily spoofed), this plugin uses a honeypot technique to identify and block bots that don’t respect your site’s robots.txt directives. Key Features Automatic Bot Detection: Identifies bad bots using a hidden trap URL technique Smart Blocking System: Blocks misbehaving bots with configurable duration (default 30 days) Advanced DNS Resolution: PTR record lookups with DNS over HTTPS (DoH) support for hostname identification Dual-Level Blocking: Server-level .htaccess blocking AND PHP-level blocking for maximum effectiveness Configurable Blocking Methods: Choose between .htaccess blocking (Apache) or PHP-only blocking (Nginx compatible) IP Whitelist Management: Protect trusted IPs from ever being blocked Enhanced Admin Interface: Clean dashboard with hostname display, manual hostname updates, and debug tools Background Processing: Automated hostname resolution via WordPress cron jobs Legitimate Crawler Protection: Synchronous FCrDNS verification prevents Googlebot and similar crawlers from being blocked, even if robots.txt is misconfigured robots.txt Health Check: Daily cron monitors for a physical robots.txt missing the trap Disallow rule and alerts the admin Database Optimization: Automatic cleanup of expired blocks to maintain performance Security-First Design: All forms include proper nonce verification and user capability checks How It Works The plugin implements a sophisticated honeypot system: Trap URL Generation: Creates a unique, hidden URL specific to your domain Robots.txt Integration: Automatically adds a Disallow rule for the trap URL Hidden Link Placement: Places an invisible link to the trap URL in your site’s footer Bot Detection: When bad bots ignore robots.txt and follow the hidden link, they’re identified Automatic Blocking: Detected bot IPs are blocked with configurable duration and immediate effect Hostname Resolution: PTR record lookups identify the hostname/organization behind blocked IPs Legitimate Crawler Guard: If a request to the trap URL carries a Googlebot, Bingbot, or similar User-Agent, FCrDNS is run synchronously before any block decision. Verified crawlers are whitelisted on the spot; spoofed UAs are blocked normally. robots.txt Health Check: A daily cron fetches and validates the site’s robots.txt. If a physical file is missing the Disallow rule, an admin notice is shown until the issue is resolved. Configuration Admin Dashboard Access the plugin dashboard at Tools > Bad Bots in your WordPress admin: Whitelisted IPs Tab Add IP addresses that should never be blocked Remove IPs from the whitelist View all currently whitelisted addresses with timestamps Blocked Bots Tab View all currently blocked IP addresses with hostnames See when each IP was blocked and when the block expires Manually update missing hostnames for better identification Force refresh all hostnames to clear cache and re-resolve Debug hostname resolution issues (when WP_DEBUG is enabled) Manually unblock IPs if needed Options Tab .htaccess Blocking: Enable/disable server-level IP blocking via .htaccess file Block Duration: Configure how many days to block detected bots Configure blocking method based on your server setup (Apache vs Nginx) Server-level blocking bypasses caching for immediate effect Help Tab Detailed explanation of how the plugin works Best practices for managing IPs Information about .htaccess blocking options Unique trap URL for caching plugin exclusion Requirements WordPress 6.2 or higher PHP 7.4 or higher MySQL 5.6 or higher Apache server (for .htaccess blocking) or Nginx (PHP-only blocking) Writable .htaccess file (if using Apache server-level blocking) Technical Details Database Tables The plugin creates two custom database tables: wp_edhbb_blocked_bots: Stores blocked IP addresses with expiration dates and hostnames wp_edhbb_whitelisted_ips: Stores permanently whitelisted IP addresses DNS Resolution System The plugin includes an advanced DNS lookup system: DNS over HTTPS (DoH) Support Primary providers: Cloudflare DNS, Google DNS Secure queries: HTTPS-encrypted DNS requests for enhanced privacy Fallback system: Automatic fallback to traditional DNS methods PTR Record Lookups Reverse DNS: Converts IP addresses to hostnames for better identification IPv4 and IPv6 support: Full support for both IP versions Caching: Results cached for 1 hour to improve performance Background processing: Automated hostname resolution via WordPress cron Blocking Methods The plugin offers two blocking approaches: 1. Server-Level Blocking (.htaccess) Default method for Apache servers Blocks IPs at the server level before WordPress loads Bypasses caching plugins for immediate effect More efficient and faster blocking Automatically manages .htaccess file with unique markers Safe cleanup on plugin deactivation 2. PHP-Level Blocking Alternative method for Nginx or when .htaccess is unavailable Blocks IPs during WordPress initialization Compatible with all web servers May be affected by caching plugins No server configuration files modified Security Features Nonce Verification: All forms use WordPress nonces for CSRF protection Capability Checks: Only users with manage_options capability can access admin features Input Sanitization: All user inputs are properly sanitized and validated SQL Injection Protection: All database queries use prepared statements Safe .htaccess Management: Uses unique markers and automatic cleanup Performance Optimization Automatic Cleanup: Expired blocks are automatically removed from the database Efficient Queries: Database operations are optimized for minimal performance impact Smart Loading: Admin assets only load on the plugin’s admin page Server-Level Blocking: .htaccess blocking prevents blocked requests from reaching PHP Whitelist Filtering: Whitelisted IPs are excluded from .htaccess rules automatically DNS Caching: Hostname lookups cached to reduce DNS query overhead Background Processing: Hostname resolution runs in background to avoid delays API Hooks Actions plugins_loaded: Plugin initialization init: Early request blocking check template_redirect: Bot trap detection wp_footer: Hidden link injection admin_menu: Admin page registration admin_notices: robots.txt misconfiguration warning edhbb_update_hostnames_cron: Background hostname resolution (hourly) edhbb_check_robots_txt_cron: robots.txt Disallow validation (daily) Filters robots_txt: Adds disallow rule to robots.txt edhbb_trusted_crawler_domains: Customise the FCrDNS hostname suffixes used to identify legitimate crawlers (e.g. .googlebot.com) edhbb_trusted_crawler_ua_patterns: Customise the User-Agent tokens that trigger a synchronous FCrDNS check on trap hits (e.g. googlebot, bingbot) File Structure ` edh-bad-bots/ ├── admin/ │ └── views/ │ └── admin-display.php # Admin interface HTML ├── assets/ │ ├── css/ │ │ └── admin-style.css # Admin page styling │ └── js/ │ └── admin-script.js # Admin page JavaScript ├── includes/ │ ├── class-edhbb-admin.php # Admin functionality │ ├── class-edhbb-blocker.php # Bot detection and blocking │ ├── class-edhbb-database.php # Database operations │ └── class-edhbb-dnslookup.php # DNS/PTR lookup system ├── edh-bad-bots.php # Main plugin file ├── LICENSE └── readme.txt ` Contributing Contributions are welcome! Please feel free to submit a Pull Request. Development Setup Clone the repository to your WordPress plugins directory Ensure you have a WordPress development environment running Activate the plugin and test your changes License This project is licensed under the GPL v3 or later. Author EncodeDotHost – Website: https://encode.host – GitHub: @EncodeDotHost Support For support, please visit the support forum: https://wordpress.org/support/plugin/edh-bad-bots/