The Comment Redlist Plugin

This page explains how Comment Redlist works. If you don't care how it works, skip ahead to the next page, which explains all of the plugin's settings.

Learn Some Lingo

You may not understand what I’m talking about on this page without a little help, so please familiarize yourself with these terms and their definitions:

  • Bot: A program that crawls the web looking for blogs and submits spam comments to them automatically.
  • Post: An HTTP POST request carrying the comment data, often sent straight to the server without ever loading the comment form.
  • Cookie: A small piece of data a website stores in your browser, which the browser sends back with every later request to that site.
  • Javascript: A programming language that runs inside your browser and can check or change a page before it is submitted.
  • Browser: The computer program or app you use to look at websites.
  • Database: Where the website stores comments so they can be inserted, read, updated and deleted.

How it Works

There are two kinds of bots that post spam comments to your blog. The first type posts comments directly to WordPress, with no regard for the actual comment form. The second type, which is a little smarter, attempts to use the fields in your comment form. If you analyze your server access logs, you will see that both types do an initial request for a blog page and, in less than a second, post to wp-comments-post.php. In both cases the bot needs a post ID (the comment_post_ID field), but bot type #2 scans the form and does its best to submit a comment that fits it. Whether bot type #2 submits your actual form or just reuses its field names in its own POST request is not known, but it does not affect Comment Redlist's ability to block the comments.

Spam Detection Summary

  • Sequence Matching: Any comment that contains a character sequence that you redlist is blocked.
  • IP Address Matching: Any comment submitted from an IP address that you redlist is blocked. Furthermore, any request to your blog from a redlisted IP address is blocked, not just comment submissions.
  • Optional Form Token Usage: *Form tokens use cookies to make a site visitor prove that the comment is being posted from a page the site actually served to them.
  • Optional Character Restriction: You can designate that you want to only accept comments that contain US keyboard characters, or create your own custom restriction.
  • Optional Website Field Restriction: The Website comment form field is removed from the form, and any submission that still contains this field is instantly blocked; a real visitor's form no longer has it, so only a bot reusing the standard field names sends it.

“When you take a look at spam, you'll see a repetitive pattern of words or characters that no real person would put in a comment.”

*Form token usage requires cookies, and is not possible on blogs where a caching plugin or other page caching is in use: a cached page is served with the token from an earlier render, so it never matches the cookie of the visitor who receives it. Because a fresh token is generated with every page request, the links that WordPress places in the document head of all pages must also be removed, since a browser can request those URLs in the background and each such request replaces the token before the visitor submits the form. This is only necessary for pages where your comment forms are located. Always confirm that your comment form still works after enabling form tokens.

Recommended Sequences to Redlist

Bot type #2 is almost always going to try to post links in its comments. Look through a few hundred spams to confirm this (or don't), and you will recognize the following character sequences:

  • [URL=
  • http://
  • https://

One of these three character sequences is going to be in nearly every spam comment you receive. I guarantee that you will block a lot of spam with these recommended sequences. If you expect that people (not bots) will want to post links in their comments, you are probably right. They can still do so without these character sequences, and Comment Redlist lets them know which sequences to remove so their comment is not blocked; the plugin's JavaScript performs this check in the browser before the form is submitted.
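What that browser-side feedback can look like, as an added JavaScript example rather than the plugin's own script. It finds the recommended sequences in the comment text, tells the commenter what to remove, and suggests the link written without its scheme; the wiring at the bottom assumes WordPress's default form id `commentform` and textarea name `comment`, and only runs when a DOM is present.

```javascript
'use strict';

// The page's recommended redlist; matched case-insensitively (an assumption).
const REDLIST = ['[URL=', 'http://', 'https://'];

function findRedlisted(text) {
  const lower = text.toLowerCase();
  return REDLIST.filter((s) => lower.includes(s.toLowerCase()));
}

// Suggest an edit the commenter can make: drop the scheme from links so the
// address survives without the redlisted prefix.
function suggestRewrite(text) {
  return text.replace(/\bhttps?:\/\//gi, '');
}

// Returns null when the comment is clean, otherwise the notice to show.
function buildNotice(text) {
  const hits = findRedlisted(text);
  if (hits.length === 0) return null;
  const list = hits.map((h) => `"${h}"`).join(', ');
  return `Your comment contains ${list}. Remove or rewrite those sequences ` +
         `before posting, for example: ${suggestRewrite(text)}`;
}

// Browser wiring: block the submit and show the notice. This is user
// feedback only; a bot posting straight to wp-comments-post.php never runs
// it, so the server-side check remains the one that actually blocks spam.
if (typeof document !== 'undefined') {
  const form = document.getElementById('commentform');
  if (form) {
    form.addEventListener('submit', (ev) => {
      const notice = buildNotice(form.elements.comment.value);
      if (notice !== null) {
        ev.preventDefault();
        window.alert(notice);
      }
    });
  }
}

module.exports = { REDLIST, findRedlisted, suggestRewrite, buildNotice };
```

The rewrite only handles the two URL prefixes; a `[URL=` tag is still reported and has to be removed by hand.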

WordPress will actually turn anything in a comment that it thinks is a link (a www. address, for example) into a clickable link, so your visitors do not need the http:// prefix or any markup for their links to work.