Defending WordPress MU from Splog Abuse

Over the weekend most of my new WordPress MU weblog servers were hit by splogs -- spam blogs created by bots and filled with links to commercial sites.

I added a WordPress hacker's unofficial patch that requires users to fill out a captcha to create a new blog. The patch modifies wp-signup.php and adds a new file, wp-valid.php that generates the captcha graphic using code from the Quick Captcha PHP script.

The first two active blogs to spring up on these servers are Political Fretwork and the Ad Whisperers.

Update: I don't like how captchas break accessibility for visually impaired people, so I'm looking for a way to prevent that.


Rogers, try a negative captcha. Add a form field that's hidden with CSS and named something splog-friendly like "email" or "name". If the field gets submitted, it's a splog. If not, probably human.

I also like using javascript-generated hidden form fields that get inserted dynamically in the browser. I check for the existence of the field when the form is submitted, and if it isn't, I reject the comment. Since most splogs are automated scripts looking for and not running a full browser instance + javascript engine, this works pretty successfully at combating spam.

I've seen blogs that have a little speaker icon next to the captcha that reads out the letters, allowing the visually impaired to enter the string.

Well, here was my solution...

I'm sorry to say, but it looks like your content is being "leeched" onto another website. I ran across the site when I was checking my Akismet spam folder.

I found it funny they lifted a post about stopping spam, on a site which was 100% spam.

Hope wordpress figures out a way to stop this stuff soon,

Bradford Knowlton

Add a Comment

All comments are moderated before publication. These HTML tags are permitted: <p>, <b>, <i>, <a>, and <blockquote>. This site is protected by reCAPTCHA (for which the Google Privacy Policy and Terms of Service apply).