WP-Morph 1.0 is yet another anti-spam plugin for WordPress. Features include:
- No captcha. The user doesn’t have to enter any additional code.
- JavaScript support required in the browser.
- Spammers would have to interpret the JavaScript in the page to be able to submit comments.
Mmm… Well, I don’t think it’s just “yet another.” Let me explain myself. I’ve studied a lot of spam plugins, from captchas to OSA, which you’re using here, including SpamKarma.
Captcha-based ones are painful, as you have to enter the code, and they also work against people with disabilities, and also force the user to change their way of doing things just _because_ of spammers.
Others like OSA and SpamKarma are complicated, include database access, and even require the maintainer, from time to time, to activate moderation and moderate comments (removing spam, teaching the Bayesian what is spam and what is not…).
The simplicity of WP-Morph is that you don’t have to do any of these. It generates a randomly complicated JavaScript code that must be executed in order to be able to post a comment. The browser does that for us, but spammers with their bots won’t include a complete JavaScript interpreter just to decode the code and obtain the result. Thus, the test for spam is just a comparison (instead of accessing databases as SpamKarma and OSA do) and the plugin is really simple. Just look at the code here.
Best regards,
diego
Diego: What’s the difference with wp-hashcash?
What about the 10-11% of users who have JavaScript disabled in their browsers?
Hi, Denis:
Now, this is a good question I was expecting.
There are two main differences:
1. Wp-hashcash doesn’t have any “hidden” value. By hidden I mean a value that is *only* known by the server. This value is essential, and is used in pre- and post-processing. Spammers cannot know this value, and cannot generate correct results unless they execute the JavaScript. In other words, WP-Hashcash gives the spammers all the info they need to produce a fake response.
2. In WP-Morph the JavaScript code *has to* be executed. WP-Hashcash claims that in its case, the JavaScript code that calculates the md5 *must* be executed by the client. But this is false: any spammer with an “md5” function in his pocket can do the calculation without executing any JavaScript in the page, then generating the fake response form. In fact, reading the comments to the WP-Hashcash blog entry, I see that any stupid pimprick has taken the time to study the code and release this code that fools the plugin. In WP-Morph, the code is generated ad-hoc for the page, it must be executed to obtain the result (because the code changes every time), and the result must be returned.
Hope this clarifies the differences.
Best regards,
diego.
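The two properties listed in the comment above (a value known only to the server, and script that changes on every page view) can be sketched as follows. This is an added example, not WP-Morph's code and not part of any comment in this thread. The function names, token layout, lifetime and expression generator are all assumptions chosen for illustration.

```javascript
const crypto = require('crypto');

const TTL_MS = 10 * 60 * 1000;   // assumed challenge lifetime
const MOD = 1000003;             // keeps every intermediate value inside 32 bits
const OPS = {
  '+': (a, b) => a + b, '-': (a, b) => a - b,
  '*': (a, b) => a * b, '^': (a, b) => a ^ b,
};

// Keyed MAC over nonce, expiry and expected answer. The key is the "hidden"
// value: it never leaves the server, so a client cannot mint its own token.
function sign(secret, nonce, expires, answer) {
  return crypto.createHmac('sha256', secret)
    .update(`${nonce}|${expires}|${answer}`).digest('hex');
}

// Build a different random expression for every page view. The page receives
// the expression (as script source) and the token, never the answer itself.
function issueChallenge(secret, now = Date.now()) {
  const symbols = Object.keys(OPS);
  let value = crypto.randomInt(1, 1000);
  let expression = String(value);
  for (let i = 0; i < 6; i++) {
    const op = symbols[crypto.randomInt(symbols.length)];
    const n = crypto.randomInt(1, 1000);
    expression = `((${expression} ${op} ${n}) % ${MOD})`;
    value = OPS[op](value, n) % MOD;
  }
  const nonce = crypto.randomBytes(8).toString('hex');
  const expires = now + TTL_MS;
  return { expression, token: `${nonce}.${expires}.${sign(secret, nonce, expires, value)}` };
}

// The spam test is a single comparison: recompute the MAC from the submitted
// answer and compare in constant time. No database lookup is involved.
function verifyResponse(secret, token, answer, now = Date.now()) {
  const [nonce, expires, mac] = String(token).split('.');
  if (!nonce || !mac || !/^\d+$/.test(expires) || Number(expires) < now) return false;
  if (!/^-?\d+$/.test(String(answer))) return false;
  const expected = Buffer.from(sign(secret, nonce, expires, answer), 'hex');
  const given = Buffer.from(mac, 'hex');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}
```

Because nothing is stored server-side, a valid token and answer pair can be resubmitted until it expires; recording used nonces closes that gap. A client that does evaluate the expression passes the check, which is the trade-off the post itself states.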
John,
Yeah, that is a problem with the plugin, I must admit it… I thought about it, but there are really many things that depend on JavaScript: look at how many sidebars implement it without it… So I decided that I could pay this inconvenience to stop spammers…
Best regards,
diego
Diego: I thought the wp-hashcash generated the key on the client…
John: Personally, I wouldn’t care much about users with js disabled. To start with, I’ll take the bet most of them are in fact bots. And for the very few real users that remain, you can always put a noscript tag in your page to notify them js is required to use the comment form.
Fair enough Diego. Comment spam has caused everyone inconvenience and with almost any implementation of a filtered device, some innocent users will get caught in the filter.