New Bookstore! Save 20% on books with discount code: LAUNCH
Web Dev + WordPress + Security

10 Characters for Your WordPress Blacklist

Quick WordPress tip for easily and quietly blocking a ton of comment spam. Akismet and other programs are good at catching most spam, but every now and then a bunch of weird, foreign-language spam will sneak past the filters and post live to your site. Here’s a good example of the kind of stuff that’s easy to block:

[ Screenshot: Comment Spam in Moderation ]

This type of spam hits in waves, with similar character patterns running throughout each batch. So you’ll see a bunch of nonsensical spam comments that vary in IP, name, email address, and so on. If other spam mechanisms fail, using WordPress’ built-in anti-spam functionality is a great way to immunize against junk like this:

[ Screenshot: Comment Spam in Moderation ]

We can stop that sort of garbage from scaring away visitors by adding a few lines to your Comment Moderation or Comment Blacklist (both located in your Discussion Settings). Simply add these codes to either list.

The beauty of this technique is its simplicity. WordPress uses regular expressions to scan comments for any of these characters. The comments aren’t deleted, so there’s no real risk, and the chances of someone actually using one of these characters in a real comment is slim to none. What WordPress does with matching comments depends on where you put the list:

  • Added to the Comment Moderation list will result in blocked comments getting sent to the Moderation queue.
  • Added it to the Comment Blacklist will result in blocked comments getting flagged as spam and sent to the Spam bin.

It’s probably safest to add these characters to your Moderation list just in case anything worthwhile happens to show up (it won’t). Once you Save your changes, forget about it. Just monitor (or don’t) your comments as usual and let WordPress’ built-in anti-spam skillz do the work.

Exceptions

Although an elegant and effective technique, you may want to skip using if either of the following apply:

  • You have trackbacks/pingbacks enabled and displaying on your site
  • You allow comments in languages that use any of the blocked glyphs

Otherwise, the list makes an excellent addition to any anti-spam strategy. Especially if you are only using Akismet, this is a great way to further improve the overall security and integrity of your site. For more information and more extensive WordPress blacklists, check these:

Note: To suggest additional characters in the comments, remember to wrap each one with a <code> tag. Thanks :)

Jeff Starr
About the Author
Jeff Starr = Fullstack Developer. Book Author. Teacher. Human Being.
WP Themes In Depth: Deep dive into WP theme development.

28 responses to “10 Characters for Your WordPress Blacklist”

  1. Jeff Rine 2011/04/18 1:40 pm

    Great tip, I plan to incorporate it on both of my sites as soon as they are accessible again. For the second time this year, my web host is in failure mode. Grrr.

  2. Patrick Daly 2011/04/18 2:10 pm

    Those screenshots suggest you’re a bit overdue for upgrading. ;)

  3. John Rocheleau 2011/04/18 2:26 pm

    For what it is worth, and I hope it helps, I use a plug-in called WP-SpamFree. Here is the link: http://www.polepositionmarketing.com/library/wp-spamfree/

    I installed it a couple years ago due to a boat load of comment spam that I was getting daily. Each spam comment was over 800 words long. Akismet set them aside but I still had to deal with them.

    Since I installed WP-SpamFree I haven’t had one spam comment, nor have I had even one false positive. I have had Akismet deactivated for a long time now. Spam is history for me since installing this.

    :-)
    John

  4. Quite a good way to block unwanted comments from foreign language. Thanks Jeff for this wonderful article.

  5. redwall_hp 2011/04/19 11:21 am

    Thanks! I get a lot of Cyrillic spam. It never occurred to me that the blacklist would accept Unicode characters…

  6. Guess, I’ve been lucky and haven’t come across these types of comment issues before. I get spam but not those odd characters.

  7. Hi Jeff, thank you for the post. You have so much great information here on your site.
    I actually have a question for you, because you are the only person I thought of right away as my problem started.

    I remember one of your posts something about fake bots black list, I am not very technical at all, I only started blogging a few month’s ago.

    My server has started to block my IP address almost everyday now, and sometimes several times a day. At firs they told me it was something to do with my wireless company, but today this is what they told me: Please note your IP is being blocked of enormous server activity. Please check your site for overloading scripts or minimize your web site update activity from single IP.”

    So finally when they unblocked me, I saw in my 404 monitor 8 errors, which had some really weird endings together with my site address, and it was from MSIE bot.
    I don’t really know anyone I can ask about this, and I don’t really know what it means overloading scripts. So now, I am just sitting around and praying it will stop happening. Any advice? Thank you Jeff

    • Jeff Starr
      Jeff Starr 2011/04/19 9:26 pm

      Hey Tatianna, I would be happy to look at any data you have and reply with any suggestions.. just send an email to jeff at this domain. Thanks :)

  8. Hi Jeff,

    I guess it really depends on the volume of comments, but i was wondering if the baked-in system “skip validation if the user has had one comment approved already” wouldn’t work perfectly?

    It forces you to validate one comment per new commenter on your blog, but then every other comment they leave is effortless.

    I suppose you pushed that solution aside, and i wonder, could you tell us more about that choice?

  9. My question was actually more “why don’t you use that method yourself here on PP?”. Another way to formulate it is “why did you publish this post?”.

  10. Jeff Starr
    Jeff Starr 2011/04/19 9:23 pm

    I do use that method here at Perishable Press. I also use this method. I published this post to share the information with people who may find it useful.

  11. Konstantin 2011/04/20 1:05 am

    Is that umm.. WordPress 1.5? Hehe.. Too bad I’m from Russia, so I sometimes get comments in Russian, can’t miss those, but anyway, great idea!

  12. Yes it was Russian and the comment is not very nice.

Comments are closed for this post. Something to add? Let me know.
Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
USP Pro: Unlimited front-end forms for user-submitted posts and more.
Thoughts
Take a screenshot with Firefox (no extension required). Open Developer Tools Settings and enable the “Take a screenshot” button. Then click the button :)
Take a screenshot with Chrome (no extension required). Open DevTools, type Cmd + Shift + P, then type screenshot.
After 10 years working on my 2010 iMac, my upgrade finally arrived. Shiny new iMac shipped from Ireland :)
Too much caffeine weirds me out. But I love the taste of coffee. So once in a while I enjoy a small cup of decaf. Hits the spot.
Chris Coyier is a truly awesome person. One of the finest people I've ever worked with. Just #gottasayit
Excel won't open CSV file because SYLK format? Open it with text editor and add an apostrophe ' at the beginning of the file, save changes, done.
Displaying too many social media buttons and links all over the place imho makes you look desperate and frankly kinda sad.
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.