WP-SpamFree
July 8th, 2008 by Michael Hampton
There’s a whole lot of buzz about the newest WordPress spam-fighting plugin on the block, and so I decided to go take a look and see if WP-SpamFree lives up to its hype.
“The WP-SpamFree plugin virtually eliminates automated comment spam from bots, including trackback and pingback spam,” its author, Scott Allen, claims. “It takes a different approach than most and stops spam at the door.”
Indeed, everyone who’s tried it reports that their spam has dropped off to virtually zero and that they haven’t heard from anybody who had problems leaving comments. Sounds like the Holy Grail of spam prevention, right?
Not so fast.
WP-SpamFree, it turns out, uses JavaScript and cookies to verify that someone is using an actual web browser to access your site and leave a comment. These approaches are not that different from what other plugins have done in the past. What distinguishes WP-SpamFree in this respect is that it requires both JavaScript and cookies in order for someone to post a comment. This will certainly keep out virtually every spambot out there.
Unfortunately, it will also block most mobile web browsers and some disabled users. In both cases the browsers being used aren’t capable of JavaScript, cookies, or both. If your blog targets mobile web users or people with disabilities, WP-SpamFree might not be for you.
Then there is WP-SpamFree’s method of blocking trackback and pingback spam. These are always automated, so using JavaScript and cookies is impossible. WP-SpamFree, it turns out, uses several extensive internal lists of IP addresses, URL fragments, and keywords to block this type of spam.
This works fairly well; however, the way it’s implemented in the current version of WP-SpamFree (1.9.6.2) is quite strange. It appears the author didn’t want to use arrays and loops to iterate through his lists and instead unrolled all his loops, resulting in a huge plugin clocking in at over 3,700 lines. There’s no obvious good reason for this; it would seem in PHP that the plugin would be much slower than it would otherwise. The gain of not having the loops doesn’t seem nearly as much as the overhead of compiling thousands of extra lines of bytecode. In addition there are several other examples of duplicate code which could have been split into functions.
These technical implementation issues make me wonder at how much experience the programmer has. If they were intentionally done by an experienced programmer, I would have expected them to be mentioned in the README or release notes or a blog entry, but especially in the code comments.
Despite those issues, the plugin works pretty well for what it does. I hope that the author addresses those implementation issues for his next major version, though, to make the plugin even better.
And there are things that WP-SpamFree does not do. It does not block email harvesters, for instance. It also does not block spambots when they scrape your site looking for your comment forms, nor block denial of service attacks. Indeed, under a heavy spam attack, its size and CPU usage could cause limited web hosting resources to be exhausted.
That’s all just a long way of saying that WP-SpamFree has its pros and cons, and if you choose to use WP-SpamFree, you still should keep Bad Behavior around as part of your overall spam prevention strategy.
