Over several years, I have identified more than 16,000 phrases, patterns, and keywords commonly used by spammers and comment bots in usernames, email addresses, link text, and URIs. This blacklist is an ongoing work in progress and as such, there is always room for optimization and improvement. Suggestions and bug reports are certainly appreciated. Please use the issue tracker to let me know.
Copy the list of keywords found in the blacklist.txt file, paste it into the Comment Blacklist field of your WordPress Discussion Settings panel, and click the “Save Changes” button.
That’s it.
Repeat this procedure each time you want to install an updated version of the blacklist.
If you prefer a more hands-off approach, there are several plugins that will check whether the master blacklist has changed and then automatically install the most recent version. How handy is that?
- Blacklist Updater by Sergej Müller
- Comment Blacklist Manager by Andrew Norcross
- WordPress Simple Firewall by iControlWP
I don’t blame you if you’re skeptical about how well this blacklist works compared to a commercial solution like Akismet. Because I am subjectively including keywords based on comment spam submitted to my own sites, there is a chance that the blacklist will “overclean” your comment queue. Consider that fair warning.
However, Jason Cosper reports that he used an earlier version of the blacklist on a client’s WordPress installation containing 800,000 or so comments. The blacklist flagged 40% of those comments as “spammy”. As a sanity check, he then exported those flagged comments to a local WordPress install and subsequently had Akismet do its thing. According to Jason, there were “zero false positives.”
Still need convincing? The blacklist was featured over at WP Daily (now Torque) in John Saddington’s enticingly titled post, Die Spam! Blacklist That Shiz with This Gist!
WordPress stores the contents of the Comment Blacklist setting in the options table as blacklist_keys. Defined as a longtext data type, this MySQL column can contain up to 4,294,967,295 bytes (approximately 4GB) of text. There is no chance of us running out of room to expand the blacklist any time soon.
There has been some talk about storing the blacklist_keys option in an entirely separate table.
URL Shorteners
As mentioned above, the keywords in the blacklist are based on spam submitted to my own sites. Spammers often utilize the obscuring capabilities of URL shorteners to hide their nefarious links. Therefore, I have included a handful of URL shortener domains in the blacklist. For all practical purposes, there’s no need for a comment to include a shortened URL, as unmodified links can be easily formatted using HTML. If you find that your visitors are using shortened URLs on a regular basis, you may wish to remove these domains from the blacklist.
WordPress Links
Spammers will also utilize links that include URLs that are specific to WordPress installations. These links often point at compromised admin, theme, or plugin files. In most cases, there’s no need to include a URL that deep-links into the bowels of a WordPress site. However, you may want to remove the following keywords from the blacklist if your visitors are commenting on topics related to WordPress site, plugin, or theme development.
- /wp-admin
- /wp-content
- /wp-image
- /wp-include
- /wp-list
- /wp-site
Non-English Comments
This blacklist has been created for use on English language sites. There are several dozen terms and phrases included in the blacklist that may flag legitimate comments posted in other languages. If you commonly receive comments in other languages (specifically those containing Chinese, Japanese Hiragana and Katakana, Korean, Thai, or Cyrillic characters), you may want to remove or modify those sections of the blacklist.
HTML Tag Attributes
The blacklist is not applied against HTML tag attributes found in comments, only the values assigned to those attributes. This means that you cannot include the attribute name, equal sign, or the quote marks as part a keyword. For example, the keyword phrase title="Discount will not match anything, even if that exact bit of text exists within the content of an HTML formatted comment. A keyword consisting of Discount should be used instead. Other HTML attributes commonly allowed in WordPress comments such as href, cite, and datetime are also ignored.
User Agent Strings
According to the WordPress Discussion Settings Screen documentation, a comment will be marked spam if any of the Comment Blacklist keywords are found in the comment content, name, URL, email, or IP address fields. Surprisingly, WordPress also applies the blacklist against the user agent string.
For example, in an earlier version of the blacklist the keywords /4. and /5. had been included to flag URLs with sequentially numbered pages with various file extensions. Unfortunately, these two benign-looking keywords also flagged comments containing common user agent strings, such as Mozilla/4.0 and Chrome/5.0. In other words, nearly every single comment was flagged as spam, regardless of its content or whether the commenter had been previously approved.
IPv6 Localhost
Since the blacklist is applied to commenter’s IP address, we need to be aware of strings that might match seemingly generic, but valid addresses.
For example, in an earlier version of the blacklist the keyword :: had been included, as it appeared occasionally in mangled comment text and URLs. However, double colons are also part of the IPv6 localhost IP address ::1. If you happened to be testing a WordPress installation on a system using IPv6 addresses, every single comment would have been flagged as spam.
“So much for using Akismet.”
Thanks to Mika Epstein, Paul Goodchild, Sergej Müller, Andrew Norcross, Claudio Schwarz, and Volker Schmidt for their various contributions, suggestions, and reports from the field.
Likewise, Chris Burton deserves a virtual fist bump for the above tweet.
I’d also like to acknowledge Paul Taubman, Christina Robinson, My Brain Lounge, Roger Williams Media, eComStyle.de, FliegenToeter, Thomas Leister, WPCoder, Nguyễn Đình Quân, WP Daily, and the Envato Market Blog for mentioning and linking to this project.
Copyright © 2011–2014 Grant Hutchinson
This project is licensed under the short and sweet MIT License. This license allows you to do anything pretty much anything you want with the contents of the repository, as long as you provide proper attribution and don’t hold anyone liable.
See the license.txt file included in this repository for further details.
- 20150108 — 16,000 entries
- 20141214 — 15,000 entries
- 20141124 — Fixed bug that affected IPv6 localhost addresses
- 20141115 — 14,000 entries
- 20141011 — 13,000 entries
- 20140911 — Added to the Combating Comment Spam section of the WordPress Codex
- 20140826 — 12,000 entries
- 20140624 — 11,000 entries
- 20140527 — Added MIT License
- 20140527 — WordPress Simple Firewall plugin adds “human spam comment filtering” support
- 20140508 — 10,000 entries
- 20140501 — Sergej Müller’s Blacklist Updater plugin released
- 20140501 — Andrew Norcross’ Comment Blacklist Manager plugin released
- 20140324 — 9,000 entries
- 20140206 — 8,000 entries
- 20131215 — 7,000 entries
- 20131122 — Fixed bug that affected most user agent strings
- 20131105 — Migrated project to GitHub
- 20131020 — 6,000 entries
- 20130911 — 5,000 entries
- 20130715 — 4,000 entries
- 20130226 — 3,000 entries
- 20130130 — Added documentation
- 20120529 — 2,000 entries
- 20120217 — 1,000 entries
- 20111122 — Released as a Gist with just over 140 entries
Contact me on Twitter.