Samuel Elh Blog

WordPress, bbPress, BuddyPress, JavaScript tutorials and snippets

Tag: spam

An effective way of preventing spam registration with JavaScript – WordPress

As I write this blog post about preventing spam registration on WordPress, many blogs out there are getting tons of new accounts registered by robots, all of it unwanted spam.

Preventing Spam Registration on WordPress

There are many ways, free and paid, to knock off spam registration on your WordPress blog or website. One of them is CleanTalk; I love this one as it has a great database of malware checks (blacklist) and many ready-made online tools to verify a user before they successfully sign up.

But for me, I always prefer not to add another plugin to the load, so if coding a little snippet of script would help, then that would be super. So hopefully this could help prevent spam registration somehow.

Preventing Spam Registration – JavaScript

As many of you know (or may not know), spam bots (robots) typically run on minimal systems that do not execute JavaScript. This means that no DOM JavaScript is available to them, so we will use this point to add a required (but hidden) field to the user registration form. The field carries a WordPress nonce (cool, right?), which is verified with the wp_verify_nonce() function.

Every time the registration screen is requested, the form field for spam check will be added on window load, and it will be required to process the registration.

Important notice – if your users prefer not to enable JavaScript, do not use this process, or tell them to enable JavaScript in order to register and then switch back to disabled JS mode.

If the field is missing from the request, the request is killed with a simple error message:


Are you spamming?

Or, if you don’t want to kill the request but show a warning notice instead, comment out the wp_die() calls and uncomment the $errors->add() calls inside the se_nospam_register_validate callback function, and this would appear:

[Screenshot: bad guy spotted, spam registration on WordPress]

Cool! Now where can I get the plugin? (No plugin, just a small snippet of uncommented code.) Read on.

Preventing Spam Registration on WordPress: The code

You can add the following code to your child theme’s functions file, or download the plugin from the GitHub gist:

<?php
/**
  * Plugin Name: No Spam Registration with JavaScript
  * Plugin URI:
  * Description: Prevents spam registration on your WordPress blog/website by adding a necessary form field with JavaScript on document load
  * Author:      Samuel Elh
  * Author URI:
  * Version:     0.1
  */
add_action('register_form', 'se_nospam_register_append_input');
add_action('register_post', 'se_nospam_register_validate', 10, 3);

if ( !function_exists('se_nospam_register_append_input') ) :
// Prints an inline script that replaces itself with the hidden nonce field.
function se_nospam_register_append_input()
{
	?>
	<script type="text/javascript" id="se_nospam_inline_js">
		window.onload = function() { // it's all about this JS, once JS is loaded, the spamcheck field will be available..
			var e = document.getElementById('se_nospam_inline_js');
			if ( null !== e ) {
				e.outerHTML = '<input id="process-register" type="hidden" name="process-register" value="<?php echo wp_create_nonce( 'se-nospam-register' ); ?>" />';
			} return;
		};
	</script>
	<?php
}
endif;

if ( !function_exists('se_nospam_register_validate') ) :
// Runs on register_post: the field must be present, non-empty and a valid nonce.
function se_nospam_register_validate( $login, $email, $errors )
{
	$die_message = apply_filters( "se_nospam_register_error", "Are you spamming?<br/><br/> <a href=\"javascript: window.history.go(-1);\">&laquo; Go back</a>" );
	if( !isset($_POST['process-register']) ) {
		wp_die( $die_message );
		// or just: $errors->add( 'empty_realname', "<strong>ERROR</strong>: Are you spamming?" );
	}
	else if( empty($_POST['process-register']) ) {
		wp_die( $die_message );
		// or just: $errors->add( 'empty_realname', "<strong>ERROR</strong>: Are you spamming?" );
	}
	else if(!wp_verify_nonce($_POST['process-register'], 'se-nospam-register')) {
		wp_die( $die_message );
		// or just: $errors->add( 'empty_realname', "<strong>ERROR</strong>: Are you spamming?" );
	}
	return $errors;
}
endif;

Cool! If preventing spam registration on WordPress with this custom trick has worked for you, then that’s what matters! Yay!! Personally, it helped me a lot on my product support forums website, where I have bbPress installed for the forums functionality.

Preventing Spam Registration on WordPress: After

Given that it helps prevent spam registration, there should be more to do after this, right? I mean, like capturing the prevented spam registration attempts and saving a count to the database, so you can see a log of how many spam bots were blocked; something like adding this code:

update_option( $name = "se_how_many_spam", ( (int) get_option( $name ) ) + 1 );

Add that right before each wp_die in the code, and then call

get_option( "se_how_many_spam" );

to tell how much spam was denied. You might also want to capture the user's IP to block them for as long as possible, given that spam can never be tolerated. (Beware, bots will call you aggressive then.)
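One way to wire up the counter and the IP capture described above, as an added example that is not part of the original post. The helper names, the transient prefix, the threshold of 3 and the one-hour window are assumptions; the per-address throttle adds a second layer, since by default the registration nonce is the same for every logged-out visitor.

```php
<?php
// Added example: names, threshold and window below are assumptions.
define( 'SE_NOSPAM_MAX_HITS', 3 );             // failed attempts before a block
define( 'SE_NOSPAM_WINDOW', HOUR_IN_SECONDS ); // how long hits are remembered

// REMOTE_ADDR is the peer address seen by the server; headers such as
// X-Forwarded-For are client-controlled unless your own proxy sets them.
function se_nospam_client_ip() {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
	return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '';
}

function se_nospam_ip_key( $ip ) {
	return 'se_nospam_' . md5( $ip ); // fixed-length transient name
}

// Call right before each wp_die() in se_nospam_register_validate().
function se_nospam_record_block() {
	update_option( 'se_how_many_spam', (int) get_option( 'se_how_many_spam' ) + 1 );
	$ip = se_nospam_client_ip();
	if ( '' !== $ip ) {
		$key = se_nospam_ip_key( $ip );
		// Each new hit also restarts the expiry, so the window slides.
		set_transient( $key, (int) get_transient( $key ) + 1, SE_NOSPAM_WINDOW );
	}
}

// Priority 5: runs before the nonce check (priority 10) and rejects
// addresses that already failed too often inside the window.
function se_nospam_reject_repeat_offenders( $login, $email, $errors ) {
	$ip = se_nospam_client_ip();
	if ( '' !== $ip && (int) get_transient( se_nospam_ip_key( $ip ) ) >= SE_NOSPAM_MAX_HITS ) {
		wp_die( 'Too many failed registration attempts. Try again later.', '', array( 'response' => 429 ) );
	}
}
add_action( 'register_post', 'se_nospam_reject_repeat_offenders', 5, 3 );
```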

Note that this can also be effective on embedded forms like registration forms added with widgets or shortcodes, as the form field for spam check will be added with JavaScript there too.

That is it for this tutorial. I hope it helps you as it helped me, and if there are any improvements, suggestions or ideas to implement, please feel free to discuss them in the comments below.

Thank you!

How to add a captcha to bbPress Messages plugin

Hello World,

So in this basic tutorial I am going to talk about how you can implement a spam quiz (known as a Captcha) in your WordPress installation.

As the title says, you’ll be required to use bbPress Messages v. 0.2.2 or greater. For the lite version, I am going to make an update very shortly, and you’ll be able to implement and complete this process on your lite plugin as well.

Using reCaptcha for bbPress Messages WordPress Plugin addon:


I have spent a couple of hours making a simple plugin to add and enable Google reCaptcha anti-spam in your bbPress Messages plugin. It is available for download on GitHub, make sure to check

Working your own script:

First things first, let’s talk a little about captchas:

A Captcha can be used to ignore and kill some (if not all) robot requests to your scripts. With WordPress, it’s a common issue that spam users sign up and sign in to your website, and from there make requests that are limited to logged-in users, now that they are logged in.

Beating these malware bots can be real trouble, especially when you are on shared hosting or run a server with limited resources. Spam can eat up your bandwidth, get you in trouble with your host, and make you pay more money for the resources.

Implementing a Captcha in bbPress Messages:

bbPress Messages WordPress plugin is very easy to extend, you can just read the core files to find any hook you need then hook into it. That is what we are going to do to add a spam check tool for specific user roles.

bbPress Messages already uses WordPress nonces which can be handy most of the time.

You can use image Captchas (text written on an image), but those can be beaten easily nowadays, since there are hundreds of anti-captcha scripts, APIs and OCR providers, so they may not work most of the time.

In the following example we will be using a simple test, where we tell our user to calculate something and do the math.

“What’s 9+10?” – let’s try to use the word plus instead of the symbol. Bots may find workarounds to solve that one, but by providing words and hints you make it harder for them to solve the test.

User roles:

If you want to show the spam test to only one or specific roles, add or remove those roles in the following function in the 11th line:

Good. Now we know when to add the spam test and validate the answer provided by the user before sending a message.

Embed fields into form:

Now we will add the fields for the spam check into the conversation input form. Remember, you can go for any quiz you want, just name it and validate the client provided solution (we’ll talk about this later) as you go.

We will hook into ‘bbpm_conversation_form_additional_fields’ tag which puts fields within the form:

Now we can see that the field is added to the form:

[Screenshot: bbPress Messages spam check form preview]

Awesome! Now let’s talk about the validation.

Validating the solution:

This is the last part where we will be verifying the form data to get our spam test user input. We’ll then see if the answer is correct or not, then allow sending if everything’s good.

I am not going to explain the code line by line because it depends on the type of quiz you implement. For this tutorial the user input is stored in an input named


and the form has a POST method so the way of getting the value is through


and there we validate the answer.

We’ll hook into ‘bbpm_bail_sending_message’ this time to filter whether to bail sending the current message or not. When the captcha answer is wrong then we bail:

As we bail sending, an error is added to the front-end user interface telling the user that something went wrong, which means the spam quiz was not completed successfully.
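The three steps above (role check, form field, validation) in one piece, as an added example that is not the author's gist. Assumptions: 'bbpm_conversation_form_additional_fields' fires as an action with no arguments, 'bbpm_bail_sending_message' is a filter passing one boolean, and the role list, the field name se_quiz_answer and the transient key are made up for illustration. It goes slightly beyond the fixed "9 plus 10" question by randomizing the operands and keeping the expected answer server-side for a single attempt.

```php
<?php
// Added example: hook signatures, role list and field name are assumptions.

// Only these roles have to solve the quiz.
function se_quiz_required_for_current_user() {
	$roles = array( 'subscriber', 'bbp_participant' );
	$user  = wp_get_current_user();
	return (bool) array_intersect( $roles, (array) $user->roles );
}

// Print the question in words; the expected answer never reaches the page.
function se_quiz_render_field() {
	if ( ! se_quiz_required_for_current_user() ) {
		return;
	}
	$words = array( 1 => 'one', 'two', 'three', 'four', 'five', 'six', 'seven', 'eight', 'nine', 'ten' );
	$a     = wp_rand( 1, 10 );
	$b     = wp_rand( 1, 10 );
	set_transient( 'se_quiz_' . get_current_user_id(), $a + $b, 10 * MINUTE_IN_SECONDS );
	printf(
		'<p><label>%s <input type="text" name="se_quiz_answer" autocomplete="off" /></label></p>',
		esc_html( sprintf( 'What is %s plus %s?', $words[ $a ], $words[ $b ] ) )
	);
}
add_action( 'bbpm_conversation_form_additional_fields', 'se_quiz_render_field' );

// Return true to bail (block sending) when the answer is missing or wrong.
function se_quiz_validate( $bail ) {
	if ( $bail || ! se_quiz_required_for_current_user() ) {
		return $bail;
	}
	$key      = 'se_quiz_' . get_current_user_id();
	$expected = get_transient( $key );
	delete_transient( $key ); // one attempt per rendered question
	$raw   = isset( $_POST['se_quiz_answer'] ) ? wp_unslash( $_POST['se_quiz_answer'] ) : '';
	$given = is_string( $raw ) ? trim( $raw ) : '';
	if ( false === $expected || ! preg_match( '/^\d{1,2}$/', $given ) ) {
		return true; // expired, never issued, or not a small number
	}
	return (int) $given !== (int) $expected;
}
add_filter( 'bbpm_bail_sending_message', 'se_quiz_validate' );
```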

To conclude, I have put the full code into a Github gist and you can add it to your child theme’s functions file in order for this process to work, after making your modifications:

I have fully tested it and it works great on my installations. If anything went wrong or you need help with your code, feel free to discuss below ( no wonder how much spam would this topic attract ;~) )

© 2017 Samuel Elh - Powered by WordPress, DigitalOcean & NameCheap
