“There’s nothing in your spam queue at the moment” is a magic phrase when it’s about moderating comments of a WordPress blog.
The plugin Akismet offers some protection against spam, however it’s never been as efficient as I wish it could be. Though I activated the option “Silently discard the worst and most pervasive spam so I never see it.”, there was always ridiculously obvious spams in the moderation queue.
I started looking for ways to add Google reCaptcha to the blog’s comment form after I noticed that there wasn’t spam from the contact form reaching my mailbox, it happened after I started to use Google’s reCaptcha. I know there are plugins to do it, but I decided to take the challenge to find a solution.
The mu-plugin resulting from this challenge is available in this Github repository: WP Google reCaptcha for comments.
This solution works against spam bots, because it checks catpcha’s response after the comment form is submitted, and it relies on the efficiency of Google reCaptcha. Since January 11, when I last cleared the spam queue, my dashboard continues displaying the message I highlighted in the image above that says no spam.
How to install
Upload the files to the folder
wp-content/mu-plugins and edit your
.htaccess to include the following lines:
<IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^wp-comments-post\.php$ wp-content/mu-plugins/tps-google-recatpcha/wp-comments-post.php [NC,L] </IfModule>
It’s the RewriteRule that redirects the processing of the comment to the mu-plugin’s file
tps-google-recatpcha/wp-comments-post.php instead of the default WordPress’ /wp-comments-post.php located in the root directory of WordPress.
How it works
When a comment is submitted without a valid reCaptcha response, the mu-plugin redirects back to the post URL without allowing WordPress to be aware about the new comment, because it starts processing comments in the function
wp_handle_comment_submission(). On the other hand the mu-plugin handles the new comment to WordPress when reCaptcha is solved correctly.
ReCaptcha is not included when a user is logged in the website. And the mu-plugin uses a validation with jQuery Validate to keep people from sending a comment without solving the reCaptcha.