Over the last few weeks, I started receiving support requests from users having a problem with unsolicited Ad postings, e.g. spam submissions.
At first, these were just a few sites, and it always turned out that there was some page with the [adverts_add] shortcode available to anyone (including spambots), so I helped the users secure the page. But the number of similar requests started to grow. Some users even claimed their websites were hacked, but in the end it always turned out that this was “only” an unsecured page with the [adverts_add] shortcode.
Since version 1.0, WPAdverts has had a 3-step Ad publication system (Form -> Preview -> Publish), and this was enough to stop the spambots: the bots went to the preview only and never “clicked” the “Publish Listing” button, so the 3-step system worked as a simple yet effective anti-spam system.
This year it looks like the spambots became smarter and can now get past it, so the arms race continues: spambot creators make their bots able to complete complex forms, and site creators need to think of more effective ways to prevent spam.
3 New Features To Prevent SPAM
This release focuses on 3 new features that will help you eliminate spam without installing a captcha integration.
One important note here. The first two features are enabled by default in the [adverts_add] shortcode and in the Contact Form submission form. To make sure everything is working smoothly after the update, it is a good idea to submit one new Ad and send one message via the contact form.
This technique adds a new field to the form but hides the field from the user (via CSS), so the user cannot see it or fill it in, while a bot reading the page HTML source will find and fill the honeypot field. When the field is filled, WPAdverts knows that only a bot could have filled it and stops the submission.
By default, the field is named website_address as the bots love entering URLs (hoping they will be shown on the website), but to make it harder for them you can customize the Honeypot field name and title from wp-admin / Classifieds / Options / Core / Spam panel.
This method inserts a hidden input into the form and fills the field value with the encrypted current date and time. On submission, WPAdverts decodes it and compares the value to the current date and time.
If the difference is smaller than 5 seconds, the submission is denied, as it is extremely unlikely that a person can load the page, fill in the form and submit it within 5 seconds.
That being said, if you have some special case where the time could be shorter, you can adjust this value in the wp-admin / Classifieds / Options / Core / Spam panel.
A user filling in the form too fast will see an error message like the one in the image below.
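The honeypot and timestamp checks described above, as an added example in plain PHP (not WPAdverts code). It signs the timestamp with an HMAC instead of encrypting it, so a bot cannot forge an older timestamp; `SECRET_KEY`, the `form_token` field name and the one-hour expiry are assumptions, while `website_address` and the 5-second threshold come from the post.

```php
<?php
// Added example, not WPAdverts code. SECRET_KEY and the "form_token" field
// name are hypothetical; "website_address" is the default honeypot name.
const SECRET_KEY  = 'replace-with-a-long-random-server-side-secret';
const MIN_SECONDS = 5;     // threshold described in the post
const MAX_SECONDS = 3600;  // assumption: reject stale tokens to limit replay

// Issue a token when the form is rendered: "<timestamp>.<hmac>".
function issue_form_token(int $now): string {
    return $now . '.' . hash_hmac('sha256', (string) $now, SECRET_KEY);
}

// Returns null when the submission passes, or the reason it is rejected.
function check_submission(array $post, int $now): ?string {
    // Honeypot: real users never see this field, so any value means a bot.
    if (trim((string) ($post['website_address'] ?? '')) !== '') {
        return 'honeypot field was filled';
    }
    $parts = explode('.', (string) ($post['form_token'] ?? ''), 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'timestamp token missing or malformed';
    }
    [$issued, $mac] = $parts;
    $expected = hash_hmac('sha256', $issued, SECRET_KEY);
    // Constant-time comparison of the expected and submitted MAC.
    if (!hash_equals($expected, $mac)) {
        return 'timestamp token was tampered with';
    }
    $elapsed = $now - (int) $issued;
    if ($elapsed < MIN_SECONDS) {
        return 'form submitted too fast';
    }
    if ($elapsed > MAX_SECONDS) {
        return 'form token expired';
    }
    return null;
}

// Constructed sample submissions.
$t0    = 1700000000;
$token = issue_form_token($t0);
$cases = [
    'human after 42s'  => [['website_address' => '', 'form_token' => $token], $t0 + 42],
    'bot after 1s'     => [['website_address' => '', 'form_token' => $token], $t0 + 1],
    'bot fills URL'    => [['website_address' => 'http://spam.example', 'form_token' => $token], $t0 + 42],
    'forged timestamp' => [['website_address' => '', 'form_token' => ($t0 - 60) . '.' . substr($token, 11)], $t0 + 1],
];
foreach ($cases as $name => [$post, $now]) {
    echo $name, ': ', check_submission($post, $now) ?? 'accepted', PHP_EOL;
}
```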
The above two features are enabled by default; this one requires some configuration and fine-tuning to your needs.
Go to the wp-admin / Classifieds / Options / Core / Spam panel, where you will see the form shown in the screenshot below.
The first field “Max. Links In The Content” allows you to enter the maximum number of links the user can enter in the description field (and in the contact message). Bots like to post multiple links at once so probably a value of 3 or 4 will catch quite a lot of spam.
The “Blacklisted Phrases” field is basically a list of phrases that will prevent a user from posting an Ad if he uses a blacklisted phrase in the content. There is a great list of common spam phrases created by Jeff Starr from Perishable Press, but I am not prefilling the “Blacklisted Phrases” field, as we do have customers in adult and gambling niches and the list could prevent their customers from posting ads.
One tip I can give you is to add [/url] to the blacklisted phrases, as many spambots try to post BBCode-formatted URLs and this will instantly stop them.
Now, if a real user enters too many links or uses spam words, he will see an error message and will be able to correct his text. Technically, a spambot will be able to do that as well, but I think we are still far away from the day when spambots will be able to read and understand the error messages.
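The link limit and phrase blacklist described above, as an added example in plain PHP (not WPAdverts code). The function names, the sample phrase list and the sample texts are constructed for illustration, with `[/url]` taken from the tip above.

```php
<?php
// Added example, not WPAdverts code. Function names are hypothetical.

// Count every http(s):// or www. occurrence, so bare URLs, HTML anchors
// and BBCode [url] tags are all counted.
function count_links(string $text): int {
    return (int) preg_match_all('~https?://\S+|\bwww\.\S+~i', $text);
}

// Return the first blacklisted phrase found in $text, or null. Matching is
// case-insensitive and collapses whitespace runs so "Cheap   PILLS" matches.
function find_blacklisted(string $text, array $phrases): ?string {
    $haystack = (string) preg_replace('/\s+/', ' ', $text);
    foreach ($phrases as $phrase) {
        $needle = trim($phrase);
        if ($needle !== '' && stripos($haystack, $needle) !== false) {
            return $needle;
        }
    }
    return null;
}

// Collect error messages so the user can correct the text and resubmit.
function check_content(string $text, int $maxLinks, array $phrases): array {
    $errors = [];
    $links  = count_links($text);
    if ($links > $maxLinks) {
        $errors[] = "too many links ($links, maximum is $maxLinks)";
    }
    $hit = find_blacklisted($text, $phrases);
    if ($hit !== null) {
        $errors[] = "blacklisted phrase: $hit";
    }
    return $errors;
}

// Constructed settings and sample ad descriptions.
$maxLinks = 3;
$phrases  = ['[/url]', 'cheap pills'];
$samples  = [
    'Mountain bike, barely used. Photos at https://example.org/bike',
    '[url=http://a.example]x[/url] [url=http://b.example]y[/url]',
    'CHEAP   Pills http://a.example http://b.example www.c.example http://d.example',
];
foreach ($samples as $text) {
    $errors = check_content($text, $maxLinks, $phrases);
    echo $errors ? implode('; ', $errors) : 'accepted', ' <= ', $text, PHP_EOL;
}
```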
Anything else I can do to fight the SPAM?
Secure the wp-login.php page
First and most important of all is to check whether you are allowing users to register via the default WordPress registration form (the one on wp-login.php). You do that by checking if the “Anyone can register” option in the wp-admin / Settings / General panel is checked.
If it is, then consider securing the registration page somehow. The most common method would be to use some captcha plugin; you can find quite a lot of them in the WordPress Plugins directory.
Consider a website firewall
There are services that will discard spam requests before they even reach your site. One that works well, and that I use on one of my sites, is Sucuri.net; unfortunately, it is quite expensive. An alternative is the free WordFence plugin, but I do not use it personally, so I cannot tell if it stops the WPAdverts spam. Maybe someone using both WordFence and WPAdverts on a site can comment on that?
One more option is to use a hosting company that comes with some kind of protection built in. For example, I am using SiteGround to host my sites, including the WPAdverts demo, and the demo site has not received a single spam submission so far.
Sure, SiteGround is a bit more expensive than other hosts, but if you consider the additional features it adds and the WP support, I think this is the best WordPress hosting, at least in terms of features & performance/price ratio.
Moving on …
Click To Reveal Phone Number
This is another new feature in WPAdverts, it is loosely related to spam and security. Personally, I do not think spammers are actively scanning the websites for phone numbers (since there are other ways to get them), but we had some demand for this functionality so here it is.
Anyway, in version 1.5.5 you can go to wp-admin / Classifieds / Options / Contact Form panel and check the “User needs to click a link to reveal a phone number” checkbox.
Once you do that, the phone number should display on the Ad details pages as in the image below.
We have a dedicated article in our docs that covers classifieds spam submissions. After the 1.5.5 release it needs an update, but generally the idea is that this will be a go-to article for solving all your spam-related problems.
One thing that I forgot to mention is that if you are already using our reCAPTCHA integration, then you might not even be aware of the spam problem, as (at least as far as I know) the integration was 100% successful in stopping the automated spam entries.
Finally, I promised earlier an update on WPAdverts 2.0. Unfortunately, the problem with spam entries came up and I needed to focus on that, but I am hoping the update on the 2.0 version will be available soon.