Plugin Review – Spam Free WordPress

Update 7/31/2013—The following review is of an older version of the plugin. As of the newer 2.0 branch, many of the issues below have been resolved.

A friend of mine directed me to a new spam fighting plugin via a retweet today.

I’m always on the lookout for cool new software, and as I highly respect my friend’s opinion, I had to take a look.  Two things about the plugin download page immediately raised some red flags, so I wrote the plugin off and said so on Twitter.  The immediate response: that I was too quick to judge.

So here’s my full review of the plugin.

License

Refreshingly, the plugin itself is licensed under version 3 of the GPL (which is a requirement to live in the WordPress.org repository). However, there is a somewhat confusing IP disclaimer at the top of the plugin file:

Intellectual Property rights reserved by Todd Lahman, LLC as allowed by law include, but are not limited to, the working concept, function, and behavior of this plugin, the logical code structure and expression as written. All WordPress functions, objects, and related items, remain the property of WordPress under GPLv2 (or later), and any WordPress core functions and objects in this plugin operate under the GPLv2 (or later) license.

While I am not a lawyer, this doesn’t appear to me to violate the GPL, as the GPL still requires a copyright notice to accompany any re-release of licensed software. It does, however, go above and beyond what is normally seen in plugins.

Readme

The readme file is what threw up my original red flags.

First of all, the plugin makes some truly interesting claims:

  1. Automatically blocks 100% of automated comment spam
  2. Local IP address blocklist for manual spam
  3. Almost zero database load under the heaviest spam conditions.
  4. Zero false positives

I use Akismet for most of my sites, which is also free. Akismet uses algorithms that help it automatically learn from its mistakes, meaning every false positive (or false negative) helps to make the system smarter. Also, it runs on WordPress.com, meaning there are literally millions of data points available to help refine the spam catching system.

But even Akismet can’t guarantee 100% efficacy.  Nor can Akismet claim zero false-positives.

In my experience, when something sounds too good to be true, it probably is.

The more outrageous claim, though, is that the plugin has been tested up to WordPress 3.7.  For those keeping score at home, at the time of this writing, WordPress 3.6 is still in beta and 3.7 hasn’t even been scoped for development yet.

Compatibility

While the plugin might overstate its compatibility with WordPress, it does go to great lengths to be compatible with everything else on your site.  The plugin disables certain additions by Jetpack that override your comments. It also has hooks set up for several major themes’ comment areas so there’s a minimal amount of configuration needed on your part.

A cursory glance at the codebase shows explicit support for:

  • Suffusion
  • Genesis
  • Graphene
  • Thesis
  • Thematic

Internationalization

If you’re a native English speaker, and your WordPress backend is in English, then you won’t notice any problems. If, on the other hand, you administer your site in a language other than English (or want to use this plugin on a non-English client site), then you’ll be in for a surprise.

The plugin itself advertises language support for:

  • English
  • German (de_DE)
  • Italian (it_IT)
  • French (fr_FR)
  • Hebrew (he_IL)
  • Japanese (ja)
  • Chinese (zh_CN)
  • Hong Kong (zh_HK)
  • Taiwan (zh_TW)
  • Swedish (Svenska, sv_SE)
  • Norwegian (norsk)

While these translations exist, and a large portion of the codebase uses WordPress’ built-in translation functions, a significant amount of UI code does not.

For example, certain parts of error messages are translated while others are not. Let’s say someone with a blocked IP address submits a comment. They will see an error message in the site’s I18N language equivalent to “Comment blocked by Spam Free WordPress because your IP address is in the local blocklist, or you forgot to type a comment.”

But the title of the error page – “Spam Blocked by Spam Free WordPress local blocklist” – will not be translated.

Certain options on the plugin’s settings pages are also not translated, as are portions of the plugin’s built-in comments template. This is an oversight that will affect both the back end and the front end.

Security

The plugin makes fantastic use of nonces to secure its various actions.

When direct database calls are used, everything is properly sanitized and escaped. The funny thing is that even hard-coded data is run through $wpdb->prepare, which is unnecessary. This is probably a holdover from a version where that data came from user input, though, and it doesn’t cause any issues.

Broken Functionality

This is the biggest bone I have to pick with the plugin. Huge swaths of functionality are disabled unless you enter an API key.  This includes:

  • The local spam IP blocklist
  • The option to customize the comment form message
  • Local cron jobs to clean the database

None of these features requires a remote connection, but they’re crippled in the plugin unless you validate an API key against the author’s server. For the record, this is explicitly against the WordPress.org repository guidelines:

All code hosted by WordPress.org servers must be free and fully-functional.

The only part of the plugin that requires remote access is the part that actually validates the API key. Comments are not validated against an external API or blocklist at all, and no web services are involved to enhance the functionality of the plugin.

Conclusions

This is not a plugin I could ever recommend using on your site.

If you already have it installed and love the functionality, feel free to keep on trucking. But the fact that the plugin requires you to dial in to an external server for no other reason than that the author wants to know who installed the software and where is an even bigger flag in my book than overstated efficacy or overconfident compatibility claims.

With this said, what do you look for in a plugin as a solid go/no-go for making a recommendation? What other features would you like to see covered in a review before making a decision one way or the other?

Comments

  1. says

    Love this review, thanks for quoting me also =).

    To be honest, I wasn’t even thinking of half the things you mentioned. I just needed a working spam solution and Akismet wasn’t cutting it. I just kept getting spam comments coming through as well as constant pingbacks!

    I tried a few different plugins to get it to stop, including adding a captcha field to the comments, then switching to Disqus, then adding Akismet, etc., and it still wasn’t working.

    I don’t know what this plugin does/did different but it worked, though the whole license thing was incredibly annoying. If there are other recommendations, I’d love to hear about ‘em.

    • says

      For merely blocking bots (automated spam), a solid solution is to use a honeypot. I’ll write up a tutorial about the approaches I like best, but basically it’s a two-pronged approach:

      1. Make two email inputs, but hide one either through CSS or JS. The bot will still see it and fill it out. On the server, if the invisible one is filled in, reject the comment.
      2. Add a hidden input containing the UNIX timestamp the form was generated. Check this against the current time on the server when the form was submitted. If it’s been less than ~3 seconds, then it’s likely not a human who submitted the form.

      Honeypots, paired with a contextual (smart) scanning tool like Akismet, should keep you almost entirely spam free.
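
The two server-side checks described in the reply above, as an added example that is not part of the original post or the plugin. It goes slightly beyond the reply by signing the hidden timestamp with an HMAC, so a bot cannot defeat the timing check by submitting a back-dated value; the secret, field names and sample submissions are constructed assumptions (a real WordPress plugin would use wp_salt() or the nonce API for the secret).

```php
<?php
// Added example (not from the post or the plugin): server-side validation for
// a CSS-hidden "second email" honeypot and a signed form-generation timestamp.
// HONEYPOT_SECRET is a placeholder; in WordPress you would derive it from wp_salt().

const HONEYPOT_SECRET      = 'replace-with-a-long-random-secret'; // placeholder
const MIN_FILL_SECONDS     = 3;    // submissions faster than this are treated as bots
const MAX_FORM_AGE_SECONDS = 3600; // stale forms are rejected as well

// Markup for the hidden fields, emitted when the comment form is rendered.
// The timestamp is signed so the client cannot change it without detection.
function honeypot_fields(int $now): string {
    $sig = hash_hmac('sha256', (string) $now, HONEYPOT_SECRET);
    return '<input type="text" name="email_confirm" value="" class="hp-hidden" tabindex="-1" autocomplete="off">' . "\n"
         . '<input type="hidden" name="form_ts" value="' . $now . '">' . "\n"
         . '<input type="hidden" name="form_sig" value="' . $sig . '">';
}

// Returns null when the submission looks human, otherwise a short reason code
// that can be logged to see which check is catching the traffic.
function honeypot_reject_reason(array $post, int $now): ?string {
    // 1. The visually hidden second email field must stay empty.
    if (isset($post['email_confirm']) && trim((string) $post['email_confirm']) !== '') {
        return 'honeypot_filled';
    }
    // 2. The timestamp must be present, untampered, and plausibly old.
    if (!isset($post['form_ts'], $post['form_sig']) || !ctype_digit((string) $post['form_ts'])) {
        return 'timestamp_missing';
    }
    $expected = hash_hmac('sha256', (string) $post['form_ts'], HONEYPOT_SECRET);
    if (!hash_equals($expected, (string) $post['form_sig'])) {
        return 'timestamp_tampered';
    }
    $age = $now - (int) $post['form_ts'];
    if ($age < MIN_FILL_SECONDS) {
        return 'submitted_too_fast';
    }
    if ($age > MAX_FORM_AGE_SECONDS) {
        return 'form_expired';
    }
    return null;
}

// Constructed submissions: one human, three automated patterns.
$rendered_at = 1375300000; // constructed form-generation time
$sig = hash_hmac('sha256', (string) $rendered_at, HONEYPOT_SECRET);
$base = ['comment' => 'hello', 'form_ts' => $rendered_at, 'form_sig' => $sig, 'email_confirm' => ''];
$samples = [
    'human'      => [$base, $rendered_at + 45],
    'bot_fills'  => [array_merge($base, ['email_confirm' => 'bot@example.invalid']), $rendered_at + 45],
    'bot_fast'   => [$base, $rendered_at + 1],
    'bot_forged' => [array_merge($base, ['form_ts' => $rendered_at - 600]), $rendered_at + 1],
];
foreach ($samples as $label => [$post, $now]) {
    $reason = honeypot_reject_reason($post, $now);
    printf("%-11s %s\n", $label, $reason === null ? 'accepted' : 'rejected: ' . $reason);
}
```

Note that the signature only proves the timestamp was issued by your server; the minimum-age check still rejects a bot that fetches a fresh form and posts it immediately, which is the case the reply describes.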

  2. says

    Did you get a chance to look at how the plug-in detected spam? A ‘local’ analysis of a specific site’s spam & ham to calculate a probability of a given message being spam may actually perform better than a cross-site analysis a la Akismet – precisely because it could learn what is (and just as importantly, what isn’t) spam for your site.

    But even then, such claims by the plug-in are at best misguided.

    And given the free, and redundant license key you are required to ‘purchase’ – I agree – keep clear.

    • says

      There are a variety of techniques involved, including noncing the comment form and producing a limited-use-per-IP password for visitors (to prevent rapid form (re)submission by bots). Aside from a scan of the local IP block table, there isn’t any scanning going on to detect spam vs ham. So it’s not contextually based, but specifically built to prevent bots.

  3. says

    Hi Mike,

    I certainly appreciate the plugin review and your time, although it would have been better if you’d tried using the plugin to verify the claims before passing judgement in a public forum. Seeing is believing, but I see you are using Jetpack comments, so you could not try my plugin without disabling Jetpack comments.

    I have made a note of your comments, which should help improve the plugin going forward. The claim that the plugin is compatible up to 3.7 comes from my expectation that there won’t be any major changes that would cause a problem with my plugin, although I will not be using such a forward looking compatibility number in the future after seeing how it can cause confusion.

    The claim made is that 100% of AUTOMATED spam is blocked. This is a fact. Akismet FILTERS both automated and manual spam, there is a difference. Why no false positives? If you read the code you’d know that Spam Free WordPress security is based on authentication of the comment form, not filtering of comments, which is either pass or fail. If it fails the comment is blocked 100% of the time. The only way to pass the test is to manually submit spam using the comment form, and manual spam is not automated spam, so you are confusing how my plugin works, and how Akismet works. For manual spam the plugin provides an IP blocklist, which is activated with the free license key. Very few blog owners need the IP blocklist, because spammers are lazy, and it is rare to get more than a handful of manual spam in a given week for the vast majority of blogs.

    To clarify a few comments, the option to generate a comment form is not disabled, even if no API key has been entered. All the features that are considered to be part of the core function of the plugin work without the API key. The API key is only required for two items: 1. advanced plugin functions, and 2. support (because support requires a login). The API key, advanced plugin functions, and support are all provided for free. I try to only provide support on my site, because of my busy schedule.

    The quote from the WordPress plugin guidelines: “All code hosted by WordPress.org servers must be free and fully-functional.” This quote can be a bit confusing, so it is better to use an example.

    Akismet, which you mentioned using, says upon first time activation:

    “Akismet is almost ready. You must enter your Akismet API key for it to work.”

    The Akismet plugin page says:

    “PS: You’ll need an Akismet.com API key to use it.”

    The Spam Free WordPress page says:

    “P.S. Free License Key required for plugin support, and to activate advanced plugin features.”

    On the Spam Free WordPress settings page it says under the License Key section:

    “PLUGIN SUPPORT, AND ADVANCED PLUGIN FEATURES, REQUIRE A FREE LICENSE KEY.”

    Akismet is completely crippled unless a free api key is used. To get that free api key the blog owner must create an account on WordPress.com, and have their server phone home to the Akismet servers to work. This might appear to be two violations of the plugin guidelines, but neither are. First the api key is free, even though an account that provides WordPress with personal information is required to obtain it, but it’s free so it is not a violation. Second, phoning home is okay, according to the guidelines, provided the blog owner has given their permission and is aware of this activity.

    Unlike Akismet, Spam Free WordPress does not cripple the core functions of the plugin to get the blog owner to obtain an API key, only to unlock the advanced features, and to get support, as the plugin plainly states.

    I am surprised that as a WordPress core contributor, the senior web engineer at 10UP, and a WordCamp speaker who speaks about building plugins, you did not draw any comparison to the API key requirement of my plugin, to the API key requirement of Akismet, before deciding to send an email claiming my plugin violated the WordPress plugin guidelines.

    My suggestion for future reviews would be to keep an open mind, and try the plugin out in a real world environment, before passing judgement.

    • says

      Thanks for taking the time to comment here! I really do appreciate it.

      I think our definitions of “automated” spam differ quite a bit. It’s true that a good portion of automated spam comes in the form of direct POSTs to a blog; your plugin will definitely block these. But there are several forms of automated spam that come in the form of scripted bots that load the page in a browser (headless or otherwise) and actually fill out the form to trigger the postback. There is little that distinguishes these from regular comments besides the time it takes to complete the form, and the often gibberish-level content submitted. These spam comments are also “automated” but will make it past your plugin. Granted they are much more rare, but have proven to be an issue on many sites I’ve worked with.

      Yes, I use Jetpack comments on this site. But this is not the only site I run, and I never install plugins I’m testing or reviewing on my production websites. At the same time, I don’t write reviews about code I haven’t actually seen run. To review your plugin, I:

      1. Read through the WordPress.org pages (generated from the readme)
      2. Read through your separate site, which definitely had more detail
      3. Downloaded the source and walked through the code
      4. Installed it on a virtual machine running WordPress so I could see everything in context

      As for the disabled functionality, I misread a couple of parts of the settings page. On a vanilla installation, the following sections are listed with a large “THIS SECTION REQUIRES A FREE LICENSE KEY” message:

      • Spam IP Address Blacklist
      • Comment Form Message
      • Cleanup Comments

      With no additional context, I read the “comment form message” section as the same as the “generate comment form” section. My mistake, and corrected in the post.

      As for the plugin rules violation, I quoted the wrong portion of the guidelines. The section I should have referenced is on serviceware:

      “Serviceware” plugins are defined as plugins that merely act as an interface to some external third party service (eg. a video hosting site). Serviceware plugins ARE allowed in the repository, as long as the code in the plugin meets all other conditions. These are allowed even for pay services, as long as the service itself is doing something of substance. Creation of a “service” which does nothing but to provide keys or licenses or anything similar for the plugin, while the plugin does all the actual work, is prohibited. Moving arbitrary code into the service so that it can appear to do some work is also prohibited. This will be handled on a case by case basis and our judgment on any given case is final.

      None of the work your plugin does happens on a remote API. This is different from Akismet as everything Akismet does happens on Akismet’s servers. A blog receives a comment, marks it as pending, POSTs the comment data to Akismet, Akismet responds whether or not it’s spam, the comment is marked accordingly. The only part of Spam Free WordPress that requires access to a remote API is the part of the plugin that validates the API key. That by itself is a violation of the above quoted rule.

      At the same time, it’s an honest mistake. I once built a library called Elliot that I bundled with all of my plugins. It was an XML-RPC client that would post server configuration data (site URL, admin email, PHP/MySQL/WordPress versions) to one of my servers so I could keep track of compatibility information and alert users when they needed to upgrade. At the time, I was trying to make it easier to support my code so I could proactively warn users about conflicts, bugs, and upgrades while keeping support on my own site rather than wading through the forums. This tiny library broke all the rules that, at the time, I didn’t realize existed and I’ve long since removed it from all of my projects. So yes, I can see where you’re coming from in terms of support.

      But Spam Free WordPress by itself doesn’t need the API key callback. It doesn’t need to talk to the remote API at all. You could just as easily keep support on your site without the API key system – and I highly recommend that’s the direction you go. Forcing end users to sign up on your site for an API key in order to enable functionality that already exists in the plugin is not OK. That said, I will gladly help you revise the plugin to get past this hurdle and bring it in line with the WordPress.org guidelines if you want the help.

      • says

        I appreciate your offer to help bring the plugin into compliance with the WordPress.org repository guidelines. After talking with Otto I now understand the issue why a free license key without an external server service causes a violation, and also reading your own experience helped clarify this further. I do believe the serviceware section should be expanded to allow what I was doing, but that’s just my opinion, and it is WordPress.org that decides how their repository will be used.

        In the meantime, the plugin has been removed from the repository after about 450,000 downloads, and I am currently very busy so the plugin won’t be going back up until I’ve got some free time to modify a free version of the plugin that complies with the guidelines. My plugin helped a lot of folks, so I’m happy with the results, but I am also disappointed that WordPress.org pulled the plugin before giving me the opportunity to make the necessary changes. This action doesn’t appear, to me at least, to have served the WordPress.org community in a positive way. Although I bear full responsibility for not having provided a fully compliant plugin in the first place.

        • says

          Todd,
          I noticed from my broken link checker that your plugin was missing from wordpress.org. I look forward to trying out an updated version. :-)

          • says

            When a plugin is flagged as being in violation of the WordPress.org guidelines, it’s hidden from the public by the site maintainers. Once the plugin is updated and no longer in violation, it will reappear. I have every bit of confidence Todd will be able to get an updated free version pushed out soon.

    • says

      If you mean he should split the plugin into a free (hosted on WordPress.org) and premium (sold on his own website) versions, then I agree. If that’s not what you meant … then please explain.

  4. says

    RIP Spam Free WordPress, you were by far the best spam fighting plugin around. I am so incredibly sad to see you go.

    Akismet has some serious flaws IMHO. I’ve seen spam get through due to downed servers many times, I haven’t used it for many years but had problems with WP as well as vbulletin when I did.

    I just moved 5 WP sites from one server to another by hand and cleared 20mb of akismet commentmeta from each one. I think there were some housekeeping issues with older versions but I just don’t want to use it anymore…

    Thanks for the article Eric (I think) …

    • says

      You can likely still get the plugin from the author directly. Just not from the WordPress.org repository – yet. Todd has stated that he will eventually be able to bring the plugin back into alignment with the .org guidelines so you can grab it from there as well.

  5. says

    I used Spam Free WordPress on all of my sites and loved it. Going forward, what plugin would you recommend to use on new sites? I am looking for a free solution that is easy to setup/maintain.

    • says

      I would recommend that you keep using what already works. If the plugin works for you, you can keep using it even if it’s no longer in the WordPress.org repository.

      Alternatively, I’ve also taken the time to write up a tutorial on a couple of non-captcha, self-contained ways you can secure your comment and contact forms.

  6. Greg says

    Gee. Spam Free WordPress was great. I have it on several sites and just noticed a lot of spam on one that isn’t even strictly live yet. Went to add the plugin and was confused that it wasn’t showing up in the repository. Finally found this page on the net.
    I’ll end up FTPing it down from one of the other sites and back up to the spammed one.

    A real pain in the neck and trouble I wouldn’t go through if I didn’t find the tool so useful.

    • says

      If the plugin works for you, then by all means you should use it. But until it comes back into compliance with the WordPress.org repository guidelines, it won’t be publicly listed there.

      Since your site still isn’t live yet, you might want to consider adding some proactive honeypot techniques to your entry forms. They’ll be nearly as effective as any plugin that blocks automated spam, but they’ll also be built in to your site from the beginning.

      • Greg says

        Yep. I have used honeypots in the past and they do work well. The downside is you have to code them and, whilst I do enjoy writing a website from the ground up, adding a plugin is a more productive use of my time.

        I like the server timestamp idea. It’s obvious now that you’ve mentioned it but it wasn’t beforehand. Thank you.

        Obviously the plugin needs to meet the guidelines to get into the repository. I was annoyed when the version came out that required registration; but relieved that it didn’t cost anything. I haven’t read through his code as you have for the review but if all it does is “phone home” it would have been better if he’d left it out. I find the plugin more useful than the annoyance. It was less annoying, slightly, when I realized I was allowed to use the same key on all sites and didn’t need to register each individually.

        I hope he makes the needed changes to get the plugin back into the repository. I find it very useful and miss it. It must also be frustrating for Todd to have to make changes to something he’s giving away for free so that he can continue to get nothing from it. Just to present the other side.

        Akismet seems fine but I don’t use it because I need to pay for commercial use. Cost isn’t a concern if you have a big, successful site; but it takes a while to get there and I’d rather not run at a loss in the meantime. It’s probably cheap but I tuned out and removed it as soon as it seemed I might violate the terms.

  7. says

    Looks like Todd released Simple Comments, a paid plugin, via his website and just published the new, license-free, Spam Free WordPress to the repository.

    Very glad to see it back there. I hope that Spam Free Comments also does well for the author.

  8. says

    Wow, I’m wondering if you are going to post an update or make a new post about this after the changes because this review was quite rough and now quite a lot of it including the whole section on Broken Functionality seems incorrect. I see the plugin is back up so the violations must have been cleared.

    If you still don’t like this one, do you have any plugins to recommend besides Akismet for this purpose? I don’t want to have to check through the spam messages looking for false positives if possible. I make it a point to check my site periodically for only the reason of not letting my spam build up to a ton of pages. I have a low traffic hobby site and feel that is a bit annoying. Also, I do a fair bit of programming, but I am making it a point not to do any custom work on my site, besides theme, to keep things easier for maintenance and backup, possible migration, etc.

  9. says

    Eric, you bothered to read the code (I am too lazy to do that) but you forgot to mention how exactly this plugin works. One of the plugin screenshots showing that the plugin catches 100% spam does not explain anything. The principle is not mentioned in the Plugin Directory nor on the author’s page. I’ve tried to google this information but I just found something about captcha-like passwords.

    This information is more interesting than some other not really useful stuff about license and internationalization, which is mentioned in the post. I read everywhere how awesome this plugin is but clearly nobody has a clue how it works.

    • says

      Yes, I did read through the codebase. The techniques used for spam blocking vary, but include an IP blocklist and setting nonces in the comment form. My review was more to call out areas for improvement with the plugin rather than to explain the intricacies of how it works. If you want that kind of information, I recommend you go to the code.

  10. says

    That’s what I wanted to know, thanks.

    Well, I think that the description of the plugin also needs to be improved. It is basically a black box from users’ point of view. They don’t know what exactly it is doing and thus can’t be sure if it is really suitable for them.

    Todd, if you are still monitoring this discussion, please add this information to readme.txt.
