We’ve all had this problem. A group of spammers from mail.ru are registering to your blog, but you want to keep registration open. How do you kill the spammers without bothering your clientele? While you could edit your functions.php and block the domain, once you get past a few bad eggs, you have to escalate.
Ban Hammer does that for you, preventing unwanted users from registering.
Instead of using its own database table, Ban Hammer pulls from your list of blacklisted emails from the Comment Blacklist feature, native to WordPress. Since emails never equal IP addresses, it simply skips over and ignores them. This means you only have ONE place to update and maintain your blacklist. When a blacklisted user attempts to register, they get a customizable message that they cannot register.
In addition, Ban Hammer has built in support for StopForumSpam.com which can be turned on or off as desired.
Download
Latest version: Download Ban Hammer v1.7 [zip]
Installation
- Unpack the zip file and extract the
/ban-hammer/folder and the files. - Using an FTP program, upload the full
/ban-hammer/folder to your WordPress plugins directory (Example:/wp-content/plugins/). - Go to Plugins > Installed and activate the plugin.
- Go to Tools > Ban Hammer to customize the error message (and banned emails, but it’s the same list from your comment moderation so…).
FAQ
Q. If I change the blacklist via Ban Hammer, will it change the Comment Blacklist?
A. Yes! They are the exact same list, they use the same fields and they update the same data. The only reason I put it there was I felt having an all-in-one place to get the data would be better.
Q. Does this list the rejected registers?
A. No. Since WordPress doesn’t list rejected comments (your blacklist goes to a blackhole), I didn’t bother with trying to do that here. If enough people think it’s a need, I may consider it.
Q. It breaks when I turn on StopForumSpam checking. Why?
A. At a guess, you don’t have cURL support. You may need to check with your webhost about that. If they do have cURL setup, share the error with me and I’ll try to debug!
Q. Will you add other spam lists?
A. Sure. Or at least I’ll try. I’m not a genius so I may need help with APIs and the right PHP calls.
Q. Does this work on MultiSite?
A. No, and it’s not supported. It won’t even run. No, I have no plans to MultiSite this.
Q. Does this work on BuddyPress?
A. Yes, yes it does. But only single site.
Q. Why doesn’t this work AT ALL on my site!?
A. I’m not sure. I’ve gotten a handful of reports from people where it’s not working, and for the life of me, I’m stumped. So far, it looks like Zend and/or eAccelerator aren’t agreeing with this. If it’s failing, please post on the wp.org forums with your server specs (PHP info, server type, etc) and any plugins you’re running.
Changelog
1.7
- 24 April, 2012 by Ipstenu
- Proper uninstallation.
1.6.1
- 17 April, 2012 by Ipstenu
- Cleanup. Nothing major here, just documentation and all.
1.6
- 05 August, 2011 by Ipstenu
- Internationalization.
1.5.2
- 09 March, 2011 by Ipstenu
- Bugfix. Typo made it NOT enableable.
1.5
- 08 March, 2011 by Ipstenu
- Allows for deletion of spammers from the User List (credit mario_7)
- Added optional functionality to show spammer status on the normal users list.
- Moved Ban Hammer Users to the USERS menu (now called ‘Ban Hammered’)
- Works on BuddyPress!
1.4
- 16 August, 2010 by Ipstenu
- Checks for presence of the cURL extension. If not found, the option to use StopForumSpam is removed. (using http://cleverwp.com/function-curl-php-extension-loaded/ as recommended by kmaisch )
1.3
- 08 July, 2010 by Ipstenu
- Pulling out the WPMU stuff that’s never going to happen now that it’s MultiSite and doesn’t work.
1.2
- 08 November, 2009 by Ipstenu
- This lists all users marked by StopForumSpam as spammers, if you’re using that option (and not if not). (Thanks to obruchez for the suggestion!).
1.1
- 03 May, 2009 by Ipstenu
- Subversion before coffee = BAD.
1.0
- 03 May, 2009 by Ipstenu
- First public version.
0.3
- 30 March, 2009 by Ipstenu
- The error message is customizable.
- Added support for StopForumSpam.com
- Added in checkbox to use StopForumSpam (default to NO).
- Cleans up after itself on deactivation (deletes the banhammer_foo values from the wp_options table because I HATE when plugins leave themselves).
0.2
- 29 March, 2009 by Ipstenu
- Shifted to use the WordPress comment blacklist as source. This was pretty much an 80% re-write from NDE’s basis, keeping only the basic check at registration code.
0.1
- 28 March, 2009 by Ipstenu
- First release using No Disposable Email’s .dat file as a source.
Screenshots
-
Default Error message
-
Admin screen
-
Ban Hammer Users
-
Users Menu, with Spammer Flag on
-
BuddyPress Error message
I don’t have registrations open, but I would love something like this for comments. 99% of my spam comes from web hosts, not real people.
You may want to look at AVH First Defense Against Spam, which can handle a lot of that (though not on MultiSite anymore than mine works on MultiSite).
Personally I have a lot of success with Bad Behavior which works great
Since I get a lot of valid traffic from India and Bad Behavior always flags them as false positives, I don’t use that.
I tried AVH First Defense, but it stopped working for me. I have one multi-site domain but it started having issues before I upgraded to it.
I tried to write a plugin that would override the comments blacklist settings, making it a true blacklist, but all I ended up getting when I tested it was a white screen of death.
In my opinion, if I’m running Akismet, the comment blacklist as-is is about useless.
I would report that behavior about … Bad Behavior. The only time I caught false positives was with IE 5 and older, crappier, browsers.
MultiSite is a little (okay a lot) more complicated than Single, which is why Ban Hammer doesn’t work on it. Also it’s SUPPOSED to have a registration Blacklist, but that’s a known issue and related to other things, like BuddyPress, in my case.
Why? I mean, Akismet is not meant to be the be-all/end-all, any more than Ban Hammer and the built in blacklist are. Simply, they are SOME tools that will help. Akismet will (eventually) learn someone is spam, and until it does, the blacklist (or the mod list) will let you stop them from trashing your site until they do. There’s a reason the blacklist sticks around
It does work. It’s just not the prettiest thing and, personally, I want a white list!
Almost all of my spam comes from people/bots with the following pattern:
1) Email domain is “mail15.com”.
2) The address looks valid, like “johnsmith@…” but the name associated with it is completely different, like “Samantha Moore” for a johnsmith@ address.
If I can blacklist mail15.com from even registering, I would eliminate virtually all of my blog comment spam.
I’m also disturbed that WordPress doesn’t simply send me an email for new registrations so that I can spam/trash the registration – before the new user gets to post a spam comment. Right now I’m forced to manually delete the spam and delete the bogus user.
Can Ban Hammer help with this? am I missing a built-in management function? Any other recommended plugins?
Thanks!
YES, Ban Hammer should be able to help you. Just put @mail15.com in your black list and it will stop them from being able to register. If, for some reason, Ban Hammer isn’t working (I’ve run into a couple weird places where it doesn’t like ZEND optomizer), you can use this snippit Otto made that I call Ban Whack a Mole. It works great for one domain
To help slow them down some, I would suggest you do what I do. Make all first time comments require approval. That catches most of my spammers and, more common for me, my trolls. That and always use Akismet. It really does help.
By the way, WordPress should be emailing you when new users register. I don’t have a single-site with open registration, but I seem to recall getting emailed every time someone registered back when I did. On MultiSite you have the option to turn it off (under Super Admin -> Options there’s ‘Send the network admin an email notification every time someone registers a site or user account.’)
WordPress does email me on a new registration. I get that email simultaneously with the email that a comment has been posted to any of my postings. Of course the comments aren’t public. I can spam or trash the comments but this is a manual operation after I go to WP admin. I can then search for and manually delete the offending user. This is all just a waste of my time. I’ll take Ban Hammer for a spin and post back with a comment the next time some event reminds me about it.
Apropos of none of this, Ban Hammer got an upgrade this morning. Version 1.4 now checks for cURL and, if it doesn’t exist, won’t let you use StopForumSpam. So there’s that. Look for it as soon as the SVN repo catches up.
Hey, I just wrote a post here, and got a blank page after the Submit, which usually means a PHP error in the comment plugin you are using.
But, I’ll try my question again.
I have a plugin that collects names and e-mails. I’d like to be able to check the e-mails against a black list (which Ban Hammer does for registrations). Do you have any way to call your plugin to run a true/false check for an e-mail address? I’d like to use Ban Hammer to do the work, and it seems it would be simple to have such a call.
Thanks.
No idea why it crashed. I’m not using any comment plugins really save Akismet and Impostercide.
Anyway. You can grab the source code for Ban Hammer and steal it. Right now it checks the email in a boolean (aka T/.F) for existence in the ban hammer list, which is a field in the DB. It USED to use the method in http://wordpress.org/extend/plugins/no-disposable-email/ where it read a .DAT file. You could snag that to check for an email from a text file.
Depends which way you want to grab it. But the code is open source, so it’s there for the taking
I apologize – I should have looked at the plugin code first. It was very simple to add a call to ‘banhammer’ directly. And it works great! Thanks for the plugin.
Not a problem! Had it not been easy, I;’d have taken a look later tonight, but today is all about that job that pays me.
Hello,
First of all thank you for this usefull plugin. I have a web site wordpress 2.3 version and i can not upgrade wordpress version.
I want to ask that if it is possible to use ban-hammer on wordpress 2.3 version?
Thanks.
Theoretically, yes. It’s got some pre 2.6 code in there, so it may work. That said, I’m not supporting it if it doesn’t, so this is a ‘Try it and if it works, great!’
And really? You should find a way to upgrade, even if it means moving to a new host. 2.3 is really old, and not many people will be making plugins for it.
“Sorry, but this plugin is no longer supported on pre-3.0 WordPress installs.”
Is the message I got during the latest update, but I’m using 3.1
Augh. Checked in the wrong file! It was fixed in trunk, of course. Okay, pushing a new version ASAFP.
To fix right now, add this:
global $wp_version;just below the commented out copyright info. Or wait about 5-10 minutes for SVN and the repo to sync.
Thanks to my SVN app being an idiot, 1.5.2 is the version you want.
http://downloads.wordpress.org/plugin/ban-hammer.1.5.2.zip
I really hate Windows today! It updated the wrong code!
Hi there, does this plugin allow banning by IP addresses or blocks of IP addresses as well as emails? I have been featured on a “showcase” site and get a *TON* of ‘overseas’ traffic but my website is 99% US based. I don’t mind the traffic but when they start registering and posting “test” posts and filling up my Live website with unrelated junk “just to see how it works” its really annoying. Especially when those posts get sent to different RSS feeders and things and then CAN’T be deleted. (Thanks Google Reader.) Anyway, I’d like to allow them to still visit the site but block their registration by IP since I have no way to know what email they’re using since this isn’t technically “spam” email (as in, automated bots). Thanks.
I think it actually ‘accidentally’ blocks by IP but no, not by IP range. Honestly, I don’t advocate blocking IPs in general. It’s such an inexact science it hardly does any good. Ban Hammer is aimed at stopping the repeat offenders per-person, not the idiots en masse.
If you have to keep registration open (I’m assuming the site has membership so you need that), I’d do two things:
1) Install New User Approve – It’ll be a pain to get all the registration approved all the time, but on the other hand, that’s the best way to keep ‘em out.
2) Install Stop Spammer Registrations. Some of what you think are people testing actually ARE bots! They program them to do that :/
Moments ago installed Ban Hammer and it works like a freaking charm. Just wanted to say THANK YOU! And also thank you.
Cheers,
Sean
You’re very welcome
… and perhaps ironically StopForumSpam.com seems to have been knocked off the net for the moment. Either by legitimate demand for their feed, but perhaps by some disgruntled spammers launching a DOS making it impossible for your plugin and others to access the live feed.
Sad… but was still able to scrape this minimal list together that others can drop into Ban Hammer directly:
10minutemail.com
20minutemail.com
anonymbox.com
beefmilk.com
bsnow.net
bugmenot.com
deadaddress.com
despam.it
disposeamail.com
dodgeit.com
dodgit.com
dontreg.com
e4ward.com
emailias.com
emailwarden.com
enterto.com
gishpuppy.com
goemailgo.com
greensloth.com
guerrillamail.com
guerrillamailblock.com
hidzz.com
incognitomail.net
jetable.org
kasmail.com
lifebyfood.com
lookugly.com
mailcatch.com
maileater.com
mailexpire.com
mailin8r.com
mailinator.com
mailinator.net
mailinator2.com
mailmoat.com
mailnull.com
meltmail.com
mintemail.com
mt2009.com
myspamless.com
mytempemail.com
mytrashmail.com
netmails.net
odaymail.com
pookmail.com
shieldedmail.com
smellfear.com
sneakemail.com
sogetthis.com
soodonims.com
spam.la
spamavert.com
spambox.us
spamcero.com
spamex.com
spamfree24.com
spamfree24.de
spamfree24.eu
spamfree24.info
spamfree24.net
spamfree24.org
spamgourmet.com
spamherelots.com
spamhole.com
spaml.com
spammotel.com
spamobox.com
spamspot.com
tempemail.net
tempinbox.com
tempomail.fr
temporaryinbox.com
tempymail.com
thisisnotmyrealemail.com
trash2009.com
trashmail.net
trashymail.com
tyldd.com
yopmail.com
zoemail.com
Amusingly … because you used those domains in your comment, it was caught as spam
Yeah, I don’t know what happened to SFS
Thankfully I also use Project Honeypot and Bad Behavior!
Add main15.com and mail313.com to that list ā MAJOR sources of forum and comment spam.
Hi,
I run a service called block-disposable-email.com which collects new trash-domains to make it avaliable via an api. Currently about 2.800 domains are beeing detected.
Maybe this would be an option to integrate to Ban Hammer (there is already an cooperation with the mentioned SFS).
Would be nice hearing from you,
Gerold
I’ll look at it. I’m interested to know how you collect those emails and determine they’re, indeed, disposable. StopForumSpam works as well as it does because of peer review.
Every domain that appears for the first time (first time queried by one of the api users) is checked for several things, eg. by analysing the content and will be stated as “OK” or “BLOCK” depending on the findings.
Additionally I always do a review manually to ensure not to produce false positives.
What kind of services are beeing blocked is described at http://www.block-disposable-email.com/faq.php#1
Really wonderful capability. However, the plugin uses has_cap, and I use the latest WordPress installation(3.2). Perhaps, in your next upgrade, you would use Roles and Capabilities, right?
Well, thanks again for this plugin!
Hmm. I will clean it up to the current standards, but I’m still going to lock it down the same way the comment blacklist is. No point in giving someone access to Ban Hammer if they’ve not got access to comment moderation options.
You are right! Locking is important. Not everybody needs to moderate Comment Blacklist.
My regards!
Hello,
First of all thank you for this usefull plugin. I would like to localize WordPress 3.2.1 below, but unfortunately it did not detect the localization program is not compatible with it. The localization program names: WordPress Plugin: Localization Codestyling so you do not see it unfortunately. I wanted to promote this plugin on my website. I know I could write over the code, but better to have the developer tools that item.
I didn’t localize it cause no one asked.
I’ll get on that and (hopefully) get it done this weekend.
OKAY!
First pass is done. It still works in English, which is my first goal. If you’d like to test it, please go to http://wordpress.org/extend/plugins/ban-hammer/download/ and download the Development Version. Please let me know if I’m missing anything or screwed it up royally.
What if I am being treated like Spam but I am not spam? How do I get the ban to stop?
Funny you should say that, you’re being caught as spam by Akismet. Go to http://akismet.com/contact/ and report it there.
Just wanted to let you know this plugin is exactly what I’m looking for. I think that WordPress core should offer this functionality. Thank you.
I used to think this should be in core, but when you add up the people with open registration and the people on single site WP (Multisite has this built in), the numbers drop a lot. I’d much rather see the Multisite option just made standard, but most people using single site don’t need this. So … I think it’s okay it’s not in core