Ban Hammer

Ban Hammer blocks people on your blacklist from registering on your site.

We’ve all had this problem: a group of spammers from mail.ru are registering on your blog, but you want to keep registration open. How do you kill the spammers without bothering your clientele? While you could edit your theme’s functions.php and block the domain, once you get past a few bad eggs, you have to escalate.

Ban Hammer helps you do that by preventing unwanted users from registering.

On a single install of WordPress, instead of using its own database table, Ban Hammer pulls your list of prohibited emails from the Disallowed Comment Keys feature, native to WordPress. Since emails never equal IP addresses, it simply skips over and ignores any IP addresses in that list.

On a network instance, there’s a network-wide setting for banned emails and domains. This means you only have one place to update and maintain your blocked list. When a listed user attempts to register, they get a customizable message that they cannot register.
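The check described above, as an added PHP example that is not Ban Hammer's own code: it reads a one-per-line list in the style of Disallowed Comment Keys, skips IP entries, and compares the submitted address against what remains. The function name `example_email_is_banned`, the accepted entry forms, the label-boundary domain match and the error code and message are assumptions; `disallowed_keys` is the core option name in WordPress 5.5 and later.

```php
<?php
// Added illustration, not Ban Hammer's code; example_* names are hypothetical.
// Assumed entry forms, one per line: "user@example.com" (exact address),
// "@example.com" or "example.com" (that domain and its subdomains).
function example_email_is_banned( string $email, string $list ): bool {
    $email = strtolower( trim( $email ) );
    $at    = strrpos( $email, '@' );
    if ( false === $at || 0 === $at || strlen( $email ) - 1 === $at ) {
        return false; // Malformed: nothing to compare against the list.
    }
    $domain = substr( $email, $at + 1 );
    foreach ( preg_split( '/\R/', $list ) as $entry ) {
        $entry = strtolower( trim( $entry ) );
        // Skip blanks and IP entries; the list is shared with comment moderation.
        if ( '' === $entry || false !== filter_var( $entry, FILTER_VALIDATE_IP ) ) {
            continue;
        }
        if ( strpos( $entry, '@' ) > 0 ) {
            $hit = ( $entry === $email ); // "user@domain": exact match only.
        } else {
            $banned = ltrim( $entry, '@' );
            // Label-boundary match: "mail15.com" must not hit "notmail15.com".
            $hit = '' !== $banned && ( $domain === $banned || substr( $domain, -strlen( $banned ) - 1 ) === '.' . $banned );
        }
        if ( $hit ) {
            return true;
        }
    }
    return false;
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: reject the registration when the address is listed.
    add_filter( 'registration_errors', function ( $errors, $login, $user_email ) {
        if ( example_email_is_banned( $user_email, (string) get_option( 'disallowed_keys', '' ) ) ) {
            $errors->add( 'example_banned', 'Registration is not allowed from this address.' );
        }
        return $errors;
    }, 10, 3 );
} else {
    // From the CLI: constructed sample list and addresses.
    $list = "203.0.113.7\n@mail15.com\nbad.actor@example.org\n";
    foreach ( array( 'JohnSmith@MAIL15.com', 'a@mx.mail15.com', 'a@notmail15.com', 'ok@example.org' ) as $e ) {
        printf( "%-22s %s\n", $e, example_email_is_banned( $e, $list ) ? 'blocked' : 'allowed' );
    }
}
```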

For advanced documentation, including how to use on WooCommerce, please visit the Ban Hammer Wiki.

Privacy Policy

This plugin does not track data outside of what WordPress already collects. It utilizes the submitted email address to validate the domain and compares it to the list of prohibited domains and emails. No additional data is processed.

Credits

Ban Hammer is a very weird fork of Philippe Paquet’s No Disposable Email plugin. The original plugin was a straightforward .dat file that listed all the bad emails (generally ones like mailinator that are disposable) and while Ban Hammer doesn’t do that, this would not have been possible without that which was done before.

Many thanks are due to WP-Deadbolt, for making me think about SQL and TTC for StopForumSpam integration. MASSIVE credit to Travis Hamera for the StopForumSpam/cURL fix! And then props to Helen Hou-Sandí for not using curl at all. Protip? Use WP_http instead!

Download

Latest version: Download Ban Hammer v2.8 [zip]

Installation

Single Site (Traditional) Install

After installation, go to Tools > Ban Hammer to customize the error message (and banned emails, but it’s the same list from your comment moderation so…).

Multisite

After installation, go to Network Admin > Settings > Ban Hammer to customize the error message and banned email list. This will ban users network-wide.

Changelog

2.8

  • February 2021 by Ipstenu
  • Removing check for if registration is active

Screenshots

  1. Default Error message
  2. Admin screen
  3. Ban Hammer Users

37 Comments

  1. I don’t have registrations open, but I would love something like this for comments. 99% of my spam comes from web hosts, not real people.

  2. Since I get a lot of valid traffic from India and Bad Behavior always flags them as false positives, I don’t use that.

    I tried AVH First Defense, but it stopped working for me. I have one multi-site domain but it started having issues before I upgraded to it.

    I tried to write a plugin that would override the comments blacklist settings, making it a true blacklist, but all I ended up getting when I tested it was a white screen of death.

    In my opinion, if I’m running Akismet, the comment blacklist as-is is about useless.

    • I would report that behavior about … Bad Behavior. The only time I caught false positives was with IE 5 and older, crappier, browsers.

      MultiSite is a little (okay a lot) more complicated than Single, which is why Ban Hammer doesn’t work on it. Also it’s SUPPOSED to have a registration Blacklist, but that’s a known issue and related to other things, like BuddyPress, in my case.

      In my opinion, if I’m running Akismet, the comment blacklist as-is is about useless.

      Why? I mean, Akismet is not meant to be the be-all/end-all, any more than Ban Hammer and the built in blacklist are. Simply, they are SOME tools that will help. Akismet will (eventually) learn someone is spam, and until it does, the blacklist (or the mod list) will let you stop them from trashing your site until they do. There’s a reason the blacklist sticks around 🙂 It does work. It’s just not the prettiest thing and, personally, I want a white list!

  3. Almost all of my spam comes from people/bots with the following pattern:
    1) Email domain is “mail15.com”.
    2) The address looks valid, like “johnsmith@…” but the name associated with it is completely different, like “Samantha Moore” for a johnsmith@ address.

    If I can blacklist mail15.com from even registering, I would eliminate virtually all of my blog comment spam.

    I’m also disturbed that WordPress doesn’t simply send me an email for new registrations so that I can spam/trash the registration – before the new user gets to post a spam comment. Right now I’m forced to manually delete the spam and delete the bogus user.

    Can Ban Hammer help with this? Am I missing a built-in management function? Any other recommended plugins?

    Thanks!

    • YES, Ban Hammer should be able to help you. Just put @mail15.com in your black list and it will stop them from being able to register. If, for some reason, Ban Hammer isn’t working (I’ve run into a couple weird places where it doesn’t like ZEND optimizer), you can use this snippet Otto made that I call Ban Whack a Mole. It works great for one domain 🙂

      To help slow them down some, I would suggest you do what I do. Make all first time comments require approval. That catches most of my spammers and, more common for me, my trolls. That and always use Akismet. It really does help.

      By the way, WordPress should be emailing you when new users register. I don’t have a single-site with open registration, but I seem to recall getting emailed every time someone registered back when I did. On MultiSite you have the option to turn it off (under Super Admin -> Options there’s ‘Send the network admin an email notification every time someone registers a site or user account.’)

  4. WordPress does email me on a new registration. I get that email simultaneously with the email that a comment has been posted to any of my postings. Of course the comments aren’t public. I can spam or trash the comments but this is a manual operation after I go to WP admin. I can then search for and manually delete the offending user. This is all just a waste of my time. I’ll take Ban Hammer for a spin and post back with a comment the next time some event reminds me about it. 😉

  5. Apropos of none of this, Ban Hammer got an upgrade this morning. Version 1.4 now checks for cURL and, if it doesn’t exist, won’t let you use StopForumSpam. So there’s that. Look for it as soon as the SVN repo catches up. 👿

  6. Hey, I just wrote a post here, and got a blank page after the Submit, which usually means a PHP error in the comment plugin you are using.

    But, I’ll try my question again.

    I have a plugin that collects names and e-mails. I’d like to be able to check the e-mails against a black list (which Ban Hammer does for registrations). Do you have any way to call your plugin to run a true/false check for an e-mail address? I’d like to use Ban Hammer to do the work, and it seems it would be simple to have such a call.

    Thanks.

    • No idea why it crashed. I’m not using any comment plugins really save Akismet and Impostercide.

      Anyway. You can grab the source code for Ban Hammer and steal it. Right now it checks the email in a boolean (aka T/F) for existence in the ban hammer list, which is a field in the DB. It USED to use the method in http://wordpress.org/extend/plugins/no-disposable-email/ where it read a .DAT file. You could snag that to check for an email from a text file.

      Depends which way you want to grab it. But the code is open source, so it’s there for the taking 🙂

  7. I apologize – I should have looked at the plugin code first. It was very simple to add a call to ‘banhammer’ directly. And it works great! Thanks for the plugin.

    • Not a problem! Had it not been easy, I’d have taken a look later tonight, but today is all about that job that pays me. 🙄

  8. Hello,
    First of all thank you for this useful plugin. I have a web site wordpress 2.3 version and I cannot upgrade wordpress version.

    I want to ask that if it is possible to use ban-hammer on wordpress 2.3 version?

    Thanks.

    • Theoretically, yes. It’s got some pre 2.6 code in there, so it may work. That said, I’m not supporting it if it doesn’t, so this is a ‘Try it and if it works, great!’

      And really? You should find a way to upgrade, even if it means moving to a new host. 2.3 is really old, and not many people will be making plugins for it.

  9. “Sorry, but this plugin is no longer supported on pre-3.0 WordPress installs.”

    Is the message I got during the latest update, but I’m using 3.1

  10. Hi there, does this plugin allow banning by IP addresses or blocks of IP addresses as well as emails? I have been featured on a “showcase” site and get a *TON* of ‘overseas’ traffic but my website is 99% US based. I don’t mind the traffic but when they start registering and posting “test” posts and filling up my Live website with unrelated junk “just to see how it works” it’s really annoying. Especially when those posts get sent to different RSS feeders and things and then CAN’T be deleted. (Thanks Google Reader.) Anyway, I’d like to allow them to still visit the site but block their registration by IP since I have no way to know what email they’re using since this isn’t technically “spam” email (as in, automated bots). Thanks.

    • I think it actually ‘accidentally’ blocks by IP but no, not by IP range. Honestly, I don’t advocate blocking IPs in general. It’s such an inexact science it hardly does any good. Ban Hammer is aimed at stopping the repeat offenders per-person, not the idiots en masse.

      If you have to keep registration open (I’m assuming the site has membership so you need that), I’d do two things:
      1) Install New User Approve – It’ll be a pain to get all the registration approved all the time, but on the other hand, that’s the best way to keep ’em out.
      2) Install Stop Spammer Registrations. Some of what you think are people testing actually ARE bots! They program them to do that :/

  11. Moments ago installed Ban Hammer and it works like a freaking charm. Just wanted to say THANK YOU! And also thank you.

    Cheers,
    Sean

  12. … and perhaps ironically StopForumSpam.com seems to have been knocked off the net for the moment. Either by legitimate demand for their feed, but perhaps by some disgruntled spammers launching a DOS making it impossible for your plugin and others to access the live feed.

    Sad… but was still able to scrape this minimal list together that others can drop into Ban Hammer directly:


    • Amusingly … because you used those domains in your comment, it was caught as spam 😉

      Yeah, I don’t know what happened to SFS 🙁 Thankfully I also use Project Honeypot and Bad Behavior!

    • Add main15.com and mail313.com to that list — MAJOR sources of forum and comment spam.

    • Hi,

      I run a service called block-disposable-email.com which collects new trash-domains to make it available via an api. Currently about 2.800 domains are being detected.

      Maybe this would be an option to integrate to Ban Hammer (there is already a cooperation with the mentioned SFS).

      Would be nice hearing from you,
      Gerold

    • I’ll look at it. I’m interested to know how you collect those emails and determine they’re, indeed, disposable. StopForumSpam works as well as it does because of peer review.

    • Every domain that appears for the first time (first time queried by one of the api users) is checked for several things, eg. by analysing the content and will be stated as “OK” or “BLOCK” depending on the findings.

      Additionally I always do a review manually to ensure not to produce false positives.

      What kind of services are being blocked is described at http://www.block-disposable-email.com/faq.php#1

  13. Really wonderful capability. However, the plugin uses has_cap, and I use the latest WordPress installation (3.2). Perhaps, in your next upgrade, you would use Roles and Capabilities, right?
    Well, thanks again for this plugin! 🙂

    • Hmm. I will clean it up to the current standards, but I’m still going to lock it down the same way the comment blacklist is. No point in giving someone access to Ban Hammer if they’ve not got access to comment moderation options.

    • You are right! Locking is important. Not everybody needs to moderate Comment Blacklist.
      My regards!

  14. Hello,
    First of all thank you for this useful plugin. I would like to localize WordPress 3.2.1 below, but unfortunately it did not detect the localization program is not compatible with it. The localization program names: WordPress Plugin: Localization Codestyling so you do not see it unfortunately. I wanted to promote this plugin on my website. I know I could write over the code, but better to have the developer tools that item.

  15. What if I am being treated like Spam but I am not spam? How do I get the ban to stop?

  16. Just wanted to let you know this plugin is exactly what I’m looking for. I think that WordPress core should offer this functionality. Thank you.

    • I used to think this should be in core, but when you add up the people with open registration and the people on single site WP (Multisite has this built in), the numbers drop a lot. I’d much rather see the Multisite option just made standard, but most people using single site don’t need this. So … I think it’s okay it’s not in core 🙂

Comments are closed.