Ban Hammer

Ban Hammer blocks people on your blacklist from registering on your site.

We’ve all had this problem: a group of spammers from mail.ru are registering on your blog, but you want to keep registration open. How do you kill the spammers without bothering your clientele? While you could edit your theme’s functions.php and block the domain, once you get past a few bad eggs, you have to escalate.

Ban Hammer helps you do that by preventing unwanted users from registering.

On a single install of WordPress, instead of using its own database table, Ban Hammer pulls its list of prohibited emails from the Comment Blacklist feature native to WordPress. Since emails never equal IP addresses, it simply skips over and ignores any IP addresses in that list.

On a network instance, there’s a network-wide setting for banned emails and domains. This means you only have one place to update and maintain your blocked list. When a listed user attempts to register, they get a customizable message that they cannot register.

For advanced documentation, including how to use on WooCommerce, please visit the Ban Hammer Wiki.

Privacy Policy

This plugin does not track data outside of what WordPress already collects. It utilizes the submitted email address to validate the domain and compares it to the list of prohibited domains and emails. No additional data is processed.

Credits

Ban Hammer is a very weird fork of Philippe Paquet’s No Disposable Email plugin. The original plugin was a straightforward .dat file that listed all the bad emails (generally ones like mailinator that are disposable) and while Ban Hammer doesn’t do that, this would not have been possible without that which was done before.

Many thanks are due to WP-Deadbolt, for making me think about SQL and TTC for StopForumSpam integration. MASSIVE credit to Travis Hamera for the StopForumSpam/cURL fix! And then props to Helen Hou-Sandí for not using curl at all. Protip? Use WP_http instead!

Download

Latest version: Download Ban Hammer v2.6.2 [zip]

Installation

Single Install

After installation, go to Tools > Ban Hammer to customize the error message (and banned emails, but it’s the same list from your comment moderation so…).

Multisite

After installation, go to Network Admin > Settings > Ban Hammer to customize the error message and banned email list. This will ban users network-wide.

FAQ

Q. If I change the blacklist via Ban Hammer, will it change the Comment Blacklist?
A. On single site installs, yes. They are the exact same list, they use the same fields and they update the same data. The only reason I put it there was I felt having an all-in-one place to get the data would be better.

Q. Does this list the rejected registers?
A. No. Since WordPress doesn’t list rejected comments (your blacklist goes to a blackhole), the rejected users are similarly lost forever.

Q. Where did Stop Forum Spam go?
A. This plugin no longer uses Stop Forum Spam. If you need that feature, please use Stop Spammer Registrations instead. They did it way better.

Q. Does this work on MultiSite?
A. Yes it does, but a little differently. If you’re using multisite, instead of pulling from the comment blacklist (which is per site), you have a separate list off Network Admin -> Settings. This is because you only want to have the network admins determining who can register on the network.

Q. Does this work on BuddyPress?
A. Currently yes.

Q. Does this work on WooCommerce?
A. You have to make your own hook because WooCommerce doesn’t use the normal registration functions. Don’t panic. I have directions here.

Q. Can I block partials?
A. Yes but not wildcards. If you put in viagra for example, you will block viagrajones@gmail.com and john@viagra.com so please use this carefully. If you put in cookie then you’ll block cookiemonster@sesamestreet.edu and everyone would be sad.
If you want to block everyone from all subdomains (like joe@bar.example.com) then you can block .example.com and that will block all the subdomains.
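
The matching rules in this answer, sketched as an added example (not Ban Hammer's own code): it assumes a case-insensitive substring test and that IP entries are skipped, as described on this page. The function name, the sample list and the sample addresses are made up for illustration.

```php
<?php
// Added example, not Ban Hammer's own code. Assumption: an entry matches
// when it appears anywhere in the address (case-insensitive substring).

/** Return the first blacklist entry found inside $email, or null. */
function example_blacklist_hit(string $email, string $blacklist): ?string
{
    $email = strtolower(trim($email));
    foreach (preg_split('/\R/', $blacklist) as $entry) {
        $entry = strtolower(trim($entry));
        if ($entry === '') {
            continue; // blank line in the list
        }
        if (filter_var($entry, FILTER_VALIDATE_IP) !== false) {
            continue; // an IP entry can never match an email; skip it
        }
        if (strpos($email, $entry) !== false) {
            return $entry; // partial match, no wildcard syntax involved
        }
    }
    return null;
}

// Constructed list: a loose partial, a subdomain rule, an "@"-anchored
// domain and an IP address (documentation range).
$blacklist = "viagra\n.example.com\n@mail15.com\n192.0.2.10";

// Constructed addresses covering each rule and its edge cases.
$samples = [
    'viagrajones@gmail.com',    // partial sits in the local part
    'john@viagra.com',          // partial sits in the domain
    'joe@bar.example.com',      // subdomain of example.com
    'joe@example.com',          // bare domain, no dot before "example"
    'johnsmith@mail15.com',     // the anchored domain itself
    'ann@notmail15.com',        // different domain ending in "mail15.com"
];

foreach ($samples as $email) {
    $hit = example_blacklist_hit($email, $blacklist);
    printf("%-24s %s\n", $email, $hit === null ? 'allowed' : "blocked by $hit");
}
```

Under these assumptions, an entry anchored with "@" limits the match to the domain, while a bare word also matches the local part, which is where the false positives come from.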

Changelog

2.6.1

  • January 2018 by Ipstenu
  • Formatting changes
  • Stopped non-admins from seeing settings links and notifications

2.6

  • February 2017 by Ipstenu
  • Allow redirection to custom URLs on failed login.
  • Move plugin to Settings API
  • Combine options
  • Fixed BuddyPress
  • Optimized multisite
  • Removed check for WP 3.4 (only 4.0 and up get updates anyway)

Screenshots

  1. Default Error message

  2. Admin screen

  3. Ban Hammer Users

37 replies on “Ban Hammer”

Since I get a lot of valid traffic from India and Bad Behavior always flags them as false positives, I don’t use that.

I tried AVH First Defense, but it stopped working for me. I have one multi-site domain but it started having issues before I upgraded to it.

I tried to write a plugin that would override the comments blacklist settings, making it a true blacklist, but all I ended up getting when I tested it was a white screen of death.

In my opinion, if I’m running Akismet, the comment blacklist as-is is about useless.

I would report that behavior about … Bad Behavior. The only time I caught false positives was with IE 5 and older, crappier, browsers.

MultiSite is a little (okay a lot) more complicated than Single, which is why Ban Hammer doesn’t work on it. Also it’s SUPPOSED to have a registration Blacklist, but that’s a known issue and related to other things, like BuddyPress, in my case.

In my opinion, if I’m running Akismet, the comment blacklist as-is is about useless.

Why? I mean, Akismet is not meant to be the be-all/end-all, any more than Ban Hammer and the built in blacklist are. Simply, they are SOME tools that will help. Akismet will (eventually) learn someone is spam, and until it does, the blacklist (or the mod list) will let you stop them from trashing your site until they do. There’s a reason the blacklist sticks around 🙂 It does work. It’s just not the prettiest thing and, personally, I want a white list!

Almost all of my spam comes from people/bots with the following pattern:
1) Email domain is “mail15.com”.
2) The address looks valid, like “johnsmith@…” but the name associated with it is completely different, like “Samantha Moore” for a johnsmith@ address.

If I can blacklist mail15.com from even registering, I would eliminate virtually all of my blog comment spam.

I’m also disturbed that WordPress doesn’t simply send me an email for new registrations so that I can spam/trash the registration – before the new user gets to post a spam comment. Right now I’m forced to manually delete the spam and delete the bogus user.

Can Ban Hammer help with this? Am I missing a built-in management function? Any other recommended plugins?

Thanks!

YES, Ban Hammer should be able to help you. Just put @mail15.com in your black list and it will stop them from being able to register. If, for some reason, Ban Hammer isn’t working (I’ve run into a couple weird places where it doesn’t like ZEND optimizer), you can use this snippet Otto made that I call Ban Whack a Mole. It works great for one domain 🙂

To help slow them down some, I would suggest you do what I do. Make all first time comments require approval. That catches most of my spammers and, more common for me, my trolls. That and always use Akismet. It really does help.

By the way, WordPress should be emailing you when new users register. I don’t have a single-site with open registration, but I seem to recall getting emailed every time someone registered back when I did. On MultiSite you have the option to turn it off (under Super Admin -> Options there’s ‘Send the network admin an email notification every time someone registers a site or user account.’)

WordPress does email me on a new registration. I get that email simultaneously with the email that a comment has been posted to any of my postings. Of course the comments aren’t public. I can spam or trash the comments but this is a manual operation after I go to WP admin. I can then search for and manually delete the offending user. This is all just a waste of my time. I’ll take Ban Hammer for a spin and post back with a comment the next time some event reminds me about it. 😉

Apropos of none of this, Ban Hammer got an upgrade this morning. Version 1.4 now checks for cURL and, if it doesn’t exist, won’t let you use StopForumSpam. So there’s that. Look for it as soon as the SVN repo catches up. 👿

Hey, I just wrote a post here, and got a blank page after the Submit, which usually means a PHP error in the comment plugin you are using.

But, I’ll try my question again.

I have a plugin that collects names and e-mails. I’d like to be able to check the e-mails against a black list (which Ban Hammer does for registrations). Do you have any way to call your plugin to run a true/false check for an e-mail address? I’d like to use Ban Hammer to do the work, and it seems it would be simple to have such a call.

Thanks.

No idea why it crashed. I’m not using any comment plugins really save Akismet and Impostercide.

Anyway. You can grab the source code for Ban Hammer and steal it. Right now it checks the email in a boolean (aka T/F) for existence in the ban hammer list, which is a field in the DB. It USED to use the method in http://wordpress.org/extend/plugins/no-disposable-email/ where it read a .DAT file. You could snag that to check for an email from a text file.

Depends which way you want to grab it. But the code is open source, so it’s there for the taking 🙂

I apologize – I should have looked at the plugin code first. It was very simple to add a call to ‘banhammer’ directly. And it works great! Thanks for the plugin.

Not a problem! Had it not been easy, I’d have taken a look later tonight, but today is all about that job that pays me. 🙄

Hello,
First of all thank you for this useful plugin. I have a web site on WordPress version 2.3 and I cannot upgrade the WordPress version.

I want to ask whether it is possible to use Ban Hammer on WordPress version 2.3?

Thanks.

Theoretically, yes. It’s got some pre 2.6 code in there, so it may work. That said, I’m not supporting it if it doesn’t, so this is a ‘Try it and if it works, great!’

And really? You should find a way to upgrade, even if it means moving to a new host. 2.3 is really old, and not many people will be making plugins for it.

Augh. Checked in the wrong file! It was fixed in trunk, of course. Okay, pushing a new version ASAFP.

To fix right now, add this:
global $wp_version;

just below the commented out copyright info. Or wait about 5-10 minutes for SVN and the repo to sync.

Hi there, does this plugin allow banning by IP addresses or blocks of IP addresses as well as emails? I have been featured on a “showcase” site and get a *TON* of ‘overseas’ traffic but my website is 99% US based. I don’t mind the traffic but when they start registering and posting “test” posts and filling up my Live website with unrelated junk “just to see how it works” it’s really annoying. Especially when those posts get sent to different RSS feeders and things and then CAN’T be deleted. (Thanks Google Reader.) Anyway, I’d like to allow them to still visit the site but block their registration by IP since I have no way to know what email they’re using since this isn’t technically “spam” email (as in, automated bots). Thanks.

I think it actually ‘accidentally’ blocks by IP but no, not by IP range. Honestly, I don’t advocate blocking IPs in general. It’s such an inexact science it hardly does any good. Ban Hammer is aimed at stopping the repeat offenders per-person, not the idiots en masse.

If you have to keep registration open (I’m assuming the site has membership so you need that), I’d do two things:
1) Install New User Approve – It’ll be a pain to get all the registration approved all the time, but on the other hand, that’s the best way to keep ’em out.
2) Install Stop Spammer Registrations. Some of what you think are people testing actually ARE bots! They program them to do that :/

… and perhaps ironically StopForumSpam.com seems to have been knocked off the net for the moment. Either by legitimate demand for their feed, but perhaps by some disgruntled spammers launching a DOS making it impossible for your plugin and others to access the live feed.

Sad… but was still able to scrape this minimal list together that others can drop into Ban Hammer directly:

Amusingly … because you used those domains in your comment, it was caught as spam 😉

Yeah, I don’t know what happened to SFS 🙁 Thankfully I also use Project Honeypot and Bad Behavior!

Hi,

I run a service called block-disposable-email.com which collects new trash-domains to make them available via an API. Currently about 2.800 domains are being detected.

Maybe this would be an option to integrate into Ban Hammer (there is already a cooperation with the mentioned SFS).

Would be nice hearing from you,
Gerold

I’ll look at it. I’m interested to know how you collect those emails and determine they’re, indeed, disposable. StopForumSpam works as well as it does because of peer review.

Every domain that appears for the first time (first time queried by one of the api users) is checked for several things, eg. by analysing the content and will be stated as “OK” or “BLOCK” depending on the findings.

Additionally I always do a review manually to ensure not to produce false positives.

What kinds of services are being blocked is described at http://www.block-disposable-email.com/faq.php#1

Really wonderful capability. However, the plugin uses has_cap, and I use the latest WordPress installation (3.2). Perhaps, in your next upgrade, you would use Roles and Capabilities, right?
Well, thanks again for this plugin! 🙂

Hmm. I will clean it up to the current standards, but I’m still going to lock it down the same way the comment blacklist is. No point in giving someone access to Ban Hammer if they’ve not got access to comment moderation options.

Hello,
First of all thank you for this useful plugin. I would like to localize WordPress 3.2.1 below, but unfortunately it did not detect the localization program is not compatible with it. The localization program names: WordPress Plugin: Localization Codestyling so you do not see it unfortunately. I wanted to promote this plugin on my website. I know I could write over the code, but better to have the developer tools that item.

Just wanted to let you know this plugin is exactly what I’m looking for. I think that WordPress core should offer this functionality. Thank you.

I used to think this should be in core, but when you add up the people with open registration and the people on single site WP (Multisite has this built in), the numbers drop a lot. I’d much rather see the Multisite option just made standard, but most people using single site don’t need this. So … I think it’s okay it’s not in core 🙂