We’ve all had this problem: a group of spammers from mail.ru are registering on your blog, but you want to keep registration open. How do you kill the spammers without bothering your clientele? While you could edit your theme’s functions.php and block the domain, once you get past a few bad eggs, you have to escalate.
Ban Hammer helps you do that by preventing unwanted users from registering.
On a single install of WordPress, instead of using its own database table, Ban Hammer pulls your list of prohibited emails from the Disallowed Comment Keys feature, native to WordPress. Since emails never equal IP addresses, it simply skips over and ignores them.
On a network instance, there’s a network wide setting for banned emails and domains. This means you only have one place to update and maintain your blocked list. When a listed user attempts to register, they get a customizable message that they cannot register.
For advanced documentation, including how to use on WooCommerce, please visit the Ban Hammer Wiki.
This plugin does not track data outside of what WordPress already collects. It utilizes the submitted email address to validate the domain and compares it to the list of prohibited domains and emails. No additional data is processed.
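The comparison described above, as an added example that is not Ban Hammer's own code: a true/false check of one email against the shared Disallowed Comment Keys list, hooked into WordPress's `registration_errors` filter. The function name, error code, message text and exact-match rules are assumptions made for illustration, and it assumes the standard single-site registration form on WordPress 5.5 or later.

```php
<?php
/**
 * Added example, not Ban Hammer's code. Function names are hypothetical.
 * Returns true when $email matches an entry in a newline-separated block list.
 */
function example_email_is_banned( string $email, string $list ): bool {
    $email = strtolower( trim( $email ) );
    $at    = strrpos( $email, '@' );
    if ( false === $at ) {
        return false; // Not an email address; nothing to compare.
    }
    $domain = substr( $email, $at ); // Includes the leading "@".

    foreach ( preg_split( '/\R/', $list ) as $entry ) {
        $entry = strtolower( trim( $entry ) );
        // The shared list also holds keywords, URLs and IP addresses: skip them.
        if ( '' === $entry || filter_var( $entry, FILTER_VALIDATE_IP ) || false === strpos( $entry, '@' ) ) {
            continue;
        }
        // "@mail15.com" bans a whole domain; "user@host" bans one address.
        if ( '@' === $entry[0] ? $entry === $domain : $entry === $email ) {
            return true;
        }
    }
    return false;
}

// Inside WordPress: reject the registration before the account is created.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'registration_errors', function ( $errors, $login, $user_email ) {
        $list = (string) get_option( 'disallowed_keys', '' ); // Option name since WP 5.5.
        if ( example_email_is_banned( $user_email, $list ) ) {
            // Constructed message; the real plugin lets the admin customize its own.
            $errors->add( 'example_banned', 'This email address cannot be used to register.' );
        }
        return $errors;
    }, 10, 3 );
} else {
    // Stand-alone run outside WordPress with a constructed list.
    $sample = "casino\n192.0.2.15\n@mail15.com\nbad.actor@example.org";
    var_dump( example_email_is_banned( 'JohnSmith@Mail15.com', $sample ) );
    var_dump( example_email_is_banned( 'reader@example.org', $sample ) );
}
```

Matching on the exact domain or full address avoids the false positives a plain substring search over the list would produce when a short keyword happens to appear inside a legitimate address.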
Ban Hammer is a very weird fork of Philippe Paquet’s No Disposable Email plugin. The original plugin was a straightforward .dat file that listed all the bad emails (generally ones like mailinator that are disposable) and while Ban Hammer doesn’t do that, this would not have been possible without that which was done before.
Many thanks are due to WP-Deadbolt, for making me think about SQL and TTC for StopForumSpam integration. MASSIVE credit to Travis Hamera for the StopForumSpam/cURL fix! And then props to Helen Hou-Sandí for not using curl at all. Protip? Use WP_http instead!
Latest version: Download Ban Hammer v3.1.2 [zip]
Single Site (Traditional) Install
After installation, go to Tools > Ban Hammer to customize the error message (and banned emails, but it’s the same list from your comment moderation so…).
After installation, go to Network Admin > Settings > Ban Hammer to customize the error message and banned email list. This will ban users network wide.
- November 2022 by Ipstenu
- Fix issue with saving on PHP 8
- Removed unnecessary options
- March 2021 by Ipstenu
- Remove support for WP 5.4 and older (blacklist_keys no longer supported)
- Remove checks for if registration is active and filters for that
37 replies on “Ban Hammer”
I don’t have registrations open, but I would love something like this for comments. 99% of my spam comes from web hosts, not real people.
You may want to look at AVH First Defense Against Spam, which can handle a lot of that (though not on MultiSite any more than mine works on MultiSite).
Personally I have a lot of success with Bad Behavior which works great 🙂
Since I get a lot of valid traffic from India and Bad Behavior always flags them as false positives, I don’t use that.
I tried AVH First Defense, but it stopped working for me. I have one multi-site domain but it started having issues before I upgraded to it.
I tried to write a plugin that would override the comments blacklist settings, making it a true blacklist, but all I ended up getting when I tested it was a white screen of death.
In my opinion, if I’m running Akismet, the comment blacklist as-is is about useless.
I would report that behavior about … Bad Behavior. The only time I caught false positives was with IE 5 and older, crappier, browsers.
MultiSite is a little (okay a lot) more complicated than Single, which is why Ban Hammer doesn’t work on it. Also it’s SUPPOSED to have a registration Blacklist, but that’s a known issue and related to other things, like BuddyPress, in my case.
Why? I mean, Akismet is not meant to be the be-all/end-all, any more than Ban Hammer and the built in blacklist are. Simply, they are SOME tools that will help. Akismet will (eventually) learn someone is spam, and until it does, the blacklist (or the mod list) will let you stop them from trashing your site until they do. There’s a reason the blacklist sticks around 🙂 It does work. It’s just not the prettiest thing and, personally, I want a white list!
Almost all of my spam comes from people/bots with the following pattern:
1) Email domain is “mail15.com”.
2) The address looks valid, like “johnsmith@…” but the name associated with it is completely different, like “Samantha Moore” for a johnsmith@ address.
If I can blacklist mail15.com from even registering, I would eliminate virtually all of my blog comment spam.
I’m also disturbed that WordPress doesn’t simply send me an email for new registrations so that I can spam/trash the registration – before the new user gets to post a spam comment. Right now I’m forced to manually delete the spam and delete the bogus user.
Can Ban Hammer help with this? Am I missing a built-in management function? Any other recommended plugins?
YES, Ban Hammer should be able to help you. Just put @mail15.com in your black list and it will stop them from being able to register. If, for some reason, Ban Hammer isn’t working (I’ve run into a couple weird places where it doesn’t like ZEND optimizer), you can use this snippet Otto made that I call Ban Whack a Mole. It works great for one domain 🙂
To help slow them down some, I would suggest you do what I do. Make all first time comments require approval. That catches most of my spammers and, more common for me, my trolls. That and always use Akismet. It really does help.
By the way, WordPress should be emailing you when new users register. I don’t have a single-site with open registration, but I seem to recall getting emailed every time someone registered back when I did. On MultiSite you have the option to turn it off (under Super Admin -> Options there’s ‘Send the network admin an email notification every time someone registers a site or user account.’)
WordPress does email me on a new registration. I get that email simultaneously with the email that a comment has been posted to any of my postings. Of course the comments aren’t public. I can spam or trash the comments but this is a manual operation after I go to WP admin. I can then search for and manually delete the offending user. This is all just a waste of my time. I’ll take Ban Hammer for a spin and post back with a comment the next time some event reminds me about it. 😉
Apropos of none of this, Ban Hammer got an upgrade this morning. Version 1.4 now checks for cURL and, if it doesn’t exist, won’t let you use StopForumSpam. So there’s that. Look for it as soon as the SVN repo catches up. 👿
Hey, I just wrote a post here, and got a blank page after the Submit, which usually means a PHP error in the comment plugin you are using.
But, I’ll try my question again.
I have a plugin that collects names and e-mails. I’d like to be able to check the e-mails against a black list (which Ban Hammer does for registrations). Do you have any way to call your plugin to run a true/false check for an e-mail address? I’d like to use Ban Hammer to do the work, and it seems it would be simple to have such a call.
No idea why it crashed. I’m not using any comment plugins really save Akismet and Impostercide.
Anyway. You can grab the source code for Ban Hammer and steal it. Right now it checks the email in a boolean (aka T/F) for existence in the ban hammer list, which is a field in the DB. It USED to use the method in http://wordpress.org/extend/plugins/no-disposable-email/ where it read a .DAT file. You could snag that to check for an email from a text file.
Depends which way you want to grab it. But the code is open source, so it’s there for the taking 🙂
I apologize – I should have looked at the plugin code first. It was very simple to add a call to ‘banhammer’ directly. And it works great! Thanks for the plugin.
Not a problem! Had it not been easy, I’d have taken a look later tonight, but today is all about that job that pays me. 🙄
First of all thank you for this useful plugin. I have a web site WordPress 2.3 version and I cannot upgrade WordPress version.
I want to ask that if it is possible to use ban-hammer on WordPress 2.3 version?
Theoretically, yes. It’s got some pre 2.6 code in there, so it may work. That said, I’m not supporting it if it doesn’t, so this is a ‘Try it and if it works, great!’
And really? You should find a way to upgrade, even if it means moving to a new host. 2.3 is really old, and not many people will be making plugins for it.
“Sorry, but this plugin is no longer supported on pre-3.0 WordPress installs.”
Is the message I got during the latest update, but I’m using 3.1
Augh. Checked in the wrong file! It was fixed in trunk, of course. Okay, pushing a new version ASAFP.
To fix right now, add this:
just below the commented out copyright info. Or wait about 5-10 minutes for SVN and the repo to sync.
Thanks to my SVN app being an idiot, 1.5.2 is the version you want.
I really hate Windows today! It updated the wrong code!
Hi there, does this plugin allow banning by IP addresses or blocks of IP addresses as well as emails? I have been featured on a “showcase” site and get a *TON* of ‘overseas’ traffic but my website is 99% US based. I don’t mind the traffic but when they start registering and posting “test” posts and filling up my Live website with unrelated junk “just to see how it works” it’s really annoying. Especially when those posts get sent to different RSS feeders and things and then CAN’T be deleted. (Thanks Google Reader.) Anyway, I’d like to allow them to still visit the site but block their registration by IP since I have no way to know what email they’re using since this isn’t technically “spam” email (as in, automated bots). Thanks.
I think it actually ‘accidentally’ blocks by IP but no, not by IP range. Honestly, I don’t advocate blocking IPs in general. It’s such an inexact science it hardly does any good. Ban Hammer is aimed at stopping the repeat offenders per-person, not the idiots en masse.
If you have to keep registration open (I’m assuming the site has membership so you need that), I’d do two things:
1) Install New User Approve – It’ll be a pain to get all the registration approved all the time, but on the other hand, that’s the best way to keep ’em out.
2) Install Stop Spammer Registrations. Some of what you think are people testing actually ARE bots! They program them to do that :/
Moments ago installed Ban Hammer and it works like a freaking charm. Just wanted to say THANK YOU! And also thank you.
You’re very welcome 😀
… and perhaps ironically StopForumSpam.com seems to have been knocked off the net for the moment. Either by legitimate demand for their feed, but perhaps by some disgruntled spammers launching a DOS making it impossible for your plugin and others to access the live feed.
Sad… but was still able to scrape this minimal list together that others can drop into Ban Hammer directly:
Amusingly … because you used those domains in your comment, it was caught as spam 😉
Yeah, I don’t know what happened to SFS 🙁 Thankfully I also use Project Honeypot and Bad Behavior!
Add main15.com and mail313.com to that list — MAJOR sources of forum and comment spam.
I run a service called block-disposable-email.com which collects new trash-domains to make it available via an API. Currently about 2.800 domains are being detected.
Maybe this would be an option to integrate to Ban Hammer (there is already a cooperation with the mentioned SFS).
Would be nice hearing from you,
I’ll look at it. I’m interested to know how you collect those emails and determine they’re, indeed, disposable. StopForumSpam works as well as it does because of peer review.
Every domain that appears for the first time (first time queried by one of the api users) is checked for several things, eg. by analysing the content and will be stated as “OK” or “BLOCK” depending on the findings.
Additionally I always do a review manually to ensure not to produce false positives.
What kind of services are being blocked is described at http://www.block-disposable-email.com/faq.php#1
Really wonderful capability. However, the plugin uses has_cap, and I use the latest WordPress installation(3.2). Perhaps, in your next upgrade, you would use Roles and Capabilities, right?
Well, thanks again for this plugin! 🙂
Hmm. I will clean it up to the current standards, but I’m still going to lock it down the same way the comment blacklist is. No point in giving someone access to Ban Hammer if they’ve not got access to comment moderation options.
You are right! Locking is important. Not everybody needs to moderate Comment Blacklist.
First of all thank you for this useful plugin. I would like to localize WordPress 3.2.1 below, but unfortunately it did not detect the localization program is not compatible with it. The localization program names: WordPress Plugin: Localization Codestyling so you do not see it unfortunately. I wanted to promote this plugin on my website. I know I could write over the code, but better to have the developer tools that item.
I didn’t localize it cause no one asked. 😳
I’ll get on that and (hopefully) get it done this weekend.
First pass is done. It still works in English, which is my first goal. If you’d like to test it, please go to http://wordpress.org/extend/plugins/ban-hammer/download/ and download the Development Version. Please let me know if I’m missing anything or screwed it up royally.
What if I am being treated like Spam but I am not spam? How do I get the ban to stop?
Funny you should say that, you’re being caught as spam by Akismet. Go to http://akismet.com/contact/ and report it there.
Just wanted to let you know this plugin is exactly what I’m looking for. I think that WordPress core should offer this functionality. Thank you.
I used to think this should be in core, but when you add up the people with open registration and the people on single site WP (Multisite has this built in), the numbers drop a lot. I’d much rather see the Multisite option just made standard, but most people using single site don’t need this. So … I think it’s okay it’s not in core 🙂