Ban Hammer - Stop. Hammer Time.

Ban Hammer

We’ve all had this problem: a group of spammers from mail.ru is registering on your blog, but you want to keep registration open. How do you kill the spammers without bothering your clientele? While you could edit your theme’s functions.php and block the domain, once you get past a few bad eggs, you have to escalate.

Ban Hammer helps you do that by preventing unwanted users from registering.

On a single install of WordPress, instead of using its own database table, Ban Hammer pulls its list of prohibited emails from the Disallowed Comment Keys feature native to WordPress. That list can also contain IP addresses; since an email never equals an IP address, Ban Hammer simply skips over and ignores them.

On a network instance, there’s a network-wide setting for banned emails and domains. This means you only have one place to update and maintain your blocked list. When a listed user attempts to register, they get a customizable message that they cannot register.
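
One way to implement the check described above on a single site, as an added example (not Ban Hammer's own code): it reads the Disallowed Comment Keys list, skips IP and keyword entries, and matches on the exact address or domain so that a banned domain does not also catch look-alike domains. The function name, error code and message text are assumptions, and the sample list is constructed.

```php
<?php
// Added illustration, not Ban Hammer's source. Names prefixed example_ are hypothetical.
// True when $email is covered by an entry in the newline-separated $list.
function example_email_is_banned(string $email, string $list): bool {
    $email = strtolower(trim($email));
    $at    = strrpos($email, '@');
    if ($at === false || $at === 0) {
        return false; // not an address we can classify
    }
    $domain = substr($email, $at + 1);
    foreach (preg_split('/\R/', $list) as $entry) {
        $entry = strtolower(trim($entry));
        // The shared list also holds IPs and comment keywords: skip them.
        if ($entry === '' || filter_var($entry, FILTER_VALIDATE_IP) !== false) {
            continue;
        }
        if (strpos($entry, '@') > 0) { // full address: exact match only
            if ($entry === $email) {
                return true;
            }
            continue;
        }
        $banned = ltrim($entry, '@'); // "@spam.example" or "spam.example"
        if (strpos($banned, '.') === false) {
            continue; // plain keyword, not a domain
        }
        // Exact domain or a subdomain of it; "notspam.example" does not match.
        if ($domain === $banned || substr($domain, -strlen($banned) - 1) === '.' . $banned) {
            return true;
        }
    }
    return false;
}

if (function_exists('add_filter')) {
    // Inside WordPress (single site): reject the registration with a message.
    add_filter('registration_errors', function ($errors, $login, $user_email) {
        if (example_email_is_banned($user_email, (string) get_option('disallowed_keys', ''))) {
            $errors->add('example_banned', 'This email address cannot be used to register.');
        }
        return $errors;
    }, 10, 3);
} else {
    // Stand-alone run (php file.php) with a constructed list.
    $list = "@spam.example\n192.0.2.10\ncasino\ntroll@forum.example";
    foreach (['a@spam.example', 'a@notspam.example', 'Troll@Forum.example'] as $e) {
        echo $e, ' => ', example_email_is_banned($e, $list) ? 'banned' : 'ok', "\n";
    }
}
```

Run outside WordPress, it reports the first and third constructed addresses as banned and the look-alike domain as ok.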

For advanced documentation, including how to use on WooCommerce, please visit the Ban Hammer Wiki.

Privacy Policy

This plugin does not track data outside of what WordPress already collects. It utilizes the submitted email address to validate the domain and compares it to the list of prohibited domains and emails. No additional data is processed.

Credits

Ban Hammer is a very weird fork of Philippe Paquet’s No Disposable Email plugin. The original plugin was a straightforward .dat file that listed all the bad emails (generally ones like mailinator that are disposable) and while Ban Hammer doesn’t do that, this would not have been possible without that which was done before.

Many thanks are due to WP-Deadbolt, for making me think about SQL and TTC for StopForumSpam integration. MASSIVE credit to Travis Hamera for the StopForumSpam/cURL fix! And then props to Helen Hou-Sandí for not using curl at all. Protip? Use WP_http instead!

Download

Latest version: Download Ban Hammer v3.1.2 [zip]

Installation

Single Site (Traditional) Install

After installation, go to Tools > Ban Hammer to customize the error message (and banned emails, but it’s the same list from your comment moderation so…).

Multisite

After installation, go to Network Admin > Settings > Ban Hammer to customize the error message and banned email list. This will ban users network-wide.

Changelog

3.1

  • November 2022 by Ipstenu
  • Fix issue with saving on PHP 8
  • Removed unnecessary options

3.0

  • March 2021 by Ipstenu
  • Remove support for WP 5.4 and older (blacklist_keys no longer supported)
  • Remove checks for if registration is active and filters for that

Screenshots

  1. Default Error message
  2. Admin screen
  3. Ban Hammer Users


Join the conversation

37 comments
  • RT Cunningham

    I don’t have registrations open, but I would love something like this for comments. 99% of my spam comes from web hosts, not real people.

    • Ipstenu

      You may want to look at AVH First Defense Against Spam, which can handle a lot of that (though not on MultiSite anymore than mine works on MultiSite).

      Personally I have a lot of success with Bad Behavior which works great 🙂

  • RT Cunningham

    Since I get a lot of valid traffic from India and Bad Behavior always flags them as false positives, I don’t use that.

    I tried AVH First Defense, but it stopped working for me. I have one multi-site domain but it started having issues before I upgraded to it.

    I tried to write a plugin that would override the comments blacklist settings, making it a true blacklist, but all I ended up getting when I tested it was a white screen of death.

    In my opinion, if I’m running Akismet, the comment blacklist as-is is about useless.

    • Ipstenu

      I would report that behavior about … Bad Behavior. The only time I caught false positives was with IE 5 and older, crappier, browsers.

      MultiSite is a little (okay a lot) more complicated than Single, which is why Ban Hammer doesn’t work on it. Also it’s SUPPOSED to have a registration Blacklist, but that’s a known issue and related to other things, like BuddyPress, in my case.

      In my opinion, if I’m running Akismet, the comment blacklist as-is is about useless.

      Why? I mean, Akismet is not meant to be the be-all/end-all, any more than Ban Hammer and the built in blacklist are. Simply, they are SOME tools that will help. Akismet will (eventually) learn someone is spam, and until it does, the blacklist (or the mod list) will let you stop them from trashing your site until they do. There’s a reason the blacklist sticks around 🙂 It does work. It’s just not the prettiest thing and, personally, I want a white list!

  • TonyG

    Almost all of my spam comes from people/bots with the following pattern:
    1) Email domain is “mail15.com”.
    2) The address looks valid, like “johnsmith@…” but the name associated with it is completely different, like “Samantha Moore” for a johnsmith@ address.

    If I can blacklist mail15.com from even registering, I would eliminate virtually all of my blog comment spam.

    I’m also disturbed that WordPress doesn’t simply send me an email for new registrations so that I can spam/trash the registration – before the new user gets to post a spam comment. Right now I’m forced to manually delete the spam and delete the bogus user.

    Can Ban Hammer help with this? Am I missing a built-in management function? Any other recommended plugins?

    Thanks!

    • Ipstenu

      YES, Ban Hammer should be able to help you. Just put @mail15.com in your black list and it will stop them from being able to register. If, for some reason, Ban Hammer isn’t working (I’ve run into a couple weird places where it doesn’t like ZEND optimizer), you can use this snippet Otto made that I call Ban Whack a Mole. It works great for one domain 🙂

      To help slow them down some, I would suggest you do what I do. Make all first time comments require approval. That catches most of my spammers and, more common for me, my trolls. That and always use Akismet. It really does help.

      By the way, WordPress should be emailing you when new users register. I don’t have a single-site with open registration, but I seem to recall getting emailed every time someone registered back when I did. On MultiSite you have the option to turn it off (under Super Admin -> Options there’s ‘Send the network admin an email notification every time someone registers a site or user account.’)

  • TonyG

    WordPress does email me on a new registration. I get that email simultaneously with the email that a comment has been posted to any of my postings. Of course the comments aren’t public. I can spam or trash the comments but this is a manual operation after I go to WP admin. I can then search for and manually delete the offending user. This is all just a waste of my time. I’ll take Ban Hammer for a spin and post back with a comment the next time some event reminds me about it. 😉

  • Ipstenu

    Apropos of none of this, Ban Hammer got an upgrade this morning. Version 1.4 now checks for cURL and, if it doesn’t exist, won’t let you use StopForumSpam. So there’s that. Look for it as soon as the SVN repo catches up. 👿

  • Bruce

    Hey, I just wrote a post here, and got a blank page after the Submit, which usually means a PHP error in the comment plugin you are using.

    But, I’ll try my question again.

    I have a plugin that collects names and e-mails. I’d like to be able to check the e-mails against a black list (which Ban Hammer does for registrations). Do you have any way to call your plugin to run a true/false check for an e-mail address? I’d like to use Ban Hammer to do the work, and it seems it would be simple to have such a call.

    Thanks.

    • Ipstenu

      No idea why it crashed. I’m not using any comment plugins really save Akismet and Impostercide.

      Anyway. You can grab the source code for Ban Hammer and steal it. Right now it checks the email in a boolean (aka T/F) for existence in the ban hammer list, which is a field in the DB. It USED to use the method in http://wordpress.org/extend/plugins/no-disposable-email/ where it read a .DAT file. You could snag that to check for an email from a text file.

      Depends which way you want to grab it. But the code is open source, so it’s there for the taking 🙂

  • Bruce

    I apologize – I should have looked at the plugin code first. It was very simple to add a call to ‘banhammer’ directly. And it works great! Thanks for the plugin.

    • Ipstenu

      Not a problem! Had it not been easy, I’d have taken a look later tonight, but today is all about that job that pays me. 🙄

  • Burakula

    Hello,
    First of all thank you for this useful plugin. I have a web site on WordPress version 2.3 and I cannot upgrade the WordPress version.

    I want to ask if it is possible to use Ban Hammer on WordPress version 2.3?

    Thanks.

    • Ipstenu

      Theoretically, yes. It’s got some pre 2.6 code in there, so it may work. That said, I’m not supporting it if it doesn’t, so this is a ‘Try it and if it works, great!’

      And really? You should find a way to upgrade, even if it means moving to a new host. 2.3 is really old, and not many people will be making plugins for it.

  • Karl Blessing

    “Sorry, but this plugin is no longer supported on pre-3.0 WordPress installs.”

    Is the message I got during the latest update, but I’m using 3.1

    • Ipstenu

      Augh. Checked in the wrong file! It was fixed in trunk, of course. Okay, pushing a new version ASAFP.

      To fix right now, add this:
      global $wp_version;

      just below the commented out copyright info. Or wait about 5-10 minutes for SVN and the repo to sync.

  • Ramsey

    Hi there, does this plugin allow banning by IP addresses or blocks of IP addresses as well as emails? I have been featured on a “showcase” site and get a *TON* of ‘overseas’ traffic but my website is 99% US based. I don’t mind the traffic but when they start registering and posting “test” posts and filling up my Live website with unrelated junk “just to see how it works” it’s really annoying. Especially when those posts get sent to different RSS feeders and things and then CAN’T be deleted. (Thanks Google Reader.) Anyway, I’d like to allow them to still visit the site but block their registration by IP since I have no way to know what email they’re using since this isn’t technically “spam” email (as in, automated bots). Thanks.

    • Ipstenu

      I think it actually ‘accidentally’ blocks by IP but no, not by IP range. Honestly, I don’t advocate blocking IPs in general. It’s such an inexact science it hardly does any good. Ban Hammer is aimed at stopping the repeat offenders per-person, not the idiots en masse.

      If you have to keep registration open (I’m assuming the site has membership so you need that), I’d do two things:
      1) Install New User Approve – It’ll be a pain to get all the registration approved all the time, but on the other hand, that’s the best way to keep ’em out.
      2) Install Stop Spammer Registrations. Some of what you think are people testing actually ARE bots! They program them to do that :/

  • Sean Conner

    Moments ago installed Ban Hammer and it works like a freaking charm. Just wanted to say THANK YOU! And also thank you.

    Cheers,
    Sean

    • Ipstenu

      You’re very welcome 😀

  • Sean Conner

    … and perhaps ironically StopForumSpam.com seems to have been knocked off the net for the moment. Either by legitimate demand for their feed, but perhaps by some disgruntled spammers launching a DOS making it impossible for your plugin and others to access the live feed.

    Sad… but was still able to scrape this minimal list together that others can drop into Ban Hammer directly:

    • Ipstenu

      Amusingly … because you used those domains in your comment, it was caught as spam 😉

      Yeah, I don’t know what happened to SFS 🙁 Thankfully I also use Project Honeypot and Bad Behavior!

    • John Counsel

      Add main15.com and mail313.com to that list — MAJOR sources of forum and comment spam.

    • Gerold

      Hi,

      I run a service called block-disposable-email.com which collects new trash-domains to make it available via an api. Currently about 2.800 domains are being detected.

      Maybe this would be an option to integrate to Ban Hammer (there is already a cooperation with the mentioned SFS).

      Would be nice hearing from you,
      Gerold

    • Ipstenu

      I’ll look at it. I’m interested to know how you collect those emails and determine they’re, indeed, disposable. StopForumSpam works as well as it does because of peer review.

    • Gerold

      Every domain that appears for the first time (first time queried by one of the api users) is checked for several things, eg. by analysing the content and will be stated as “OK” or “BLOCK” depending on the findings.

      Additionally I always do a review manually to ensure not to produce false positives.

      What kind of services are being blocked is described at http://www.block-disposable-email.com/faq.php#1

  • Niraj Kumar

    Really wonderful capability. However, the plugin uses has_cap, and I use the latest WordPress installation (3.2). Perhaps, in your next upgrade, you would use Roles and Capabilities, right?
    Well, thanks again for this plugin! 🙂

    • Ipstenu

      Hmm. I will clean it up to the current standards, but I’m still going to lock it down the same way the comment blacklist is. No point in giving someone access to Ban Hammer if they’ve not got access to comment moderation options.

    • Niraj Kumar

      You are right! Locking is important. Not everybody needs to moderate Comment Blacklist.
      My regards!

  • Szemcse

    Hello,
    First of all thank you for this useful plugin. I would like to localize WordPress 3.2.1 below, but unfortunately it did not detect the localization program is not compatible with it. The localization program names: WordPress Plugin: Localization Codestyling so you do not see it unfortunately. I wanted to promote this plugin on my website. I know I could write over the code, but better to have the developer tools that item.

    • Ipstenu

      I didn’t localize it cause no one asked. 😳

      I’ll get on that and (hopefully) get it done this weekend.

    • Ipstenu

      OKAY!

      First pass is done. It still works in English, which is my first goal. If you’d like to test it, please go to http://wordpress.org/extend/plugins/ban-hammer/download/ and download the Development Version. Please let me know if I’m missing anything or screwed it up royally.

  • EBL

    What if I am being treated like Spam but I am not spam? How do I get the ban to stop?

  • Tayler

    Just wanted to let you know this plugin is exactly what I’m looking for. I think that WordPress core should offer this functionality. Thank you.

    • Ipstenu

      I used to think this should be in core, but when you add up the people with open registration and the people on single site WP (Multisite has this built in), the numbers drop a lot. I’d much rather see the Multisite option just made standard, but most people using single site don’t need this. So … I think it’s okay it’s not in core 🙂

Comments are closed.