There are three options for checking comments for spam: Akismet, reCAPTCHA and spam words filtering. You may use none or any of the three in any combination.
Suggested settingsThe settings I use on all of my sites, except for the TalkBack demo, are: Akismet enabled, reCAPTCHA disabled, maximum permitted links = 0, discard spam enabled.
In 1½ years I had over 100,000 spam comments but never had a false positive (a real comment flagged as spam). I do get some occasional false negatives (spam not caught). So these settings provide rock solid protection against spam and minimize the number of spam comments I have to delete.
I don’t use the captcha because (1) it is an irritent to visitors and (2) Akismet does a good enough job by itself.
Setting maximum links to 0 causes any spam not caught by Akismet to be held for approval. The one common characteristic of all spam is that there is always at least one link in the comment text.
I turned discard spam on after I got tired of reviewing the spam comments list each day without finding any false positives (real comments). If you get only a few spam comments each day this setting doesn’t really matter. But if you are receiving hundreds, reviewing them is a PITA.
If enabled via the admin configuration settings panel, TalkBack will submit comments to the Akisment spam checking service. If Akismet flags a comment as spam it is either discarded or held for your approval depending on configuration settings.
Why a service instead of spam checking code on your local server? Because: Akismet produces better results than any solution that is installed locally; there have been no reliablity problems with Akismet so a local solution provides no better up time; the Akismet algorithms are constantly being refined so it will dynamically keep up with new tricks by spammers; response time from the Akismet servers is negligible. If the Akismet server should go down, TalkBack will flag comments for your approval.
To enable Akismet obtain an API key by signing up at Wordpress. Check the "Just a username, please" button. Enter the key into the TalkBack admin > maintenance > configuration settings.
When testing Akisment, I recommend setting a “test IP” in the admin configuration settings panel. This will prevent Akismet from flagging your IP. Use any invalid IP address such as “255.255.255.256”. When you are finished testing, be sure to clear the test IP field in configuration settings.
You can easily test Akismet after enabling it. Enter a comment with an author name of “viagra-test-123”. If Akismet is working the script will display a message panel saying the comment is being held for approval and the comment will show up in the admin panel spam listing.
To enable the captcha, signup at reCAPTCHA to get your public and private keys. Enter those keys into the TalkBack admin > maintenance > configuration settings.
Why a service instead of captcha code on your local server? Less workload on your server (creating images consumes resources); I expect that, like Akismet, the reCAPTCHA team will keep up with spammers much faster than the authors of any other solutions; response time from the reCAPTCHA servers is negligible.
If enabled via the admin configuration settings panel, TalkBack will obtain a captcha from the reCAPTCHA captcha server. When the comment is submitted reCAPTCHA checks to be sure the words were entered correctly.
If the visitor has Javascript turned off, the default “red” captcha inside an Iframe with an “I’m a human” button will be displayed. It’s not very elegant but nothing can be done to style it diffferently.
There are four standard captcha themes {examples}: red, white, clean and blackglass (created by recaptcha.net) and one custom theme (created by me). The theme is specified at the time TalkBack is initiated (see adding comments to your pages.
You can also create your own custom theme. Go to reCAPTCHA API documentation. Scroll down to "Custom theming".
Below is the default TalkBack custom theme in captcha.php. You can move things around, change the css, add background image, etc. But leve the id's and classes as is. The javascript uses the id's and the css uses the classes.
if ($captcha_theme == 'custom') {
print "
<!-- Captcha checking -->
<script type='text/javascript'>
var RecaptchaOptions = {
theme: 'custom',
lang: 'en',
custom_theme_widget: 'recaptcha_widget'
};
</script>
<div id='recaptcha_widget' class='recaptcha_widget' style='display:none'>
<div id='recaptcha_image' class='recaptcha_image'></div>
<div id='captcha_actions' class='captcha_actions'>
<div><a href='javascript:Recaptcha.reload()'><img src='images/captcha-reload.png' width='25' height='18' alt='' /></a></div>
<div class='recaptcha_only_if_image'><a href=\"javascript:Recaptcha.switch_type('audio')\"><img src='images/captcha-audio.png' width='25' height='15' alt='' /></a></div>
<div class='recaptcha_only_if_audio'><a href=\"javascript:Recaptcha.switch_type('image')\"><img src='images/captcha-text.png' width='25' height='15' alt='' /></a></div>
<div><a href='javascript:Recaptcha.showhelp()'><img src='images/captcha-help.png' width='25' height='16' alt='' /></a></div>
</div>
<div id='response_line' class='response_line'>
<span class='recaptcha_only_if_image'>{$lang['captcha_visual_prompt']}</span>
<span class='recaptcha_only_if_audio'>{$lang['captcha_audio_prompt']}</span>
<input type='text' id='recaptcha_response_field' class='recaptcha_response_field' name='recaptcha_response_field' />
</div>
<script type='text/javascript' src='http://api.recaptcha.net/challenge?k={$config['captcha_public']}&lang=en'></script>
<div class='recaptcha_only_if_incorrect_sol' style='color:red'>Incorrect please try again</div>
<script type='text/javascript'>
window.onload = function() {
Recaptcha.focus_response_field();
}
</script>
</div>";
} else {
I believe the only use for this is if Akismet is not catching some spam comments and those comments have certain words in common. You could enable spam words filtering to reject comments with those words. Rejected comments are held for your approval. To use spam words filtering:
Check “Enable spam words checking” in the configuration settings panel.
Copy spamwords.php and name it my-spamwords.php.
Open my-spamwords.php. A partial list of it’s contents:
// Email field words/phrases // $sw_email[] = ''; // Subject field words/phrases // $sw_subject[] = ''; // Author name field words/phrases // $sw_name[] = ''; // Comment text area words/phrases $spamword[] = '$$$'; $spamword[] = '[url'; // catches comments that have bbcode format links $spamword[] = 'adipren'; $spamword[] = 'adult'; $spamword[] = 'ambian'; $spamword[] = 'ambiian'; $spamword[] = 'barely legal';
Add/delete entries in the $spamword table as needed. If you want to optimize efficiency after using it for a while, put phrases which are found most often at the top of the table.
To do spam word checking on email, subject and/or author name fields, uncomment (remove the preceeding //) the respective table and add entries.