DiggingIntoWordPress

by Chris Coyier & Jeff Starr

Stop Spammers with a Custom Comment Blacklist

I usually reserve most of my blacklisting content for Perishable Press, but after posting about using WordPress’ built-in tools to stop comment spam, several DiW readers have asked about a good custom blacklist that may be used for the “Comment Moderation” and/or “Comment Blacklist” features in the WordPress “Discussion Settings” screen. Over the years, I have built up an extensive custom blacklist of terms that has proven quite effective at keeping spam and other garbage out of the comments section, even without using any anti-spam plugins such as Akismet. It’s strictly plug-n-play, and should help protect your site (and reputation) against all sorts of malicious nonsense. So, without further ado...

(Caution: the blacklist contains several instances of profanity in order to keep vile language out of your comments.)

Custom WordPress Comment Moderation Blacklist

The idea is simple: copy and paste this custom blacklist into the Comment Moderation field in your WordPress Admin area, which will look something like this:

[ Screenshot: The ‘Comment Moderation’ field in the WordPress ‘Discussion Settings’ Area ]

Here is the list, in all of its offensive pharmaceutical, gambling, sex-industry glory (see notes afterward for more information on usage and functionality):

д
и
ж
Ч
Б
. ,
? ,
[url=
[/url]
thx
sex
byob
nude
loan
debt
poze
bdsm
soma
visa
hotel
paxil
anime
naked
poker
coolhu
cialis
incest
casino
dating
payday
rental
ambien
holdem
cialis
adipex
booker
youtube
myspace
advicer
flowers
finance
freenet
-online
shemale
meridia
cumshot
trading
adderall
gambling
roulette
top-site
mortgage
pharmacy
dutyfree
ownsthis
duty-free
insurance
ringtones
insurance
blackjack
hair-loss
bllogspot
baccarrat
thorcarlson
jrcreations
credit card
macinstruct
hydrocodone
leading-site
slot-machine
carisoprodol
ottawavalleyag
cyclobenzaprine
discreetordering
aceteminophen
augmentation
enhancement
phentermine
doxycycline
citalopram
cephalaxin
vicoprofen
lorazepam
oxycontin
oxycodone
percocet
propecia
tramadol
propecia
percocet
cymbalta
lunestra
fioricet
lesbian
lexapro
valtrex
titties
xenical
meridia
levitra
vicodin
ephedra
lipitor
breast
cyclen
viagra
valium
hqtube
ultram
clomid
cyclen
vioxx
zolus
pussy
porno
xanax
bitch
penis
pills
male
porn
dick
cock
tits
fuck
shit
gay
ass
gdf
gds

As mentioned, to use this list, just copy/paste it into your Comment Moderation field and you’re done. Along the way, you may find that additional terms are needed, or that certain terms need to be removed. Feel free to tweak according to the specific needs of your site. It’s all good :)

A couple of notes about this blacklist:

  • The first five or so characters are effective at blocking 99% of nonsensical Russian spam.
  • The period/comma entries block a recent rash of spam that included these particular strings.
  • Most of the terms are highly specific to spam comments and should keep false positives at a minimum.
  • Even so, it is recommended that this custom blacklist be used as a “Comment Moderation” list and not as a “Comment Blacklist” in order to retain your ability to screen for false positives.
  • Additional terms are easily added by appending each character string to the list on its own line.
  • It would be great to build this blacklist up a little further. If you have your own distinct collection of terms, let me know and I will add them to the list.
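
To see why the notes above recommend the moderation queue over an outright blacklist, here is an added example (not code from this post or from WordPress core) that mimics how WordPress checks these lists: each line is matched as a case-insensitive substring, so a term also matches inside longer words. The function name `moderation_hits()` and both sample comments are constructed for illustration.

```php
<?php
// Added example: approximates WordPress' moderation-list matching
// (case-insensitive substring match, one term per line).
// moderation_hits() is a hypothetical helper, not a WordPress function.

/**
 * Return the list entries that occur anywhere inside $text.
 */
function moderation_hits(string $list, string $text): array
{
    $hits = [];
    foreach (explode("\n", $list) as $term) {
        $term = trim($term);
        if ($term === '') {
            continue; // skip blank lines so they cannot match every comment
        }
        // preg_quote() keeps entries such as "[url=" literal instead of
        // letting the bracket open a regex character class.
        $pattern = '#' . preg_quote($term, '#') . '#i';
        if (preg_match($pattern, $text) === 1) {
            $hits[] = $term;
        }
    }
    return $hits;
}

// A few entries taken from the list above.
$list = "[url=\n[/url]\nviagra\nvisa\nmale\nass\n";

// Constructed sample comments: one spam-like, one legitimate.
$samples = [
    'spam'  => 'Buy [url=http://example.invalid]cheap ViAgRa[/url] now',
    'legit' => 'My female colleague passed the class; a password reset seemed advisable.',
];

foreach ($samples as $label => $comment) {
    $hits = moderation_hits($list, $comment);
    printf("%-5s => %s\n", $label, $hits ? implode(', ', $hits) : '(no match)');
}
```

Running a candidate list through a check like this against a batch of already-approved comments shows which short entries will hold legitimate comments for review before you paste the list into the settings screen.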

Any questions/comments/concerns welcome in the comments area.

14 Responses

  1. Marcos Cesar February 15, 2010

    Oh great! It’s very useful. Thank you. I’ll put this custom blacklist on my website.

  2. Some words in your list are really generic. They can appear in spam but can appear in legit comments just as easily.

    It might fit a moderation blacklist, but I prefer to moderate everything (known commenters are whitelisted) and use a word list to send straight to spam comments with certain spammy words.

    As for suggestions – common bbcode forum tags work well, plenty of bots use those instead of the HTML tags that WP supports in comments.

    • Jeff Starr

      There are a few generic words, but most of them are specific phrases associated with gambling, pharmaceuticals and porn. As mentioned, feel free to remove/add anything to suit your specific needs.

      Thanks for the tip on the bbcode forum tags — once I figure out what those are, I will include them in the list.

  3. Would this just put comments with those words in the spam folder for moderation? I’m using akismet and it already does a great job of catching all of these types of posts in the spam folder. Not sure if larger sites have a bigger problem, but (knock on wood) I haven’t had any spam comments go through akismet yet.

    • Jeff Starr

      Yes, when placed in the Comment Moderation field, any matching comments are moved to the moderation queue for your approval/rejection.

      If Akismet is working for you, then there is probably no need to worry about this blacklist.

  4. thanks! logged in to 76 spam comments from the weekend, even with Akismet. So I will employ this now. Grazie.

  5. heh. My comment was eaten by the spam list I guess.

    What I was saying was:
    “(/url)” scores better than “(url=” because sometimes you get comments with links like “(url)somelink(/url)”
    (replace parenthesis with brackets)

    • Jeff Starr

      Actually not using the spam list here at digwp.com, but good suggestion nonetheless. Will add [/url] to the list. Thanks :)

  6. Jeff, great list. I don’t have a better one to share with you but I’ll be sure to pass the word around and hopefully we can help others defend their blogs some from these jerks.

  7. Thanks for this, Jeff! I closed down my MT website to comments years ago, and a blog without comments is simply talking to myself. Just this week I started migrating it over to WP, and these spam tips came at a good time for me as I really want to run as few plugins as necessary.

  8. Good Tips! Thanks much.
