Super long URLs are a surefire sign the comment is spammy. This snippet marks a comment as spam when its author URL (the URL field of the comment form, not links in the comment text) is longer than 50 characters; otherwise it leaves the comment's approval state the way it is.
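<?php
// Mark a comment as spam when its author URL is longer than 50 characters;
// otherwise pass the existing approval state through unchanged.
function rkv_url_spamcheck( $approved, $commentdata ) {
	return ( strlen( $commentdata['comment_author_url'] ) > 50 ) ? 'spam' : $approved;
}
// Priority 99 runs the check late; 2 is the number of arguments the callback accepts.
add_filter( 'pre_comment_approved', 'rkv_url_spamcheck', 99, 2 );
?>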
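A variant of the snippet above that covers cases it does not, written as an added example and not the original author's code: it keeps an earlier 'spam', 'trash' or error decision, tolerates a missing URL, and goes beyond the length check by also rejecting URLs that fail filter_var() or are not http(s). The example_* names and the http(s)-only rule are assumptions; outside WordPress the file prints verdicts for constructed samples.

```php
<?php
// Added example, not the original snippet; example_* names are hypothetical.
const EXAMPLE_MAX_AUTHOR_URL_LENGTH = 50; // threshold used by the snippet above

// Classify an author URL as 'ok', 'too_long' or 'invalid'.
function example_author_url_verdict( $url, $max = EXAMPLE_MAX_AUTHOR_URL_LENGTH ) {
	$url = trim( (string) $url );
	if ( '' === $url ) {
		return 'ok'; // the URL field is optional in the comment form
	}
	// Count characters rather than bytes when mbstring is available.
	$length = function_exists( 'mb_strlen' ) ? mb_strlen( $url, 'UTF-8' ) : strlen( $url );
	if ( $length > $max ) {
		return 'too_long';
	}
	// Assumption: only http(s) links are acceptable as an author URL.
	$scheme = strtolower( (string) parse_url( $url, PHP_URL_SCHEME ) );
	if ( false === filter_var( $url, FILTER_VALIDATE_URL )
		|| ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
		return 'invalid';
	}
	return 'ok';
}

function example_url_spamcheck( $approved, $commentdata ) {
	// Never override an earlier decision: keep 'spam', 'trash' and WP_Error objects.
	if ( is_object( $approved ) || in_array( $approved, array( 'spam', 'trash' ), true ) ) {
		return $approved;
	}
	$url = isset( $commentdata['comment_author_url'] ) ? $commentdata['comment_author_url'] : '';
	return ( 'ok' === example_author_url_verdict( $url ) ) ? $approved : 'spam';
}

if ( function_exists( 'add_filter' ) ) {
	// Inside WordPress: same hook, priority and argument count as the snippet above.
	add_filter( 'pre_comment_approved', 'example_url_spamcheck', 99, 2 );
} else {
	// Outside WordPress (php CLI): run against constructed sample comments.
	$samples = array(
		array( 1, 'https://example.com/' ),
		array( 1, 'https://example.com/' . str_repeat( 'a', 60 ) ),
		array( 0, 'ftp://example.com/file' ),
		array( 'trash', 'https://example.com/' . str_repeat( 'a', 60 ) ),
		array( 1, '' ),
	);
	foreach ( $samples as $s ) {
		$result = example_url_spamcheck( $s[0], array( 'comment_author_url' => $s[1] ) );
		printf( "%-8s %-30.30s => %s\n", var_export( $s[0], true ), $s[1], var_export( $result, true ) );
	}
}
```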
The URL for this page is 74 characters long.
So using this snippet, if a user were to leave it as their author URL in a comment, it would be marked as spam.
Oh, only for the author URL – I see.
I read “not just in the text” as “not only in the text”. My mistake – although I suspect other people might trip over this, too. Perhaps it would be clearer if you mentioned “author URLs” in the headline or the first sentence as well?
I’ve just found out that WordPress seems to accept a working script in a comment. This seems like a big no-no based on other things I’ve read about sanitizing user input before spitting it back out again. I’ll try it here and see if it works on your site too: alert(‘really?!?’).
If your site is like mine, this page will now alert “really?!?” every time it is refreshed. On the other hand, if you have prevented this from happening, I’d hope to learn an effective approach to doing so on my site.
If this little script does play here — and probably on millions of other WP sites — I’d sure love to hear your take on the safety of this.
Thanks,
Dave
I see that your comment form has stripped out the script tags and just left the innocuous string as a part of the message. Very nice.
I put a question about this on the WordPress.org support forum yesterday, and the response I got was “Try blocking the keywords usually used in scripts such as script, type, javascript, etc. in comment blacklist by going to your discussion settings (dashboard).” This didn’t seem particularly reassuring to me.
Can you please give me a pointer to the best way to tighten up the comments form on my site?
Thanks again,
Dave
Actually, you can use Regex.
First, you should use filter_var($url, FILTER_VALIDATE_URL) rather than regex. For regex you can try examples from regexr.com.