@madpilot makes

Image verification for comments in WordPress 2.0

I’m sick of blog spam. It is such a pain to have to mark it all as spam (And what exactly does that function do? I’ve seen the same spam come through many times, so it doesn’t seem to learn…)

Anyways, here is my quick and dirty hack to add a image verification box on the comments page (Warning WordPress hack ahead – I’ll bother to learn the plugin system one day…)

This hack requires the following PHP libraries installed on your server: Freetype, GD and mcrypt.

Create a new file in [path_to_your_blog]/wp-image-verify.php

Insert the following code:

  1. < ?php
  2. require( dirname(__FILE__) . ‘/wp-config.php’ );
  3. $verifier = $_REQUEST[‘verifier’];
  4. $display_string = decrypt($verifier);
  5. $image_details = imagettfbbox (10, 0, ‘/usr/share/fonts/TTF/tahoma.ttf’, $display_string);
  6. $image = imagecreatetruecolor($image_details[4]$image_details[5], (0$image_details[5])(0$image_details[3]) + 1);
  7. imageantialias($image, true);
  8. $background = imagecolorallocate($image, 255, 255, 255);
  9. imagefill($image, 0, 0, $background);
  10. imagettftext($image, 10, 0, $image_details[0] + 1, 0$image_details[5], imagecolorallocate($image, 119, 119, 119), ‘/usr/share/fonts/TTF/tahoma.ttf’, $display_string);
  11. header(“Content-type: image/png”);
  12. imagepng($image);
  13. ?>

Note – you will probably (ok will) have to change the path of the font as /usr/share/fonts/TTF/tahoma.ttf is a font I copied from my windows directory.

Open [path_to_your_blog]/wp-comments-post.php and add the following lines at around line 25:

  1. $verifier = trim($_POST[‘verifier’]);
  2. $verifier_compare = decrypt($_POST[‘verifier_hash’]);

Open [path_to_your_blog]/includes/comments-functions.php and add the following lines at the top of the file:

  1. // image verifier functions – by Myles Eftos
  2. $key = “afedss”; // Enter a 5 character string
  3. $iv = “sdfesdf”; // Enter a 7 character IV
  4. function random_string($length = 6) {
  5. $str = ;
  6. for($i = 0; $i < $length; $i++) {
  7. $str .= chr(rand(ord(‘A’), ord(‘Z’)));
  8. }
  9. return $str;
  10. }
  11. function encrypt($string) {
  12. global $key;
  13. global $iv;
  14. return base64_encode(mcrypt_encrypt(MCRYPT_DES, $key, $string, MCRYPT_MODE_ECB, $iv));
  15. }
  16. function decrypt($string) {
  17. global $key;
  18. global $iv;
  19. return chop(mcrypt_decrypt(MCRYPT_DES, $key, base64_decode($string), MCRYPT_MODE_ECB, $iv));
  20. }

Replacing the $key and $iv variables with a random 5 and 7 cahracter string respectively.

Finally find the comments.php file in you theme directory – if you are using the default theme it is at [path_to_your_blog]/wp-content/themes/default and add the following lines after the url textbox (Around line 89 in the default template):

  1. < p>

  2. < input type=“text” name=“verifier” id=“verifier” size=“22” />
  3. < label< small>Enter the string you see here: < img src=“< ?php echo get_option('siteurl'); ?>/wp-image-verify.php?verifier=< ?php echo urlencode ($image_hash) ?>” alt=”” />< / small>  < / label>
  4. < input type="hidden" name="verifier_hash” value=”< ?php echo $image_hash; ?>” />
  5. < /p>

All done :)


  1. I use http://akismet.com, which is the default on wordpress.com. It works fine.
  2. Yeah I looked at that - but with any learning system they are going to be false negatives (And god forbid false positives).

    Granted using an image verification method won't stop real people blog-spamming, but until I see evidence of a lot of this happening I'll stick to this method - it's simpler and doesn't rely on a third party that could disappear tomorrow (Not to say akismet will).
  3. Akismet doesn't work. I get spams coming through and legit comments in the 200 porn spams in Akismet.
  4. Yepp, I've made the same hack as soon as I installed WP. You can check it on my blog (http://blog.venia.ru/?p=24). Maybe it's a bit simplier :)
  5. hi,

    i try to use your script in my blog (i use wordpress ver. 2.7)

    but there's error at "return chop(mcrypt_decrypt(MCRYPT_DES, $key, base64_decode($string), MCRYPT_MODE_ECB, $iv));" said that there's unknown mcrypt_decrypt function.

    and then i try benjamin's script but there's error too :(

    would you help me to re-write your code for wordpress 2.7 ?

    or maybe you could send the file and how to install it to my email??

    thanks for your advice
  6. Sorry @johanericka, this code is 3 years old, and I removed it from my blog about 2.5 years ago. Just use akismet: http://www.akismet.com
  7. akismet doesn't work for me because i put my blog at my personal server (not at wordpress.com)

    finally i found the plugin here http://www.theblog.ca/random-anti-spam

    just install and enjoy :D

Leave a comment