Add Additional Comment Form Validation in WordPress

Spam is inevitable. It’s just a reality of life on the Internet. And if you have a blog or a website running WordPress and you open up your comments form, spam is going to come your way. Fortunately there are great tools such as the WordPress staple Akismet or Antispam Bee that you can use to catch spam in your spam filter. But even though these sorts of tools provide an extra layer of protection, I also think it’s still a decent practice to moderate all comments because there are times when those spammy comments can still sneak through.

What is the downside to this? Well, for one, you’re going to have to be actively monitoring your blog spam filter because there is always the possibility that some actual legit comments get caught in the filter. But if you get a lot of spam, this isn’t really feasible. Who wants to sift through 10,000 spam comments about larger penises or Louis Vuitton handbags on a daily basis? If you’re into those things maybe you do… but most people would probably rather not.

Fortunately there are ways to reduce the number of spam comments that actually get through into your filter. Before I implemented the following approach, I used to get hundreds and hundreds of spam comments a day in my spam filter. After this though, I reduced the amount that came through to around 10% of what it was. On that note, I just want to reiterate, though, that this is not a bulletproof solution. You are still going to get some spam (so don’t go setting your WordPress settings to “Allow all comments all the time” just yet). But what this can do is provide a little extra validation to stop some of the dumber bots from continually hammering your comment form submission system. Less spam to sort through is always a better situation overall. Nobody wishes for more spam.

We are going to add a nonce to our WordPress comment form to provide some additional validation. A nonce is, as stated on the WordPress Codex…

The nonce field is used to validate that the contents of the form request came from the current site and not somewhere else. A nonce does not offer absolute protection, but should protect against most cases. It is very important to use nonce fields in forms.

You can find more information on the general use of nonces elsewhere on the web. They’re not specific or unique to WordPress.

But what’s great about this is that you don’t even have to limit this additional validation to nonces. You could repeat this process and provide additional fields of validation by adding to the following areas of code and you wouldn’t even have to create new functions or anything. You could just add to the functions below.

In your functions.php file (or wherever you are handling your functionality) add the following 2 functions and the corresponding action hook and filter.

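function nbs_additional_comment_validation($comment_data) {
    // Read the submitted nonce; a missing field becomes an empty (invalid) value.
    $nonce = isset( $_POST['comment_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['comment_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'nbs_comment_nonce' ) ) {
        // Validation failed: stop executing.
        exit;
    }
    return $comment_data;
}
add_filter('preprocess_comment', 'nbs_additional_comment_validation');

// Output the hidden nonce field inside the comment form.
function nbs_additional_fields() {
    wp_nonce_field('nbs_comment_nonce', 'comment_nonce');
}
add_action('comment_form_after_fields', 'nbs_additional_fields');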

NOTE: I use the “nbs_” (for Nine Bit Studios) prefix for naming my functions that occupy the global namespace to prevent collision and duplicate function definition errors. This is good practice and you should do it with your global custom functions as well. Or, you could wrap your functions in classes as an alternative.

What this code does is add the nonce comment field by hooking into the “comment_form_after_fields” action. You could add any additional validation fields that you wanted to this function. wp_nonce_field echoes an input field out, but you could do this manually if you wanted to add other validation.

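function nbs_additional_fields() {
    wp_nonce_field('nbs_comment_nonce', 'comment_nonce');
    // The field needs a name attribute, otherwise the browser never submits it.
    echo '<input type="hidden" id="myAdditionalValidation" name="myAdditionalValidation" />';
}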

The nbs_additional_comment_validation function is where you do your checks on your additional fields (as you normally do on POST requests). If validation fails on our nonce, we just exit (i.e. stop executing any code). You could add all the validation checks that you want for any additional fields here in this function. You could even add (*cringe*) CAPTCHA here if you wanted, but, fair warning, your readers may despise you for doing so.
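A variation on the functions above, as an added example that is not the post's own code: it prints the fields from the “comment_form” action, which fires for logged-in visitors too (“comment_form_after_fields” only fires when the name and email fields are shown), lets pingbacks and trackbacks through because they never submit the form, and adds a honeypot as a second validation field. The “ex_” function, nonce and field names are hypothetical.

```php
// Added example. The ex_ prefix, the ex_comment_nonce action and the
// ex_website_confirm honeypot field are hypothetical names.

// Print the extra fields inside the comment form for every visitor.
function ex_comment_extra_fields() {
    wp_nonce_field( 'ex_comment_nonce', 'ex_comment_nonce_field' );
    // Honeypot: hidden from people with CSS, so a non-empty value
    // means the form was filled in by a script.
    echo '<p style="display:none"><label>Leave this empty'
        . '<input type="text" name="ex_website_confirm" value="" autocomplete="off" tabindex="-1" />'
        . '</label></p>';
}
add_action( 'comment_form', 'ex_comment_extra_fields' );

function ex_validate_comment( $comment_data ) {
    // Pingbacks and trackbacks pass through this filter as well but are
    // not form submissions, so they carry no nonce.
    $type = isset( $comment_data['comment_type'] ) ? $comment_data['comment_type'] : '';
    if ( in_array( $type, array( 'pingback', 'trackback' ), true ) ) {
        return $comment_data;
    }

    $nonce = isset( $_POST['ex_comment_nonce_field'] )
        ? sanitize_text_field( wp_unslash( $_POST['ex_comment_nonce_field'] ) )
        : '';
    $honeypot = isset( $_POST['ex_website_confirm'] )
        ? trim( wp_unslash( $_POST['ex_website_confirm'] ) )
        : '';

    if ( ! wp_verify_nonce( $nonce, 'ex_comment_nonce' ) || '' !== $honeypot ) {
        // Reject with an explicit 403 and a back link instead of a blank page.
        wp_die(
            esc_html__( 'Comment rejected: form validation failed.' ),
            '',
            array( 'response' => 403, 'back_link' => true )
        );
    }
    return $comment_data;
}
add_filter( 'preprocess_comment', 'ex_validate_comment' );
```

If your pages are served from a cache, keep the cache lifetime shorter than the nonce lifetime (24 hours by default), otherwise the nonce in the cached HTML goes stale and legitimate comments get rejected.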

So that’s a general overview of how you can shore up your comment form a bit more. It’s not a bulletproof solution, but it’s something. And in the continual war against spam, every little bit can help. If somebody really wants to tell you how you can increase the size of various reproductive organs on your body by up to 300%, you gotta make them work for it.
