
Stop spam on your WordPress blog

Embrace social content with Mollom for WordPress.

Tired of spam on your WordPress blog? — Here’s the solution you’ve been waiting for:

Mollom is an excellent spam filtering service that automates most of the task of content moderation for you.  Mollom allows you to focus on producing quality content and on the things that matter: interacting with your audience and responding to their feedback to drive your brand recognition.

The Mollom plugin for WordPress existed before, but has been completely rewritten recently.  The original author, Matthias Vandermaesen (netsensei), reviewed and accepted the entire set of changes in less than 24 hours.  The plugin continues to evolve and see improvements and new features at a steady pace — Open-source at its best!

» Download and install the Mollom plugin from WordPress’ Plugin Directory.

Why Mollom?

Mollom protects your site from spam and unwanted posts; Mollom enables you to focus on quality content:

  1. Mollom blocks all bad spam
  2. accepts the good user-contributed content
  3. and honestly admits when it is unsure — asking the author to solve a CAPTCHA to be sure.

To learn more, check How Mollom works.

Mollom is the most sophisticated and bullet-proof solution to combat comment spam on the market.  It uses thousands of heuristics to classify a particular post as spam or ham.

It leverages statistical data from external resources as well as the combined power and swarm knowledge from all connected sites in the Mollom network to make well-informed decisions.

The Mollom network is huge; more than 4,500,000 posts are processed per day.

Why is my IP blacklist not sufficient?

A typical record/replay attack from a spam bot network hits your site with up to 50 posts per second, executed in parallel from many different, globally distributed hosts/servers.  To do so, spammers break into and take over vulnerable computers that have security holes.

This includes web servers, but also personal computers; potentially even yours.  Things get tricky when dynamic IPs are infected.

Did you know that the vast majority of world-wide Internet Service Providers assign you a new IP address every 24 hours?

IPs of end-users are changing.  Rapidly.  IP blacklisting services like http:BL were designed for static server IP addresses only.  They’re not able to identify dynamic IPs, and they block IPs for 30 days.  That’s 29 days too long.  Consequently, you will block innocent end-users by using them.

Even Mollom ran into this trap some time ago.  People were inappropriately blocked as spammers.  After removing the culprit, previously blocked but actually innocent end-users were finally able to comment.  Lessons learned; this won’t happen again.

Today, Mollom accounts for dynamic IPs of end-users in a proper way:  It maintains a huge database of all IP addresses for all posts of all post authors on all sites in the Mollom network.  These IP reputations do not only exist – they live on their own, and adapt themselves to new post attempts very quickly.

What about human spammers?

Mollom catches human spammers, too.  Three unique features enable it to do so:

  1. The service deeply analyzes each post.
  2. Suspicious content triggers a CAPTCHA – destroying the cost/benefit model of spammers.
  3. Even the CAPTCHAs are intelligent: Recent author activity, Mollom’s smart reputations, as well as feedback from all sites in the Mollom network are taken into account.

In short:  Human spammers have a very hard time with Mollom.  On top, Mollom’s engineering team works 24/7 to monitor and improve the performance of the service.

What if Mollom is wrong?

Truth is:  All spam filters can be wrong.

And when they are, all hope is usually lost.  Just how many e-mails ended up in nirvana, because of an overly strict spam filter somewhere?

Not so with Mollom:  End-users are able to notify Mollom in case their post is inappropriately blocked as spam.

In such rare cases, Mollom’s support team manually analyzes the situation and resolves it.  This process intentionally does not involve the site owner, since there are a good number of human spammers who are trying to game the feedback loop.  Only Mollom is able to see and study all past and current information, in order to identify whether a false-positive report is legit.

Why did the WordPress plugin take so long?

(This gets technical.)

The architecture of WordPress core is very simple (and dated).  Implementing and enabling the usual flow that is required for Mollom was a tough challenge.  Here’s why:

  1. WordPress sanitizes and replaces all user input for database storage, but the original user input must be checked with Mollom.
  2. In case of any error, WordPress prints a message and halts execution, but we need to show a CAPTCHA and allow the user to try again.
  3. Data objects and state are not maintained across multiple event subscribers in WordPress, but we must track and access the state of a particular post attempt in various hooks.
  4. WordPress only provides routes for its core entity types, but we need to handle requests for a custom endpoint.

The solution?  Inject a good chunk of battle-tested knowledge and experience from Drupal, Symfony, and, more generally, PHP: The Right Way into WordPress.

The new Mollom plugin for WordPress

  1. Reverts WordPress’ escaping of user input, in order to check it with Mollom.
  2. Introduces a simple mechanism to re-render a form upon validation errors.
  3. Implements a hook/callback dispatcher, in order to retain state between multiple events.
  4. Relies on Pretty URLs for advanced Mollom integration features and intercepts HTTP requests early, in order to dispatch them to a controller.

Each solution required a deep dive into WordPress’ core architecture and bootstrap.  But in the end, they’re surprisingly simple.  Hopefully they can serve as basic inspiration for WordPress core developers.  Happy to help and clarify!
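
How the first and third solutions fit together, as an added example that is not taken from the Mollom plugin: it assumes WordPress’ input escaping can be modelled with `addslashes()`, and `SpamCheckDispatcher` and its `classify()` stub are hypothetical names standing in for the plugin's dispatcher and the remote Mollom check.

```php
<?php
// Added example; stand-alone sketch, not code from the Mollom plugin.

/** Models the escaping applied to request data (assumption: addslashes). */
function simulate_wp_slashing($value) {
    return is_array($value) ? array_map('simulate_wp_slashing', $value) : addslashes($value);
}

/** Reverts the escaping so the check sees what the author typed. */
function unslash_deep($value) {
    return is_array($value) ? array_map('unslash_deep', $value) : stripslashes($value);
}

final class SpamCheckDispatcher {   // hypothetical name
    private array $state = [];      // shared by all callbacks of one request

    /** Stub classifier (assumption) standing in for the remote spam check. */
    private function classify(string $text): string {
        return stripos($text, 'http://') !== false ? 'unsure' : 'ham';
    }

    /** Early hook: check the original text, remember the verdict. */
    public function onPreprocess(array $escaped): array {
        $original = unslash_deep($escaped);
        $this->state['checked'] = $original['comment_content'];
        $this->state['verdict'] = $this->classify($original['comment_content']);
        return $escaped;            // the storage path keeps the escaped copy
    }

    /** Later hook: act on the verdict recorded by the early hook. */
    public function onApproval(): string {
        $verdict = $this->state['verdict'] ?? 'unsure';
        // 'unsure' means: re-render the form with a CAPTCHA instead of halting.
        return $verdict === 'ham' ? 'approve' : ($verdict === 'spam' ? 'reject' : 'captcha');
    }

    public function checkedText(): string {
        return $this->state['checked'] ?? '';
    }
}

// Constructed sample input, escaped the way the hooks would receive it.
$post = simulate_wp_slashing(['comment_content' => 'It\'s a "great" post']);
$dispatcher = new SpamCheckDispatcher();
$dispatcher->onPreprocess($post);
echo 'escaped: ', $post['comment_content'], PHP_EOL;
echo 'checked: ', $dispatcher->checkedText(), PHP_EOL;
echo 'action:  ', $dispatcher->onApproval(), PHP_EOL;
```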

Can I use Mollom on my blog?

Yes, you can. :)  It’s simple:  Get started by following these steps:

  1. Add the Mollom plugin to your site (via your dashboard, or by downloading/installing it manually).
  2. Sign up for Mollom (it’s free!) to get your API keys.
  3. Enter your API keys into the Mollom plugin settings.
  4. Profit! :)

If you have the Akismet, CAPTCHA, honeypot, or any other spam filter plugin enabled, you should disable those, as they will conflict with Mollom’s operations.

For more details, check the complete Mollom Tutorial for WordPress.





3 responses to “Stop spam on your WordPress blog”

  1. Jeff Norwich

    This is fantastic. Thanks for sharing!

    I’ve been a long-time user of the included Akismet and wasn’t happy with the results.
    Switched over to Mollom yesterday, finally no more spam comments!!! Thank you!!!!

    1. Daniel F. Kudwien

      Glad you like it :)

  2. JasonP

    I’ve tried Mollom, and although it worked very well (a little bit too well..), I have had many complaints about users getting a message like this: (ofc this example is real spam), they were unable to post even though the message was not ‘spammy’ at all, so I just went for reCAPTCHA again, but this is not nearly as good :/