Anti-Spam Comment Plugins and Cookies

While looking at anti-spam solutions for comments, does CleanTalk set cookies in a ClassicPress site? My website does not use cookies and does not have a cookie banner. I did try out AntiSpam Bee however my content security policy for my website does not allow inline styles and scripts. Plus, I want to avoid CAPTCHAs, puzzle solving, and math riddles because I want to make sure that even people who are deafblind or have both hearing and visual impairment can comment in my website and I have a visual and hearing impairment myself. Also, I am very handy with coding in PHP, HTML and CSS. Plus, even though my website does have just a single line of JavaScript code, I do want to avoid JavaScript when it comes to anti-spam plugins whenever I can. When I first tried building my own CMS from scratch, I built my website where the use of JavaScript is minimized, so I want to make sure that anyone with NoScript can still comment in my website as long as they are not bots.

So can anyone give me pointers or recommendations on which anti-spam plugins for comments I can go with?


I don’t use this plugin myself but it seems from this document page:

That you can configure CleanTalk to not use Cookies at all, so on first glance it seems worth a try.

I’ve been starting to look at this recently - I’m a long established user of Kismet (I know, don’t say it!) but I’m trying to find an alternative, seems CleanTalk might be a good alternative. I’d be interested to know if you go ahead and also if anyone else has recommendations on good (or bad) alternatives.

1 Like

Thank you for letting me know about the Set Cookies option. So CleanTalk stores session cookie in visitor’s browser and that reminded me of the “Form Spammer Trap for Comments” plugin. For the “Use alternative mechanism for cookies,” it seems the plugin would either use AJAX or WordPress/ClassicPress REST API in order for the plugin to work.

I make use of Content Security Policy because I only have JavaScript code at the end of the footer.php file for my custom theme and I use the Disable REST API plugin because I do not want any cybercriminals using REST API to assess my website. I even prevent the enumeration of users which is important for security and privacy reasons even though privacy and security are different things; however, hardening my ClassicPress site is one of my habits. With that said, I do have security concerns regarding disabling CSP or deactivating the “Disable REST API” plugin.

However, I did do some research regarding session cookies. According to the web page, session cookies are exempt from EU cookie laws.

So since session cookies (necessary cookies) are exempt from EU cookie laws, does this mean I can go ahead and use CleanTalk (as long as I mention CleanTalk in my privacy policy)? I live in the US and I host my personal website. And even if I do host my personal blogging website, I still have to obey the EU GDPR and cookie laws, which means I cannot embed YouTube or Odysee videos in my website without first creating a cookie consent banner, so I simply post links in my posts to either YouTube or Odysee videos.

I know I sound crazy, but as a privacy enthusiast, my main goal is to not have my website serve cookies and thus avoid having to ask EU citizens to accept my consent. That’s why I started a thread about anti-spam commenting plugins that do not use cookies. I am very strict about my privacy myself even if I do not live in Europe.

GDPR provides exemptions for some cookies. Security and anti-spam cookies should fall under that category. My go to source for GDPR is Iubenda, which is what I use for privacy and cookie solutions. They have a good explanation with examples about this:

1 Like

Okay, so I registered for my CleanTalk account and activated the CleanTalk plugin, but after I click in “Get API Key automatically,” I get the following error:

:hammer: Nov 19 2022 21:21:36: Error occurred while updating SpamFireWall local base. WRONG_SITE_RESPONSE ACTION: sfw_update__worker RESPONSE: “<!DOCTYPE html> <html lang=“en-us” prefix=“og:”> <head> <meta charset=“utf-8” lang=“en” /> <meta name=“viewport” content=“width=device-width, initial-scale=1.0” /> <meta name=“author” content=“Grayson Peddie” /> <title>Grayson Peddie’s Website</title> <style nonce=“t6Gbz04RcZqP1”> body {font-family: Arial, Helvetica, sans-serif;} .thumbnail { float: right; clear: right; margin-l”

Why is this happening? I do not want to add a wp_head() in my header.php file because I do not want to give out any more information such as ClassicPress version number and plugin version numbers. Of course, bots can find version numbers in readme.* files in which I can delete them from my VPS server. Yes, security through obscurity is a bad thing, but hardening my website is all I can do.

Update: I have reviewed the output of HTML within the comment form section of my ClassicPress site and unfortunately, Content Security Policy does not allow embedded scripts and inline styles.

Should I simply disable Content Security Policy entirely? (shrug) :slightly_frowning_face: It seems like I need to have more control over comment_form() and wp_head()… Since I have experience with building my own custom theme and I have written my own custom blogging engine before I switched to ClassicPress, I do not want to trade security for convenience.

Update 2: I tried making a comment as an anonymous user (not logged in) and I get a message saying that I need to enable JavaScript. It seems to me that I need to disable Content Security Policy and I want anyone to be able to comment with JavaScript turned off. Of course, there is not that many people online who use a browser extension such as NoScript. I created a Firefox profile just for the purpose of having a clean slate and even if JavaScript is on, the error message told me I need to enable JavaScript. For this reason, I’ve decided to delete my CleanTalk account.

I will look for another anti-spam plugin that does not require JavaScript or maybe forget about it entirely.

Thanks everyone.

I expect your first issues was due to CleanTalk trying to load an <iframe> on your site to deliver the API key.

Is also seems like comment validation via CleanTalk may be done asynchronously with Javascript based on your second issue.

1 Like

I do not know if it’s possible to write a petition regarding whether to list ClassicPress plugins as Content Security Policy-friendly or not. Is that even possible?

One of the plugin called AntiSpam Bee adds a second textarea and uses inline style to position the textarea off-center using absolute positioning instead of specifying a class name so that I can handle the styling myself. Honeypot for WP Comments is CSP-friendly.

And looks like one of the spambots fell for the honeypot! :grinning:

(Had to blur out the email address and IP address.)

I think I’m going to rely on the honeypot plugin for now. That plugin does not require JavaScript and does not use inline styles.

I just found OOPspam.

no JavaScript, cookies loaded

Seems like a much better alternative to CleanTalk!

(Grayson checks the pricing…)

Oh, wait a minute. False alarm. $49/month is too expensive for me. Yikes. But the good thing is there’s no JavaScript required. I do not need to mess with Content Security Policy. Well, that’s a good find. I did sign up for a free account but only at an impulse. That is my mistake for not checking pricing before I sign up for an account.

Hmm… Maybe a localized version of anti-spam commenting plugin might work? That kind of reminded me of SpamAssassin for Postfix (email).

Anyway, I’ll just deal with deleting spam comments. Time is not money anyway. Plus, I get only a few traffic going to my website anyway.

One option is to use blacklisted keywords to catch spam. Here’s a good, updated list we use:

Just pop it in your Discussions section. Some plugins will automatically update it:

Thanks. I have just added “you realize therefore” to my blacklist. I have never seen or heard anyone use “you realize therefore” at the beginning of the sentence.

Anyway, I’m ready to go ahead and close this thread and manually monitor for spam. Haven’t gotten any real comments so far when I enabled commenting in my website last week.