Ben Marshall


WordPress Zero Spam Plugin


Why should your users prove that they’re humans by filling out captchas? Let bots prove they’re not bots with the WordPress Zero Spam plugin.

WordPress Zero Spam blocks registration spam and spam in comments automatically without any additional config or setup. Just install, activate, and enjoy a spam-free site.

Zero Spam was initially built based on the work by David Walsh.

Major features in WordPress Zero Spam include:

  • No captcha, because spam is not users’ problem
  • No moderation queues, because spam is not administrators’ problem
  • Blocks spam registrations & comments with the use of JavaScript
  • Contact Form 7 support if installed and activated
  • Gravity Form support if installed and activated
  • BuddyPress support if installed and activated
  • Supports caching plugins to help provide great performance
  • Blocks spammy IPs from ever seeing your site
  • Extend the plugin with action hooks
  • Optional logging, so you can see who’s trying to spam
  • Advanced settings for complete control

Languages: English

If you have suggestions for a new add-on, feel free to email me at Want regular updates? Follow me on Twitter or visit my blog.

Download Now (Version 1.5.3) Fork on GitHub WordPress Repo Report Issue



  • Fixed Gravity Form issues


  • Added IP location service
  • Improved pagination
  • Made date/times match the site’s WP time, not the server’s
  • Removed the banner image to boost performance
  • Enhancements to the admin JS to boost performance
  • Works with Multisite as network activated or per sub site
  • Added BuddyPress support


  • Added missing code documentation and fixed typos
  • Fixed issue with settings not getting initially saved when the plugin is activated
  • Added ability to auto block spam IPs
  • Added paging to spammer log and blocked IPs
  • Added additional stats and graphs
  • Fixed issue with comment moderators not being able to reply to comments
  • Fixed issue with DB errors when first activating plugin


  • Switched to using a nonce to validate form submissions that support WordPress Zero Spam
  • Added Zero Spam plugin settings page for advanced control
  • Fix for non-logged in users (thanks @afragen)
  • Added blank index.php files to prevent directory browsing (thanks @TangRufus)
  • Added uninstall.php (thanks @TangRufus)
  • Added support for GitHub Updater plugin (thanks @afragen)
  • Added support for Contact Form 7 form submissions (thanks @leewillis77)
  • Added ability to log spam detections
  • Fix for warnings caused by default settings not being set before actions run (thanks @leewillis77)
  • Installed Compass
  • Added support for Gravity Forms
  • Fixed potential issue with sites that use caching plugins
  • Fixed minor typos (thanks @macbookandrew)


  • Added `zero_spam_found_spam_comment` and `zero_spam_found_spam_registration` action hooks (thanks @tangrufus)
  • Minor updates to the readme file

1.3.1 – 1.3.3

  • Minor fixes to WP SVN repo


  • Removed Grunt creation of the trunk directory
  • Added spam detection script to registration form


  • Fixed some typos in the readme.txt file


  • Removed testing for core function testing
  • Fix for adding comments from admin (thanks @afragen)
  • Removed unneeded WP svn trunk and tags folders from the git repo (thanks @afragen)


  • Updated theme documentation.
  • WordPress generator meta tag removed to help hide WordPress sites from spambots.


  • Initial release.


Author Marion

Posted at 9:04 am July 22, 2014.

A few ideas to help deter bots.

1) When the plugin is activated, make a random string and use it as the name of the field to check against. This would require the bot to change its attack per WP install to bypass the field.

2) Require the REQUEST_METHOD to be POST


Author Lucas Karpiuk (@karpstrucking)

Posted at 6:31 am July 24, 2014.

I came to make a similar suggestion as Marion. Is there a github available for contributions?


    Author Ben Marshall

    Posted at 7:41 am July 24, 2014.

      Author Marion

      Posted at 8:25 am July 24, 2014.

      I actually added these mods after I downloaded the plugin, but where I ran into the snag was in getting the random field name back into the JavaScript.

      I had not seen the code before I made the suggestions. The biggest looming issue is how to get the random field name into the form on submit w/o broadcasting its name back in the code before it’s triggered?

      I’ve thought of a few ways to eloquently get the random field where it needs to be, but once it’s in the source code, all a bot has to do is search for the known file name, extract the field name, and then all we’ve done is wasted our time.

      I keep thinking the resolution to this is an AJAX request on the form fields, but then I start thinking about too many things that could go wrong w/ that… and then I get indecisive.


        Author Lucas Karpiuk (@karpstrucking)

        Posted at 2:10 pm October 4, 2014.

        I’m working on a similar plugin to Ben’s for Gravity Forms specifically and have been pondering this same issue. The current prototype uses a defined field name, but the value is being generated randomly and included in the form at submission. Even though the value is random, it’s displayed in the source code as JavaScript. I ended up coming to what I suspect is the same approach you’re imagining – trigger an ajax call on page load that retrieves the randomly generated code (stored in a short-term, form-specific transient) and then adds it to the form. This would keep the random value out of the source code. I suppose it could potentially fall apart in the case of a JS error or interruption of the ajax call – but I can’t think of a situation that would cause this approach to fail that wouldn’t also cause David and Ben’s approach to also fail.


          Author Marion

          Posted at 5:00 pm October 4, 2014.

          Using the transient data is a good idea. That would be an excellent way to pull this off.


          Author Lucas Karpiuk (@karpstrucking)

          Posted at 5:54 am October 6, 2014.

          I’ll link you to the code once I’ve had a chance to put something together that works. I might actually try to use the WP Nonce system for this rather than Transients.
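
The scheme this thread converges on, as an added example that is not part of the original comments or the plugin's code: a per-install random field name, a POST-only check, and a short-lived, form-specific token handed out after page load. It is a Node.js model with hypothetical names throughout, and it uses a stateless HMAC token in place of the stored transient Lucas describes, which is a substitution made here.

```javascript
// Added example: server-side model of the token scheme discussed in the thread.
// All function names, the "zs_" prefix and the form ids are hypothetical.
const crypto = require('crypto');

// Done once at activation (Marion's idea 1): a secret and a random field name.
function newInstall() {
  return {
    secret: crypto.randomBytes(32),
    fieldName: 'zs_' + crypto.randomBytes(8).toString('hex'),
  };
}

// MAC binds the token to one form and one expiry time.
function sign(install, formId, expires) {
  return crypto.createHmac('sha256', install.secret)
    .update(`${formId}|${expires}`).digest('hex');
}

// What the AJAX endpoint would return after page load, so the value
// never appears in the static page source.
function issueToken(install, formId, now, ttlSeconds = 600) {
  const expires = now + ttlSeconds;
  return `${expires}.${sign(install, formId, expires)}`;
}

// Submission check: POST only (idea 2), field present, unexpired, MAC valid.
function checkSubmission(install, req, formId, now) {
  if (req.method !== 'POST') return 'reject: not POST';
  const token = req.body[install.fieldName];
  if (typeof token !== 'string') return 'reject: field missing';
  const [expStr, mac] = token.split('.');
  const expires = Number(expStr);
  if (!Number.isInteger(expires) || typeof mac !== 'string') {
    return 'reject: malformed';
  }
  if (expires < now) return 'reject: expired';
  const expected = Buffer.from(sign(install, formId, expires));
  const given = Buffer.from(mac);
  // Constant-time comparison; lengths must match before timingSafeEqual.
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) {
    return 'reject: bad token';
  }
  return 'accept';
}
```

Because the token is stateless it can be replayed until it expires; a stored single-use value, as in the transient variant, closes that gap at the cost of server-side state.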


Author sstern

Posted at 9:34 am July 24, 2014.

I’ve installed on my site, on which Akismet was marking about 40 comments/day as spam. Since installation, either no one has tried to comment or all that spam is just being blocked.


    Author Marion

    Posted at 9:59 am July 24, 2014.

    A simple test would be to make a comment while you’re not logged in, and confirm it’s working. Then find how to disable JavaScript in your browser of choice and try to comment again. With JavaScript disabled you should see the failure message.


      Author sstern

      Posted at 10:22 am July 24, 2014.

      Thanks. It works! (And boy oh boy, does my site fail badly with JS turned off.)


Author Tom McGee

Posted at 10:26 am July 30, 2014.

I noticed that it blocks comments I make myself from the WordPress admin screens, both the post-edit screen and the comments-reply panels. When I temporarily disabled the plugin, I was able to comment.


    Author Ben Marshall

    Posted at 10:16 am August 12, 2014.

    This will be fixed in the next release.


Author Christoph Weber

Posted at 5:15 pm July 30, 2014.

Would be nice if this slim plugin could be extended to other forms without adding much bulk. Contact form comes to mind.


    Author Ben Marshall

    Posted at 9:02 am August 18, 2014.

    Hooks will be included in the next release to enable the ability to extend the plugin.


Author rauf

Posted at 1:55 am September 16, 2014.

Great Plugin. A Big relief from Spam moderation ;)


Author Dan

Posted at 7:17 pm December 2, 2014.

Hi Ben!

Very innovative plugin concept… love the original post behind it and all the commentary following. :-)

Is there a way to make this work for the WordPress login page as well?

Users HATE traditional captchas, even simple ones… but could this be reliable enough as far as compatibility with any browser to work for a login page?


