Form Checking
Only Use the Plugin for Standard WordPress Forms (not recommended)
Stop Spammers kicks off whenever someone fills out a form and presses submit. It checks ALL the forms on your website, not just comments and logins. If this option is enabled, it will limit the plugin to checking wp-comments-post.php and wp-login.php only.
Members Only Mode
Require Users to Be Logged in to View Site
All pages, except for the homepage, will be locked behind a login screen.
Prevent Lockouts
Automatically Add Admins to Allow List
Whenever an administrative user logs in, the IP address is added to the Allow List. This means that you can’t be locked out unless your IP address changes or you log in from a different location. As soon as a login is successful then the IP is white-listed to prevent future problems. Disable this if you think that you will never be locked out.
Check Credentials on All Login Attempts
Normally the plugin checks for spammers before WordPress can try to log in a user. If you check this box, every attempt to log in will be tested for a valid user. This may allow a hacker to guess your user ID and password by making thousands of attempts to login. This is turned on initially to prevent you from being locked out of your own blog, but should be unchecked after you verify that the plugin does not think you are a spammer.
Notification Control
Manage the spammy notices at the top of your admin pages that many plugins come packed with. It’s easy to see several at any time, and they push the content down the page. Save yourself the extra clicks to hide a notice each time you update, and keep them hidden for good by selecting the “Keep Hidden” button. There are also more advanced notification features in Premium, including the ability to hide all notices at once. If you change the setting, you may need to clear your cache to see the change take effect.
Validate Requests
Block Spam Missing the HTTP_ACCEPT Header
Blocks users whose HTTP_ACCEPT header is missing or incomplete. All browsers provide this header. If a hit on your site is missing the HTTP_ACCEPT header, it is because a poorly written bot is trying to access your site.
Block Invalid HTTP_REFERER
When you submit a form, all browsers provide the web page that submitted the form. If this referring page is missing or does not match your website then the submission is probably from a program accessing your site. Some phone apps try to log in without the correct header. You may want to disable this function if you log into your website from your mobile device. Test it first – the better written apps provide the referring page.
Block Disposable Email Addresses
Spammers who want to hide their true identities use disposable email addresses. You can get these from a number of sites. The spammer doesn’t have to register. He just picks up any mail anonymously. Legitimate users use their real email address. It is very likely that anyone using a disposable email address is a spammer.
Check for Long Emails, Author Name, or Password
Spammers can’t resist using very long names and emails. This rejects these if they are over 64 characters in length.
Check for Short Emails or Author Name
Spammers sometimes use blank usernames or author names. If you are having trouble with a plugin or theme not using the correct fields with rejects for short usernames, then uncheck this box.
Check for BBCodes
BBCodes are codes like [url] that spammers like to place in comments. WordPress does not support BBCodes without a plugin. If you have a BBCode plugin then disable this. This will mark any comment that has BBCodes as spam.
Check for Periods
An email with more than 2 periods (1 to separate a name and 1 after the TLD) is often a sign of a spammer.
Check for Hyphens
Spammers like to use hyphens in their emails. With this check enabled, an address with more than one hyphen is blocked.
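The header and field checks in this section are simple enough to read as code. The following is an added example, not code from the Stop Spammers plugin: stand-alone PHP versions of the HTTP_ACCEPT, HTTP_REFERER, long/short field, BBCode, period and hyphen checks. The function names, the exact notion of an "incomplete" Accept header (here: empty, or no MIME type in it), and the sample requests are assumptions made for this demo; in a plugin these functions would run from the comment and login hooks.

```php
<?php
// Added example, not code from the Stop Spammers plugin: stand-alone PHP versions
// of the header and field heuristics described above. Function names, the
// "incomplete Accept" rule, and the sample requests below are assumptions.

const SSP_MAX_FIELD_LEN = 64; // "Check for Long Emails, Author Name, or Password"
const SSP_MAX_PERIODS   = 2;  // "Check for Periods": more than 2 is rejected
const SSP_MAX_HYPHENS   = 1;  // "Check for Hyphens": more than 1 is rejected

/**
 * Header checks. $server is shaped like PHP's $_SERVER. Returns a list of
 * reasons the request failed; an empty list means it passed.
 */
function ssp_check_headers(array $server, string $site_host): array
{
    $reasons = [];

    // Every browser sends Accept. A missing or empty header, or one that
    // contains no MIME type at all, is treated as "missing or incomplete".
    $accept = trim($server['HTTP_ACCEPT'] ?? '');
    if ($accept === '' || strpos($accept, '/') === false) {
        $reasons[] = 'missing or incomplete HTTP_ACCEPT';
    }

    // The referring page must be present and must be on this site.
    $referer_host = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    if (!is_string($referer_host) || strcasecmp($referer_host, $site_host) !== 0) {
        $reasons[] = 'missing or foreign HTTP_REFERER';
    }

    return $reasons;
}

/**
 * Field checks for a comment or login form. Same return convention.
 */
function ssp_check_fields(string $author, string $email, string $content): array
{
    $reasons = [];

    foreach (['author' => $author, 'email' => $email] as $field => $value) {
        if (strlen($value) > SSP_MAX_FIELD_LEN) {
            $reasons[] = "$field longer than " . SSP_MAX_FIELD_LEN . " characters";
        }
        if (trim($value) === '') {
            $reasons[] = "$field is blank";
        }
    }

    // BBCode tags such as [url], [url=...] or [/url]; disable if a BBCode plugin is in use.
    if (preg_match('#\[/?[a-z]+(?:=[^\]]*)?\]#i', $content)) {
        $reasons[] = 'BBCode in comment';
    }
    if (substr_count($email, '.') > SSP_MAX_PERIODS) {
        $reasons[] = 'too many periods in email';
    }
    if (substr_count($email, '-') > SSP_MAX_HYPHENS) {
        $reasons[] = 'too many hyphens in email';
    }

    return $reasons;
}

// Constructed sample requests (not captured traffic).
$site_host = 'example.com';
$browser = [
    'HTTP_ACCEPT'  => 'text/html,application/xhtml+xml,*/*;q=0.8',
    'HTTP_REFERER' => 'https://example.com/2024/hello-world/',
];
$bot = ['HTTP_REFERER' => 'https://other.example/post']; // no Accept header at all

print_r(ssp_check_headers($browser, $site_host));
print_r(ssp_check_headers($bot, $site_host));
print_r(ssp_check_fields('Alice', 'alice@example.com', 'Nice post, thanks.'));
print_r(ssp_check_fields('XiSW8AbFeGyJfRR', 'x-y-z@mail.a.b.c', 'See [url=http://spam.invalid]this[/url]'));
```

Each function returns the reasons rather than blocking directly, so the caller can log why a request was stopped; that record is what you need when a legitimate user reports being rejected and you have to decide which check to turn off.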
Check for Quick Responses (disabled if caching is active)
The plugin will drop a cookie with the current time in it. When the user enters a comment or tries to log into the system, the time is checked. If the user responds too fast, he is a spammer. If cookies are not supported, this is disabled. Use the timeout value below to control the speed (stops the most spammers of all the methods listed here).
- Response Timeout Value: This is the time used to determine if a spammer has filled out a form too quickly. Humans take more than 10 seconds, at least, to fill out forms. The default is 4 seconds. If a user takes 4 seconds or less to fill out a form they are not human and are blocked. Users who use automatic passwords may show up as false positives, so keep this low.
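The quick-response check above relies on a cookie that carries the time the form was served. As an added example that is not the plugin's own code, the block below implements that check in PHP with the page's 4-second default. One thing is added beyond what the page describes: the timestamp is signed with an HMAC so a bot cannot simply set an old time in its own cookie; a cookie that is missing or fails the signature check is treated, as the page says for unsupported cookies, as "check disabled". The secret, the function names and the sample times are assumptions.

```php
<?php
// Added example, not code from the Stop Spammers plugin. The HMAC signature is an
// addition to the page's description; the secret and sample times are assumptions.

const SSP_MIN_SECONDS = 4; // the page's default "Response Timeout Value"

/** Value to put in the timer cookie when the form is rendered. */
function ssp_timer_cookie(int $issued_at, string $secret): string
{
    return $issued_at . '.' . hash_hmac('sha256', (string) $issued_at, $secret);
}

/** Returns the issue time from a valid cookie, or null if absent or tampered with. */
function ssp_parse_timer_cookie(?string $cookie, string $secret): ?int
{
    if ($cookie === null || !preg_match('/^(\d+)\.([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    $expected = hash_hmac('sha256', $m[1], $secret);
    return hash_equals($expected, $m[2]) ? (int) $m[1] : null; // constant-time compare
}

/**
 * true  = form came back too fast, block the submission;
 * false = pass. With no usable cookie the check is disabled, so it passes.
 */
function ssp_too_fast(?string $cookie, int $now, string $secret, int $min = SSP_MIN_SECONDS): bool
{
    $issued = ssp_parse_timer_cookie($cookie, $secret);
    if ($issued === null) {
        return false;
    }
    return ($now - $issued) <= $min; // "4 seconds or less" is blocked
}

$secret = 'replace-with-a-per-site-secret'; // assumption: kept in the plugin settings
$issued = 1700000000;                       // constructed times, not real traffic
$cookie = ssp_timer_cookie($issued, $secret);

var_dump(ssp_too_fast($cookie, $issued + 2, $secret));  // form returned after 2 s
var_dump(ssp_too_fast($cookie, $issued + 30, $secret)); // form returned after 30 s
var_dump(ssp_too_fast('0.' . str_repeat('0', 64), $issued + 30, $secret)); // bad signature
var_dump(ssp_too_fast(null, $issued + 1, $secret));     // no cookie: check disabled
```

Because a missing cookie disables the check, a submission that simply omits it is not stopped by this rule alone; this is why the page presents it as one of several checks rather than a gate on its own.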
Block 404 Exploit Probing
Bots often search your site for exploitable files. If there is a match to a known exploit URL, this will automatically add the IP address to the Block List.
Block IPs Detected by Akismet
Akismet does a good job detecting spam. If Akismet catches a spammer, then the IP address should be added to the bad IP cache. Akismet will continue to block comment spam, but if there is a login or registration attempt from the same IP, it will be blocked.
Check for Exploits
This checks for the PHP eval function and typical SQL injection strings in comments and login attempts. It also checks for JavaScript that may potentially be used for cross domain exploits.
Block Login Attempts Using ‘admin’ in Username
When a spammer starts hitting the login page with ‘admin’ anywhere in the login ID and there is no matching user, it is a spammer trying to figure out your password, and the IP is added to the Block List immediately. This only works if you do not have any users with ‘admin’ in their username. It is dangerous to have a username ‘admin’. Sites get thousands of hits from bots trying to guess the admin password. This has the side effect of preventing users from registering a username with the word admin in it. Users cannot register with ‘admin2’, ‘superadmin’ or ‘Administrator’.
Check Against List of Ubiquity-Nobis and Other Spam Server IPs
A list of hosting companies who tolerate spammers. They are the source of many comment spam and login attempts. This blocks many of them.
Check for Major Hosting Companies and Cloud Services
Your users should come from ISPs only. If a request comes from a web host such as Softlayer, Rackspace, or Amazon AWS, it is likely that the user is a spammer who is running some spam software to attack your site.
Check for Tor Exit Nodes
Spammers can conceal their bad activities by accessing your website and commenting through Tor.
Check for Many Hits in a Short Time
Spammers hit your site over and over again. If you get more than the specified hits in the specified time, the spammer will be stopped, added to the bad cache, and shown the challenge page.
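The "many hits in a short time" rule is a per-IP sliding-window counter. The following is an added example, not the plugin's own code: it counts hits per IP, drops timestamps older than the window, and on the first hit over the threshold writes the IP into a bad cache so that later requests from it are stopped without counting. The threshold, the window, the in-memory arrays and the sample hit sequence are assumptions; a real plugin would persist the counters between requests.

```php
<?php
// Added example, not code from the Stop Spammers plugin. Threshold, window,
// in-memory storage and the sample hits are assumptions for this demo.

const SSP_MAX_HITS   = 5;  // assumed: more than this many hits ...
const SSP_WINDOW_SEC = 60; // assumed: ... within this many seconds

/**
 * Record one hit from $ip at time $now.
 * $hits:      ip => list of recent hit timestamps
 * $bad_cache: ip => time the IP was flagged
 * Returns true when the request should be stopped and shown the challenge page.
 */
function ssp_record_hit(array &$hits, array &$bad_cache, string $ip, int $now): bool
{
    if (isset($bad_cache[$ip])) {
        return true; // already flagged: stop it without counting
    }

    // Keep only timestamps still inside the window, then add this hit.
    $recent = array_filter($hits[$ip] ?? [], fn(int $t): bool => $t > $now - SSP_WINDOW_SEC);
    $recent[] = $now;
    $hits[$ip] = array_values($recent);

    if (count($hits[$ip]) > SSP_MAX_HITS) {
        $bad_cache[$ip] = $now; // "added to the bad cache"
        return true;
    }
    return false;
}

$hits      = [];
$bad_cache = [];
$t0        = 1700000000; // constructed base time

// Constructed sequence: one address paces its requests, the other hammers the login page.
foreach ([0, 20, 40, 70, 90] as $offset) {
    ssp_record_hit($hits, $bad_cache, '203.0.113.10', $t0 + $offset);
}
for ($i = 0; $i < 8; $i++) {
    $blocked = ssp_record_hit($hits, $bad_cache, '198.51.100.7', $t0 + $i);
    echo 'hit ' . ($i + 1) . ' from 198.51.100.7: ' . ($blocked ? 'blocked (challenge page)' : 'allowed') . PHP_EOL;
}
print_r($bad_cache);
```

The bad-cache entry carries the time it was written, so an expiry can be applied to it; without one, a shared or dynamic address that was briefly abused would stay blocked for every later user of it.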
Check for Amazon Cloud
You can block comments and logins from Amazon Cloud Servers using this setting. It may be that good services use Amazon Cloud servers so you may not want to use this. Be careful about blocking Amazon. Sometimes you get spam from one of their servers, but they shut it down right away.
Filter Login Requests
Some plugins and themes bypass the standard registration forms. If you check this, Stop Spammers will try to intercept the login in the WordPress user login module. This will cause some overhead, but gives Stop Spammers another shot at detecting spam. This is turned off by default because it could potentially be called at every page load.
Block Countries
Blocking countries only blocks the known spam blocks from those countries. Blocking residential ISPs in countries where spammers are quickly shut down is avoided. Blocking the US will not block Cox, Verizon, AT&T, etc. It will block hosting companies that send out spam that are located in the US.
Blocking RU will, however, block most of Russia, because Russian ISPs do not shut down zombie computers in residential blocks. If you block countries, make sure that you have set the Challenge to use a CAPTCHA screen so that legitimate users can get into your site even if blocked.
The biggest countries can put a strain on memory. US, Russia, India, Ukraine, Brazil, China, and Indonesia (in that order) are the sources of most spam, but they also take up to a half a meg of memory to load. This may slow things a little and in some cases might shut down your site. If you are using a free or low-budget host to run your site, there could be a problem.
Hi if we are a UK based company only trading in the UK, what happens if I block all other countries in the settings?
I have a flood of Spammers going through your plugin.
It would be easy to filter those if there were an option to filter names where more than 4 (to configure) changes occur between lower/upper-case characters and characters/numbers.
See such names here:
ID #6255: XiSW8AbFeGyJfRR
ID #6254: MLirmDNvmaWa6vuD7zi
ID #6253: 11EkicRTGFQ7IRgsBys
ID #6252: iA1PNHfyD1U6hjnYP4
ID #6251: jfNB6Vy07jE4ptWI
ID #6250: MS70CGysp4ZGUr
ID #6249: 1M86kqOTsTHzGvj
ID #6248: AGfCQBRygGjnQLoLJU2H
ID #6247: V7L3DCgCtXnFOTH
ID #6246: YXRMV6Ibkh6xTH
ID #6244: REpHGulm2Rux
ID #6243: 1IBxQ7fQzEeq9g8xbf
ID #6242: Sn6t1hIgAw
Best regards
Hi Christian, thank you for your feedback. We are currently evaluating the best filtering mechanism for the use case you’ve outlined. I hope to have the feature ready to go in our next update.