Hacking The Challenge Question

In my war against spammers I installed a Challenge Question Plugins that ask you for the year before it will post your comments. This Plugin has helped to reduce the number of spams this blog gets. However, there was one major problem with the Plugin.

If you forget to answer the question before submitting the comment, the Plugin takes a new page asking you to answer the question. The problem was, when you go back to the comment page, your comment was gone. This would be very frustrating if you spent a long time writing a detail comment.

To fix that problem, I had coding guru Justin code up a fix. Instead of taking you to a new page if you forget to answer the challenge question, you now get this pop up message.


If you somehow get the answer wrong (for whatever reason), you will get this pop up message.


If you try submitting a blank comment, you will get a pop up message as well but I won’t show you what it says. You can try it yourself. I posted about this fix two days ago and many readers have asked how they can put this hack on their blog. Here is how you do it.

Step 1 – Codes For the Head

Place the follow code inside your blog’s <head> tags. It can go anywhere within the tag just as long as it’s between <head> and </head>.

<script type="text/javascript">
function get_answer(field,alerttxt)
with (field)
if (value!="2007")
{alert(alerttxt);return false}
else {return true}
function validate_required(field,alerttxt)
with (field)
if (value==null||value=="")
{alert(alerttxt);return false}
else {return true}
function validate_form(thisform)
with (thisform)
if (validate_required(author,"Name must be filled out!")==false)
{author.focus();return false}

if (validate_required(email,"Email must be filled out!")==false)
{email.focus();return false}

if (validate_required(answer,"Please answer the question! It’s 2007 in case you
didn’t know.")==false)
{answer.focus();return false}

if (get_answer(answer,"You don’t know what year it is? Here’s a clue. The answer
is 2007!")==false)
{answer.focus();return false}

if (validate_required(comment,"Umm… you going to say anything?")==false)
{comment.focus();return false}

There is no need to change any of the codes that came with the Challenge Question Plugin. The above code just overrides the way it displays the wrong, or no answer. You can customize the codes to give you own custom responses if you don’t like mine.

If you are also running Brian’s Threaded Comments Plugin, then you will need to make one more code change before the Justin hack will work.

Step 2 – Comment Out & Add

Open up your comments.php file in your current WordPress theme and look for
the following line:

<input onclick="if(typeof(onAddComment) == ‘function’) { onAddComment(); }
else { alert(‘ERROR:
It looks like the website administrator hasn\’t activated
the Brians Threaded Comments plugin from the plugin page’); };" name="addcommentbutton"
type="button" id="addcommentbutton" value="Add comment" />

Comment out the above code (or delete it) and directly below it add the
follow line of code:

<input type="submit" name="Submit" value="Submit">

Once again, step 2 is only for people running Brian’s Threaded Comments. If
you haven’t done anything to your comments.php file, then you only need to do
step one.

18 thoughts on “Hacking The Challenge Question”

  1. Leftblank says:

    Thanks for the guide John, I might add this on my CMS-powered webpage as well, sounds like a funny and easy way to get rid of a lot of spam.

  2. Shocker says:

    Oh no, my code is exposed!! Enjoy πŸ™‚

  3. Michael Kwan says:

    Neat. Too bad I can’t implement it on my blog. I’ve been having troubles with it lately… it keeps saying that the session is “timed out”

    1. John Chow says:

      Ya! I got that when trying to make a comment on your blog. Took me three tries before the comment went.

  4. Ryan says:

    I was glad to see this implemented. Nice tutorial, too. πŸ˜€

    Oh, and change the tab order so that when I hit tab I go to the Submit button. If you need help I’ll go through the code for ya. πŸ˜€

  5. Jane says:

    hahaha…I had to try entering the year and no comment…funny stuff!!

    Thanks for sharing this info John…very much appreciated!

  6. Paul says:

    John, from reading your earlier post on spam, it looks like you are having problems from mostly bots spamming, not individuals. Since bots do not execute javascript, why not just make the javascript fill in the answer and remove the box? Something like this:

    window.onload = function(){
    document.getElementById('answer').value = '2007';
    document.getElementById('answerdiv').style.display = 'none';

    Just put it in a tag at the top of your page, and that’s all you have to do.

    From a security point of view:
    – A regular user with JavaScript enabled will not even know the question is there, as the input box and question will disappear when the page is loaded. Before, he would have to fill in the question.
    – A spam bot is blocked because spam-bots do not execute JavaScript
    – A manual spammer does not realize the box is there, as long as he has javascript enabled. Before, a manual spammer would have to enter in the year which would barely slow down a spammer.
    – A regular user without javascript would have to fill in the box, just like before.

    So as far as I can tell the only loss would be the humor that we find in the current version.

    1. Paul says:

      That should read “Just put it in a script tag at the top of your page, and that’s all you have to do.”, but wordpress cut it out. I even spaced it out and everything to try to get around it but wordpress wouldn’t have it, so you’ll have to imagine the “” around the word “script”.

    2. John Chow says:

      Thanks. I’ll have Justin look at doing this.

  7. ThomasDM says:

    The current code isn’t really perfect. It will work fine on every day of the year except on New Year. People will try to enter 2008 but the current script will think it’s still 2007.

    You could solve this by getting the local time from the user but I think this won’t work if the user has JavaScript deactivated. And when you use the local time of the server it won’t work properly because of different time zones.

    1. John Chow says:

      I plan the change the question long before the new year.

  8. Doug Karr says:

    If the plugin allowed you to set the question and the correct response to whatever you’d like, I’d install it!

    If it’s programmed, someone will most likely program a response. Take a look at my Contact Form (not comment form) … I allow the admin to determine the question and response via their settings.

    This way you can select something that would require a human… like, “What kind of fruit is dancing on my page?”. And if they start getting through, you can change it.

    Hmmmmm… perhaps some hacking is in order!

    1. Paul says:

      Doug, it appears the plugin itself (which was not written specifically for this blog) will let you ask any question you can come up with. It is just this hack that only works with John’s question. Sure, it would be easy to modify a bulk spamming script for John’s blog, but it would be unlikely to happen for two reasons:

      1. Spammers take the easy way. If a site takes measures against spam, the spammer might ignore it since there are thousands of blogs around that don’t take measures against spam.

      2. A blogger that has anti-spam measures is more likely to be concerned about spam, and therefore more likely to delete the spam sooner. A spammer is not going to make an extra effort to spam a blogger who has anti-spam measures, because that blogger is less likely to let the spam exist.

      Of course, these assume that the spammer is an intelligent, rational person, which may or may not be the case.

  9. Fenton says:

    Thanks for the guide and tutorial and most importantly getting know the existence of this plugin. πŸ˜‰

  10. Marc says:

    Thanks John, it’s great to see alterations and expansions of plugins.

  11. derrich says:

    Well, given my traffic level (and amount of spam), I wont need this for awhile. The Askimet plugin works great for me right now.

  12. Soultrance says:

    I’m in desperate need of help with some Anti-Spam measures.

    Akismet picks up all my spam no problem, but for the last few days I must be the target of some automated crap because I’ve received close to 2000 spam comment attempts. Akismet nabs them all, but it’s a royal pain in the butt to have to go through 500 spam comments every morning. I usually just end up deleting them all and hope that Akismet didn’t catch a genuine comment in the fold.

    Is there anyway to prevent things like this from happening. At this point I can literally delete all my spam comments, refresh the akismet page and have 2 – 4 more comments waiting. There has to be a way to kill this madness.



    Everyone comment comes from a different IP, but starts with the words “SomegifttoME”, followed by a string of 6 random numbers. WTF is up with that? And they all have an URL including XXX.pics-ratings.org/X.

Comments are closed.