Cracking WordPress Hashcash

As many know, WordPress Hashcash (WPHC) is not a hashcash at all. This is more than mere semantics. A true hashcash would protect blogs from spam bots, but WPHC does no such thing. Rather, WPHC merely projects an aura of protection that even the most novice script kiddie can crack.

According to the authors of WPHC:

WP Hashcash is an antispam plugin that eradicates comment spam on WordPress blogs.

Not really; let me explain why.

WPHC inserts JavaScript into your blog’s webpage. By default, a spam bot will not load and run this code, because only web browsers execute it. However, spam bot makers are no Luddites: they can easily pull this JavaScript from the page, run it themselves, and return the resulting hashcash code.
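The contrast the paragraph above draws is between "the client ran some JavaScript" and a genuine hashcash, where each submission costs the sender measurable CPU work that the server can check cheaply. The following is an added illustration of the latter, written for this page; it is not code from the WPHC plugin or from the UnHashcash class discussed in the post. It follows the original hashcash v1 stamp layout (`ver:bits:date:resource:ext:rand:counter`, SHA-1, leading zero bits); the resource name and bit counts are constructed sample values.

```python
import hashlib
import secrets
import time
from typing import Optional

# Added illustration of a real hashcash proof-of-work (hashcash v1 stamp format).
# Not code from WPHC or from the post's UnHashcash class.


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()


def mint(resource: str, bits: int = 20) -> str:
    """Brute-force a stamp whose SHA-1 has at least `bits` leading zero bits.

    Expected cost is about 2**bits SHA-1 evaluations per stamp. That per-comment
    work is what a real hashcash imposes on a bot and what WPHC never demands.
    """
    if ":" in resource:
        raise ValueError("resource must not contain ':' (stamp field separator)")
    date = time.strftime("%y%m%d", time.gmtime())
    rand = secrets.token_urlsafe(12)  # URL-safe alphabet, never contains ':'
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        digest = hashlib.sha1(stamp.encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return stamp
        counter += 1


def verify(stamp: str, resource: str, min_bits: int,
           seen: Optional[set] = None) -> bool:
    """Server-side check: one SHA-1, no brute force.

    Rejects malformed stamps, stamps bound to a different resource, stamps
    that declare too little work, stamps whose hash does not meet the declared
    difficulty, and (when `seen` is supplied) stamps that were already spent.
    """
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1":
        return False
    try:
        bits = int(parts[1])
    except ValueError:
        return False
    if bits < min_bits or parts[3] != resource:
        return False
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < bits:
        return False
    if seen is not None:
        if stamp in seen:
            return False  # double spend: same stamp reused for another comment
        seen.add(stamp)
    return True


if __name__ == "__main__":
    # Constructed resource name standing in for a comment endpoint.
    res = "example.com/wp-comments-post.php"
    start = time.perf_counter()
    stamp = mint(res, bits=16)
    print(f"minted {stamp} in {time.perf_counter() - start:.2f}s")
    print("server accepts:", verify(stamp, res, 16))
```

The asymmetry is the whole point: minting a 20-bit stamp takes on the order of a million hashes, verifying it takes one. WPHC's JavaScript has no tunable work factor, so running it costs a bot essentially nothing; a real hashcash only raises the bot's per-comment price rather than stopping it, but at least it charges something.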

To prove this, see the PHP class UnHashcash below, which takes the HTML of a blog post, processes the JavaScript, and returns the purportedly secure hashcash code.

I present this code as a clear example of why people should not assume that WPHC will protect their blogs from spam. The simplest solution is to require member sign-up, or to use CAPTCHAs and Akismet.

Oh, and I know this blog is running WPHC. I’m looking forward to some spam bots. Spam Ahoy!

Update: 20 Feb 2016

The blog has moved to static Hugo, so, sorry, it is no longer running WPHC.