“Nonce! Please” is a simple plugin that prevents brute-force comments and trackbacks from spammer.


Akismet is a great plugin to block spam comments/trackbacks. It detects spams completely. But, Akismet allows to accept unsolicited feedbacks, and to store them in the database. It is weaker act to fight with spams. A better way is to reject them.

Also, the architecture of WordPress is vulnerable for spammer. Because the comment API is fixed URL like: “wp-comments-post.php”, “wp-trackback.php, or “http://blog.example.com/archives/99/trackback/”. Therefore, spammers can easily post bulk comments/trackbacks to WordPress weblogs.

“Nonce! Please” add a nonce (random strings) to the comment hidden field and/or the trackback URL. A valid comment and/or trackback should have a nonce string. Bulk feedbacks will not have nonce.
This plugins also verifies that a new comment/trackbacks has the valid nonce. If there is no nonce or an invalid one, the feedback is rejected.

Adding and detecting nonce is automatic, users are not do anything!


“Nonce! Please” can be installed in 2 steps:

  1. Unzip “nonce_pleaseNNN.zip” archive and put only the nonce_please.php file into your “plugins” directory (wp-content/plugins/) of the server.
  2. Activate the plugin.


The licence of this plugin is GPL v2.


If you are using cacheing plugins (such as WP-Cache, WP Super Cache), make sure that caching time less than 12 hours. Because WordPress nonce string will change in 12 hours cycle and valid for 24 hours. If caching longer than 12 hours, invalid nonce will be survived at your site.