October 30, 2019

How to Add a Custom CAPTCHA Field to WordPress Comments

Spam comments have long been a persistent issue for WordPress websites. If your site has decent traffic and the comment section is open, you’ve likely encountered a flood of unwanted spam. While there are plugins that can add CAPTCHA protection to WordPress comments, introducing an entire plugin for a single feature may negatively affect your site’s performance.

In this tutorial, I’ll show you how to add a custom CAPTCHA field to the WordPress comment form without relying on external plugins. Our CAPTCHA will be a poetic question: “What year is it tonight?”—a twist inspired by traditional Chinese poetry, which we hope will confuse bots.


Step 1: Add a Custom CAPTCHA Field to the Comment Form

To customize the WordPress comment form, we’ll use the comment_form_default_fields filter. This hook lets us modify the array of default form fields and insert our own.

Here’s how to add a new field labeled “What year is it tonight?”:

function wprs_add_captcha_comment_field( $fields ) {
    // WordPress renders these default fields only for visitors who are not logged in.
    $fields['captcha'] = sprintf(
        '<p class="comment-form-captcha">%s %s</p>',
        sprintf(
            // The "for" attribute must match the input's id below.
            '<label for="comment-captcha">%s %s</label>',
            __( 'What year is it tonight?', 'text_domain' ),
            wp_required_field_indicator()
        ),
        '<input id="comment-captcha" name="captcha" size="30" type="text" required>'
    );
    return $fields;
}
add_filter( 'comment_form_default_fields', 'wprs_add_captcha_comment_field' );

After adding this code to your theme’s functions.php file or a custom plugin, refresh your site and check the comment form. If the new field does not appear, your theme or a plugin may be overriding the default comment form. You’ll need to investigate further in that case.


Step 2: Validate the CAPTCHA on Comment Submission

Now that the custom field is visible, we need to validate its input during comment submission. We’ll use the pre_comment_on_post hook, which triggers before the comment is saved.

Here’s the validation logic:

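function wprs_verify_comment_captcha() {
    // Logged-in users never see the CAPTCHA field, so do not validate it for them.
    if ( is_user_logged_in() ) {
        return;
    }

    // Reject an empty answer or one that does not match the current year.
    if ( empty( $_POST['captcha'] ) || (int) date( 'Y' ) !== (int) sanitize_text_field( wp_unslash( $_POST['captcha'] ) ) ) {
        wp_die(
            '<p>' . __( '<strong>Verification failed:</strong> Do you even know what year it is tonight?', 'text_domain' ) . '</p>',
            __( 'Verification failed. Please don’t post spam comments.', 'text_domain' ),
            [
                'response'  => 200,
                'back_link' => true,
            ]
        );
    }
}
// pre_comment_on_post is an action hook, so register the callback with add_action().
add_action( 'pre_comment_on_post', 'wprs_verify_comment_captcha' );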

This function checks:

  • Whether the captcha field was submitted and is not empty
  • Whether the entered value matches the current year (as returned by date('Y'))

If either check fails, the comment is rejected with a friendly but firm message.
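
The year comparison above casts the submitted value to an integer, so an answer such as 2019abc is accepted as 2019. The following added example (not part of the original tutorial; the function names and sample submissions are constructed for illustration) compares that cast with a strict four-digit match in plain PHP:

```php
<?php
// Added example: function names and sample inputs are constructed for illustration.

// Mirrors the tutorial's comparison in plain PHP: cast the answer to int.
function wprs_loose_year_match( $raw, int $year ): bool {
    return is_scalar( $raw ) && (int) $raw === $year;
}

// Strict variant: the answer must be exactly four ASCII digits.
function wprs_strict_year_match( $raw, int $year ): bool {
    if ( ! is_string( $raw ) ) {
        return false; // missing field or array input such as captcha[]=2019
    }
    $answer = trim( $raw );
    return 1 === preg_match( '/\A[0-9]{4}\z/', $answer ) && (int) $answer === $year;
}

// Inside WordPress the expected year could come from (int) wp_date( 'Y' ),
// which follows the site timezone; date( 'Y' ) there is evaluated in UTC.
$expected_year = 2019; // fixed here so the output is reproducible

// Constructed sample submissions, including malformed ones.
$samples = [ '2019', ' 2019 ', '2019abc', '2019.9', '02019', '2018', '', [ '2019' ] ];

foreach ( $samples as $sample ) {
    printf(
        "%-10s loose=%-4s strict=%s\n",
        json_encode( $sample ),
        wprs_loose_year_match( $sample, $expected_year ) ? 'pass' : 'fail',
        wprs_strict_year_match( $sample, $expected_year ) ? 'pass' : 'fail'
    );
}
```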


Summary

As you can see, adding a simple, custom CAPTCHA to your WordPress comment form is straightforward and effective. No need for bulky plugins or external services like reCAPTCHA. With just a few lines of PHP, you can reduce spam and keep your comment section clean.

This method is especially useful for lightweight websites, or those with strict performance and privacy requirements.