Bad Behavior spam-blocking for Expression Engine 2

June 8, 2011 at 5:58pm.

This entry is about Expression Engine


Way back in the dark ages (well, 2007), Paul Burdick wrote an extension to use Bad Behavior spam blocking on an Expression Engine website. Since then, many things have happened—Expression Engine 2 was released, I got married and moved to Oregon—and many things have not—the apocalypse, an EE2 version of Bad Behavior. I decided it was high time to remedy that last item.

I have been using Low’s excellent NoSpam add-on for years and still recommend it highly. However, it has it’s limitations. The biggest issue for me is that it does not block spam submissions to SAEF forms. Additionally, it doesn’t do its filtering until after the form is submitted, meaning that all that spam traffic is putting additional load on your poor server.

Bad Behavior is an open-source script that has been around for a long time and is well-respected. It works differently than Akismet or other popular anti-spam scripts, in that it prevents spammers from accessing your website at all. The Bad Behavior script runs at the beginning of page load and checks a variety of data about the request to identify spammers. If it decides a particular request is suspicious, it immediately stops Expression Engine from processing the rest of the page and displays a simple error message. As a general rule, Bad Behavior attempts to never block legitimate users, even if that means the occasional spammer does get through. Therefore, you may want to run Low NoSpam or another comment-spam filter as a second line of defense.

Generally, you can just upload and activate the extension to be protected. There are settings you can tweak to fine-tune the way Bad Behavior works, but doing so is not necessary. Optionally, it will also check requests against Project Honey Pot’s http:BL, a blacklist of known spammers. To use that feature, you will need to sign up for an API key and enter it on the extension settings page.

The settings page also displays detailed logs for the past week (which is as long as Bad Behavior stores log data). This can be useful in resolving false-positives.

VZ Bad Behavior


Download and unzip the extension. Upload the “vz_bad_behavior” folder to your /system/expression_engine/third_party/ folder. Finally, enable the extension in your control panel. You can change some settings if you want, but there is usually no need to.

Visit the VZ Bad Behavior repo on GitHub

P.S. If you appreciate the decrease in spam you see after installing this extension, don’t thank me. It only took me a couple hours to put this together. Thank Michael Hampton, the developer of the Bad Behavior library. Even better: make a donation to support its development.


Ibn Saeed gravatar

Ibn Saeed on June 8, 2011 at 6:49pm#1


I have one question, will this work with Safecracker ?

EliVZ gravatar

EliVZ on June 8, 2011 at 6:53pm#2

Bad Behavior works before Expression Engine starts generating the page, so spammers won’t be able to see your website at all. So it keeps them from spamming SafeCracker, FreeForm, EE contact forms, etc.

Michael Fraase gravatar

Michael Fraase on June 9, 2011 at 9:20pm#3

Installed the extension and enabled it. Appears to be working. Added the Project Honeypot API key and received the following errors:

A PHP Error was encountered

Severity: Notice

Message: Undefined index: log_table

Filename: vz_bad_behavior/ext.vz_bad_behavior.php

Line Number: 96

A Database Error Occurred
Error Number: 1064

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘WHERE `key` NOT LIKE ‘00000000’’ at line 1

SELECT * FROM WHERE `key` NOT LIKE ‘00000000’

Filename: third_party/vz_bad_behavior/ext.vz_bad_behavior.php

Line Number: 96

EliVZ gravatar

EliVZ on June 10, 2011 at 1:48am#4

Michael- Sorry about that. I just uploaded a new version to GitHub that should fix the bug. You might need to disable and re-enable the extension for it to take effect.

Mark Collins gravatar

Mark Collins on August 18, 2011 at 8:04pm#5

Thank you kindly sir :)

Christian Engelhardt gravatar

Christian Engelhardt on December 14, 2011 at 1:08am#6

Is it possible to exclude a post address? We are running an extension using a post address /index.php/?ACT=31 to post back variables. The posting app is hosted on a different IP and my variables get never posted with your extension. It does do a good job preventing spam…

EliVZ gravatar

EliVZ on December 14, 2011 at 1:25am#7


Do you have the “Allow off-site posting to forms” box checked in settings? By default, direct posting from other IPs is disabled, as that is how most comment spam is generated, but checking that box should enable it. Let me know if you already have that set and it still isn’t working.

Paul Hachmang gravatar

Paul Hachmang on November 3, 2012 at 2:21pm#8

Hi There,

I’m having trouble blocking spam on our website, installed reCAPTCHA, Honeypot EE plugin, This one, Added the http:BL key, but spam messages are still coming in and since we are unable to block them through the email we have to log in to the admin panel and block them there, which is a lot of work.

Have any solution perhaps?

Tobin Rogers gravatar

Tobin Rogers on December 14, 2012 at 6:41am#9

I’m also running into a ton of spam on a couple of sites.  Does this work in a MojoMotor form?  If so, how would I properly install it?  Thanks for any help.

Eli Van Zoeren gravatar

Eli Van Zoeren on December 14, 2012 at 7:14pm#10

Tobin- No, MojoMotor requires a different extension format than ExpressionEngine. I’m sure Bad Behavior could be adapted to it, but as far as I know it hasn’t been done so far.

Tobin Rogers gravatar

Tobin Rogers on December 15, 2012 at 6:44am#11

Thanks, Eli.  Do you know of any other possibilities for MojoMotor?  I’m currently regretting the decision of using it.

EliVZ gravatar

EliVZ on December 16, 2012 at 12:48am#12

Do you mean other possibilities for spam-blocking on MojoMotor? No, I have never used MM and don’t know what is available for it. Sorry. Or it you mean another possibility for a CMS to use instead, I would suggest you take a look at Statamic. That’s what I’ve been using recently for small projects and it’s quite nice.

saddas gravatar

saddas on February 2, 2013 at 8:26pm#13


erik gravatar

erik on June 6, 2013 at 3:04pm#14

I’m using EE 2.3.1, I put vz_bad_behavior into ../system/expressionengine/third_party and it’s not showing up in the extensions panel so I can’t enable it. Do I need to upgrade my EE version or what’s going on?

EliVZ gravatar

EliVZ on June 7, 2013 at 10:09am#15

Did you upload the folder *inside* the download? You might have uploaded the outside folder (with README) in it, which would keep EE from seeing it.

Lutz gravatar

Lutz on July 4, 2013 at 8:40am#16

Do you plan to update Bad Behavior lib to 2.2.14? Or, works replacing just the bad-behavior folder with the one provided at the Bad Bahavior site?

EliVZ gravatar

EliVZ on July 9, 2013 at 10:25am#17

Oh, I think 2.2.14 was released while I was traveling and I missed it. I will try to get that update out later this week. There’s a little more to it than replacing the folder, unfortunately, but it won’t take too long.

Lutz gravatar

Lutz on July 9, 2013 at 11:25am#18

Great, thanks a lot!

EliVZ gravatar

EliVZ on July 12, 2013 at 10:57am#19

Lutz- Okay, 1.4 is out with the newest version of the BB library. Get it here:

Lutz gravatar

Lutz on July 12, 2013 at 7:08pm#20

I look forward to install it, thanks again. Especially for adding a setting to disable logs!

Lutz gravatar

Lutz on July 13, 2013 at 8:57am#21

I installed 1.4, thanks again. After the update displaying detailed logs was not working. I tried changing the setting to disable logs, then back to enable logs, but this doesn’t help.
Have a nice weekend!

Jack gravatar

Jack on August 14, 2013 at 9:02pm#22

Is there an easy way to switch it off locally? Having issues logging in locally. Having settings in a bootstrap config.php would be nice.

EliVZ gravatar

EliVZ on August 16, 2013 at 10:33am#23

Jack- that’s a good idea. I’ll try to get it added into the next version, or if you’re handy with PHP you are welcome to add it yourself and submit a pull-request. It will be a couple weeks before I can find time, since I am traveling right now.

EliVZ gravatar

EliVZ on August 23, 2013 at 9:54pm#24

For anyone who’s following along, the VZBB configuration can now be set in your configuration file for better multi-server support.

Lutz gravatar

Lutz on December 16, 2014 at 1:25pm#25

Hi Eli, are there any plans to build a Craft version? #craftcms

Eli Van Zoeren gravatar

Eli Van Zoeren on December 17, 2014 at 2:04pm#26


It’s not something I’m currently working on, but I will definitely consider it. It shouldn’t be too hard to port over, since most of the work happens in the open source BB library. Thanks for the push!

Lutz gravatar

Lutz on December 18, 2014 at 12:22pm#27


that would be great, I really would appreciate that a lot. I currently think about a migration of an EE site to Craft, but VZ Bad Behavior seems to be a big help there, they are blocking around 20k+ access attempts the week with it… Thanks a lot!

Got something to say?