As your WordPress site gets noticed and generates traffic, it becomes a natural target for spammers. If you’re noticing posts on your site that you don’t expect, or see users in the Dashboard that you didn’t create, you have other security problems. Most likely, your posts will accrete a variety of spam comments as a side effect of being popular.
You can recognize spam by a list of links within the comment, or [p2p type=”slug” value=”6-strategies-to-generate-new-content-easily”]content-free[/p2p] comments saying that the poster enjoyed your writing, with an attached URL or source address that invites you to a less-than-reputable destination. In either case, the goal of comment spam is to generate more web content that points back to the spammer’s site, taking advantage of the page popularity ranking algorithms used by Google and others that give weight to incoming links. The best way to deal with spam is to simply get rid of it, denying spammers the opportunity to use your site to boost their own visibility.
There are three basic approaches to dealing with the problem: make it impossible for anyone to leave comments, increase the difficulty of a spammer sneaking a comment onto your site, and enable auto-detection of common spam patterns. Obviously, disabling comments (through the Dashboard) is a bit harsh and defeats the goals of establishing conversation with your readers. On the other hand, if you decide to take this drastic step, remember that changing the settings for posts on the control panel affects future posts only; anything already on your blog will still have comments enabled unless you go through the Dashboard and turn them off individually. If you don’t mind an even greater bit of brute-force effort, you can remove the wp-comments.php file from the WordPress core, which somewhat unceremoniously puts an end to the ability to comment on your posts. We recommend something a bit more subtle.
Comment Moderation and CAPTCHAs
One approach to comment spam is to slow down the spammers; this simple approach, however, slows down valid commenter’s as well. You can require commenter’s to register as site users before being allowed to post comments, but that has the downside of preventing passing-by users from adding their thoughts. It also requires that you stay on top of the user registration, as you may see seemingly valid users that are created purely for the purpose of posting spam to your blog.
Moderation is another tool in the slow-but-don’t-stop vein; you can hold all comments for moderation or require all commenter’s to have a previously approved comment. In effect, you’re putting the burden of spam detection on yourself, looking at each comment as it appears and deciding whether to post it to your site or flush it. Again, an innocuous looking comment may be the approval stepping stone for an avalanche of spam later on from the same user. As with many security mechanisms, the bad guys are continually getting smarter and more automated, and testing the edge protection and response of the systems they want to infiltrate.
A variation of the brute-force and moderation method is to blacklist IP addresses that seem to be the primary sources of spam; the access controls can be put in your .htaccess file. Again, this is perhaps a bit like hunting bugs with an elephant gun, as you’re likely to block valid IP sources from common carriers that are unfortunately home to some low-limit spammers. Also, spammers jump IP addresses easily using bot nets and other resources, so this can be a never-ending war that you cannot keep up with.
Enter CAPTCHA methods — based on a phrase coined at Carnegie Mellon University that ostensibly stands for “Completely Automated Public Turing test for telling Computers and Humans Apart” — that impede spammers’ ability to post unwelcome comments by requiring them to enter some additional, dynamic piece of information. There are quite a few CAPTCHA-generating plugins for WordPress, all of which add a displayed word or math problem to the end of the comment posting form, requiring the user to enter the correct information before the form is submitted.
The simplest of these, the Math Test plugin, displays a two-term addition problem that must be solved by the user. The basic idea is that an automated spamming process won’t be able to recognize the distorted words or solve the problems, alleviating the spam at the point of insertion. There’s some debate as to the effectiveness of CAPTCHAs, with their failure rates suggested to be as high as 20 percent. You’re also adding a step for commenter’s, albeit a trivial one. If your site attracts a large, non-English speaking audience, CAPTCHAs depending upon wavy English words will be effective, but only in preventing valid comments from frustrated users.
Automating Spam Detection
The first step in automating spam detection is blacklisting certain types of posts or particular words. In the Dashboard, choose Settings ? Discussion in the Comment Moderation box, you’ll find an option to block any comment that contains more than a particular number of links. Don’t set this to zero, or anyone who includes his own site URL in a comment is going to be filtered. This cuts down on the obvious spam messages, however. Similarly, adding words to the blacklist like “Vicodin” will eliminate the faux-pharmacy spam, but if you’re perturbed by offers of fake Rolexes, don’t add “watches” to the blacklist or you’ll drop any comment that uses “watches” as a verb as well as a fake product noun. Word blacklists are universally effective in blocking comments with those words, irrespective of context.
Fortunately, WordPress has the Akismet plugin built in for dealing with comment spam that relies on a crowd-sourced blacklist and is transparent to users. Go to http://akismet.com/ to register for an API key for the service; when you open up the Dashboard and configure the Akismet plugin, you’ll need this to make sure your instance of WordPress can connect to the Akismet service.
Effectively, Akismet takes each comment as posted, runs it through a database of spam comments hosted by Automattic, and decides whether or not to mark the comment as spam. Statistics on the akismet.com site claim that upwards of 80 percent of all comments are spam, and that they have caught and marked more than 55 trillion spam comments.
There are other implementations of the Akismet service besides the built-in plugin, and Akismet works on other content management systems as well. [p2p type=”slug” value=”get-free-api-key-akismet”]Akismet[/p2p] is priced based on the size and type of your site, ranging from free to $50 per month. While the freely available nature of WordPress and most of its related plugins and themes has been highlighted, paying for Akismet spam protection is also highly recommended. Compared to the cost of a commercial WordPress hosting option, most low-end Akismet plans are minimal in cost. You remove a time-consuming administrative burden from your plate for a few dollars a month.