Have you ever found yourself dealing with a spam attack on your site?
If you have, you’d know. It almost always starts out as a trickle…
Maybe it’s a couple comments about how enlightening your entry on the summer corn you made on the grill a few weeks ago was. Only all the comment author links are to pharmaceutical sites or places where you can buy knock-off high heels. And can an entry about corn really be enlightening?
This is spam, isn’t it? Well, let’s go ahead and flag those in Akismet so it can catch others like it.
You are using Akismet, right? It’s probably the preeminent solution for fighting spam on WordPress. If you’re not, that’s totally fine. In fact, I can wait here while you go install it…
Okay. Everyone’s (hopefully) running Akismet now. Good. That’ll make things easier.
Anyway, the trickle of spam eventually turns into a steady stream. And their contents get even more blatant and desperate. Where there was once a not-quite-relevant compliment about your post and a hidden link trying to trick you into approving it, now there’s just a link to an online sunglass boutique. Or a luxury brand outlet.
Now, the fact that this crud is getting through the filters isn’t Akismet’s fault. Its server infrastructure — which is where they figure out if a comment is spam or not — is ridiculously robust. That means you need to also factor in things like the robustness, connectivity and stability of your site and server. Especially if you’re on a bargain host. Then again, even a good host can have connectivity problems every now and then.
So you start spending more and more time every day wading through the spammy pending comments that might find their way around whatever filters you might have in place. Then, as the stream turns into a torrent, you eventually stop dealing with them altogether.
You started a site to write and share your thoughts, not to deal with spam. Maybe if you disable comments completely…
Stop. What if I told you there was a better way?
Actually, there are two better ways. One is a plugin that requires a bit of setup and the other is something that you can copy & paste into your WordPress install’s settings. Let’s go ahead and start with the easy one first.
Newton enthusiast, developer and haircut documenter Grant Hutchinson has cooked up and shared a dizzying blacklist of almost 4300 commonly used spammer keywords. And it’s growing larger (practically) every week.
To use it, you just need to go into Settings -> Discussion in wp-admin and scroll down to Comment Blacklist. Once there, copy the raw version of the blacklist and paste it into that field.
Once you’ve done that and verified that you’re not blocking anything you don’t want to, just scroll down and click Save Changes. Now your site has an added barrier that should help keep spammers at bay.
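One way to do that verification offline, as an added example that is not part of the original post or of WordPress itself: it runs the pasted list over comments you have already approved and reports which keywords would now catch them. It assumes each non-blank line is matched as a case-insensitive substring of the fields listed below; the field names and sample data are constructed for illustration.

```python
import re

# Fields each keyword is tested against (assumption: approximates WordPress core).
FIELDS = ("author", "email", "url", "content", "ip", "user_agent")

def load_blacklist(raw):
    """One keyword per line; blank lines are ignored."""
    return [line.strip() for line in raw.splitlines() if line.strip()]

def find_hits(keywords, comment):
    """Return (keyword, field) pairs where the keyword occurs anywhere in the field."""
    hits = []
    for word in keywords:
        pattern = re.compile(re.escape(word), re.IGNORECASE)
        for field in FIELDS:
            if pattern.search(comment.get(field, "")):
                hits.append((word, field))
    return hits

def audit(keywords, approved_comments):
    """Map comment id -> hits for approved comments the list would now flag."""
    report = {}
    for comment in approved_comments:
        hits = find_hits(keywords, comment)
        if hits:
            report[comment["id"]] = hits
    return report

# Constructed sample blacklist: three words and one IP prefix.
SAMPLE_BLACKLIST = "outlet\ncialis\n\nsunglass\n192.0.2.\n"

# Constructed sample of legitimate, already-approved comments.
SAMPLE_APPROVED = [
    {"id": 101, "author": "Dana", "ip": "198.51.100.7",
     "content": "Is the patio outlet safe for an electric grill?"},
    {"id": 102, "author": "Lee", "ip": "198.51.100.8",
     "content": "We asked a corn specialist and she agreed with you."},
    {"id": 103, "author": "Sam", "ip": "192.0.2.44",
     "content": "Great recipe, thanks!"},
    {"id": 104, "author": "Ana", "ip": "198.51.100.9",
     "content": "Trying this on Sunday."},
]

if __name__ == "__main__":
    report = audit(load_blacklist(SAMPLE_BLACKLIST), SAMPLE_APPROVED)
    for comment_id, hits in report.items():
        print(comment_id, hits)
```

Keywords that show up here are candidates to remove or lengthen before you click Save Changes: short words match inside longer ones, and an IP prefix covers every address that contains it.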
As an added bonus, the matching of any keywords in this blacklist gets processed before the message is run through Akismet. That means that you’re actually freeing up resources on Akismet’s servers by having this block in place. It’s kind of a minuscule slice in the grand scheme of things, but every little bit helps.
Now the plugin has a real mouthful of a name. And I’m not going to lie, it could be a lot easier to set up. Still, AVH First Defense Against Spam is totally worth the time and effort you’ll spend getting it dialed in.
Before your install even serves up a page, AVH First Defense checks three well-known anti-spam blacklists to see if an IP is known for sending suspicious traffic. If it is, the visitor gets sent to a page that tells them why they were blocked and what they can do to get off the list they were found on.
Since most spam comes from bots, they won’t bother with getting their IP address removed. But the rare valid person who gets flagged will. So everyone wins.
The effort in setting up this plugin comes from the fact that you have to register (and then locate) two API keys for Stop Forum Spam and Project Honey Pot. But if you follow the links I’ve provided, that shouldn’t be too hard.
While you’re dropping your new API keys into place, go ahead and shut off any email notifications you don’t want to receive. Oh, and make sure to retain the IP addresses you look up in cache for no more than 7 days. That’ll keep your site’s database nice and lean and keep the lookup process nice and fast.
What are you waiting for? Add these two tools to your site admin toolbox and get back to thinking about your next post!
As WP Engine’s “other Jason”, Cosper is the company’s WordPress nerd. He’s been tirelessly debugging his xorg.conf file since installing Slackware in 1996 and has been working with WordPress since 2004. In his spare time, Cosper enjoys spending time with his wife and very tiny dog, grilling meats, sampling assorted beers and brewing coffee.