Stop WordPress Spam

[Adam]

NOTE: This was written for my blog, so when you see an idiosyncrasy, keep in mind that I wrote this with my blog's audience in mind... It should be safe to ignore the very last paragraph because of that. I'm sharing it here, because I want other people to post their hacks for getting rid of spam.

For those who are hoping for some help with email spam, I’m sorry, but this article doesn’t apply. This is for bloggers who are tired of seeing spam in their comment moderation queue, especially for those who are using WordPress like I am.

For the impatient, you can just skip down to the bottom for instructions on how to stop the spam. It will start at a section heading labeled, appropriately, “Stop the Spam.”

For those who aren’t so impatient, though, I really recommend learning how a spam-bot works. For the curious, read on.

How the Spammers Work

Pretend for a moment that your job is to present unwanted, useless information to people in the hopes that they will buy something from you. Now, if you can resist the urge to quit or commit suicide, you’ll realize that the only effective way to get sales is to send that information to as many people as possible. Humans are very bad at sending out information in bulk, since we are very slow and can’t store thousands of addresses in our minds at one time.

That’s where the bots come in.

Bots are programs that pretend to be human. In a chat room, a bot might greet you, and if it is sufficiently sophisticated, it might even ban you for bad language, upgrade your account when you send it a password, or otherwise serve some (hopefully) useful function. Google and other search engine companies use bots to find pages that would be useful to people using their search engines. Illicit advertisers use bots to send email and stuff up the forms of bloggers in the hopes that their messages will be read.

With a bot, a spammer can spend one minute bringing up a program, then let the bot work for another minute and send out thousands of messages. Imagine sending out an advertisement to thousands of people with the investment of just two minutes… If you didn’t have a bot, then you would be able to send these advertisements to about one person every two minutes. Truly, a spammer who doesn’t use a bot doesn’t get fed.

The Problem with Bots

Besides being annoying, bots are also limited to the imagination of their programmers. If a programmer can’t think of a better way to get paid than by sending out spam, then he really doesn’t have any imagination at all. Bots are not flexible. They expect things to be a certain way, and do not know how to deal with any differences at all.

Bots that target WordPress blogs target one thing, the file wp-comments-post.php file. The reason why they target this file is because people do not feel comfortable with editing the default programs behind their blog, at most, they’ll edit the layout a little bit. (Obviously, I don’t worry much about the layout, but I have no fear of ruining something in the processing side, since I can always re-install.)

Almost every bot absolutely depends on certain things remaining default. This is the key to the method that I’m going to share in a little bit, so remember it.

Other Spam-Blocking Methods

Now, I’m not going to say that the other methods are flawed in any way. In fact, they work wonderfully well against spam bots that the spam blockers have seen before. With bots that people haven’t seen, though, there could be a problem. Spam blocking plugins and programs have two jobs to do; block the spammers and allow the normal humans to use the site normally. There are several ways to do this, each with their strengths and weaknesses.

One way is to watch the messages that are being sent to the server for key words, such as poker, viagra, etc. This works great against a small group of spammers who are selling that one product, but it also works against normal users who might happen to mention those items as well. Also, not every spammer is selling viagra or advertising gambling websites, so pretty soon, you get a large list of words to block, and a large number of legitimate users who are blocked as well, simply because they used a word that a spammer used before.

Another way is to block the IP address of the spammers… Sorry, folks, but the spammers are way ahead of you there. They use all different IP addresses, and many of the addresses are also used by people who have legitimate business.

There are also some advanced methods for looking at other information that a spammer has, such as their user agent, whether they can process Javascript or not, and a myriad of other clues, but these all also have the problem that legitimate users might not see your pages as well.

Stop the Spam

Here’s the method that I’m using to stop spammers. Remember that this is WordPress specific, but the principle should work with any blogging platform.

First, find the section of your layout that deals with the comment forms. Find the section that says “<form action=”<?php echo get_option(’siteurl’); ?>/wp-comments-post.php” method=”post” id=”commentform”>.” In that section, edit the wp-comments-post.php line to something slightly different, such as getting rid of a dash. Be certain to leave the “.php” alone. As soon as you have done that, find that file on your server and make the exact same changes to its name. Once you have done that, simply post a test comment, and if you see it, viola, you’ve just blocked almost all of the spammers who visit your site without affecting a single legitimate user.

Also, since this isn’t one of my larger posts (it was written in about an hour), I don’t have a conclusion to give, or a ‘brought to you by’ line either. You should have noticed that this was one of my smaller posts because I started on topic. Shame on you for expecting my regular humor.

[Jill]

I just use the Askimet plugin...works great!

[Phil Newton]

I use Akismet too, and it's saved me a tonne of time. The odd comment still creeps through, but it's caught nearly 4,000 spam messages.

I might use your anti-spam tip on my forums, because they're being hammered by spam bots at the moment. A little form change should to the trick nicely.

[andrew]

I use the same plug in aswell, works wonders.

Your suggestion works because the bots look for that specific file name right?

[dECLAN]

I get about 1,000 visitors to one of my blogs and have only received one spam message in all that time. The Askimet plugin doesn't appear to have blocked any spam messages either.

Either I am really lucky or spammers don't see the point in comment spamming on my blog!

[tracyrtwyman]

In response to some of the other comments on this thread, I would like to point out that most SPAM originates from Chinese and Islamic terrorists trying to ruin the internet so as to destabilize the Western economy. And actually most of it is generated by robots and viruses that are no longer being controlled by the people who originally created them. They're just setting them loose on the world to wreak havoc where they may. So most of the time it isn't really people trying to sell actual products.

I ended up deactivating all comments on my blog because of this garbage. Otherwise it would be a never-ending battle. But now I'm starting to get it through my YouTube channel, so I guess I'll have to deactivate comments there as well.