WordPress: Spam Magnet
I should have been prepared for it - and I was (… sort of) - but I was still completely taken aback by the huge amount of spam version 2.0 of this site attracted within minutes of having been switched live. I’m not kidding you when I say that within the first hour or so, I had to wade through pages and pages of mile-long spam posts that had been caught by one of the many plugins I had installed to prevent getting nuked by those imbeciles that still haven’t figured out that if guarded against properly, blanketing the entire known universe with spam mails, spam comments, spam trackbacks, spam injections, spam pop-ups, spam pop-unders, spam ads, spam messages and whatnot is a pretty useless exercise.
I won’t even go into the stunning ineptness of politicians, the law and whoever else is usually above 100 years old, has twenty-three secretaries weeding out the spam for them and is supposedly in charge of helping us lead a somewhat normal life; suffice it to say that 20 years of hard labor for anyone sending or displaying a single scrap of spam is much more than a fair and just punishment. The spam problem can actually turn the most forgiving liberal into a staunch defender of capital punishment.
So, when I switched over from Expression Engine to WordPress, from a CMS known to have very effective spam controls in place (in my case, the whitelist/blacklist module caught 99.9% of any spam catapulted my way) to one that is widely popular and targeted by just about every spammer on the planet, my site got hit hard. I had worked meticulously on permanently redirecting quite a lot of front-page Google search results to the new pages of version 2.0 and the minute I went live with it, those top spot referrers, which (unknown to me because Expression Engine nuked them by default) had apparently been harvested since 2005, nuked my site. Kabloom!
[snip]
Yeah, I know. It’s not WordPress’ fault. If you read their take on comment spam (read the last paragraph, which is really a hoot), it’s everyone else’s fault and WordPress is virtually spam proof. It’s all reaaaaly simple. Right.
After about three months of using WordPress, I think they better get their act together and provide one well thought-out anti-spam routine by default. Akismet, I’m sorry to say, sucks on a site like mine and if I had kept it activated, it might well have eaten the entire time I have for posting around here … and THAT is hardly the purpose of a “Blog Tool and Weblog Platform”. On top of that, all the other recommended tweaks short of turning commenting off didn’t help either.
Actually, someone who advertises his “platform” as such should spend less time on continuously adding new features, opening new security holes, revamping the entire thing, and adding new incompatibilities almost every month. Instead, things should be halted, cleaned up and made somewhat spam-proof. Ever since I installed WordPress on my server, I had to go through two major updates, one millennium upgrade (the jump to 2.5) and days of getting things to work.
Just the most recent upgrade alone was and is a rather exciting affair, simply because there are now tons of users that can’t do the simplest things (like uploading an image). If you then hit the forums, you find out that … yep, wait for it … it’s the user’s fault. He/she installed plugins, was too dumb to transfer a trillion files onto the server, clicked the wrong button, filled out the wrong field, whatever. Even if you did everything correctly, you must have done something wrong. And even if it is conceded that you might have done things correctly (wait a week or two and it usually happens), it’s your web hoster’s fault. After all, not every single hosting account can handle WordPress. Not even the one I’m on that offers an install by default? One of the most reliable hosters in my country?
Yes, I admit it.
I just must be one of the dumb guys.
And I always have to think about the user who just stumbles upon WordPress by accident. You know, the guy or gal that has no clue about anything and just wants to write a few posts. Like my dad who regularly calls me when his printer jams because he’s scared of touching the thing in fear of breaking anything.
But WordPress is free, so who am I to complain?
[/snip]
Soooo, when I got back from a two-hour dinner break, I had to wade through hundreds (!) of comments advertising the usual gunk from anything you can swallow to anything that could get one’s motor running, ready to go (both literally and figuratively). And I did have a combination of anti-spam plugins installed. The spam was caught (well, most of it), but I had to look at it all to see if there were any false positives.
So, the spammers forced me to spend one whole night reading up on the problem and trying to find the appropriate remedy for it and since then I’ve had to spend the little time I have trying to test single plugins, combinations of plugins, and all kinds of tweaks to get things to run smoothly around here again.
And that’s when I realized the most depressing thing about all of this spamming frenzy: Many of my users, just as I have, have turned their browsers and e-mail programs into solid fortresses with walls as thick as lead, trying to stem the flow of spam and intrusions floating their way. They surf around with just about everything disabled, they have solid spam filters installed, pop-ups and whatnot blocked, they use proxy servers to surf around the Net, they are wary of anything they have to type aside from a comment and simply jump ship if a window pops up which asks them to enter something to prove they are human.
In short, both bloggers like myself and readers like my audience have been hit so hard by spam - probably ever since they went online for the first ten seconds - that we have all erected impenetrable walls around our online life that give us as much peace as possible.
The problem for me then was finding a way of blocking my spam here without scaring my users away … and that is, for a nOOb like me, an almost impossible task. I set up a post and asked regular readers here to test the comment form whenever I tried a new combination of spam prevention controls and no matter what I did, one third of them were practically excluded from commenting here. And, as silly as that sounds, that was a good thing because it showed that the people reading around here are very security-conscious. They know how to set up their browsers and keep all attempted intrusions or irritations at bay.
When I was a member of 9rules, I recall a brief but heated discussion in the members’ forums there: I had dared to mention that I had several things installed in my browser (or turned off in my browser) that prevented me from seeing the ads another member had placed on his site. The person in question went into a verbal frenzy and basically called me an idiot who had no right to do so because when I hit his site, my visit wasn’t properly registered and he didn’t make any money. He practically demanded that I return my browser settings to normal. Needless to say, I didn’t.
I do understand that many sites are dependent on making some money to cover the costs, and I have excluded some sites from ad-blocking (and whatnot) in my exclusion list, but in general, I have so many add-ons installed in Firefox that nail my browser shut that you could hit it with a flamethrower and it wouldn’t notice.
Call me paranoid (and with that, call a large group of other “normal” users paranoid), but it’s the way I do things. It’s also the way many of my readers do it, and I support them with a hearty “… and rightly so!”
If you check usage statistics online, you often hear that only a minuscule number of users have JavaScript turned off in their browsers, or have this or that disabled or haven’t installed this or that plugin.
Well, my audience is decidedly different.
To get back to the topic, the WordPress community has developed a huge pool of spam-detecting or spam-nuking plugins, but many of them use all kinds of tricks (and what else, if not that, should they really do?) to determine if the user is human or not. Captchas, IP- and domain blocking, blacklisting and whitelisting, complete nuking of anything that reeks of spam, JavaScript payloads, hidden input fields, randomly chosen questions that have to be answered … you name it and one of these (more likely several of them at once) will be in the solution.
I simply refuse to get into what I did here to solve the problem, but I think that I’ve gotten a solid grip on it. Being a relative newcomer to all of this though (Expression Engine did - in my case - an exceptionally fine job of preventing my site from getting hit by spam) I can’t help feeling that I’m deterring some people from commenting here. Maybe I’m even trashing some legitimate comments. I simply don’t know (yet).
These next weeks will be spent fine-tuning the tools I have installed (one of them is about as nasty as a neutron bomb) and building a strong defensive wall, brick by single brick.
If you do have any problems commenting here, please let me know via the contact form (link at the top) and I’ll try my best to make it possible. Also, please have some patience because the war I have to fight here is a strenuous one, one that is shared by many bloggers out there who often have worse problems than I have.

I’ve got stuff! wanna buy?!
:P
If it enlarges parts, sure.
I hear ya man. WordPress really is a spam magnet. I’m using Textpattern and the only anti-spam measure it has is a mandatory preview of the comment before it gets submitted and I get zero spam. I don’t need any plugins or any crap like that (which work only with marginal effectiveness).
If I ever leave Textpattern I’ll go to Expression Engine. The thing I like more about Textpattern though is that it’s open source. WordPress is open source too but like you said, it seems to me that they’re more concerned about adding new shiny features than creating a stable, spam-proof CMS.
Yo, Ben!
Nice to see you around here (again)!
I’m dumb and probably didn’t understand, but do you mean you have to moderate each comment (“mandatory preview”) or does the person entering the comment have to preview and OK the comment? I guess it’s the latter. Hm. I could just wander over to your site and try it out. :)
The reason I switched to WordPress was simply that I needed an easily skinnable CMS … and this was the one. It took me an afternoon to throw this stuff together - based on a theme - and all the other work was migrating the stuff over from EE and fixing it up. Not done with the latter yet (have to add some stuff to older posts that are getting frequent visitors, etc.), but almost.
Seems like as of today I also got a pretty good handle on the spam … until the next wave of exploitable holes and/or methods shows up. I just hope I’ve read up enough on all of this and will have gotten enough experience under my belt to be ready for it. This time I wasn’t … not by a long shot!
Well, a big help would be running Akismet, Spam Karma and Bad Behavior all at the same time. That was the only combination that was able to stem the flood of spam when I was on WordPress.
But you’re right, by “mandatory preview” I mean that a commenter simply has to click “preview” and then “submit.” It’s not as obtrusive as a Captcha and does a wonderful job at stopping these spam bots, which is what we’re really trying to curb anyway. If a human spammer wants to spam your site then all the Captchas in the world won’t stop him.
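The checks the post lists (hidden input fields, timing, and the mandatory preview Ben describes above) combined into one comment gate, as an added illustration that is not code from this page, from WordPress or from any of the plugins named here. It is written in Python so it can be read without any CMS in mind; the form field names, the secret, the thresholds and the comment texts are constructed for the demo. The preview step is stateless: the preview page hands the browser an HMAC over the previewed text and the time, and the final submit must return it unchanged, so a bot cannot skip the preview, change the text after previewing, or replay an old token. As Ben says, this stops automation, not a human who types the spam in by hand.

```python
"""Comment spam gate: honeypot field, minimum fill time, and a signed
preview-then-submit token.  Added illustration in Python; the form field
names, secret, thresholds and the comment texts below are constructed."""
import hashlib
import hmac
import re
import time
from typing import Dict, Optional, Tuple

# Constructed demo secret.  A real deployment loads a random secret from
# configuration so that bots cannot forge their own preview tokens.
SECRET_KEY = b"demo-secret-do-not-use-in-production"
MIN_FILL_SECONDS = 5            # a human cannot read the preview and resubmit faster
MAX_TOKEN_AGE_SECONDS = 3600    # stale preview tokens are rejected (no replay)
MAX_LINKS = 2                   # link-stuffed comments are rejected
HONEYPOT_FIELD = "website_url"  # rendered but hidden via CSS; humans leave it empty

_LINK_RE = re.compile(r"https?://|\[url", re.IGNORECASE)


def _text_digest(comment_text: str) -> str:
    return hashlib.sha256(comment_text.encode("utf-8")).hexdigest()


def issue_preview_token(comment_text: str, issued_at: Optional[int] = None) -> str:
    """Step 1 (preview): bind the previewed text and the time with an HMAC.

    The token travels back to the browser inside the preview form, so the
    server keeps no state, and a bot cannot skip the preview or submit text
    other than what it previewed without forging the MAC."""
    ts = int(time.time() if issued_at is None else issued_at)
    msg = f"{ts}:{_text_digest(comment_text)}".encode("ascii")
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def classify(form: Dict[str, str], now: Optional[int] = None) -> Tuple[str, str]:
    """Step 2 (submit): return ("accept" | "reject", reason) for the posted form."""
    now = int(time.time() if now is None else now)
    text = form.get("comment", "")

    # 1. Honeypot: a bot that fills in every input it finds trips this.
    if form.get(HONEYPOT_FIELD, "").strip():
        return "reject", "honeypot filled"

    # 2. The preview token must exist and carry a valid MAC over (time, text).
    ts_str, _, mac = form.get("preview_token", "").partition(":")
    if not ts_str.isdigit() or not mac:
        return "reject", "missing preview token"
    issued_at = int(ts_str)
    expected = hmac.new(SECRET_KEY, f"{ts_str}:{_text_digest(text)}".encode("ascii"),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode("utf-8"), expected.encode("utf-8")):
        return "reject", "token does not match previewed text"

    # 3. Timing: too fast means nobody read the preview; too old means replay.
    age = now - issued_at
    if age < MIN_FILL_SECONDS:
        return "reject", "submitted too fast"
    if age > MAX_TOKEN_AGE_SECONDS:
        return "reject", "preview token expired"

    # 4. Content heuristic: link-stuffed comments are almost always spam.
    if len(_LINK_RE.findall(text)) > MAX_LINKS:
        return "reject", "too many links"

    return "accept", "ok"


def demo() -> Dict[str, Tuple[str, str]]:
    """Run the gate over constructed submissions and return each verdict."""
    t0 = 1_700_000_000
    good_text = "Nice post, I had the same problem after switching CMS."
    spam_text = "cheap pills http://a.example http://b.example http://c.example"
    token = issue_preview_token(good_text, t0)
    spam_token = issue_preview_token(spam_text, t0)
    cases = {
        "human": ({"comment": good_text, "preview_token": token}, t0 + 20),
        "bot_honeypot": ({"comment": good_text, "preview_token": token,
                          HONEYPOT_FIELD: "http://x.example"}, t0 + 20),
        "bot_no_preview": ({"comment": good_text}, t0 + 20),
        "bot_instant": ({"comment": good_text, "preview_token": token}, t0 + 1),
        "bot_swapped_text": ({"comment": spam_text, "preview_token": token}, t0 + 20),
        "bot_link_stuffed": ({"comment": spam_text, "preview_token": spam_token}, t0 + 20),
        "replayed_token": ({"comment": good_text, "preview_token": token}, t0 + 7200),
    }
    return {name: classify(form, now) for name, (form, now) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} -> {verdict}")
```

None of these checks needs JavaScript or a captcha, which matters for readers like the ones described in the post who browse with scripting off: the honeypot is hidden with CSS, and the preview step is an ordinary second form post. The checks are ordered cheapest first, and the MAC is verified before the timestamp is trusted, so a bot cannot pick its own issue time.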
Actually, right now I can take a breather because I’ve trained my defenses well … they’re beginning to catch.
Although Spam Karma can be trained quite well - and offers something like it - for the future I’m considering giving Oliver’s (remember Oliver from Delicious Days, also a former 9rules member?) SMP: Better Spam Control a thorough workout. I’ve already had it installed but because it basically works by “[...] blocking of specific IPs (taken directly from SPAM comments), prohibiting those hosts from accessing your site again”, I haven’t given it a spin on this site here yet.
I don’t dare to yet because you need time to make sure you don’t block half the planet (for example a gateway/proxy server), but from what I’ve seen so far, it’s an easy-to-use interface with some mighty possibilities … again, if you know what you’re doing.
SpamKarma, for example, is actually pretty difficult to set up in comparison, although it has a lot of similar functionality (actually a lot more, but in the end also unnecessary stuff). I had to consult some other websites to find some decent settings that would filter the spam wave properly.
The best solution would be Oliver’s plugin with a continuously updated blacklist/whitelist file, much like what EE has built-in already.
No matter what, the spammers will challenge us time and again and I do believe it won’t be long until I have to start all over again.
Let’s see what the future has to offer.
P.S.: That forced preview is a nifty idea. Should be easy to implement on WP … for people who aren’t deaf, dumb and blind … like me. ;)
Ah yes, Delicious Days! His site’s really looking great! I actually think there’s a plugin that adds that preview button to a WordPress blog but I’m not sure where I saw it.
Yeah, trying to find out the name of some plugins or finding them in the/a repository is sometimes a real drag.
I tried to comment on the previous post using the latest version of IE … didn’t work. I switched to my backup, Mozilla Firefox, no problems.
You have to do what you have to in order to keep all the spam-bots peddling porn, sexual aides, medications, etc. from taking over your site.
Steve, could you send me a mail telling me which provider/IP address/.com address you came from? What happened? Did the comment get eaten? Did nothing come up? Etc. It would help me figure out how I can maybe fix the problem(s). I could look, for example, if your provider’s domain address got blacklisted because I got spam through that one. This is still very much a learning process for me.
Thanks!
Update:
It’s absolutely amazing to watch, via various logs, how practically each post on this version of my site is a) being “harvested” and b) subsequently spammed. One by one, now that my permanent redirects are fully in place and working. I can see “someone” enter the site, go through a series of posts and then, a while later, those posts being spammed from every spot in both the known and unknown universe.
So far, protection seems to nuke it all, but I’m also getting a frightful number of top-level domains being blacklisted. This weekend I need to hit various forums and posts around the Net to figure out how those things I installed actually work.
As far as I can see, nothing legitimate has been nuked, but I don’t know who is being stopped from commenting.
I’ve also found an interesting series of posts over at Perishable Press that seem to offer a way of blocking lots of this stuff via the .htaccess file before it even comes near my WP install. I’m going to read up on that over on the site soon, especially since it seems something one should be knowledgeable about today, even if I should switch backend at some point again.
That’s one of the features of Bad Behavior. It stops attempts on your blog that come from questionable IP addresses and such. Not sure exactly how it works, pretty sure it’s not via .htaccess, but it functions on the same principle.
Yeah, I checked that one and read up on it, but I thought of learning how to do it the “Perishable Press” way because if ever needed, the method can easily be transferred to any CMS I might use in the future … if needed. Taking that route will most certainly save time in the long run, I hope.
Besides, instead of relying on a plugin and learning how that works in every detail (a plugin that might one day just disappear from the face of the earth), I’d like to become autonomous on the issue of spam fighting as much as possible, meaning I’d like to learn and later know exactly what I’m doing. Concentrating on the .htaccess route, relying on a supplied blacklist at first and then learning as I go along, makes the most sense right now.
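The two ideas from the comments above, banning the IPs that spam comments came from and doing it in .htaccess before the request ever reaches the CMS, worked through as an added example. This is not code from the page, from the SMP plugin, from Bad Behavior or from Perishable Press; it is a Python script that reads a moderation log and writes an Apache 2.4 (mod_authz_core) fragment. The log format, the thresholds and the allow-list are constructed; the assumption is an Apache 2.4 server with .htaccess enabled, and the fragment is scoped to wp-comments-post.php, WordPress's comment handler, so a mistaken ban only blocks commenting rather than reading. The gateway/proxy caveat raised above is handled explicitly: an address that has also produced legitimate comments is never banned, however much spam came through it.

```python
"""Build an IP deny list for the comment endpoint from comments already
caught as spam, refusing to block any address that has also produced
legitimate comments (a shared gateway or proxy).  Added Python
illustration; log lines, thresholds, allow-list and thresholds are constructed."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed moderation log, one line per comment: "<ip> <verdict>".
SAMPLE_LOG = """\
203.0.113.7 spam
203.0.113.7 spam
203.0.113.7 spam
198.51.100.20 spam
198.51.100.20 ham
198.51.100.20 spam
198.51.100.20 spam
192.0.2.44 spam
2001:db8::1 spam
2001:db8::1 spam
2001:db8::1 spam
10.0.0.5 spam
10.0.0.5 spam
10.0.0.5 spam
"""

MIN_SPAM_HITS = 3  # a single spam comment is not enough evidence to ban a source
# Constructed allow-list: networks that must never be banned (own LAN, known proxies).
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8")]


def parse_log(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Count spam and ham verdicts per source address (IPv4 and IPv6)."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"spam": 0, "ham": 0})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ip_text, verdict = line.split()
        ip = str(ipaddress.ip_address(ip_text))  # normalises, raises on garbage
        if verdict in counts[ip]:
            counts[ip][verdict] += 1
    return counts


def select_block_candidates(counts: Dict[str, Dict[str, int]]) -> List[str]:
    """Ban only sources with enough spam, no ham, and outside the allow-list."""
    blocked: List[str] = []
    for ip, c in sorted(counts.items()):
        if c["spam"] < MIN_SPAM_HITS:
            continue                     # not enough evidence yet
        if c["ham"] > 0:
            continue                     # real readers use this address too: gateway/proxy
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in NEVER_BLOCK):
            continue                     # explicitly protected network
        blocked.append(ip)
    return blocked


def render_htaccess(blocked: List[str]) -> str:
    """Apache 2.4 fragment: everyone may post a comment except the listed IPs."""
    lines = ['<Files "wp-comments-post.php">',
             "    <RequireAll>",
             "        Require all granted"]
    lines += [f"        Require not ip {ip}" for ip in blocked]
    lines += ["    </RequireAll>", "</Files>"]
    return "\n".join(lines) + "\n"


def build(log_text: str) -> str:
    """Whole pipeline: log text in, .htaccess fragment out."""
    return render_htaccess(select_block_candidates(parse_log(log_text.splitlines())))


if __name__ == "__main__":
    print(build(SAMPLE_LOG), end="")
```

Run against the constructed log, only 203.0.113.7 and 2001:db8::1 end up in the fragment: 198.51.100.20 is skipped because a legitimate comment came from it, 192.0.2.44 has too little spam, and 10.0.0.5 sits in the protected range. Regenerate the fragment from the log rather than editing it by hand, and keep the list short; a deny list that has "weeded out practically the entire globe" is the failure mode the comments above describe.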
Makes sense to me too :D
Ironically, the Perishable Press site is blocked by my workplace’s filtering system as “Spam URLs” - too bad, since it looked like a good way of reducing incoming junk comments.
It is?
How ironic.
I wonder how that came about, but then again, my filters have weeded out practically the entire globe as apparently spam comes from, well, all over the globe. If I don’t figure out a different configuration soon, I’ll be talking to myself in about 5 days.
I don’t think that I’m going to install this after reading this.