5 Tips on securing your Wordpress blog from spam comments and pings
No matter where or how you host your blog, sooner or later you’ll notice unwanted comments or trackback pings coming in; this is especially the case with a weblog powered by popular software such as Wordpress. Luckily, there are also several ways to block or filter this kind of trash out of the ‘real’ content. I’ll list a few that I recommend.
#1, Akismet. You might have seen this plugin in your Wordpress installation already, as it ships (disabled) with Wordpress. It works in a fairly simple but very effective way: every time a comment or pingback is made to your blog, it is submitted to Akismet’s servers and matched against loads of filters to decide whether it’s ‘good’ or ‘bad’. The more you use Akismet, the better it becomes; it’s a learning filter. The pro of using this plugin is that ‘positives’ are stored in your database for two weeks, so you can review them to see whether they’re really junk or not.
#2, Bad Behavior. So far this plugin is my personal favorite; it matches every visitor against a list of known ‘bad’ servers, hosts and email addresses, blocking the junk even before your page is loaded. The main advantage is that bad web crawlers and other automated tools won’t consume your bandwidth or resources, reducing the load on your server and perhaps even speeding things up. It has one drawback though: you can’t easily see whether a blocked visitor was really a bot or trying to do harm, as there is no easy interface for that. Logs are available, but they require quite some ‘knowhow’ to understand.
#3, Rename your comments file. This might seem a little ‘easy’, but a lot of bots simply submit to this file without actually checking whether it’s the file your configuration uses. Brian’s Threaded Comments will let you do that by just entering the new name. It’s also a nice plugin for giving your comments some more structure, potentially increasing the number of comments. In case you don’t want to use this plugin, simply look in your theme for the old filename and replace it with the new one, such as ‘comment.php’.
#4, Deny visits without referrer. When a person visits your page A and then decides to click a link to page B, A will show up as the referrer, if it’s a “real” user. Bots, however, usually change this referrer field to a website they’re promoting, as a lot of websites have publicly visible referral statistics. To prevent this kind of ‘trash’ you’ll have to edit your .htaccess file and add the following lines, after replacing the URL with your own and changing the filename of your comments page if you did that already.
RewriteEngine On
# Only act on POSTs to the comment handler (change the name if you renamed the file)
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
# ... whose referrer is not your own site, or whose User-Agent is empty
RewriteCond %{HTTP_REFERER} !shoemoney\.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://whereyouwanttosendthem.com/ [R=301,L]
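To see how those four conditions combine (the two joined by [OR] count as a single group), here is a small Python emulation of the rule chain run over a few constructed requests; this is an added example, not part of the original post or of Apache, and it assumes example.com as your blog’s hostname. The last request also shows the cost of the rule: a human whose browser sends no referrer is redirected too.

```python
import re

# Constructed example; "example.com" stands in for your own blog's hostname.
SITE = "example.com"
# One tuple per RewriteCond line: (variable, pattern, negated, or_with_next).
CONDITIONS = [
    ("REQUEST_METHOD", r"POST", False, False),
    ("REQUEST_URI", r"wp-comments-post\.php", False, False),
    ("HTTP_REFERER", re.escape(SITE), True, True),   # !pattern [OR]
    ("HTTP_USER_AGENT", r"^$", False, False),        # empty User-Agent
]

def cond_matches(req, var, pattern, negated):
    """Evaluate one RewriteCond; an absent variable is the empty string."""
    hit = re.search(pattern, req.get(var, "")) is not None
    return hit != negated

def rule_fires(req, conditions=CONDITIONS):
    """Emulate Apache's chaining: conditions are ANDed, except that a
    condition flagged [OR] is ORed with the one that follows it."""
    i = 0
    while i < len(conditions):
        var, pat, neg, or_next = conditions[i]
        result = cond_matches(req, var, pat, neg)
        while or_next and i + 1 < len(conditions):   # absorb the [OR] group
            i += 1
            var, pat, neg, or_next = conditions[i]
            result = result or cond_matches(req, var, pat, neg)
        if not result:
            return False          # one AND-ed group failed: no redirect
        i += 1
    return True                   # every group passed: the POST is redirected

# Constructed requests; the last is a human whose browser sends no referrer.
COMMENT_URI = "/wp-comments-post.php"
SAMPLE_REQUESTS = {
    "real_commenter": {"REQUEST_METHOD": "POST", "REQUEST_URI": COMMENT_URI,
        "HTTP_REFERER": "http://example.com/2007/hello/", "HTTP_USER_AGENT": "Mozilla/5.0"},
    "spoofed_referer_bot": {"REQUEST_METHOD": "POST", "REQUEST_URI": COMMENT_URI,
        "HTTP_REFERER": "http://spam.example.net/", "HTTP_USER_AGENT": "Mozilla/4.0"},
    "empty_user_agent_bot": {"REQUEST_METHOD": "POST", "REQUEST_URI": COMMENT_URI,
        "HTTP_REFERER": "http://example.com/2007/hello/", "HTTP_USER_AGENT": ""},
    "plain_get": {"REQUEST_METHOD": "GET", "REQUEST_URI": "/2007/hello/",
        "HTTP_REFERER": "", "HTTP_USER_AGENT": "Mozilla/5.0"},
    "referrer_stripped_human": {"REQUEST_METHOD": "POST", "REQUEST_URI": COMMENT_URI,
        "HTTP_REFERER": "", "HTTP_USER_AGENT": "Mozilla/5.0"},
}

def classify(requests=SAMPLE_REQUESTS):
    return {n: "redirected" if rule_fires(r) else "allowed" for n, r in requests.items()}
```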
#5, Disable comments on older posts. This option most likely won’t have a lot of effect on spam bots, but it will stop a lot of humans who consider it nice to promote their link by spamming it on your weblog; that kind of message often gets through your spam filters. You can do this easily by installing the Autoshutoff plugin from the Wordpress website. There is also an alternative plugin available, named Comment Timeout, which lets you pick more options, such as a maximum number of comments or just a time limit.
Even if you use all of these plugins, you most likely won’t be spam-free. You should notice a lot less spam though; since I’ve been using Bad Behavior I’ve only received a couple of spam comments a week, instead of the ‘good old’ 5+ a day. If you’ve got more nice plugins to stay safe, please let me know, as I’ll be glad to add them.