WordPress Comment Plugins: Building A Fortress To Defend Against Spam!

UPDATE: There’s been an uprising in my own “Blogdom”!  The people have spoken and I’m considering their words…  Recent Posts on other sites, PMs and comments here have made me reconsider the usage of a “captcha” challenge script with use in presenting commentors the option to leave a comment.  I still believe that Peter’s script is a fine example.  I have opted to consider Lorelle’s advice and a fellow named “Otto 42” ;), after extensively re-reviewing the availble literature. 

So in the place of my challenge guard, I’m adding Spam Karma 2.  I’ll let you know how it goes!  You can see more about the conversations about this at Lorelle’s WordPress site.

The original article follows: 

It’s remarkable, programs like Akismet have protected us from over 1,000,000,000 (read a billion!) spammers!  I first read about this in Photo Matt’s Blog.  Spam has been a real problem for me and of course for all of you as well.  The biggest problem I have is that I want to be able to have a dialog with people, but I don’t want to be forced to shut off my “comments” due to the tremendous amount of SPAM that keeps on coming. 

SPAM has to be treated like an enemy and there are some KILLER plugins that will allow you to turn the tide in your battle with the EVIL SPAMMERS.  With the right programs, you will be able to barricade yourself against the evil SPAM empire and stop the offenders that are trying to take over your “Blogdom”! 

THE THREE-FOLD DEFENSE STRATEGY:

The following three plugins will provide a fortress for defense against SPAM while still allowing you to receive comments, pingbacks and trackbacks. As a matter of fact, since you are reading this article, why not let me know about it by leaving a non-SPAM comment! I’d like to know if, I helped you with your quest against SPAM or if you have any other weapons in your arsenal that will help others with this war! 

Bad Behavior: Your First Line of Defense (The Moat)

Bad Behavior is a set of PHP scripts which prevents spambots from accessing your site by analyzing their actual HTTP requests and comparing them to profiles from known spambots. It goes far beyond User-Agent and Referer, however. Bad Behavior is available for several PHP-based software packages, and also can be integrated in seconds into any PHP Script.

This program is amazing at stopping SPAMMERS before they even “get to your Web log”. The Bad Behavior Plugin is designed to detect the EVIL army of SPAMBOTS and block them before they actually SPAM you site.  It targets any malicious looking software with an error message. This “error message” confuses them, thus sending them on their “merry way” away from you and on to others without such a sturdy defense strategyBad Behavior doesn’t analyze the potentially bad message (parse), because it actually prevents it from being sent in the first place.

Peter’s Custom Anti-Spam: The 2nd Line of Defense (The Gate and Outer Wall) 
Note: A lot of discussion about using a Captcha plugin like this has occured recently, see the above notes and comment section for more information.  Join in the conversation and let us know what you think.  Some people beat me up about this, some people reasoned with me, some people agreed- in the end, after taking another hard look what people were saying- they convinced me that this type plugin is not necessary for blog sites, mainly due to how much they say it harrasses would-be commentors (personally, I’ve never felt harassed).  Currently, I have replaced this pulgin with Spam Karma2 and am evaluating how it works in conjucntion with Bad Behavior and AKISMET.  We’ll see….

While there are a couple of other great plugins that are similar like Meyerweb’s WP-Gatekeeper ,  Did You PASS Math?, ΛορδΧηαος’s Challenge Plugin and Captcha!, I am a real fan of the simplicity, functionality and currentness of Peter’s Custom Anti-Spam Plugin. Peter’s plugin works with WordPress 2.1.2 and has some great functionality that includes customizing the words used for detecting spam AND still allows for pingbacks and trackbacks! Something I certainly still want and I know you do too!

Peter’s plugin is a “challenge” a “laying down of the gauntlet” type of plugin.  Non-registered users will have to copy a word (customizable) to enter a comment providing a challenge of sorts.  Your own subjects, don’t have to deal with this challenge if they are logged in already and safe inside you walls.

It’s a great “defense” against would be SPAMMERS, since SPAMBOTS can’t read well and “autofill” incorrectly, thus keeping them at bay and your Blogdom safe.

AKISMET: The Final Defense (The Keep)

Everyone has heard of the Aksimet plugin for WordPress, it’s your final bastion of defense.  If you are running the new version of WordPress you already have it, but it may not be activated.  Got to http://wordpress.com and get your personal code to activate it. 

You don’t have to sign up for a wordpress.com blog to get your code, however it’s still a little confusing… You still have to choose “Start your WordPress Blog” to get your code even if you don’t want one:

Then choose “just a username, please”:

Follow the rest of the prompts to get your code.  When you have it “copy” it so you don’t misspell it later when you sign it “into law”.  Finally, go to your “plugins” menu and choose the Akismet Config. button and enter it in so you have protection!  If you have not entered your code you are not being protected and your Keep is unsafe and your strategy weakened!

For any of the more hearty SPAM varieties that fool Bad Behavior and find a way to get through your “gauntlet challenge”, AKISMET is there to interrogate them one final time and check to see if their legitimate or not.  It does this by comparing the message to thousands (hundred of thousands?) of other messages in the Akismet database. If they are found to be malicious, AKISMET sends them to your SPAM box, your little prison for the buggers.  Now as Supreme King and Emperor of your domain, you have the ability to either execute them for their crimes against you and your Blodgom (and providing the world with the knowledge of this new type of SPY; Aksimet Learns from this and will protect others!) or you may free the innocent and have them placed rightfully into your comment section as ambassadors of your community!

Many professional bloggers recommend checking the “Automatically discard spam comments on posts older than a month” check box to minimize SPAM.  The problem with this is that if you have a lot of really good “older” posts you won’t get any new comments about them. :(

The Defense Strategy Reviewed:

By using these three programs you should eliminate almost all of your SPAM enemy.  Bad Behavior stops the SPAM  before it even gets to your Web log (crosses the moat).  If it gets by Bad Behavior, the guard at your gate (let’s call him Peter) issues a challenge for safe passage (Peter’s Custom Anti-Spam).  Finally, at the Keep, AKSIMET takes another crack at interrogating the SPAM and renders any potential SPAM (SPYS at this point) into a holding-cell for you to decide their fate.  It’s a great plan, it works; I use it here.

MOUNTING AN OFFENSE:

There’s another Bold  option in the War against SPAMMERS and it’s called Hashcash. It’s software that not only protects you from SPAM, but irritates those sending it. Elliot Back has this to say about how it works:

…However, if a spammer does interpret this JavaScript, there will be a substantial slowdown to them.

I certainly don’t understand the mechanisms behind how it does this, but the author of Captcha! (above) has stopped development of his plugin due to the effectiveness he sees with Hashcash.  Elliot claims it blocks 100% of SPAM; however, I have seen that some users state it slows down their systems.  Personally, I don’t know, I haven’t installed Hashcash but I thought it was worthy of mention in the annals of this article.  I’d love to hear from you if you are running it and if it is working for you. For now…

The battle awaits, your defenses are sure; onward into the fight!

                                 ~Joseph Pisano

Joseph M. Pisano, Ph.D. is the creator of many education websites, a lecturer, clinician, trumpeter, and conductor. He is currently the Associate Chair of Music and Director of Bands in the Calderwood School of Arts at Grove City College in PA. He been named a TI:ME Teacher of the Year, received the JEN Jazz Educator Award and the PA Citation of Excellence. He is a past Vice President of the Technology Institute for Music Educators and the current Vice-President of the PA Intercollegiate Bandmasters Association. He also writes for DCI Magazine, Teaching Music Magazine, and is the Educational Editor for In-Tune Monthly Magazine; he has contributed hundreds of articles to various publications. Find out more at his website jpisano.com.
Print Friendly