How To Fight WordPress Comment and Trackback Spams

Sooner or later, your beloved WordPress blog will be flooded with comment and trackback spams. As a blogger, there is not much you can do to stop spams from hitting your blog, but there are several things you could do to fight them back.

Akismet Screenshot

5 Levels of Spam Protection

1. Discussion Settings

A key setting in your WordPress configuration is the check box “Comment author must have a previously approved comment”. You can find this under Settings –> Discussion –> Before a comment appears. This will prevent any comment that haven’t approved before from appearing.

This is very useful at preventing hit-and-run spammers. But all the spams will be mixed in your moderation queue, so the next step is to implement Akismet.

2. Akismet

Akismet is by far the best spam fighting tool in your arsenal. It is a distributed spam fighting system where comments and trackbacks marked as spams by other bloggers are automatically marked as spams for you. These spams are placed in a separate Akismet Spam queue for you to review, so the moderation queue with legitimate comments waiting for moderation won’t be cluttered up.

There is one weakness with Akismet and it’s called “false positive“. This occurs when legitimate comments and trackbacks are marked as spams by mistake. As a blogger, you would have to “fish” these false positives out, which is like finding a needle in haystack.

Although I have never used Spam Karma 2 before, it’s another alternative to Akismet that’s worth investigating.

3. Simple Trackback Validation

Once your blog gets fairly popular, fishing false positives out of Akismet Spam queue becomes quite painful. This is where plug-in like Simple Trackback Validation comes in. The plug-in works in two ways:

(1) checking if the IP address of the trackback sender is equal to the IP address of the webserver the trackback URL is referring to and (2) by retrieving the web page located at the URL used in the trackback and checking if the page contains a link to your blog.

This plug-in automatically eliminates trackback spams that fail the above conditions, thus reducing the amount of spams in Akismet Spam queue that you have to review for false positives.

There are other plug-in in this class, and I’ll mention the two I have used before:

  • Bad Behavior — Bad Behavior works really well for what it was intended to do. However, I stopped using it because (1) it logs information to the SQL database making it bloated and consuming system resources, (2) it embeds javascript in your code which is something I don’t like.
  • WP-SpamFree — Another good plug-in that I stopped using. WP-SpamFree requires javascript to work and it causes extra load on the server (another situation that I want to avoid).

4. Deny Access by IP using .htaccess

This one requires some knowledge of .htaccess and it is not necessary unless you have a serious spamming problem. Anyone with a matching IP addresses will not be able to access your blog.

This technique is useful if you use it strategically and with the understanding that spammers have access to millions of IP addresses (they can even fake their IP addresses) — so this won’t fix everything.

Here are some good articles you can read on this technique:

5. Other Techniques

Here are some other techniques that I have used with varying degree of success.

  • Renaming wp-comment-post.php as something else — i.e., “wp-comment-stop-spam.php” However, you have to update the POST variable in the comment.php (inside your theme folders) as well, and remember to update this each time you upgrade WordPress or the theme.
  • Using CAPTCHA type validation system — There are many plug-ins that will ask the user to enter a text string to validate that he or she is really a person. In general, I don’t like this approach because it adds another level of barrier for readers that want to leave a comment.
  • Using challenge question — This is similar to CAPTCHA, but the technique ask a simple question, such as “what is 2+2?”
  • Inserting hidden fields in comment form — Several bloggers suggest adding a hidden field in the comment form and check for the value. Since spam bots don’t know about the hidden field, the spam comment wouldn’t go through. For example:
  • Forcing users to register to comment
  • Closing comment and/or trackback on older posts — i.e., using Close Old Posts plug-in.
  • Closing comment and/or trackback entirely — This is a very drastic measure and goes against the nature of blog as a communication media

I hope this post gives you some ideas on how to protect your blog against spams and make your life a little easier.

Tags: , , ,

3 Responses to “How To Fight WordPress Comment and Trackback Spams”

  1. hank says:

    It’s nice to be able to break out of the slump o’ spam. Honestly Akismet is a livesaver. I can’t imagine life without it! :0

  2. Those seem to be poor reasons to not use Bad Behavior.

    First, the database usage is quite minimal; it is hardly a resource hog. If you can’t stand even the small amount of data in the database you can turn that functionality off.

    Second, the JavaScript is not at all required for Bad Behavior to work. It continues to work even with users who have JavaScript disabled.

  3. Pinyo says:

    @Michael — I didn’t notice the capability to disable those options. Although, I am not using BB, I’d like to say thank you for your contribution tot he blogging world.