
Spartan Shield Wall: Most Effective Package of WordPress Anti-Spam Plugins

Credit: epSos.de

For bloggers, comment spam is a big problem.

A blog with very few real visitors can have hundreds of spambots hit the pages each day in an attempt to get links, and a little traffic, back to their sites.

You might think that this strategy doesn’t work, and that it’s largely useless because links are nofollowed and so much spam gets caught, but it does work. It’s still extremely effective in certain instances and that’s why people still use it.

So how do you defend yourself against this onslaught?

You need to employ a series of plugins that act as a Spartan shield wall. Do you remember the slightly exaggerated but extremely entertaining movie 300? When the Spartans interlocked their shields in a defensive formation against the Persians — that was a shield wall. You’ll use interlocking plugins, and a few advanced tricks, to create your own Spartan shield wall.

I wanted to do a semi-scientific study of the most effective package of spam plugins in which I would test plugins for their ability to stop spam. For this test, I tested using my travel blog, Wanderlust Journey, which I only ever write on when we’re on vacation.

My test was very simple: I would activate a plugin and see how much spam it stopped in a week. I would look at the rate of false positives (good comments that were marked as spam), false negatives (spam that wasn’t marked), and total marked spam. I’m assuming that the level of spam remains consistent throughout the weeks (so it’s only semi-scientific).

The only rule for the plugins was that I wanted zero reader intervention. I didn’t want a CAPTCHA or for readers to even have to check a box. I realize those are very effective solutions and I don’t fault any bloggers for using them, but I wanted to find a solution without them. Spam is a publisher’s problem; I didn’t want to make it the reader’s problem too.

No Plugins (Baseline)

No spam plugins (eek!) were used for one week, just to get a baseline measurement for what we were dealing with.

WHAT.

A.

MISTAKE. 🙂

Wanderlust Journey got pounded for close to 900 spam comments. Remember, this is a site that gets about 30 legitimate visitors a day. It was getting about 30x that in spam comments. I was getting spam comments in Spanish, Japanese, Chinese, Italian, and then good ole random nouns and verbs English. I learned about drugs I didn’t even know existed!

Fortunately, because of my WordPress configuration (which is separate from the no-plugin baseline), all comments were put into Pending. (Luckily, I could go into the database and just delete everything in Pending instead of using the WordPress interface.)

How was WordPress configured? Under Discussion Settings, I required that the comment author must fill out name and e-mail, which is the first check box in “Other comment settings.” I also automatically moderate first time comments, that’s the check box in “Before a comment appears” labeled “Comment author must have a previously approved comment.” (this is how many of these comments get put into Pending)

Immediately under that, there’s a setting that holds a comment for moderation if it contains links – I set that to 1. (This catches everything else.)

So in order for a comment to appear, the comment author has to have a previously approved comment and zero links in the post. Everyone else, who isn’t nuked by a plugin, gets thrown into the Pending queue.

Verdict on Baseline: Never do this. Don’t ever ever not put anything. I didn’t need to do this to come to this conclusion but I wanted to know how many spam comments the site got in a week. Wanderlust collected 894 spam comments, fortunately all in Pending, and I’m never doing this again. Ever.

Akismet (Pseudo-Baseline)

Akismet, which comes with WordPress, is a great plugin for stopping spam from appearing on your site. By design, it allows every comment to be submitted but then runs it through checks to see if it’s legitimate. If it believes it’s spam, it goes into the spam queue. Between our configuration and Akismet, it’s my belief that no spam comment should appear on the site. It’s important to note that Akismet is not designed to stop spam from being submitted.

How did it do? In a single week, we saw 892 spam comments. Akismet caught 890 of them and put them in the spam queue, where they belong. Two comments made it through and were put into the Pending queue. Nothing made it live.

As you can see, Akismet is very effective. You should use it. There’s really no reason you shouldn’t!

But we can do better. There are two other points in the process we can hit — stopping spammers from submitting a comment, and stopping them from reaching the site at all.

Cloudflare

CloudFlare is a content delivery network (CDN) and a distributed domain name service (DNS) that can increase the speed and responsiveness of your site by distributing your data (the CDN) and, potentially, block threats from ever reaching your server. I only recently discovered the service and I’ve been impressed with what it says it’s been doing to stop threats to Microblogger. We don’t get much spam, yet, so I wanted to see how it dealt with a little more activity.

We used the free plan with CDN only (this is speed only, and has nothing to do with spammers) and Medium Security (this is what stops, or at least slows down, spammers). Cloudflare will challenge visitors with a CAPTCHA if there have been “multiple instances of spam, hacking, or denial of service (DoS) attacks reported on other sites.” There is a browser integrity check which will challenge the visitor if they have a known malware browser signature. They claim this level is “appropriate for sites that want a strong defense, but are concerned about false positives.”

You can think of the security aspect of the service as being a firewall. They do checks on the visitor to see if they’re legit. They’re your club’s bouncer.

There is a risk… this introduces an additional point of failure for your site if there is a failure on Cloudflare’s end. Traffic is routed through their servers so if they go down, you go down. The upside is that when they are up and running, things are much faster. They can handle some of the load from bad actors so your server doesn’t have to.

According to Cloudflare, it stopped 1294 threats (172 of which were unique), though there’s no way to know whether these were spambots or some other variety of nefarious agents. In terms of spam-stopping power, it wasn’t much of an improvement. We still caught 729 spam comments, which is down a little from the near 900 spam comments of the week before.

I consider it a win given the other benefits but we can’t stop here. We’ll need to start bringing in some plugins.

Spam Free WordPress

Spam Free WordPress is a plugin that’s been around for years and is still being updated today, which is crucial. In addition to stopping comment spam, it’s able to protect other forms including contact forms, login, and registration forms. It’s quite versatile and it’s a plugin I’ve used simply because of its versatility. This will be the first time I’ve tested its efficacy – I’ve always just taken it on faith that it works.

Spam Free WordPress relies on a combination of JavaScript and cookies to confirm the visitor is a real human being. You need both cookies and JavaScript enabled in order to leave a comment on the site and, according to them, fewer than 2% of users have either or both turned off. Their argument, which I agree with, is that it’s better to annoy the 2% by asking them to turn on JavaScript and cookies than it is to ask the 100% to fill in a CAPTCHA.

So how did it do?

ZERO spam.

It stopped all spam dead in its tracks with no complaints about false positives. Before we get too excited, I have it installed on another site (my scotch blog) and Spam Free WordPress doesn’t stop everything there. Some spam still makes it through (about 5% of regular). So while we can declare victory on my travel blog, I don’t think we can stop there. (to stop the rest, I used FV Antispam, which puts all of the remaining spam into Trash — not a perfect solution but it’ll do for now)

Here’s the kick in the pants: I installed it on Microblogger and it stopped all comments. 🙁 Josh of Bigger Pockets also notes that a lot of functionality was stripped out in order to create a paid version, which stinks. So while it was effective on a few other sites, strangely it didn’t work here. I’m replacing it with NoSpamNX (recommended by Michael of Financial Ramblings) for now and it appears to be doing the trick.

A Lot of Plugins With No Effect

Unfortunately, no other plugin was effective enough to stop all spam.

I tried a handful of other plugins from known names to a few more generic sounding plugins and none of them stopped the last few that were trickling in. I won’t list them all because a lot of anti-spam plugins operate on the same principles so I don’t want to disparage their good names by saying they’re ineffective. I just didn’t want to de-activate Spam Free WordPress just to see if they would be better.

I did, however, pull in a trick that I learned from Bargaineering that nixed the remaining spam comments. These are advanced because they require you to change files, something you may not be comfortable with.

Advanced Technique: .htaccess Restrictions

When a human being leaves a comment on your site, they will have done it from one of your own pages. Very few human commenters request your comments file directly to leave a comment. 🙂 So this change to your .htaccess file tells the web server to check the Referer header whenever someone requests wp-comments-post.php. If the Referer isn’t from your site, it returns a 403 Forbidden status code.

Add this to your .htaccess file, making sure to replace domain.com with your domain:

RewriteEngine On
# Refuse wp-comments-post.php when the Referer is not one of our own pages (http or https, with or without www)
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain\.com/ [NC]
RewriteCond %{REQUEST_URI} wp-comments-post\.php$
RewriteRule .* - [F]

After you save your .htaccess file, leave a test comment from a normal browser to see that comments are still being saved properly; a visitor whose browser or privacy extension sends no Referer header at all will get the 403 too, so this check matters.
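As an added example (not code from the article or from any plugin it names), here is the same gate written out in Python so you can trace where a given request ends up under this stack: the Referer check on wp-comments-post.php from the .htaccess rule, followed by the Discussion Settings described earlier (name and e-mail required, first-time authors held, one or more links held). The domain, e-mail addresses and sample requests are all made up, the link counter is a rough stand-in for WordPress’s own, and the Referer pattern is widened to accept https and www. Referers, which a literal ^http://domain.com/ pattern would reject.

```python
import re
from dataclasses import dataclass

SITE = "domain.com"  # hypothetical; replace with your own domain

# Layer 1 pattern, widened from the article's literal ^http://domain.com/.*$ so that
# https and www. referers from your own pages are not turned away with a 403.
REFERER_OK = re.compile(r"^https?://(www\.)?" + re.escape(SITE) + r"/", re.IGNORECASE)
# Rough stand-in for WordPress's link count (it counts href attributes after auto-linking).
LINK_RE = re.compile(r"https?://", re.IGNORECASE)

@dataclass
class CommentRequest:
    path: str     # request path, e.g. /wp-comments-post.php
    referer: str  # "" when the browser sent no Referer header at all
    author: str
    email: str
    body: str

def gate(req, approved_emails, hold_links=1):
    """Return the queue a comment lands in: 'forbidden', 'rejected', 'pending' or 'approved'.
    Order follows the article's stack: .htaccess fires before WordPress runs, then the
    Discussion Settings decide Pending versus live."""
    # Layer 1: .htaccess refuses wp-comments-post.php unless the Referer is our own site.
    if req.path.endswith("wp-comments-post.php") and not REFERER_OK.match(req.referer):
        return "forbidden"
    # Layer 2: "Comment author must fill out name and e-mail".
    if not req.author.strip() or not req.email.strip():
        return "rejected"
    # Layer 3: first-time authors are held, as is any comment with hold_links or more
    # links (the article sets that threshold to 1).
    if req.email.lower() not in approved_emails or len(LINK_RE.findall(req.body)) >= hold_links:
        return "pending"
    return "approved"

# Constructed samples: a returning reader, a first-time reader and two bot-style posts.
APPROVED = {"reader@example.com"}
P = "/wp-comments-post.php"
SAMPLES = {
    "returning reader, https+www referer": CommentRequest(P, "https://www.domain.com/trip/", "Reader", "reader@example.com", "Nice trip!"),
    "returning reader, body has a link": CommentRequest(P, "http://domain.com/trip/", "Reader", "reader@example.com", "see http://pics.example/"),
    "first-time reader": CommentRequest(P, "http://domain.com/trip/", "New", "new@example.com", "Hello"),
    "bot posting directly, no Referer": CommentRequest(P, "", "Bot", "bot@example.net", "cheap pills http://spam.example/"),
    "bot with Referer from another host": CommentRequest(P, "http://other.example/?r=http://domain.com/", "Bot", "bot@example.net", "hi"),
}

def run_samples():
    """Map each sample label to the queue it ends up in."""
    return {label: gate(req, APPROVED) for label, req in SAMPLES.items()}

if __name__ == "__main__":
    for label, outcome in run_samples().items():
        print(f"{outcome:9} {label}")
```

The first layer only inspects a header the client supplies, so treat it as a way to thin out the drive-by bots rather than a replacement for Akismet, which still sits behind it in this stack.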

Advanced Technique: Rename Comments PHP File

This is another technique you can use but if you do the .htaccess trick then this is unnecessary. Since spammers are accessing wp-comments-post.php directly, you can just rename it. You will have to go through your themes and files to rename references to the filename, which can be a bit of a pain in the neck. Editing your .htaccess is far simpler and, as far as I can tell, just as effective.

If you change your comments PHP file and are using the .htaccess Restrictions trick, be sure to change the filename in .htaccess as well.

That’s it… I’m using this mix of anti-spam plugins and techniques to stop 99.99999% of the spam on the blogs I run and thus far it’s been extremely effective. Time will tell if these strategies will get defeated but for now it works and requires no additional input on the part of readers.

What do you use to combat comment spam?


Jim

In 2005, I founded a personal finance blog (Bargaineering.com) that became successful enough that I quit my career as a software developer in the defense industry. It is my goal to share everything I learned so that you can do the same - build an online business that lets you pursue your passion.

21 responses to “Spartan Shield Wall: Most Effective Package of WordPress Anti-Spam Plugins”

  1. Michael says:

    Interesting experiment. I use a combination of Akismet, NoSpamNX (basically a bot-stopper), and CloudFlare. While Akismet used to be prone to false positives, it seems to have gotten a lot better. In fact, a quick survey of the 140 spams currently in my queue revealed zero false positives. Overall, this combination does quite well.

    According to my WP dashboard, Akismet has stopped 6,832 spam comments since I activated it (Sept 2012). In that same time period, it says “NoSpamNX has stopped 37436 birdbrained Spambots (approx. 92 per Day).” So the lion’s share of the work has been done by NoSpamNX, with Akismet cleaning up the remainder.

    As I understand it, NoSpamNX does things like creating hidden fields that bots will fill out but people won’t. So when one of these fields gets populated, the comment is automatically blocked. Simple but fairly effective.

    • Jim says:

      I’ll check out NoSpamNX, there are a few plugins out there that rely on that technique to detect spam bots, it sounds like it works pretty well though.

  2. Jim –
    The feedback on Spam Free WordPress is pretty negative — http://wordpress.org/support/view/plugin-reviews/spam-free-wordpress

    Seems that the dev pulled much of the functionality out in order to have a paid product. Are you using the free or paid version?

    I’m guessing there are other effective plugins that use a honeypot technique . . . I’m just not 100% certain which they are. Bad Behavior was pretty effective for years, but it was blocking Google’s bot and other valuable ones, which is not something you want happening.

    Nice writeup, BTW.

    • Michael says:

      Yeah, I ran into trouble with Bad Behavior blocking legitimate visitors years ago when I tried it out. I’m sure it’s effective, but my experience is that it’s overly aggressive.

    • Jim says:

      Hmmm… I’m using the free one and right after I posted it, Michael told me he couldn’t leave a comment because a field was missing. 🙁 I’ll be amending my post shortly… Thanks Josh.

      • No problem. I use Akismet, the little trick you posted above in HTACCESS, Cloudflare, Cookies for Comments, and Growmap Anti Spambot Plugin . . . combined, there’s no automated crap and very little manual junk because we toss it before it ever goes live.

  3. All I use is a combination of Akismet and the free plugin Conditional CAPTCHA. It forces a commenter to enter a CAPTCHA only if they are thought to be a spammer. Therefore, a legitimate commenter never sees the CAPTCHA.

    My discussion settings are extremely loose (i.e. no holds on a new commenter, only hold if there are 2 or more links) and I have never had anything sneak through. In fact, most of the comments go straight to the trash can and never even hit the Spam folder. I cannot recommend this combination enough!

    • Jim says:

      Hmmm, that might be a good approach too. I skipped all the CAPTCHA ones (that one too) because I dislike them… but they are very effective.

      • Yeah, believe it or not, I hate them too.

        However, the thing that I love about this plugin is that true readers never even make it to the CAPTCHA. They just comment as normal and as long as they don’t include things that look like SPAM, they’re good.

        As I mentioned above, I even have a very relaxed comment moderation policy. For example, when I commented on here today, it went to your moderation queue. On my site it would have posted right away. Even with that, no SPAM has gotten through.

    • Nick says:

      Hi Adam,
      I suggest you try goodbyecaptcha. There is no captcha at all! Since I installed this plugin I have had no spam at all. For me… this is the winner and trust me, I have tried lots of antispam plugins.
      https://wordpress.org/plugins/goodbye-captcha/
      Hope this helps
      Nick

  4. Cap says:

    Since I stopped writing on StopBuyingCrap, the spam got more and more ridiculous in volume (which is strange for an inactive site but there’s probably some correlation I haven’t thought of).

    Akismet wasn’t cutting it, nor were some of the other custom methods I had set up from ages past.

    A quick search later showed that Antispam Bee for WordPress (http://antispambee.com/) seems to be a good choice, and I’ve had very minimal spam since then (the remaining ones are manual ones and you’ll always get those). It’s still being updated and reviews are decent. Check it out.

  5. John says:

    Trying out NoSpamNX as well. It has a place to input a local blacklist of words to help block spam comments. I found a great blacklist here https://gist.github.com/splorp/1385930 that contains a lot of common spam words.

  6. Fred says:

    This article came just in time. My primary blogs use blogger, and I get maybe one or two spam comments a week. However, a few months ago, I set up a blog on WordPress, and haven’t used any promotion or listed it anywhere. It was more of a test to see if it could grow organically. However, I was shocked at the number of spam comments I was receiving. (What is it about WordPress and spam comments?)
    At first, it was a dozen a day, which I thought was manageable at the time (I also receive an email whenever a comment comes in – my inbox started filling up quickly). Then two days ago I received 173 spam comments in one day. I realized I had to do something right away. So I tried something called Seriously Simple Spam Blocker. It avoids CAPTCHA by having the user just drag an object into a box. Unfortunately, it didn’t help. Yesterday, I received 213 spam comments. So I tried another app called Anti-spam (Version 1.9). It actually worked; no spam whatsoever. I’m just concerned about it blocking the good comments. If it is, I will use your suggestions. Thanks Jim for doing this research.

  7. Ellie says:

    Spam is a real problem for anyone owning a blog, especially when you allow comments. They’ll drop nonsense things in your comment section and it’s up to you to clean it up. Akismet has been working really well for me and I have never encountered any problems with it. I might take your suggestion on CloudFlare next time I start a new blog for a different niche.
