Comment Spam: Where it comes from and the best defense to protect your WordPress site.
If you have a blog and have comments turned on, no doubt you are in the battle against comment spam. It may be long text with lots of links in a foreign language with a few smiley faces thrown in or it may be just “Nice post.” I consider comment spam anything that doesn’t indicate to me that the commenter read the post and adds to the conversation.
Yes, I realize that commenting on blogs is a traffic generating strategy, but hey, at least give me a hint that you actually read the post!
There are two sources of comment spam – bots and humans.
Bot spam is generated by scripts whose sole purpose is to distribute millions of comments, because it doesn't cost the spammers any more to send a million than to send one. Typically they hit your WordPress comment file directly and don't visit the blog pages. And if just a tiny fraction of the comments stick, they are happy.
Human spam is another story. Many times it is generated by people in third-world countries being paid a pittance for cranking them out as fast as they can. Some people call them “mechanical turks” maybe as a takeoff on Amazon's outsourcing service.
These people want to spend as little time as possible on your page so they use techniques like copy and paste or even desktop applications that partially automate the process.
Then of course there are the misguided commenters who are trying to get a link back to their own site by leaving cryptic or nonsensical statements.
So what do you do about comment spam?
Blocking and tackling – to use a football analogy. You can block the perpetrators from even accessing your site or you can tackle them once they get there.
You can identify and then block IP addresses from accessing your site either in the WordPress dashboard or in your .htaccess file. You can also block scripts from accessing your comments file directly. These techniques can have unintended consequences, so test if you go this route.
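One way to do the "identify" step from your server's access log, shown as an added example that is not part of the original post: it flags IP addresses that POST to `wp-comments-post.php` (WordPress's standard comment handler) without ever loading a page, then renders them as an Apache 2.4 block. The log lines, the `blog.example` site name, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Apache "combined" log format (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2013:10:00:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2013:10:00:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.4 - - [10/Mar/2013:10:01:00 +0000] "GET /comment-spam/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2013:10:03:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://blog.example/comment-spam/" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2013:10:05:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://other.example/" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)
COMMENT_ENDPOINT = "/wp-comments-post.php"


def direct_posters(log_text, site_prefix, min_posts=2):
    """Return IPs that POST comments but never load a page on the site."""
    viewed = set()            # IPs that fetched at least one URL with GET
    blind = defaultdict(int)  # IP -> comment POSTs lacking an on-site Referer
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # skip lines that are not in combined format
        ip, path = m["ip"], m["path"].split("?", 1)[0]
        if m["method"] == "GET" and path != COMMENT_ENDPOINT:
            viewed.add(ip)
        elif m["method"] == "POST" and path == COMMENT_ENDPOINT:
            if not m["referer"].startswith(site_prefix):
                blind[ip] += 1
    # min_posts keeps a single odd request from getting a real reader blocked.
    return sorted(ip for ip, n in blind.items()
                  if n >= min_posts and ip not in viewed)


def htaccess_block(ips):
    """Render an Apache 2.4 (mod_authz_core) rule set denying the given IPs."""
    rules = "\n".join(f"    Require not ip {ip}" for ip in ips)
    return f"<RequireAll>\n    Require all granted\n{rules}\n</RequireAll>"


if __name__ == "__main__":
    print(htaccess_block(direct_posters(SAMPLE_LOG, "http://blog.example/")))
```

Review the flagged addresses before pasting the output into `.htaccess`; a visitor whose browser or proxy strips the Referer header can look like a bot in the log.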
You can use spam plugins to tackle them once they get there so that the comments are whisked away into the spam bucket for you to wade through.
The technique I currently recommend is either Akismet or SpamShield.
Submitted by Christine Cobb, a WPSecurityLock contributor
Leave Your Feedback
So how do you battle comment spam? What did you think of Andy Bailey's interview? Leave your comment below.
Hakaner says
I’m using the nospamnx plugin to block (no need to manage) both human and script-based spam with zero false positives. It’s a very clever plugin. It doesn’t require captcha or other annoying methods, cookies, javascript, etc.
Christine Cobb says
Hakaner — thanks for sharing.
Regina Smola says
Hey Christine,
Great post on the battle of comment spam! I love your statement, “I consider comment spam anything that doesn’t indicate to me that the commenter read the post and adds to the conversation.” That’s the perfect way to describe it. When moderating comments on my site, I use that same analogy.
I’m hopping over to listen to your interview with Andy Bailey now at http://mybonusblog.com/essential-wordpress-plugins-commentluv.
Christine Cobb says
Thanks Regina! I certainly don’t mind helping someone get a link back to their site, but in return I would like my readers to get even more value from the comments.
Audrius says
Free plugin Akismet does an excellent job catching more than 99% spam for my blog.
Christine Cobb says
Hey Audrius — Yes, I have Akismet on all my sites. Fortunately I got the account before they started asking for money. My problem was the time it took to wade through hundreds of comments in the spam bucket looking for ones put there by mistake. I now only have a few.
Dr. MaryJo Wagner says
Thanks Christine for the good info re blog spam. The plug in sounds great. Appreciate your help.
Christine Cobb says
Thanks MaryJo. I just got it as a last resort mainly to deal with the comment spam on my sister’s ecommerce store site. She was getting hundreds a day! Now she only gets two or three a day.
Gary Cornelisse says
Thanks Chris. I’ll have to give CommentLuv Premium a try. To be honest, I’ve given up on a few of my blogs because of comment spam. This will help me revive them!
Christine Cobb says
You should do it Gary. You’ll love all the settings in the G.A.S.P. area which is the comment spam tool.
Angie says
I’ll probably look into that premium plug in. Akismet does OK but it’s not free anymore from what I understand.
I am ruthless when it comes to spam of any kind! Good stuff, Christine.
Christine Cobb says
Angie, I know you spend a lot of time going through the spam looking for legitimate comments. This way, the actual spam won’t even be there.
Lon Naylor says
Super useful! This is always a concern and you really helped out with some good info!
Thanks,
Lon Naylor
Doug Smith says
I have several WordPress blogs and my strategy varies. On the Coast Guard Auxiliary blog I use Akismet. No blog should be without it. It gets 98 percent of the comment spam and trackback spam. All of my blogs use the CloudFlare service that blocks known spammers and allows me to block problematic IP addresses and IP address ranges that I identify using ProjectHoneypot.org. On some blogs I moderate all posts.
Using the WASSUP plugin one can also get more information about the IP address to help identify the source and potential intent of the spammer. e.g. whether it is a spammer or hacker.
If you do just one thing to prevent comment spam install Akismet.
Thanks for the emails Regina. Sure glad a company like yours is out there in the WordPress community.
Regina Smola says
Hey Doug,
Nice to see you on the blog again. I use Akismet and Wassup as well. I’m installing CommentLuv Premium and will run it along with both those plugins. Christine is helping me set it up now to block more spam and also check for phony backlinks, etc. using CLP. Looks really cool with the extra “checkers” it does. I’ll let you know how it goes.
Christine Cobb says
Hey Doug,
I was wondering whether you go through your Akismet spam to recover ones put there by mistake? I haven’t tried the CloudFlare service yet.
Christine Cobb says
Hey Lon. Thanks for coming over.
Terri Brooks says
Great information Chris! I use CommentLuv, but not the premium version. Will certainly have to take a look at it more closely. So far (knock on wood) I don’t have a lot of comment spam, but I’m drowning in email spam. Ugh!
Anyway, thanks for the helpful information and how you are doing great!!
Terri 🙂
Christine Cobb says
Hey Terri — thanks for the comment. I could use email spam control myself especially after all those Yahoo emails were hacked.
Debra Lloyd says
Well I’m already a convert as you know. I love the anti-spam features of Comment Luv Premium but what I love even more, is what it does to maximize the value of leaving legitimate, relevant comments on other blogs and how that helps me increase visibility for my own blog posts by allowing me to choose the most relevant post to feature. It lets me put my best foot forward when I comment.
As I read comments on other blogs it encourages me to read the comment writers’ other posts to learn more about and from them too. Often at the very least it causes me to follow them on Twitter. In that way Comment Luv Premium really does reward thoughtful engagement and acts like a ‘social concierge’ introducing me to the most interesting people at the party.
Christine Cobb says
Debra — I really appreciate you setting up the interview with you and Andy. It was very enlightening.
Michael Schultz says
Great post Chris! People need to know what spam comments are, as well as what spam registrations are. They are basically the same, in that the spammer will typically use an email address from some random foreign website to register, as well as leave a comment.
I’m glad for plugins that can help us manage this stuff, otherwise we would have to go through thousands of comments and users to sift out the bad stuff. Anyway, thanks for taking the time to provide us with info on spam!
Christine Cobb says
Thanks Michael — I really didn’t understand how the bots worked until I interviewed Andy. Everything makes more sense now.
Kurt Scholle says
CommentLuv is pretty worthwhile from what I hear. What do you think of Akismet? I’ve used that pretty successfully.
Christine Cobb says
Kurt — Akismet does a good job for what it is designed to do but it can throw legitimate comments into the spam bucket. And if the spam bucket has hundreds of comments, they are hard to find.
Christine says
I have a client that does not have comments even turned on… and I have that cbnet ping optimizer plug in to reduce pings when I’m adding a post for him… and have minimal things checkmarked on the Discussion settings… don’t think we have akismet activated at this time — didn’t think we needed it if we aren’t accepting comments. So, if he is not accepting comments… why do I still get a lot of notices about comments/trackbacks/pingbacks that I have to go in and mark as spam and delete? Is there a way I can just block them or am I missing a setting somewhere? At this time or in the near future, I don’t see him engaging with any kind of commenting… so we might as well block if we can. Advice appreciated!
ALSO… I was unable to comment via Chrome browser… (and none of those options were presented below)… got a message that my javascript was disabled, but it was not. Comments?
Regina Smola says
Hi Christine,
I’m in the process of installing CommentLuv Premium so it probably was a glitch in the system. I will respond to you again in a couple of hours after it’s setup and I’m done with my webinar to see if it works in Chrome again for you.
Thanks,
Regina
Christine Cobb says
Christine — To disable trackbacks on future posts only, go to Settings >> Discussion and uncheck “Allow link notifications from other blogs (pingbacks and trackbacks).”
I think there are plugins to disable them on existing posts. You might try the G.A.S.P. plugin (Growmap Anti Spambot Plugin). That is included in CommentLuv Premium but there’s also a standalone version.
Christine says
Thanks, Christine… although we’ve never had that checked… so need another solution.
Christine Cobb says
Christine – I think if I were you I would try the G.A.S.P. plugin
Christine says
Well, I looked at that, and its premise is asking for a commenter to check a box… which is fine if the site were allowing comments, but it’s not. I guess that’s why I’m surprised that we are still getting pingbacks and trackbacks.
Regina Smola says
Hey Christine,
I got CommentLuv Premium installed, when you get a chance please let me know if Google Chrome is working for you when trying to leave a comment.
Thanks.
Christine Cobb says
Seems to be working fine for me. I got my 10 posts to choose from.
Robert Nelson says
Akismet is still free, as long as only one WP site has it for usage. Granted you have to go through several hops to end up getting it for free.
Seems logical enough to me, everyone needs to make a living after all! However, this does not mean that Akismet in itself is no longer free. On the Akismet Signup Page, there are three specific plans: $5 a month, $50 a month and $100 a month. If you look right below the above three plans, you’ll find the ‘Personal Site’ option – which is basically a ‘pay what you want’ option. During a checkout process, there is a slider asking you: What is Akismet worth to you? If you set it down to $0, you will complete the checkout for free and the API key will be mailed to you. Of course, you can’t use the API key on unlimited websites.
Christine Cobb says
Robert — yes, Akismet is still free for a personal blog.
Christine says
Has anyone ever used that plug in “Bad Behavior”… I have it on a couple blogs… not perfect, but use it instead of Akismet.
Regina Smola says
Hey Christine,
I’ve used the Bad Behavior plugin on many sites. I love the integration with ProjectHoneyPot and have stopped many spam harvesters using it. However, sometimes it gets glitchy if your settings are configured too high. I’ve had a couple of site visitors complain they were on a blacklisted IP address even though they were one of the good guys. My only suggestion to them was to call their Internet provider and ask them for a different IP address or get a new provider.
And sometimes BadBehavior can cause conflicts with other plugins especially with certain commands between websites (like GET).
Christine says
What is ProjectHoneyPot? … and with BadBehavior, would I also want CommentLuv?
And/or if I added GASP to a site… would I also want CommentLuv (or any others)?
I get confused about what to use in tandem in order to keep spam at a minimum but avoid conflicts, slowing the site, etc.
Regina Smola says
Christine,
Thanks for your questions. Since it looks like you work on multiple WordPress sites, I would suggest getting a Developer License of CommentLuv Premium which has many spambot, trackback validation, and more security features (plus cool tools). If the site does not have comments enabled, you can still utilize the GASP that comes with it.
Projecthoneypot.org is the blacklisted ip database that helps catch spammers, email harvesters, etc. Since I have CommentLuv Premium now I don’t need those other plugins. Hope that helps.
Angie Newton says
Right, Robert it’s free for personal blogs. Most everyone I know with a blog has it as part of their business. That is why I mentioned it was no longer free….just assuming everyone here has a blog for business.
Christine says
It has been… yes… although it asked me to type more words, so here I am, typing more. 🙂
Regina Smola says
LOL Yes, we have it set to require a minimum number of words to reduce spam. Just one of the cool filters you can use with CLP. No more “Nice post” comments from spam authors looking for a backlink to their sites.
Christine says
I just posted a comment and question about honeypot and I think it was blocked because I included a trackback sample…
I also wanted to say that I cannot even get to the honeypot site to set up an account so I can do the settings part… wondering if they are out of biz.
Regina Smola says
Hi Christine,
Yes, I see your other comment went to my spam filter. They are currently upgrading their website (which happens at least once a year). So you will probably have to check back in a couple of days. It’s a pain, but their database is awesome.
Justin Germino says
GASP or CommentLuv Premium are very good, for those who don’t use it and use Disqus or Livefyre then I recommend Simple Trackback Validation with Topsy Blocker which also works very well at removing and blocking all Trackback spam.
Christine Cobb says
Thanks Justin for the other resources.
tonygreene113 says
So many plugins so little time. Are they all from the same publisher and do all of the upgrades keep up? I had a lot of problems with using this mix and match form of comment spam wars.
tonygreene113 says
Spammers be damned, especially since I use Impermium for my sites.
Jean-Philippe Maltais says
BcSpamBlock uses javascript to keep spambots at bay. You have to enter a code into this field to confirm you’re human. Other than BcSpamBlock, I also use Akismet. Both have done wonders for me so far.
Regina Smola says
Hi Jean-Philippe,
Thanks for listing your plugins. I’ve never used the BcSpamBlock plugin and will have to check it out. Akismet is still one of my favorites and I use it on all my sites 🙂
Wayne Melton says
I pay for Akismet. It works fine for me. I may at some point use Andy Bailey’s plugin as part of CommentLuv. Guess I am lucky that my new site doesn’t have enough traffic to get much spam. Not sure that is a good thing. Anyway even a little spam can carry with it hidden viruses. I am more worried about hackers and virus attacks than spam. Spam by itself is just annoying.
Wayne Melton