WordPress security doesn't stop with just using a strong password, keeping your site up to date, and using a good hosting provider. Your blog comments are part of WordPress security too.
Unwanted comments have the potential to make you lose readers, ruin your site's reputation, get your blog attacked by a malicious hacker, or harm your site visitors' computers (a rogue link can inject computer viruses).
Here are 3 mistakes I see blog owners make with comments:
1. Approve spam comments
It's amazing how many blogs out there have approved spam comments. I'm not sure if it's just pure laziness, comments are un-moderated, they have no clue what comment spam looks like, they like promoting Ugg Boots, or they just don't care.
If you're going to have a blog you need to pay attention to what you're feeding your readers and search engines! Check for links in comments/replies, look at the Author Name, check out the comment author's website, check the IP address, look for bogus email addresses, and READ what the comment says. I can't tell you how many times I've clicked on the author's URL and it was blocked by Google for malware or my Kaspersky stopped me from opening the page.
Two things I do to reduce WordPress comment spam are using the Akismet and SpamShield plugins and checking the comments that get through at Stop Forum Spam.
2. Approve non-relevant comments by backlink seekers
I remember when I first started blogging and got my first comment, “Nice blog. Thanks. I'm going to bookmark it.” I thought, Woohoo, someone likes my blog, and approved it. But I failed to ask: is this comment relevant, or is it from someone who's just trying to get a backlink to their own site? Sometimes these may just be trackback comments in the hopes that I allow trackbacks. (I've even seen trackback comments linked to a porn site.) And sometimes they try to make the comment “look” relevant, but upon further examination you can just tell they're not sincere.
Here are a couple of screenshots I took off a site today:
Be sure to moderate your comments for backlink seekers and don't give your readers an option to “click” on a link to a rogue or unwanted site. You never know when one of those links could contain a virus, or when a reader will vow never to visit your site again.
3. Lack of comment security settings
When was the last time you checked your “Discussion Settings” inside your WordPress dashboard? At the very least you should enable “Comment author must have a previously approved comment.” I always change the default of “2” to “1” for “Hold a comment in the queue if it contains…”
Please be sure to go through your comment settings and protect your site and your readers.
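To see what those two settings change in practice, here is an added example (not WordPress core code and not from the plugins mentioned in this post) that models them in simplified form and runs them over constructed comments. The names `count_links`, `moderation_decision`, `max_links` and `require_prior_approval` are hypothetical, and counting bare URLs as links is an assumption of this model.

```python
import re
from dataclasses import dataclass

ANCHOR_RE = re.compile(r"<a\s[^>]*>", re.IGNORECASE)   # HTML links
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)    # bare pasted URLs

@dataclass
class Comment:
    author: str
    email: str
    body: str

def count_links(body: str) -> int:
    """Count anchor tags, then bare URLs in what is left, so an href is not counted twice."""
    anchors = ANCHOR_RE.findall(body)
    remainder = ANCHOR_RE.sub(" ", body)
    return len(anchors) + len(URL_RE.findall(remainder))

def moderation_decision(comment, approved_authors, max_links=2, require_prior_approval=True):
    """Return ("hold", reasons) or ("publish", []) for one incoming comment."""
    reasons = []
    links = count_links(comment.body)
    # "Hold a comment in the queue if it contains N or more links"
    if max_links and links >= max_links:
        reasons.append(f"{links} link(s), threshold is {max_links}")
    # "Comment author must have a previously approved comment"
    known = (comment.author, comment.email.lower()) in approved_authors
    if require_prior_approval and not known:
        reasons.append("author has no previously approved comment")
    return ("hold" if reasons else "publish", reasons)

# Constructed sample data (not taken from any real site).
APPROVED = {("Dana", "dana@example.com")}
SAMPLES = [
    Comment("Dana", "dana@example.com", "Agreed, I check these settings monthly."),
    Comment("Dana", "Dana@example.com", "My write-up: https://example.com/discussion-settings"),
    Comment("Best Boots", "promo@example.net", "Nice blog. Thanks. I'm going to bookmark it."),
]

if __name__ == "__main__":
    for c in SAMPLES:
        for threshold in (2, 1):
            decision, why = moderation_decision(c, APPROVED, max_links=threshold)
            print(f"{c.author!r:14} max_links={threshold}: {decision} {why}")
```

With the threshold at 2, a known author's single link is published unreviewed; at 1 it is held. The link-free "Nice blog" comment is only caught by the previously-approved rule.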
WordPress Security Tip:
Use the WordFence plugin to scan your comments for suspicious URLs.
Leave Your Feedback
If you're approving spam comments please tell me why? Do you moderate your comment spam? How does it feel when you see comment spam on someone's site? Please leave your comment below.
David Perdew says
That’s a great post Regina (crap, I made the fatal spam commenter mistake – I personalized this comment to you, I guess I have to write a real comment.)
Actually, it’s kind of funny. When I first started accepting comments, I was just happy someone found my blog even if it was a spammer. Now, like you, if someone doesn’t say something specific about the piece and contribute in some way, I don’t approve comments.
One of the other things I won’t approve is people looking for support by submitting comments. We have a support desk for that.
And finally, I love CommentLUV – as do you. But too many “Luvvers” think finding other CommentLUV-vers is a license to spam. I welcome CommentLUV comments on my site too. But they better be relevant!
Great post.
Regina Smola says
Hey David,
Guess you and I were alike when we first started blogging. Glad we are much more selective now.
I’ve had a few people submit comments for support as well. It’s a shame so many people don’t see the “Contact Us” link in the main navigation bar, sure would get their question answered quicker 😉
I hear you on the CommentLUV-vers trying to spam as well. You got that right, comments better be relevant!
BTW, I am so excited that I’m going to see everyone this weekend in Atlanta at NAMS9.
Dr. MaryJo Wagner says
Great post, Regina. One way to spot spam right off the bat is if the comment is really vague–“I loved your post” or “Great Information.” Anything that would apply to just about any blog is usually spam.
Regina Smola says
Hey MJ,
You’re right! Vague comments or one that can “generically” apply to any blog makes me hit the “Trash” button.
Robert Nelson says
Personally think part of the spam problem is caused by the ease with which it (WordPress) installs, so am sure some people assume since they have Akismet or other WordPress spam filtering plug-in that any comment left has to be ok. Also many people don’t even know that moderation is possible for comments. I’ve read that as much as 20% of the computers online have been zombied as the owners don’t do one or more of the following, have anti-virus installed, have some kind of malware removal software installed, don’t keep up with the WordPress upgrade, and so on. Bottom line is the easy button only works on TV and computer users need to take better care of their OS (Operating System) apply upgrades, etc
Regina Smola says
Hi Robert,
I think you’re correct in many people thinking that since they have Akismet or another anti-spam plugin makes them feel it’s “okay.” Just wish they would find some common sense or compassion for their readers.
Kurt Scholle says
All good ideas and I must report that my comment spam stopped cold on several sites when I began using premium CommentLuv. It’s worth the money not to have to wade thru the crap! And it helps make it securer too!
Regina Smola says
Hey Kurt,
I found the same thing after I installed and configured the security settings in CommentLuv Pro. Save me lots of time and $ not having so many to filter.
Christine Cobb says
Since many of the spam comments come from automated systems or people paid pennies to post these comments, it can be overwhelming to deal with the spam. CommentLuv saved me hours of time wading through the junk just to be sure something legitimate didn’t accidentally get marked as spam.
Regina Smola says
Me too Christine! I’m still amazed that people ethically will accept $ to post spam. Guess it’s better than armed robbery.
I would say that my time spent moderating (since I have CommentLuv) has reduced by about 80%. I am a secure-a-phobe so I check all those that came through anyways, unless they’re from you of course 😉
Keith Davis says
I’m using the GASP anti spambot plugin, also by Andy Bailey.
Cut down my spam 100%.
Relevance has to be a good indicator of genuine comments, but I think the spam bots sometimes take a few words from the body of the post just to confuse.
I also like to see an avatar with the comment – most bloggers would have an avatar.
Regina Smola says
Hi Keith,
You’re right! Spammers get sneaky and “attempt” to make their comment relevant by grabbing some words. Many times I see the title in a comment and then they “slip” up with something from left field.
I agree! Comments without avatars grab me first, especially for my blog. 99.999% of my readers have blogs and should have avatars.
Keith Davis says
Hi Regina
Noticed the reference to WordFence plugin – how good is it?
I’m looking at security on client sites and have been considering Sucuri.
Would the paid version of WordFence be an alternative?
Regina Smola says
Hi Keith,
I like both Wordfence (paid version) and Sucuri and use both on all my sites.
Kathy Pop says
Regina, great post. I also did the same thing when I first started. At one point one of my sites got on a list in a group and suddenly started getting several hundred spammy comments a day. Eventually I gave up and disallowed comments altogether for quite a while. Even 4 months later, I was still getting 300-400 a month.
Regina Smola says
Kathy,
It’s a shame you felt compelled to disable your comments. I love having comments and get my readers views and feedback, let alone the SEO aspects of them.
Do you have your comments turned off now?
Keith Davis says
Kathy
Try the GASP plugin – it worked for me.
I disabled comments because of the amount of spam, but no problems now.
Paul B. Taubman, II says
Nice blog. Thanks. I’m going to bookmark it 🙂
Regina – I love Wordfence plugin! I wrote about it yesterday 🙂 Someone was attempting a brute force login and Wordfence blocked him/her and sent me an email!
You really nailed it when describing the feeling you get from comments that say things like, “Great work. I am telling my friends about this site.” This is especially true when you are starting up a new site. It is human nature to want to be accepted.
Also, as Keith commented, I have had great success with G.A.S.P to prevent the bots from leaving automated junk from appearing.
Any suggestions for blocking trackbacks or pingbacks (other than turning them off)? It seems that spammers are now linking to sites (so the trackbacks or pingbacks are created and therefore leaving a backlink) but then they delete the link on their site.
Regina Smola says
Hey Paul,
Glad you’re liking the Wordfence plugin. It’s amazing how many blocked “admin” login attempts I get on a daily basis.
As far as the trackback hogs, that just drives me crazy. Not sure which is worse, having pingbacks removed or having legit ones on porn sites. Give me strength! LOL As far as tracking incoming links there are a variety of tools out there (some paid and some free) that will give you a list of who’s linking to your site. I know you can see many of them in Google Webmaster Tools and a lot of people use Market Samurai.
Here’s a video with Matt Cutts that will show you how to check your backlinks http://www.youtube.com/watch?v=f9LsbrQozik.
It’s a time consuming process to track them. I have yet to find a plugin that helps with this.
Jef says
Great post. I tend to get the spam comments with random text that doesn’t make much sense so they are pretty easy to spot. I’ve also never had too much trouble weeding out the “great post mate” or “I learned so much” type of comments, lol.
Daryl Austman says
Awesome info Regina… some of that I already had found out the “hard” way by allowing bad links in through my seemingly admiring spammers.
Question though… If a person has a PR2 or PR3 blog and then allows comments on that are PR2 or higher does that draw “juice” away from one’s site or does it bolster the PR value up? I sometimes allow some commenters to leave their non-pertinent but not completely off topic comments just because their comment name links to a decent PR level site with the hopes that it will add to my own Google juice.
Any thoughts on that?
Regina Smola says
Hi Daryl,
Thanks for your comment. That’s a great question. I am going to request my friend and SEO expert to chime in, Kurt Scholle. Stay tuned for a reply from him.
Kurt Scholle says
Hi Daryl,
I’m not certain that I understand your question, but the more links you get to your blog, from almost any source, the better. Best to get higher PR sites, of course. But all legitimate links will help search engines figure out the value of your content and what it’s all about.
Pro Tip: Work to build links to sites and posts that are linking to you!
Hope that helps!
Kurt
Kurt Scholle says
Let me clarify. I DO NOT advocate getting links from spammy sources. That WILL hurt you.
And if you’re looking to build links, I would aim for quality sites.
Kurt
Daryl Austman says
Thanks Kurt (and Regina)!
That all makes sense… spammy comment links do NOT equal good even if they are higher PR type links. I am talking about links in their profile though (their website they put down… Name/Email/Website) and not in the actual comment itself. I never allow links to outside sources within their actual comment as I have seen them put a link in and then have that link get redirected to some nefarious or malicious site in the past.
Your info is much appreciated… both!
Kurt Scholle says
There are actually tools out there to help find spammy links so that they can be removed. Penguin is the algorithm update that looks at links.
JH says
Hi Regina,
first of all, thanks for your post. I found it the other day while digging into the dangers of allowing (spam) comments.
I dó allow spam on my website; the other day I added a feedback button to my website, which leads to a page where people can leave comments.
The way I set everything up, comments are shown without user’s email addresses or -url’s; also all code (including links) is stripped from replies; furthermore all comments with more than one link are put into moderation right away.
It was a bit of a joke- I figured the spam was rather innocent this way, and the main thing: without any harmful or annoying links, only the hollow flattering (‘you’re such a great informative blogger’ etc) is left- which I found funny. Of course legit comments are welcome as well but my site (a portfolio site rather than a blog) isn’t that well visited.
The first two days I got plenty spam and it started looking really, well, flattering 🙂
I’ve seen abandoned blogs with no moderation, with well over 10000 comments under one article, all spam of course, and I was hoping for that effect, but unfortunately the well ran dry… Somehow the spambots (or the spammers) must’ve noticed something fishy.
So my question would be an odd one- how to attract spammers back to my site … :/
Regina Smola says
I have to say I have never been asked how to bring spammers back to a blog. My feeling is spam is no good and I cannot help you by encouraging it.
Ejiro Idolor says
I made this same mistake on my blog when I was just starting out…. Luckily I quickly found out and activated a comment plugin… Also using Wordfence and Better WP Security on my blogs.. Better to be safe than sorry
myles says
Yes, as Google tightens their algos, the link seekers seem to go crazy. But Akismet plugin works very well for me. It almost gets every spam comment for me. And that is really awesome. I get around 9-10 spam comments everyday. Apart from the fact, that I don’t have much of traffic.
Eddie Gear says
Regina, spam comments not only have an impact on security but also they can affect your search rankings to quite an extent. This is because you are linking to a spammy website and when Google knows you’re doing that, your page rank and search rankings will drop. Thanks for the nice article.
Harshh Vardhan says
That’s a great post Regina. I personally like WordFence plugin for WordPress security. It’s easy to understand and does the job perfectly too. 🙂
I have always used Akismet plugin for taking care of SPAM comments, is GASP better than Akismet?
Robert says
Great tips Regina 🙂 I didn’t know about WordFence before. I usually checked everything manually and as you may know, sometimes I got a virus from these websites. I think I owe you a huge thank you for telling me about this plugin 🙂
Zion says
I currently use Akismet now and everything that it labels spam I automatically delete. It’s been pretty awesome that I don’t have to deal with spam so far thanks to Akismet. I had heard of Wordfence before but I just thought that there won’t be any use for it. But reading one of your comments regarding how someone blatantly tried to log in to your site, NOW, that is freaking scary. I’m definitely installing it now!
Tamanna says
I am using Better WP Security Plugin in my wordpress blog. But when I use the “Hide Back End” feature of the plugin, new user registration stops working. Is there any solution for that?
Any help is appreciated.
Regina Smola says
Sounds like you need to change your Register Slug in the Hide Backend section. You need to use the exact Register URL: on that page to open it.
inderjit says
Thanks admin for these tips. I am a newbie and do all these things, i.e. approving spam comments, non-relevant comments. Just thinking that traffic is coming on my blog. But from now onward I will never accept spam, non-relevant comments as you teach in this post. And also will add comment security today. Thanks for tips once again.
Herman says
Curious if the Akismet plugin is effective since I have it installed on multiple clients’ sites. It seems to stop a ton of spam even though I still have to check the ones that get through to see if they are relevant.
Regina Smola says
Hi Herman,
I think that Akismet does a very good job in catching most spam, but some still seem to get put in pending. I personally prefer to use CommentLuv Premium.
Sherri Frost says
I’ve been trying to figure out how to minimize spam comments on my blog. (Sometimes I think spammers are the only ones paying attention!) I have been considering CommentLuv for a while but I am wondering if it ends up being a distraction having all of the links to the commenters’ latest posts. What do you think?
Regina Smola says
Hi Sherri,
I have CommentLuv Premium and it includes spam protection built-in. Christine Cobb and I have done a complete setup video on it as well on how to reduce your spam. I don’t find it a distraction with the commenters’ latest posts, in fact I find it easier to decide if I want to approve it or not. Hope that helps.
Here’s more info on the CommentLuv video.
Dr. MaryJo Wagner says
Glad I got this reminder. I keep forgetting to remove spam comments, especially on sites that I don’t monitor very often.
Rudd says
Heh. I did the same thing too, I usually change 1 to 2 in the discussions settings page. By doing this, any link even just a single link should be moderated first.
igor Griffiths says
Well hello Regina, great advice on moderating comments.
In the early days of my blog, I made the comment moderation mistake and approved comments without fully checking them and their creators.
Google will group you with the people you are linked to. Whilst doing a Keyword search of my site at that time using Google’s keyword tools, my site had become apparently adult orientated with many rather rude keywords! Thankfully that was a long time ago and the blog is now seen by Google for what it really is.
Dita says
Hi Regina,
I have been using CommentLuv on all my sites. As well, I still have Akismet. Hardly any spam gets through. But I still read every comment and respond to it. If anything looks suspicious I check the link to the site and if it is a spammy site, out it goes to the trash.
It is quite easy to recognize the spammers. Their language is different and it sounds spun. I still moderate all comments even from the people that visited my site before. I do it simply not to miss anyone who comments as I want to reply to them. But unfortunately, as I get more comments it is getting more tedious. I’ll have to figure out something to correct this.
Thanks for sharing your article,
Dita