Extreme Spam Control
Taking Spam Control to an Extreme Level
We took spam control to a ridiculous level. As an exercise in discovering just how effectively spam can be blocked with WordPress, it has been an interesting experiment. We looked at the 4 main types of spam a blog is likely to see: comment spam, trackback spam, spam registrations and, finally, e-mail spam from contact forms.
The site chosen was our WordPress information site. A few months back a plugin support forum was added to the site, and public registrations were allowed. Almost immediately there was a spate of spam registrations: “visitors” registering an account. Most were bots. How do we know? The only link to the registration form is from forum pages, yet only a few registration attempts came from one of those referrer pages; the others all arrived at the form directly, without visiting the site at all.
Anti Spam Measures Already in Use
We already had several anti-spam measures in place on the site: Project Honeypot HTTPBL, Akismet, a CAPTCHA on comment forms (and, after opening registration to the public, on the sign-up form), and a keyword blocking plugin that blocks a list of common spam words used in spam comments and e-mails.
Additional steps, more security related than anti-spam, were also in place to deny access from known bad IP addresses (via .htaccess) and known bad host names, and to block anyone or anything trying to log in to WordPress with the username admin.
Even with these restrictions working, around 50 spam registrations were seen a day.
WordPress Plugins Used for This
Here’s a list of the WordPress plugins installed at this stage.
- AP HoneyPot
- SI CAPTCHA Anti-Spam
- Wordfence Security
The Next Anti-Spam Tools Installed
To further reduce the number of successful spam registrations, another plugin, Stop Spammer Registrations Plugin, was installed. After setting up the plugin options, spam registrations dropped immediately from the roughly 50 a day mentioned above to about 8 a day on average.
At this point it seemed we had stopped most of the spam bots, but we were still getting manual spammer sign-ups, and a few more advanced bots were getting through the traps.
The next step was removing the Website URL field from the user profile form. After the web URL field was removed, we saw that spammers were still signing up but not bothering to go any further. It seems that if there is no web URL field, spammers often aren’t interested in signing up. Again, there are several plugins to customise user profiles and dashboards. The ones we used were Adminimize and DashPress.
Why 2 plugins? Adminimize let us make nearly all the changes required, but not all. Adding DashPress let us change the dashboard for each user level to what we wanted. All dashboard menu links for Subscriber user accounts, except the ones for their profile and subscriptions, are removed, and the other user levels (our signed-up customers, editors and support) have only the links we want them to see.
Better, but not good enough. Ideally the only user accounts wanted were from “real people” with a legitimate reason to join the site, that is, for technical support. So we looked further into controlling the spammers.
We Decided to See How Far We Could Go to Stop Spam Registrations
Now we decided to go all out, and see just how far we could go to totally eliminate spam registrations.
One thing we noticed was the number of direct requests for /wp-login.php?action=register. Everyone knows this is the standard WordPress user account registration request. But what if it wasn’t?
There are several ways to change the link: one can write some simple .htaccess rules, or use a plugin. Keeping with the concept of the site (easy-to-use information for WordPress), we used a plugin, Custom Registration Link. The plugin lets you change the action= value to something other than “register” and returns a “registration disabled” message when anyone tries to access ?action=register.
After making this change, the number of successful spam registrations has dropped to zero…
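For readers who would rather do this without a plugin, here is an added example of the same idea as a small must-use plugin (wp-content/mu-plugins/). It is not the code of the Custom Registration Link plugin or of this site; the custom action name join-forum is a constructed placeholder. It relies on the fact that wp-login.php reads $_REQUEST['action'] only after wp-load.php has run all plugins, so an init hook can rewrite the request before WordPress looks at it, and on the real site_url filter, which WordPress applies to both the registration link and the registration form’s own POST target.

```php
<?php
/**
 * Plugin Name: Registration Action Alias (added example, not the site's own code)
 * Description: Serve the sign-up form only under a non-standard action name and
 *              answer the standard ?action=register with "registration disabled".
 */

// Hypothetical custom action name; change it to anything that is not a
// default wp-login.php action (login, register, lostpassword, rp, ...).
const RAA_CUSTOM_ACTION = 'join-forum';

add_action( 'init', function () {
    // Only act on the login/registration script itself.
    if ( ! isset( $GLOBALS['pagenow'] ) || 'wp-login.php' !== $GLOBALS['pagenow'] ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : '';

    if ( RAA_CUSTOM_ACTION === $action ) {
        // wp-login.php has not read $_REQUEST['action'] yet (plugins load first),
        // so mapping the alias back to "register" lets the normal form run.
        $_REQUEST['action'] = 'register';
        return;
    }

    if ( 'register' === $action ) {
        // Direct hits on the well-known URL (what the bots request) get the
        // same kind of "registration disabled" answer the post describes.
        wp_die(
            'User registration is disabled.',
            'Registration disabled',
            array( 'response' => 403 )
        );
    }
} );

// WordPress builds both the "Register" link (wp_registration_url) and the
// registration form's action attribute via site_url('wp-login.php?action=register').
// Rewriting that path here makes every legitimate link use the alias.
add_filter( 'site_url', function ( $url, $path ) {
    if ( 'wp-login.php?action=register' === $path ) {
        $url = str_replace( 'action=register', 'action=' . RAA_CUSTOM_ACTION, $url );
    }
    return $url;
}, 10, 2 );
```

A quick check after enabling it: requesting /wp-login.php?action=register should return the 403 “registration disabled” page, while the “Register” link on the login form should now point at ?action=join-forum and still submit successfully. Note that this only hides the well-known URL; the CAPTCHA and blocklist plugins mentioned above still do the work of stopping a bot that discovers the alias.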
More Comment and Trackback Spam Control
Even with Project Honeypot, Akismet and the Stop Forum Spammers database lookup in use, we were still getting “comments” from spam bots. Spam bots exploit the WordPress XML-RPC interface to post spam comments. Even though trackbacks are off, that doesn’t stop the bots from leaving comment spam and attempting trackbacks.
But remove the XML-RPC function and the bots can’t do their dirty deed. One could simply delete the file xmlrpc.php, but it is reinstalled by every WordPress update. Removing xmlrpc.php can also break plugins; Jetpack, for example, needs this file to work properly.
Instead, one can use a plugin, e.g. “Prevent XMLRPC”, to remove the function (although it may still interfere with some Jetpack functions and other plugins). So this is what we did. No more trash from the bots that exploit this function to spam your blog.
Importantly, the meta link is also removed from the site’s front-end source code. So when bots crawl the site looking for the link to xmlrpc.php, they don’t find it and go away.
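The following added example shows how the same effect can be achieved with a few standard WordPress hooks instead of a plugin. It is not the code of “Prevent XMLRPC” or of this site. One caveat a practitioner should know: the xmlrpc_enabled filter only switches off XML-RPC methods that require authentication, so pingback.ping (the method used for trackback/pingback spam) must be removed separately, and the RSD <link> in <head> and the X-Pingback header are what advertise xmlrpc.php to crawlers.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example, not the site's own code)
 * Description: Turn off XML-RPC comment/pingback methods and stop advertising
 *              xmlrpc.php, without deleting the file (so updates cannot restore it
 *              and plugins that only need the file present keep working).
 */

// 1. Disable every XML-RPC method that requires authentication
//    (wp.newComment and friends). This does NOT cover pingback.ping.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Remove the unauthenticated pingback methods explicitly, so bots cannot
//    use them to leave trackbacks/pingbacks even with trackbacks turned off.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// 3. Drop the X-Pingback response header, which points clients at xmlrpc.php.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 4. Remove the RSD (Really Simple Discovery) <link> from the front-end <head>;
//    this is the "meta link" crawlers follow to find xmlrpc.php.
//    default-filters.php registers it before plugins load, so removing it here works.
remove_action( 'wp_head', 'rsd_link' );
```

To confirm it is working, view the page source of the front end and check that no link rel="EditURI" pointing at xmlrpc.php remains, and check the response headers for the absence of X-Pingback. Plugins such as Jetpack that rely on authenticated XML-RPC calls will be affected by step 1 in the same way the post notes for the plugin approach.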
10 Plugins Stop Spammers
10 plugins to stop spammers! Sounds extreme, doesn’t it? We agree, but the result is NO SPAM. No comment spam, no trackback spam, and above all, no spam registrations!