Fighting Spam Comments on WordPress

By | November 3, 2004

After many months of getting no more than a handful of spam comments per day on this blog, last week I started getting 50-100 spam comments a day. While almost all of them were caught by WordPress and put into the comment moderation queue, I was wasting a lot of time each day deleting them from the queue and deleting the emails that notified me of each comment.

After doing a little research, I came up with three tactics for fighting back. As with security, a layered approach works best. No single tactic is going to stop all black hat hackers or spammers. The goal is to create enough of a deterrent that they decide to go somewhere else.

With black hat hackers, deterrents don’t always work, since they tend to have lots of free time on their hands and they enjoy a good challenge. Fortunately, spammers just want to make money. They are seeking the cheapest way to generate lots of inbound links to boost the Google PageRank of their websites. In addition to using automated programs to post their annoying comments, the spammers often employ legions of people in India, China, etc. to post comments (I’m assuming this based on the reverse lookups on IP addresses). Assuming that the spammer’s orcs are getting paid based on comments posted, they also want to post the comments as quickly as possible.

While I would be glad to post the three changes I made, I fear that one of the spammers’ orcs might actually read this. So, email me if you want to know what changes worked for me.

So far, I’ve gone from nearly 100 spam comments a day to exactly 0 spam comments after making the changes about 48 hours ago. Also, if they figure out one of the changes, I can trivially alter that tweak to shut them down again. It will be faster for me to make the change than for them to update their system. With that equation, I believe I will come out the winner in the end.

I updated my WordPress install notes to suggest some of the changes.

2 thoughts on “Fighting Spam Comments on WordPress”

  1. Robert Post author

    What initially worked was changing the name of the script that posts the comments (and then updating all references to it), adding a preview step, and using .htaccess to require that the referer URL be from within my domain.

    However, I recently started getting spam comments. So, now that I have upgraded to WP 1.5, I installed an alpha version of Spam Karma 2. It has worked pretty well. However, it has incorrectly classified 3 comments (including yours) as spam and let about 5 spam comments or trackbacks through. It does catch about 35 spam comments or trackbacks a day, though.
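
The first and third measures described in the comment above can be expressed as an .htaccess fragment. This is an added example, not the author's actual configuration: it assumes Apache with mod_rewrite and a blog at the site root, `example.com` stands in for the site's domain, and `post-comment-x7.php` is a made-up name for the renamed script.

```apache
# Added example: example.com and post-comment-x7.php are placeholders.
<IfModule mod_rewrite.c>
RewriteEngine On

# Automated posters request the stock handler name directly, so once the
# script has been renamed, refuse every request for the old name.
RewriteRule ^wp-comments-post\.php$ - [F]

# Accept POSTs to the renamed handler only when the Referer is a page on
# this site. A missing Referer also fails the pattern and gets a 403.
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule ^post-comment-x7\.php$ - [F]
</IfModule>
```

The Referer header is supplied by the client, so this check only filters scripts that do not bother to set it, and it also rejects legitimate visitors whose browser or proxy strips the header. That is consistent with the comment's later report that spam eventually got through and a content-based filter was added.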

