your site vs. the world

Post on 16-Apr-2017


TRANSCRIPT

YOUR SITE VS. THE WORLD

HEY THERE. I'M JASON COSPER.

I'M THE SENIOR TECHNOLOGY ADVISOR AT WP ENGINE.

THAT MEANS I GET TO PLAY WITH WORDPRESS

FOR A LIVING.

I ALSO SPEND a lot OF TIME ANALYZING & NEUTRALIZING

SECURITY THREATS.

IF YOU ASK MY WIFE, PROBABLY TOO MUCH TIME.

BUT IT'S REALLY FUN. TO ME, AT LEAST.

ANYWAY.

LET'S TALK ABOUT SPAM.

IT'S THE WORST, RIGHT?

Comment spam is a fact of life if you have a blog.

THAT IS A QUOTE LIFTED DIRECTLY

FROM THE CODEX.

ONE OF THE BIGGEST REFERENCE LIBRARIES OF

ALL THINGS WORDPRESS.

YOU'D BE SURPRISED HOW FEW PEOPLE HAVE TAKEN THE TIME TO SET UP ANTI-SPAM COUNTERMEASURES.

AS WORDPRESS CONTINUES TO TAKE ON THE ROLE OF CMS,

FEWER PEOPLE USE IT TO BLOG.

BUT THAT DOESN'T REMOVE THE BLOG FUNCTIONALITY.

IT'S STILL THERE. AND SPAMMERS ARE ITCHING TO HIT IT.

THERE'S VERY LITTLE BUILT INTO WORDPRESS TO BATTLE SPAM.

THAT'S NOT A BAD THING. THE LESS CRUFT IN CORE, THE BETTER.

FORTUNATELY, YOU CAN GAIN A LOT OF GROUND WITH A FEW SIMPLE CONFIG TWEAKS.

BUT FIRST, LET ME ASK YOU A QUESTION.

ARE COMMENTS EVEN WORTH IT?

OF COURSE! IF YOU HAVE A TRADITIONAL BLOG OR COMMUNITY SITE, THAT IS.

HOW CAN YOU BATTLE SPAM WITH A STOCK INSTALL?

DISCUSSION SETTINGS!

FIRST: Pingbacks & Trackbacks

TRACKBACKS WERE CREATED almost 12 years ago TO PROMOTE CONVERSATIONS BETWEEN WEBSITES.

IT WAS A NICE WAY TO SAY "Your post inspired me to write one of my own.

Here's the URL."

BUT THERE WAS NO VERIFICATION.

YOU KNOW WHO LOVES THINGS THAT DON'T REQUIRE

VERIFICATION?

SPAMMERS.

PINGBACKS ADDED A VERIFICATION PROCESS TO COMBAT THIS. BUT THAT DOESN'T MEAN THAT PINGBACKS CAN'T BE SPOOFED.

IF I HAD A NICKEL FOR EVERY SPOOFED PINGBACK I'VE RECEIVED

I COULD AFFORD A BETTER IDIOM.

THIS MIGHT BE A CONTROVERSIAL OPINION BUT...

Pingbacks & Trackbacks are bullshit.

THAT'S WHY I DISABLE THEM.

1. UNCHECK "ALLOW LINK NOTIFICATIONS FROM OTHER BLOGS".

2. DROP THIS CODE INTO YOUR MYSQL CLIENT OF CHOICE.

-- Close pings on every published post, then on every published page.
UPDATE wp_posts SET ping_status='closed' WHERE post_status = 'publish' AND post_type = 'post';
UPDATE wp_posts SET ping_status='closed' WHERE post_status = 'publish' AND post_type = 'page';

SECOND: Other comment settings

THE WORDPRESS DEFAULT IS TO CLOSE COMMENTS ON POSTS AFTER 14 DAYS.

BUT THAT CAN BE LIMITING.

MAYBE THAT'S WHY THAT SETTING NEEDS TO BE ENABLED MANUALLY.

I FIND 30 DAYS TO BE A HAPPY MEDIUM.

YOU DON'T have to ENABLE THIS IF YOU HAVE OLDER

POSTS WITH ACTIVE CONVERSATIONS.

BUT IT HELPS.

THIRD: Comment Blacklist

THIS IS the MOST OVERLOOKED SPAM FIGHTING

TOOL IN WORDPRESS.

PROBABLY BECAUSE CREATING & MANAGING A BLACKLIST CAN BE TIME CONSUMING.

WHAT IF I TOLD YOU THERE WAS A SHORTCUT?

THAT'S WHERE THE WORDPRESS COMMENT BLACKLIST COMES IN. HTTP://COSPER.ME/COMMENT-BLACKLIST

119KB OF BEAUTY. AND IT KEEPS GETTING BIGGER & BETTER.

IT BLOCKS...

1. Spam keywords
2. Spam URLs
3. URL shorteners
4. Non-English comments

ALL YOU HAVE TO DO IS COPY & PASTE IT.

IF WORDPRESS FINDS A MATCH, THE COMMENT GOES TO SPAM.

THESE KEYWORDS ARE PROCESSED before AKISMET. THAT MEANS FEWER EXTERNAL API CALLS.

AND YOU CAN CUSTOMIZE IT TO YOUR HEART'S CONTENT!

NEED TO ALLOW A URL SHORTENER? REMOVE IT FROM THE BLACKLIST!

CONVERSE IN THAI? GET RID OF THOSE CHARACTERS!

I'VE SEEN FOLKS HAVE A SIGNIFICANT DROP-OFF IN

SPAM USING JUST THIS BLACKLIST.
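To see what "if WordPress finds a match" means in practice, here is an added PHP example (not code from the talk, and not WordPress core itself) that mirrors the matching rule core applies to the Comment Blacklist setting: every non-empty line is trimmed, escaped as a literal and searched case-insensitively as a substring of the comment author, email, URL, content, IP address and user agent. The blacklist entries and comments below are constructed; the "press" entry is there to show why short generic words cause false positives.

```php
<?php
// Added example: dry-run a comment blacklist the way WordPress core
// evaluates it, before pasting the list into Settings > Discussion.

/** Return the first blacklist entry that matches any field, or null if none does. */
function blacklist_hit(array $fields, string $blacklist): ?string
{
    foreach (explode("\n", $blacklist) as $word) {
        $word = trim($word);
        if ($word === '') {
            continue; // core skips empty lines
        }
        // Entries are literals, not regexes: escape, then match case-insensitively.
        $pattern = '#' . preg_quote($word, '#') . '#i';
        foreach ($fields as $value) {
            if (preg_match($pattern, (string) $value) === 1) {
                return $word;
            }
        }
    }
    return null;
}

// Constructed sample list: a spam phrase, a URL shortener, a spam host,
// and a deliberately bad entry ("press") that shows the substring pitfall.
$blacklist = "casino bonus\nbit.ly\nspamdomain.example\npress\n";

// Constructed comments, fields in the order core checks them:
// author, email, url, content, IP address, user agent.
$comments = [
    'shortener' => ['Bob', 'bob@example.com', 'http://bit.ly/x1', 'Nice post', '203.0.113.5', 'Mozilla/5.0'],
    'keyword'   => ['Ann', 'ann@example.com', '', 'Claim your CASINO BONUS now', '203.0.113.6', 'Mozilla/5.0'],
    'innocent'  => ['Cat', 'cat@example.com', '', 'I love WordPress!', '203.0.113.7', 'Mozilla/5.0'],
    'clean'     => ['Dan', 'dan@example.com', '', 'Thanks for the tip', '203.0.113.8', 'Mozilla/5.0'],
];

foreach ($comments as $label => $fields) {
    $hit = blacklist_hit($fields, $blacklist);
    printf("%-9s -> %s\n", $label, $hit === null ? 'passes' : "spam (matched '$hit')");
}
// "innocent" is sent to spam because "press" matches inside "WordPress":
// there are no word boundaries, so keep list entries specific.
```

Run it with `php` on the command line; a matched comment lands in the Spam queue, not the trash, so a false positive like the "press" case can still be rescued, but each one costs a reader a published comment.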

BUT YOU SHOULD STILL USE AKISMET.

WHY AKISMET? DOESN'T IT, YOU KNOW, COST MONEY?

IF YOU'VE EVER DEALT WITH A SPAM RUN, YOU KNOW HOW crazy town banana pants

IT CAN BE.

IS YOUR SANITY WORTH $5 A MONTH?

MINE'S WORTH A LOT MORE THAN THAT. YOURS SHOULD BE TOO.

AKISMET'S TRUE POWER LIES IN THE NUMBER OF SITES IT'S ACTIVE ON.

THE MORE PEOPLE RUNNING AKISMET, THE MORE SPAM IT SEES.

THE MORE SPAM AKISMET SEES, THE BETTER IT GETS.

AKISMET 3.0 MADE SETUP stupid EASY.

JUST ACTIVATE THE PLUGIN. IT'S INSTALLED BY DEFAULT WITH WORDPRESS.

THEN, GET AN API KEY FOR YOUR SITE.

ONCE AKISMET HAS AN API KEY...

SET IT UP TO DISCARD THE VERY WORST SPAM.

AKISMET HANDLES SPAM SUBMITTED THROUGH...

1. Comment forms
2. Contact forms
3. BuddyPress
4. bbPress

THAT'S COOL AND ALL, BUT WHAT ABOUT SPAM USER REGISTRATIONS?

IF YOU RUN AN OPEN MULTISITE, BUDDYPRESS OR BBPRESS SITE, SPAM USER REGISTRATIONS ARE PROBABLY THE BANE OF YOUR EXISTENCE.

THERE ARE A COUPLE great PLUGINS THAT FILTER SPAM USER REGISTRATIONS...

▸ WangGuard
▸ Anti-Splog

BUT THERE'S ONE THAT I LIKE MORE.

AVH FIRST DEFENSE AGAINST SPAM! THAT NAME IS KIND OF A MOUTHFUL, I KNOW.

AVH DEPENDS ON WIDELY USED, TOTALLY FREE ANTI-SPAM BLACKLISTS.

▸ Stop Forum Spam
▸ Project Honey Pot
▸ Spamhaus

THESE BLACKLISTS ARE NORMALLY LEVERAGED BY FORUM & EMAIL

ADMINISTRATORS.

MOST SPAM COMES FROM THE SAME PLACE.

NO OFFENSE, CHINA.

AVH ALSO HAS THE ADDED BENEFIT OF TOTALLY BLOCKING TRAFFIC FROM

BLACKLISTED IP ADDRESSES. GTFO, SPAMMERS.

HEADS UP! HOSTS THAT CACHE heavily DON'T PLAY NICELY WITH AVH. A NUMBER OF MANAGED HOSTS LEVERAGE SOME OF THESE BLACKLISTS AT THE SERVER LEVEL.

TO GET THIS WORKING, YOU HAVE TO REGISTER FOR API KEYS FOR TWO OF THE THREE SERVICES.

REGISTER FOR STOP FORUM SPAM AT HTTP://COSPER.ME/SFS-SIGNUP

REGISTER FOR PROJECT HONEY POT AT HTTP://COSPER.ME/PHP-SIGNUP

ALL OF THE DEFAULT THRESHOLDS IN AVH ARE FINE. JUST MAKE SURE TO ENABLE ALL 3 SERVICES IN 3RD PARTY OPTIONS.

DON'T FORGET TO ENABLE THE COMMENT NONCE!

YOU CAN FIND THIS IN AVH'S GENERAL OPTIONS.

WHY REQUIRE A NONCE?

A NONCE IS LIKE A KEY. IF YOU DON'T HAVE ONE, YOU CAN'T GET IN.

OR, IN THIS STRAINED METAPHOR, SUBMIT A COMMENT.

THIS MEANS BOTS HITTING WP-COMMENTS-POST.PHP DIRECTLY

WILL GET FLAGGED AS SPAM.

HONESTLY, NOBODY REALLY needs TO HIT WP-COMMENTS-POST.PHP DIRECTLY.
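What a comment nonce does under the hood, as an added PHP example (not AVH's code, and not from the talk): a minimal must-use plugin that puts a nonce field in the comment form and files any submission that arrives without a valid one, which is exactly what a bot posting straight to wp-comments-post.php does, as spam. The hooks and nonce functions are WordPress core's; the action and field names are invented for this example.

```php
<?php
/**
 * Plugin Name: Example Comment Nonce
 * Added example (not AVH's code). Drop into wp-content/mu-plugins/.
 * Uses core's wp_nonce_field(), wp_verify_nonce() and the comment_form /
 * pre_comment_approved hooks; the two names below are invented here.
 */

const EXAMPLE_NONCE_ACTION = 'example_submit_comment';
const EXAMPLE_NONCE_FIELD  = 'example_comment_nonce';

// Render a hidden, signed, time-limited token inside the comment form, so
// only a client that actually loaded the form holds a usable value.
add_action('comment_form', function () {
    // Third argument false: skip the extra referer field, we only need the nonce.
    wp_nonce_field(EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD, false);
});

// Decide the comment's status before it is saved. A request that skipped
// the form (no token, or a forged/expired one) is filed as spam instead of
// being rejected outright, so a rare legitimate miss can be rescued from the
// Spam queue and still teaches Akismet nothing wrong.
add_filter('pre_comment_approved', function ($approved, array $commentdata) {
    // Pingbacks and trackbacks never carry the form field; the talk disables
    // them anyway, so leave their status to the other filters.
    $type = $commentdata['comment_type'] ?? '';
    if (in_array($type, ['pingback', 'trackback'], true)) {
        return $approved;
    }

    $token = isset($_POST[EXAMPLE_NONCE_FIELD]) ? (string) $_POST[EXAMPLE_NONCE_FIELD] : '';
    // wp_verify_nonce() returns 1 or 2 for a valid token and false otherwise.
    if (wp_verify_nonce($token, EXAMPLE_NONCE_ACTION) === false) {
        return 'spam';
    }
    return $approved;
}, 10, 2);
```

Core nonces expire after roughly a day, so a comment form served from a page cache older than that fails the check; that is the same caching conflict the talk flags for AVH, and why the nonce option belongs on sites whose cache lifetime is shorter than the nonce lifetime.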

OKAY. ENOUGH ABOUT SPAM. WHAT IF AVH DOESN'T WORK ON YOUR HOST?

LOOK INTO A HOSTED WAF!

(WEB APPLICATION FIREWALL)

JUST LIKE MANAGED HOSTS FOCUS ON JUST WORDPRESS, HOSTED WAF PRODUCTS CONCENTRATE ON MITIGATING RISKS AND DOS PROTECTION.

THE MOST FAMOUS HOSTED WAF SOLUTION IS CLOUDFLARE. BUT BOTH SUCURI CLOUDPROXY AND INCAPSULA ARE JUST AS GOOD.

AND A BIT MORE FOCUSED ON SECURITY RATHER THAN SPEED.

SPOILER ALERT! ALL OF THESE COMPANIES CHARGE FOR WAF SERVICE.

THEY'RE totally WORTH IT THOUGH. SO FIND THE ONE THAT'S RIGHT FOR YOU AND PAY FOR IT!

YOU'LL SEE LESS SPAM, FEWER FAKE REGISTRATIONS, FEWER LOGIN ATTEMPTS.

SPEAKING OF LOGIN ATTEMPTS...

YOU SHOULD DEFINITELY INSTALL LIMIT LOGIN ATTEMPTS

HTTP://COSPER.ME/LLA-PLUGIN

A LOT OF HOSTS ARE ADDING IT TO THEIR INSTALLS BY DEFAULT.

WP ENGINE DOES!

THE DEFAULT SETTINGS ARE okay

BUT I PREFER TO salt the earth INSTEAD.

OKAY. I THINK THAT'S MY TIME.

QUESTIONS?
