
Vlad Lasky: Beating SPAM on your Blog or Website

Most spam today is machine-generated by automated programs or “spambots” that trawl the net, but human spammers still play a part.

Vlad’s slides show how to reduce the incidence of spam on a WordPress site without impeding the ability of clients, customers and website visitors to communicate, comment and contribute.

WP Australia

April 28, 2013


Transcript

1. Beating Spam On Your WordPress Site
   Vladimir Lasky, http://wpexpert.com.au/, WordCamp Melbourne 2013

2. What is Spam?
   - Unsolicited and often untargeted electronic communication
   - A persistent phenomenon, due to the extremely low marginal cost of sending it over the Internet
   - Even a minuscule response rate from targets makes it profitable

3. What Do Spammers Want?
   - To get recipients of spam emails to purchase products and services. Common examples:
     - “Get Rich Quick” schemes
     - Products to enhance reproductive organs or the reproductive process
     - Weight loss
   - To take advantage of the ranking/popularity of your site to promote theirs
     - If your site gets many visitors and/or ranks highly in search engines, they will receive a portion of your traffic

4. Why is Spam Evil?
   - A parasitic phenomenon
   - Wastes owners’ time in dealing with emails and moderating comments
   - Makes comments and discussion boards less useful to website visitors
   - Search engines lower the rank of websites that link to spam blogs and low-quality sites
   - Increases load on web servers and eats through data transfer and storage quotas

5. Types of Spam
   - Types of spam that WordPress site owners often encounter include:
     - WordPress comment spam
     - Trackback spam
     - Contact form spam
     - Email spam

6. 100% Surefire Plan To Prevent Website Spam
   1. Don’t publish your email address
   2. Don’t have a contact form on your website
   3. Don’t let visitors comment on posts
   4. Disable trackbacks/pingbacks

7. Our More Practical Spam Reduction Plan
   - Promoting visitor engagement by making it easy to communicate, comment or provide feedback
   - Preventing and detecting attempts to leave spam to the best of our ability, using free automated tools wherever possible

8. Know Your Enemy
   - Spambots
     - Automated computer programs running on servers that trawl the internet and post spam
     - The vast bulk of today’s spam
   - Human spammers
     - People who manually post spam, often paid to do so

9. Spambots (Machine-Generated Spam)
   - Strengths
     - Very fast; can bombard lots of websites in a given period of time
   - Weaknesses
     - Can only do what they are programmed to do
     - Can only adapt to countermeasures by being reprogrammed

10. Human Spammers (Human-Generated Spam)
   - Strengths
     - Humans can adapt and work around many anti-spam measures
   - Weaknesses
     - Slow: usually must visit websites in a browser
     - Expensive for spammers to employ humans
     - People employed to spam often have a limited education and can be tricked using intellectual means

11. Email Spam
   - Problem:
     - Email-harvesting robots trawl the net scanning websites for email addresses, which are then sent spam emails
   - Common mitigation:
     - Not publishing an email address, relying on a contact form instead
   - Side effects:
     - Not having a visible email address on your website lowers response rates

12. Comment Form Spam
   - Problem:
     - Spammers leave comments on posts
   - Common mitigations:
     1. Not having comments
     2. Requiring comments to be approved before publication
     3. Using a CAPTCHA
   - Side effects (respectively):
     1. No participation
     2. Reduced participation
     3. Moderation time

13. What is a CAPTCHA?
   - A test designed to distinguish between a human visitor and a bot (computer program).
     - E.g. asking the user to type a distorted, randomly picked phrase contained within an image, which is difficult for a computer to extract
   - When used on a web page, it is normally placed at the bottom of a form, before the submit button.

14. Should You Use CAPTCHAs?
   - No longer recommended
   - Legitimate visitors often find image-based CAPTCHAs hard to read and annoying
   - They increase hesitation and site abandonment
   - These types are less annoying:
     - Math CAPTCHAs
     - Classification CAPTCHAs

15. Pingback/Trackback Spam
   - Pingbacks/trackbacks are sent to your blog by others that have linked to one of your posts. They are listed in the comments and contain the URL of the referring site.
   - Problem:
     - You may receive trackbacks from spam blogs, or even fake trackbacks that point to an arbitrary website
   - Common mitigation:
     - Disable pingbacks/trackbacks
   - Side effects:
     - Reduces SEO from legitimate sites
     - Loses information about the readership of your posts

16. List of Free Anti-Spam WordPress Plugins
   1. Cookies for Comments
   2. Bad Behavior
   3. Jetpack Comments (part of Jetpack)
   4. Simple Trackback Validation with Topsy Blocker
   5. Minimum Comment Length
   6. Email Address Encoder

17. What About the Akismet Plugin?
   - Good, but only free for non-commercial sites

18. Plugin: Cookies for Comments
   - Action:
     - Reduces comment spam
   - Mechanism:
     1. Each visitor to your site will be issued with a tracking cookie
     2. If they try to leave a comment without having the cookie, it will be blocked. Most spambots do not accept cookies
     3. Option setting: if an attempt is made to leave a comment without having spent some time on your site, it will be blocked

19. Plugin: Bad Behavior - I
   - Action:
     - Reduces all types of spam
   - Mechanism (in standalone mode):
     - Uses various indicators (e.g. user agent, HTTP headers, contents of the URL) to identify requests from clients that are known to be, or likely to be, spambots
     - These visitors will receive a 403 Forbidden error message and won’t be able to see your site
   - Limitations:
     - The plugin may not be aware of newly created spambots and could inadvertently block legitimate search engines on occasion
     - Updates should address these issues

20. Plugin: Bad Behavior - II
   - Mechanism (combined with Project Honey Pot):
     1. Project Honey Pot operates a network of websites designed to attract spammers, in order to record their IP addresses
     2. The WordPress owner obtains a free http:BL key from Project Honey Pot and configures Bad Behavior to use it
     3. Every website visitor is checked against Project Honey Pot’s database to see if a significant amount of spam has been detected from their IP
     4. If so, Bad Behavior will block them
   - Limitations:
     - Small overhead when checking the Honey Pot database
     - The spammer must have already spammed the Honey Pot websites

21. Plugin: Jetpack Comments - I
   - Action
     - Indirectly reduces comment spam from spambots
   - Mechanism
     - Replaces your existing comment form with one hosted on WordPress.com, embedded within an HTML iframe
     - Most spambots will not find a comment form on your site

22. Plugin: Jetpack Comments - II
   - Limitations
     - Requires a modern theme that calls the comment_form() function (introduced in WordPress 3.0)
     - Incompatible themes require modification by a PHP developer
     - Will change the look of your comment form
   - Configuration note
     - If using this together with the Bad Behavior plugin, enable the Bad Behavior setting: Security->Allow form postings from other web sites

23. Plugin: Minimum Comment Length
   - Action
     - Indirectly reduces comment spam
   - Mechanism
     - Rejects comments that are shorter than a specified minimum length, e.g. 15 characters
     - Many spambots/spammers leave a token comment with a URL of their website
   - Limitations
     - The anti-spam benefit is small, but it also discourages humans from leaving useless comments like “Great Post!” or “I agree”

24. Plugin: Simple Trackback Validation w/Topsy Blocker
   - Action
     - Reduces trackback spam
   - Mechanism
     - Confirms that the IP address of the trackback sender matches the IP address of the site the trackback URL points to
     - Accesses the trackback URL and confirms that the content contains a link to your post
   - Limitations
     - Some trackback spam will still pass both those tests

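The two checks above, written as an added preprocess_comment filter for illustration; this is not the plugin’s own code. The 5-second timeout, the 64 KB response limit and the assumption that WordPress sees the sender’s IP directly (no reverse proxy) are mine.

```php
<?php
// Added illustration of the two Simple Trackback Validation checks.
// Assumed: 5-second timeout, 64 KB body limit, REMOTE_ADDR is the real client.
function stv_validate_trackback( $commentdata ) {
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    if ( 'trackback' !== $type ) {
        return $commentdata; // ordinary comments are left to other measures
    }
    $url  = $commentdata['comment_author_url'];
    $host = parse_url( $url, PHP_URL_HOST );
    // Check 1: the sender's IP must be one of the addresses of the host named
    // in the trackback URL. Behind a reverse proxy, REMOTE_ADDR would have to
    // be replaced by the proxy-supplied client address.
    $site_ips = $host ? gethostbynamel( $host ) : false;
    if ( ! $site_ips || ! in_array( $_SERVER['REMOTE_ADDR'], $site_ips, true ) ) {
        wp_die( 'Trackback rejected: sender IP does not match the linked site.', '', array( 'response' => 403 ) );
    }
    // Check 2: the referring page must actually contain a link to our post.
    // reject_unsafe_urls stops the fetch being pointed at internal addresses.
    $resp = wp_remote_get( $url, array(
        'timeout'             => 5,
        'limit_response_size' => 65536,
        'reject_unsafe_urls'  => true,
    ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        wp_die( 'Trackback rejected: referring page could not be fetched.', '', array( 'response' => 403 ) );
    }
    $permalink = get_permalink( (int) $commentdata['comment_post_ID'] );
    if ( false === stripos( wp_remote_retrieve_body( $resp ), $permalink ) ) {
        wp_die( 'Trackback rejected: referring page does not link to this post.', '', array( 'response' => 403 ) );
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'stv_validate_trackback' );
```

A spam blog that really does link to the post from the sending host passes both checks, which is the limitation the slide notes.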
25. Plugin: Email Address Encoder
   - Action
     - Reduces email spam
   - Mechanism
     - Encodes email addresses in your WordPress site content and widgets into decimal and hexadecimal HTML entities, foiling the majority of email-harvesting spambots
   - Limitation
     - It is possible for a spambot to be developed that can deal with this sort of encoding

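The entity encoding described above, as an added illustration rather than the plugin’s own code: each character of the address becomes a decimal or hexadecimal HTML entity, which browsers render as the plain address but a naive harvester regex does not match. The alternation between the two entity forms and the address regex are my choices.

```php
<?php
// Added illustration of entity-encoding email addresses in post content.
// Assumed: alternate decimal and hex entities; simple ASCII address regex.
function eae_encode_email( $email ) {
    $out = '';
    foreach ( str_split( $email ) as $i => $char ) { // byte-wise; addresses are ASCII
        $code = ord( $char );
        // Alternate decimal and hexadecimal entities so a harvester that
        // decodes only one of the two forms still does not see an address.
        $out .= ( $i % 2 === 0 ) ? '&#' . $code . ';' : '&#x' . dechex( $code ) . ';';
    }
    return $out;
}

// Rewrite every bare address, and the address inside a mailto: href, in
// post content and text widgets. Entities are valid in attribute values too.
function eae_encode_content( $content ) {
    $pattern = '/\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/';
    return preg_replace_callback( $pattern, function ( $m ) {
        return eae_encode_email( $m[0] );
    }, $content );
}
// Late priority so shortcodes and other filters have already produced their HTML.
add_filter( 'the_content', 'eae_encode_content', 1000 );
add_filter( 'widget_text', 'eae_encode_content', 1000 );
```

As the slide’s limitation says, a harvester that runs an HTML entity decoder before its address regex defeats this, so it raises the bar rather than closing the door.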
26. Disable User Registrations
   - Only authors or members should have accounts on your site.
   - In WordPress admin, uncheck the following: Settings->General->Anyone can register

27. Authenticate Commenters
   - Jetpack Comments and other plugins allow commenters to authenticate using their Facebook, Twitter and other social sharing accounts without requiring an account on your WordPress site

28. Comment Moderation Tips
   - Recommend approving comments before they’re published (if you have the time)
   - If you have a crowd of regular fans/commenters, enabling the following will save you time:
     - In Settings->Discussion->Before a comment appears, check the box “Comment author must have a previously approved comment”

29. To Disable Pingbacks & Trackbacks
   - In Settings->Discussion->Default article settings, unselect the following: Allow link notifications from other blogs (pingbacks and trackbacks)

30. Dealing with Human Email/Contact Spam
   - The most common human-generated spam is for Search Engine Optimisation services.
   - If these are a problem, try the following:
     - Publish an email address for SEO and ranking enquiries
     - Have an “SEO/Ranking” department on contact forms
   - This may help separate those enquiries from all others

31. Conclusion
   - Project Honey Pot: http://www.projecthoneypot.org/
     - Provides the http:BL key to use with the Bad Behavior plugin
     - You can also contribute by joining their network of honey pots
   - Questions and comments: http://wpexpert.com.au/contact-us/