Wordpress blog getting spammed

[pcproblems]

Hi People

I've recently been experimenting with a wordpress site that I've set up in order to learn a little.. I even started a small blog but after 1 particular post about SEO it seems to be attracting a lot of spam comments.

Now, i know that i can turn comments off but my question is:

How the heck are them spammers even finding the site?

It certainly doesn't do well in search at the moment and i may not even continue with it as i have a seperate site for my business..

In case anyone's interested, the wordpress site in question is in my sig.

Many thanks

 

[crossdaz]

It's usually a script - not a person doing it. All you can do is ensure that all comments have to manually approved and keep on top of it.

Comments that have links in the actual body of the text are often targeted the most.

 

[Posilan]

Hi People

I've recently been experimenting with a wordpress site that I've set up in order to learn a little.. I even started a small blog but after 1 particular post about SEO it seems to be attracting a lot of spam comments.

Now, i know that i can turn comments off but my question is:

How the heck are them spammers even finding the site?

It certainly doesn't do well in search at the moment and i may not even continue with it as i have a seperate site for my business..

In case anyone's interested, the wordpress site in question is in my sig.

Many thanks

Install the Defensio plugin (http://www.defensio.com/) - it will block spam comments really well and is free for small (under 5 employees) businesses.

As an alternative, you could install Akismet although it is not free for commercial sites.

Steve

 

[pcproblems]

Hi, many thanks for the advice, seems i have a lot to learn about wordpress..
Interesting though..

 

[Deleted member 106254]

I've tried several anti-spam plug ins for Wordpress but none seem to work very well. I'll give defensio a try though, thanks.

 

[Nick Dougan]

Hi pc problems,

Wordpress gives you the options to turn off comments completely, or to require people to login to leave a comment (and you can use Captcha to block automated spammers or you can simply apply manual approval for all comments.

I do the latter, and it provides a small distraction to see who's resorting to these sort of tactics - you expect the porn and viagra sellers, I suppose, but sometimes some quite reputable businesses seem to be at it. It's all part of the learning curve!

Nick

 

[fisicx]

Askimet is already built into wordpress. Activate and enjoy spam free commenting.

 

[Posilan]

Askimet is already built into wordpress. Activate and enjoy spam free commenting.

Remember, it's not free for use on commercial websites (as I mentioned above) - Defensio is.

Steve

 

[crossdaz]

Remember, it's not free for use on commercial websites (as I mentioned above) - Defensio is.

Steve

it doesn't stop people spamming you either

 

[H22SolutionsLtd]

Search plugin's for "SI CAPTCHA Anti-Spam"

 

[Faevilangel]

Also think about adding a captcha to the comment form, or make all commenters register and having a captcha on the register form

 

[OldWelshGuy]

remove/rename the most common WP footprints and they won't find your sites.

 

[tomsmith2010]

They using the script i think that's why getting lot of spam messages...

 

[RemoteTechs]

I highly recommend Askimet. We used to get lots of spam on our WP blog, to the point that it was a lot of work filtering through it and identifying the real comments, we installed Askimet about 5 months ago and its worked like a charm. Well worth the small price tag to keep the spam down.

 

[pcproblems]

Hi People

many thanks for your suggestions, much appreciated

 

[Deleted member 106254]

I tried Defensio on one of my blogs and it works wonders. Stopped 600 messages so far. I experimented with math captchas and recaptcha and AVH First Defence Against Spam on another blog but the spam was still getting through so have just installed Defensio on there as well.

 

[kidino]

Haven't tried Defensio but hearing good things so far now. I use Akismet. And if you don't mind, just make a small donation for the key. I have it on my site and is working good so far. Stop 1000's of spam comments already.

 

[OpenSure]

Hate spam, useless waste of time and limits the spontaneity and usefulness of much of the web.

These days many of these spammers are in fact low wage human armies paid to submit 1000s of messages a day. That means any systems that simply check the human capacity to read an image and interpret or perform simple maths based on it are never going to stop them.

They get lists provided by scanning software so hiding aspects of the WP fingerprint may help but there are lots of ways for scripts to find WP eg using calls to known obvious URLs essential when managing and running a simple WP site.

In practical terms the only approach is to reduce some of the problem for a little time. We suggest approval only for the first message which frees regular genuine users providing them good access. It also prevents you having to trawl through lots of real messages hunting for spam.

Using anti-spam measures as needed will reduce the mire of spam but as the war continues you will need more and more aggressive approaches that will put off some genuine visitors.

Ultimately, it is the price of a successful interactive website/blog and a process of moderation is part of the cost of managing it. I see a growing business opportunity for someone ;-)

 

[awebapart.com]

How the heck are them spammers even finding the site?

It is also worth mentioning that Wordpress sites are usually set up to broadcast to the world that they are blogs and each time content has been added to them. This is done by a process called Update Services (or more commonly referred to as pinging).

Broadcasting to the world in this way can have some negative affects with regards to spammers and seo black hatters:

1. It makes spammers aware that you not only have a blog, but you have some fresh content they can add spam comments and backlinks to

2. It also makes content farms aware that there is fresh content to scrape/copy. Some blackhat seo'ers will scrape/copy fresh content onto their own sites in the hope that google indexes their content first and treats it as unique content, and if this is the case your content could be treated as the duplicate content even though it is your original content. Some content will be copied even if it is already indexed by google, since the blackhatter site's may reformat it in a better way to improve their site's SEO.

Pinging can bring in more traffic too, not necessarily targeted but automated traffic (from the spammers), and some people with blogs will think they are doing well because they see an increase in traffic, and they then wrongly think that this is because the blog is improving their site's SEO.

So all in all, there is a lot more to Wordpress and blogging than first meets the eye.

 

[pcproblems]

This is certainly turning into an interesting thread. I'm learning more and more each day about wordpress so many thanks for the info so far.

 

[OpenSure]

In many ways there is great similarity to the physical world.

Anyone offering employment opportunities will know how such news spreads quickly to agencies, CV consultants, advert space sales etc. They all use the same things that get your message 'out there' to let them know how to get to your organization. Some also market your job offering to gain more prospects themselves, usually without your consent or knowledge. Competitors may well use the information you use to attract customers and staff to identify weaknesses and opportunities.

End result will be some people feed off your effort to their own advantage rather than yours, but importantly, you still get a new employee. You also get a few contacts in recruitment and media ;-)

The scale on-line may increase beyond what the physical equivalent can sustain but many of the tools to combat it also scale. It is an ecosystem like any other and so aim to achieve your end result rather than expend huge effort avoiding the annoyance and the generally limited detrimental side-effects.

Not saying that you should ignore it but that you should accept limiting efforts to thwart it, a bit of 80/20 rule, spend 20% of the effort to hit 80% of the problem, not 80% effort to hit the last 20%!

As with evolution in any environment, if you focus too much on the downside you may find when predators change they do so faster than you can adapt...

 

[awebapart.com]

How the heck are them spammers even finding the site?

It is also worth mentioning that Wordpress sites are usually set up to broadcast to the world that they are blogs and each time content has been added to them. This is done by a process called Update Services (or more commonly referred to as pinging).

Broadcasting to the world in this way can have some negative affects with regards to spammers and seo black hatters:

1. It makes spammers aware that you not only have a blog, but you have some fresh content they can add spam comments and backlinks to

2. It also makes content farms aware that there is fresh content to scrape/copy. Some blackhat seo'ers will scrape/copy fresh content onto their own sites in the hope that google indexes their content first and treats it as unique content, and if this is the case your content could be treated as the duplicate content even though it is your original content. Some content will be copied even if it is already indexed by google, since the blackhatter site's may reformat it in a better way to improve their site's SEO.

Pinging can bring in more traffic too, not necessarily targeted but automated traffic (from the spammers), and some people with blogs will think they are doing well because they see an increase in traffic, and they then wrongly think that this is because the blog is improving their site's SEO.

So all in all, there is a lot more to Wordpress and blogging than first meets the eye.

I should have added that there is a 3rd reason there's unsavoury people out there on the lookout for Wordpress sites, and why you shouldn't broadcast that your site is Wordpress:

3. In addition to spammers and SEO black hatters, hackers will also try to exploit your Wordpress site, trying to hack in for various reasons (e.g. inserting malware links to try to get your visitors to install malware), for instance with this recent Wordpress hack attack (although in that particular hijack I don't think that was aimed at general Wordpress sites broadcasting pings, but rather sites with a certain plugin). Having a hacked Wordpress site with malware links might also result in Google de-listing your site.

Personally, if I had an important Wordpress website, I would switch off pinging (just let Google crawl your site normally) and remove as many signatures that reveal your site to be a Wordpress site as possible. Signatures include onscreen text associated with Wordpress, using robots.txt to prevent certain signature urls being indexed (/tag/ xmlrpc.php), and signature footer links (like Wordpress or links to Wordpress template design owner - the removing should be done in accordance to the license, some template licenses might say that you have to keep the link in). Having these signatures, the hackers and spammers will use google to search for sites with such signatures, so in this situation google is helping the spammers, blackhatters and hackers find your site.

There are advantages to pinging and some will say that you should keep pinging, but as with most things you have to weigh up advantages against risks and make your own decisions on this. But my opinion is that you cannot fully remove signatures and all easily searchable evidence that your site is Wordpress, if you are still pinging.

 

[OpenSure]

@awebapart.com I think we are on the same page, but perhaps alternate perspectives?

Interesting reading about exploit instances, we all know they happen with all software. There's no such thing as uncrackable! The biggest issues we see are with self-managed sites and the lack of updates applied, old OS versions etc kept working with no security review. Custom built sites are often worst, with forms, applets or snippets of code not looked at since they were written 2, 3 or even 5 years ago.

Generally keeping software updated will protect from the widespread exploits and the script-driven hacks from amateurs far better than 'security by obscurity' which carries with it its own set of risks (not least the culture it can engender).

These script-hacks are the people behind the spammers, the ones looking to exploit any weaknesses in software like WP sites, Sharepoint, IIS, Drupal, Joomla, Facebook etc. They bulk process them and door knock to see if anyone is on the case. You may reduce some of the spam and hack attempts by hiding your site software's identity and any fresh content which may be fine especially if you are not looking to increase your site visibility.

Real smart hackers will use far more subtle methods to determine and compromise a site and they are far more difficult to detect and counter as they don't announce themselves and want to remain undetected. Those hackers tend to be interested in significant sums of money and/or fame and will use the easily hacked unpatched, poorly managed sites/services/pcs as tools to use against the big interesting sites. You can't readily hide from them without seriously affecting access!

I do agree 'pinging' is a matter of opinion as to whether it is more or less helpful to your particular site. To express a take on the balance of importance, personally I would rather have pinging turned on and broadcast everything to the world than run an old unpatched version of software trusting to obscurity to protect me. Partly I think there a culture surrounding security based on many people feeling secret means secure when in fact; Secret = apart from, separate but Secure = without care, carefree. Online you want to access to services without worry or care not hide them.

I know you are not saying don't patch, and there is obviously no reason why you can't do some of both. We simply put forward that an approach of increasing obscurity to protect you from spammers is perhaps not the most sustainable direction of travel for a website garnering publicity ;-)

 

[awebapart.com]

A bit of a funny coincidence here, but I've just looked at the web logs of one of my sites, which is not a Wordpress site, and guess what? At 3am this morning the site had a visit (http requests) from a Chinese IP address looking for the following signature urls to identify if the site is Wordpress:

/wordpress/wp-includes/images/blank.gif
/wp/wp-includes/images/blank.gif
/blog/wp-includes/images/blank.gif
/wp-includes/images/blank.gif
(then it gave up)

I'm guessing this is one way to identify a Wordpress site by signature urls the brute force direct way (by visiting the site directly) cleverly a low bandwidth way (blank.gif is a 43 byte 1x1 pixel image), although IMO there are easier indirect ways to find Wordpress sites by using Google or update services ping servers.

 

[awebapart.com]

@awebapart.com I think we are on the same page, but perhaps alternate perspectives?

Yes, I agree with what you're saying.

 

[Anelly]

Install ASAP Askimet plugin. Best option

 

[InvicTel]

I found that on our wordpress site, and especially on our seperate blog part of the site, the spammers always found some way of getting around the plugins.

I ended up just erasing the PHP code that called on the comments.php file. Now no-one can even see the comments boxes, let alone post loads of spam :redface:

Website URL is in my sig if you want to see what I mean, OP.

 

[Deleted member 119645]

Si Captcha is a great program, yet makes sure the configuration is set up ok.

Previous discussion on some of the other forums, such as Vbulletin which have shed loads of span 'users' suggest asking a question.. such as what colour is a sunflower. Simple question but difficult for scripts..

 

[manchester web design]

Me also used to post comments on wordpress blog. For my business publicity I have never experienced this sort of spaming. Possilan thanx for this info about wordpress spaming. I will check it personally then join u.