Your Site vs. The World


If you've got a WordPress site, you're probably getting your fair share of spam comments. Spam on blogs is a fact of life.

This presentation will show you how to combat spam directly by getting hands on with your WordPress configuration.

The original presentation included animated GIFs, but those don't translate well to PDF. Sorry about that!


  1. YOUR SITE VS. THE WORLD
  2. HEY THERE. I'M JASON COSPER.
  3. I'M THE SENIOR TECHNOLOGY ADVISOR AT WP ENGINE.
  4. THAT MEANS I GET TO PLAY WITH WORDPRESS FOR A LIVING.
  5. I ALSO SPEND a lot OF TIME ANALYZING & NEUTRALIZING SECURITY THREATS.
  6. IF YOU ASK MY WIFE, PROBABLY TOO MUCH TIME.
  7. BUT IT'S REALLY FUN. TO ME, AT LEAST.
  8. ANYWAY.
  9. LET'S TALK ABOUT SPAM.
  10. IT'S THE WORST, RIGHT?
  11. Comment spam is a fact of life if you have a blog.
  12. THAT IS A QUOTE LIFTED DIRECTLY FROM THE CODEX.
  13. ONE OF THE BIGGEST REFERENCE LIBRARIES OF ALL THINGS WORDPRESS.
  14. YOU'D BE SURPRISED HOW FEW PEOPLE HAVE TAKEN THE TIME TO SET UP ANTI-SPAM COUNTERMEASURES.
  15. AS WORDPRESS CONTINUES TO TAKE ON THE ROLE OF CMS, FEWER PEOPLE USE IT TO BLOG.
  16. BUT THAT DOESN'T REMOVE THE BLOG FUNCTIONALITY. IT'S STILL THERE. AND SPAMMERS ARE ITCHING TO HIT IT.
  17. THERE'S VERY LITTLE BUILT INTO WORDPRESS TO BATTLE SPAM.
  18. THAT'S NOT A BAD THING. THE LESS CRUFT IN CORE, THE BETTER.
  19. FORTUNATELY, YOU CAN GAIN A LOT OF GROUND WITH A FEW SIMPLE CONFIG TWEAKS.
  20. BUT FIRST, LET ME ASK YOU A QUESTION.
  21. ARE COMMENTS EVEN WORTH IT?
  22. OF COURSE! IF YOU HAVE A TRADITIONAL BLOG OR COMMUNITY SITE, THAT IS.
  23. HOW CAN YOU BATTLE SPAM WITH A STOCK INSTALL?
  24. DISCUSSION SETTINGS!
  25. FIRST: Pingbacks & Trackbacks
  26. TRACKBACKS WERE CREATED almost 12 years ago TO PROMOTE CONVERSATIONS BETWEEN WEBSITES.
  27. IT WAS A NICE WAY TO SAY "Your post inspired me to write one of my own. Here's the URL."
  28. BUT THERE WAS NO VERIFICATION.
  29. YOU KNOW WHO LOVES THINGS THAT DON'T REQUIRE VERIFICATION?
  30. SPAMMERS.
  31. PINGBACKS ADDED A VERIFICATION PROCESS TO COMBAT THIS. BUT THAT DOESN'T MEAN THAT PINGBACKS CAN'T BE SPOOFED.
  32. IF I HAD A NICKEL FOR EVERY SPOOFED PINGBACK I'VE RECEIVED I COULD AFFORD A BETTER IDIOM.
  33. THIS MIGHT BE A CONTROVERSIAL OPINION BUT...
  34. Pingbacks & Trackbacks are bullshit.
  35. THAT'S WHY I DISABLE THEM.
  36. 1. UNCHECK "ALLOW LINK NOTIFICATIONS FROM OTHER BLOGS".
  37. 2. DROP THIS CODE INTO YOUR MYSQL CLIENT OF CHOICE.
      -- wp_ is the default table prefix; change it if your install uses a different one.
      UPDATE wp_posts SET ping_status = 'closed' WHERE post_status = 'publish' AND post_type = 'post';
      UPDATE wp_posts SET ping_status = 'closed' WHERE post_status = 'publish' AND post_type = 'page';
  38. SECOND: Other comment settings
  39. THE WORDPRESS DEFAULT IS TO CLOSE COMMENTS ON POSTS AFTER 14 DAYS. BUT THAT CAN BE LIMITING.
  40. MAYBE THAT'S WHY THAT SETTING NEEDS TO BE ENABLED MANUALLY.
  41. I FIND 30 DAYS TO BE A HAPPY MEDIUM.
  42. YOU DON'T have to ENABLE THIS IF YOU HAVE OLDER POSTS WITH ACTIVE CONVERSATIONS.
  43. BUT IT HELPS.
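Slides 36 through 43 change Discussion settings by hand and with SQL. As an added example that is not part of the talk, the same settings can be pinned in code with a must-use plugin, so a settings reset or a new post cannot quietly reopen pings. The SQL above closes pings on posts that already exist; this file covers posts created afterwards and also switches off the XML-RPC pingback entry point. The file path is hypothetical; every hook and option name used here is a WordPress core one.

```php
<?php
/**
 * Plugin Name: Discussion hardening (added example)
 *
 * Added example, not the talk's own code. Save as
 * wp-content/mu-plugins/discussion-hardening.php (hypothetical path); files in
 * mu-plugins load on every request without activation.
 */

// Force the three options behind Settings > Discussion. Returning anything
// other than false from pre_option_{name} short-circuits get_option(), so the
// database value no longer matters and the settings screen shows these values.
add_filter('pre_option_default_ping_status', function () {
    return 'closed';   // new posts and pages start with pings closed
});
add_filter('pre_option_close_comments_for_old_posts', function () {
    return 1;          // "Automatically close comments on posts older than ..."
});
add_filter('pre_option_close_comments_days_old', function () {
    return 30;         // ... 30 days, the talk's happy medium (core default is 14)
});

// Belt and braces for rows that still say ping_status='open': both
// xmlrpc.php (pingbacks) and wp-trackback.php consult pings_open(), which
// runs this filter before a ping is accepted.
add_filter('pings_open', '__return_false');

// Close the XML-RPC side as well: remove the pingback methods so a remote
// site cannot deliver one, and stop advertising the endpoint in the
// X-Pingback response header.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
```

The pre_option filters are deliberate rather than a one-off update_option(): an option written once can be flipped back from the admin screen, whereas a filter in mu-plugins wins every request. The SQL from slide 37 is still worth running once so the per-post ping_status column is consistent with what the site actually does.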
  44. THIRD: Comment Blacklist
  45. THIS IS the MOST OVERLOOKED SPAM FIGHTING TOOL IN WORDPRESS.
  46. PROBABLY BECAUSE CREATING & MANAGING A BLACKLIST CAN BE TIME CONSUMING.
  47. WHAT IF I TOLD YOU THERE WAS A SHORTCUT?
  48. THAT'S WHERE THE WORDPRESS COMMENT BLACKLIST COMES IN. HTTP://COSPER.ME/COMMENT-BLACKLIST
  49. 119KB OF BEAUTY. AND IT KEEPS GETTING BIGGER & BETTER.
  50. IT BLOCKS... 1. Spam keywords 2. Spam URLs 3. URL shorteners 4. Non-English comments
  51. ALL YOU HAVE TO DO IS COPY & PASTE IT.
  52. IF WORDPRESS FINDS A MATCH, THE COMMENT GOES TO SPAM.
  53. THESE KEYWORDS PROCESS before AKISMET. THAT MEANS FEWER EXTERNAL API CALLS.
  54. AND YOU CAN CUSTOMIZE IT TO YOUR HEART'S CONTENT!
  55. NEED TO ALLOW A URL SHORTENER? REMOVE IT FROM THE BLACKLIST!
  56. CONVERSE IN THAI? GET RID OF THOSE CHARACTERS!
  57. I'VE SEEN FOLKS HAVE A SIGNIFICANT DROP-OFF IN SPAM USING JUST THIS BLACKLIST.
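Slides 44 through 57 say a blacklist match sends the comment straight to spam, and that the list works by keywords, URLs, shortener hosts and non-English characters. As an added example (neither WordPress core nor the linked blacklist), here is a stand-alone script that reproduces core's matching rule so a list can be dry-run against sample comments before it is pasted into a live site. The blacklist and the comments are constructed for the example; it needs only the PHP CLI.

```php
<?php
// Added example, not WordPress code: a stand-alone re-implementation of the
// matching rule behind Settings > Discussion > Comment Blacklist (renamed
// "Disallowed Comment Keys" in WordPress 5.5). Run: php blacklist-dryrun.php

/**
 * Core treats every non-empty line as a case-insensitive LITERAL substring
 * (regex metacharacters are escaped with preg_quote) and tests it against the
 * author, email, URL, comment text, IP address and user agent.
 * Returns the entry that fired, or null if the comment would get through.
 */
function blacklist_match(string $blacklist, array $comment): ?string
{
    $fields = ['author', 'email', 'url', 'content', 'ip', 'user_agent'];
    foreach (explode("\n", $blacklist) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue;
        }
        $pattern = '#' . preg_quote($entry, '#') . '#i';
        foreach ($fields as $field) {
            if (preg_match($pattern, (string) ($comment[$field] ?? ''))) {
                return $entry;
            }
        }
    }
    return null;
}

// Constructed stand-in for the real list: one entry per category the slide
// names (keyword, short keyword, two shortener hosts, one Thai character).
$blacklist = <<<'LIST'
cheap viagra
cialis
bit.ly
goo.gl
ก
LIST;

// Constructed comments: a shortener link, an obvious keyword, a Thai comment,
// and a legitimate English comment.
$comments = [
    'shortener' => ['author' => 'deals', 'url' => 'http://bit.ly/xyz', 'content' => 'Nice post, see this'],
    'keyword'   => ['author' => 'bob',   'content' => 'Buy CHEAP VIAGRA today'],
    'thai'      => ['author' => 'ploy',  'content' => 'บทความดีมาก'],
    'legit'     => ['author' => 'ann',   'content' => 'Our IT specialist loved this write-up.'],
];

foreach ($comments as $label => $comment) {
    $hit = blacklist_match($blacklist, $comment);
    printf("%-10s %s\n", $label, $hit === null ? 'passes' : "spam (matched '$hit')");
}
```

The last case is the caveat the dry run is for: because entries are substrings, the short entry "cialis" also fires on "specialist", so the legitimate comment lands in spam. Keep entries as long and specific as the spam you actually see, and test any entry under about six characters against real comments from the moderation queue before keeping it.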
  58. BUT YOU SHOULD STILL USE AKISMET.
  59. WHY AKISMET? DOESN'T IT, YOU KNOW, COST MONEY?
  60. IF YOU'VE EVER DEALT WITH A SPAM RUN, YOU KNOW HOW crazy town banana pants IT CAN BE.
  61. IS YOUR SANITY WORTH $5 A MONTH?
  62. MINE'S WORTH A LOT MORE THAN THAT. YOURS SHOULD BE TOO.
  63. AKISMET'S TRUE POWER LIES IN THE NUMBER OF SITES IT'S ACTIVE ON.
  64. THE MORE PEOPLE RUNNING AKISMET, THE MORE SPAM IT SEES.
  65. THE MORE SPAM AKISMET SEES, THE BETTER IT GETS.
  66. AKISMET 3.0 MADE SETUP stupid EASY.
  67. JUST ACTIVATE THE PLUGIN. IT'S INSTALLED BY DEFAULT WITH WORDPRESS.
  68. THEN, GET AN API KEY FOR YOUR SITE.
  69. ONCE AKISMET HAS AN API KEY...
  70. SET IT UP TO DISCARD THE VERY WORST SPAM.
  71. AKISMET HANDLES SPAM SUBMITTED THROUGH... 1. Comment forms 2. Contact forms 3. BuddyPress 4. bbPress
  72. THAT'S COOL AND ALL. BUT WHAT ABOUT SPAM USER REGISTRATIONS?
  73. IF YOU RUN AN OPEN MULTISITE, BUDDYPRESS OR BBPRESS SITE, SPAM USER REGISTRATIONS ARE PROBABLY THE BANE OF YOUR EXISTENCE.
  74. THERE ARE A COUPLE great PLUGINS THAT FILTER SPAM USER REGISTRATIONS... ▸ WangGuard ▸ Anti-Splog
  75. BUT THERE'S ONE THAT I LIKE MORE.
  76. AVH FIRST DEFENSE AGAINST SPAM! THAT NAME IS KIND OF A MOUTHFUL, I KNOW.
  77. AVH DEPENDS ON WIDELY USED, TOTALLY FREE ANTI-SPAM BLACKLISTS. ▸ Stop Forum Spam ▸ Project Honey Pot ▸ Spamhaus
  78. THESE BLACKLISTS ARE NORMALLY LEVERAGED BY FORUM & EMAIL ADMINISTRATORS.
  79. MOST SPAM COMES FROM THE SAME PLACE. NO OFFENSE, CHINA.
  80. AVH ALSO HAS THE ADDED BENEFIT OF TOTALLY BLOCKING TRAFFIC FROM BLACKLISTED IP ADDRESSES. GTFO, SPAMMERS.
  81. HEADS UP! HOSTS THAT CACHE heavily DON'T PLAY NICELY WITH AVH. A NUMBER OF MANAGED HOSTS LEVERAGE SOME OF THESE BLACKLISTS AT THE SERVER LEVEL.
  82. TO GET THIS WORKING YOU HAVE TO REGISTER FOR API KEYS FOR TWO OF THE THREE SERVICES.
  83. REGISTER FOR STOP FORUM SPAM AT HTTP://COSPER.ME/SFS-SIGNUP
  84. REGISTER FOR PROJECT HONEY POT AT HTTP://COSPER.ME/PHP-SIGNUP
  85. ALL OF THE DEFAULT THRESHOLDS IN AVH ARE FINE. JUST MAKE SURE TO ENABLE ALL 3 SERVICES IN 3RD PARTY OPTIONS.
  86. DON'T FORGET TO ENABLE THE COMMENT NONCE! YOU CAN FIND THIS IN AVH'S GENERAL OPTIONS.
  87. WHY REQUIRE A NONCE?
  88. A NONCE IS LIKE A KEY. IF YOU DON'T HAVE ONE, YOU CAN'T GET IN. OR, IN THIS STRAINED METAPHOR, SUBMIT A COMMENT.
  89. THIS MEANS BOTS HITTING WP-COMMENTS-POST.PHP DIRECTLY WILL GET FLAGGED AS SPAM.
  90. HONESTLY, NOBODY REALLY needs TO HIT WP-COMMENTS-POST.PHP DIRECTLY.
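Slides 86 through 90 describe AVH's comment nonce: a token that only the rendered comment form carries, so a bot posting straight to wp-comments-post.php is flagged as spam. As an added example, and not AVH's code, here is that mechanism built from WordPress core's own nonce API as a small must-use plugin. The field name, action prefix and file path are this example's own choices; the hooks (comment_form, pre_comment_approved) and functions (wp_nonce_field, wp_verify_nonce, wp_unslash) are core.

```php
<?php
/**
 * Plugin Name: Comment form nonce (added example)
 *
 * Added example, not AVH's code: the same idea as AVH's "comment nonce"
 * option, using WordPress core's nonce API. Save as
 * wp-content/mu-plugins/comment-nonce.php (hypothetical path).
 */

const EXAMPLE_NONCE_FIELD = 'example_comment_nonce';   // name chosen for this example

// The nonce action is bound to the post, so a token harvested from one post's
// form does not validate on another.
function example_comment_nonce_action($post_id): string
{
    return 'example_comment_' . (int) $post_id;
}

// Render a hidden nonce field inside the real comment form; the comment_form
// action fires just before </form>. A client that never loads the page and
// posts directly to wp-comments-post.php never receives a nonce.
add_action('comment_form', function ($post_id): void {
    wp_nonce_field(example_comment_nonce_action($post_id), EXAMPLE_NONCE_FIELD, false);
});

// Approval decision: a submission without a valid nonce goes to the spam
// bucket (as the slide says AVH does) rather than being dropped, so a
// moderator can still recover a false positive.
add_filter('pre_comment_approved', function ($approved, array $commentdata) {
    // Keep an existing spam verdict (e.g. from the blacklist) and leave
    // pingbacks/trackbacks to the ping settings.
    $type = $commentdata['comment_type'] ?? '';
    if ($approved === 'spam' || in_array($type, ['pingback', 'trackback'], true)) {
        return $approved;
    }

    $post_id = $commentdata['comment_post_ID'] ?? 0;
    $nonce   = isset($_POST[EXAMPLE_NONCE_FIELD])
        ? (string) wp_unslash($_POST[EXAMPLE_NONCE_FIELD])
        : '';

    if ($nonce === '' || ! wp_verify_nonce($nonce, example_comment_nonce_action($post_id))) {
        return 'spam';
    }
    return $approved;
}, 20, 2);
```

Two operational points follow from how core nonces work. A nonce is valid for 12 to 24 hours and is tied to the visitor's login state, so a full-page cache that serves HTML older than that hands real visitors an expired token and their comments land in spam; that is the same "hosts that cache heavily" problem slide 81 raises for AVH. And comments created through the REST API (a theme posting JSON instead of a form) reach the same filter with an empty $_POST, so such a theme must send the token in its request and the check must read it from there, or that path must be exempted explicitly.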
  91. OKAY. ENOUGH ABOUT SPAM. WHAT IF AVH DOESN'T WORK ON YOUR HOST?
  92. LOOK INTO A HOSTED WAF! (WEB APPLICATION FIREWALL)
  93. JUST LIKE MANAGED HOSTS FOCUS ON JUST WORDPRESS, HOSTED WAF PRODUCTS CONCENTRATE ON MITIGATING RISKS AND DOS PROTECTION.
  94. THE MOST FAMOUS HOSTED WAF SOLUTION IS CLOUDFLARE. BUT BOTH SUCURI CLOUDPROXY AND INCAPSULA ARE JUST AS GOOD. AND A BIT MORE FOCUSED ON SECURITY RATHER THAN SPEED.
  95. SPOILER ALERT! ALL OF THESE COMPANIES CHARGE FOR WAF SERVICE.
  96. THEY'RE totally WORTH IT THOUGH. SO FIND THE ONE THAT'S RIGHT FOR YOU AND PAY FOR IT!
  97. YOU'LL SEE LESS SPAM, FEWER FAKE REGISTRATIONS, FEWER LOGIN ATTEMPTS.
  98. SPEAKING OF LOGIN ATTEMPTS...
  99. YOU SHOULD DEFINITELY INSTALL LIMIT LOGIN ATTEMPTS HTTP://COSPER.ME/LLA-PLUGIN
  100. A LOT OF HOSTS ARE ADDING IT TO THEIR INSTALLS BY DEFAULT. WP ENGINE DOES!
  101. THE DEFAULT SETTINGS ARE okay BUT I PREFER TO salt the earth INSTEAD.
  102. OKAY. I THINK THAT'S MY TIME.
  103. QUESTIONS?
