Beating Spam On Your WordPress Website - WordCamp Melbourne 2013
Presentation slides from Vladimir Lasky's talk "Beating Spam on Your WordPress Website", presented on Sunday 28th April at WordCamp Melbourne 2013.

Transcript

  • 1. Beating Spam On Your WordPress Site
    Vladimir Lasky
    http://wpexpert.com.au/
    WordCamp Melbourne 2013
  • 2. What is Spam?
    – Unsolicited and often untargeted electronic communication
    – A persistent phenomenon, due to the extremely low marginal cost of sending it over the Internet
    – Even a minuscule response rate from targets makes it profitable
  • 3. What Do Spammers Want?
    – To get recipients of spam emails to purchase products and services. Common examples:
      • "Get Rich Quick" schemes
      • Products to enhance reproductive organs or the reproduction process
      • Weight loss
    – To take advantage of the ranking/popularity of your site to promote theirs
      • If your site gets many visitors and/or ranks highly in search engines, they will receive a portion of your traffic
  • 4. Why is Spam Evil?
    – A parasitic phenomenon
    – Wastes owners' time in dealing with emails and moderating comments
    – Makes comments and discussion boards less useful to website visitors
    – Search engines lower the rank of websites that link to spam blogs and low-quality sites
    – Increases load on web servers and eats through data transfer and storage quotas
  • 5. Types of Spam
    – Types of spam that WordPress site owners often encounter include:
      • WordPress comment spam
      • Trackback spam
      • Contact form spam
      • Email spam
  • 6. Comment Spam Example
  • 7. Trackback Spam Example
  • 8. 100% Surefire Plan To Prevent Website Spam
    1. Don't publish your email address
    2. Don't have a contact form on your website
    3. Don't let visitors comment on posts
    4. Disable trackbacks/pingbacks
  • 9. Our More Practical Spam Reduction Plan
    – Promote visitor engagement by making it easy to communicate, comment or provide feedback
    – Prevent and detect attempts to leave spam to the best of our ability, using free automated tools wherever possible
  • 10. Know Your Enemy
    – Spambots
      • Automated computer programs running on servers that trawl the internet and post spam
      • The vast bulk of today's spam
    – Human spammers
      • People who manually post spam; they are often paid to do this
  • 11. Spambots (Machine-Generated Spam)
    – Strengths
      • Very fast; can bombard lots of websites in a given period of time
    – Weaknesses
      • Can only do what they are programmed to do
      • Can only adapt to countermeasures by being reprogrammed
  • 12. Human Spammers (Human-Generated Spam)
    – Strengths
      • Humans can adapt and work around many anti-spam measures
    – Weaknesses
      • Slow: usually must visit websites in a browser
      • Expensive for spammers to employ humans
      • People employed to spam often have a limited education and can be tricked using intellectual means
  • 13. Email Spam
    – Problem:
      • Email harvesting robots trawl the net scanning websites for email addresses, which are then sent spam emails
    – Common mitigation:
      • Not publishing an email address, relying on a contact form instead
    – Side effects:
      • Not having a visible email address on your website lowers response rates
  • 14. Comment Form Spam
    – Problem:
      • Spammers leave comments on posts
    – Common mitigations:
      1. Not having comments
      2. Requiring comments to be approved before publication
      3. Using a CAPTCHA
    – Side effects:
      1. No participation
      2. Reduced participation
      3. Moderation time
  • 15. What is a CAPTCHA?
    – A test designed to distinguish between a human visitor and a bot (computer program).
      • E.g. asking the user to type a distorted, randomly picked phrase contained within an image, which is difficult for a computer to extract
    – When used on a web page, normally placed at the bottom of a form, before the submit button.
  • 16. Should You Use CAPTCHAs?
    – No longer recommended
    – Legitimate visitors often find image-based CAPTCHAs hard to read and annoying
    – They increase hesitation and site abandonment
    – These types are less annoying:
      • Math CAPTCHAs
      • Classification CAPTCHAs
  • 17. Pingback/Trackback Spam
    – Pingbacks/trackbacks are sent to your blog by others that have linked to one of your posts. They are listed in the comments and contain the URL of the referring site.
    – Problem:
      • You may receive trackbacks from spam blogs, or even fake trackbacks that point to an arbitrary website
    – Common mitigation:
      • Disable pingbacks/trackbacks
    – Side effects:
      • Reduces SEO from legitimate sites
      • Loses information about the readership of your posts
  • 18. List of Free Anti-Spam WordPress Plugins
    1. Cookies for Comments
    2. Bad Behavior
    3. Jetpack Comments (part of Jetpack)
    4. Simple Trackback Validation with Topsy Blocker
    5. Minimum Comment Length
    6. Email Address Encoder
  • 19. What About the Akismet Plugin?
    – Good, but only free for non-commercial sites
  • 20. Plugin: Cookies for Comments
    – Action:
      • Reduces comment spam
    – Mechanism:
      1. Each visitor to your site will be issued with a tracking cookie
      2. If they try to leave a comment without having the cookie, it will be blocked. Most spambots do not accept cookies
      3. Option setting: if an attempt is made to leave a comment without having spent some time on your site, it will be blocked
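The cookie-then-comment mechanism of slide 20, as an added illustration that is not the Cookies for Comments plugin's own code: a small WordPress mu-plugin that issues a signed, timestamped cookie on each front-end page view and rejects comments from anonymous visitors who lack it or who post too soon after receiving it. The cookie name, the dwell time and the messages are assumptions chosen for this example.

```php
<?php
/*
 * Added example (not the Cookies for Comments plugin): signed visit cookie
 * plus a dwell-time check on comment submission. Names below are hypothetical.
 */

define( 'EX_VISIT_COOKIE', 'ex_visit' );   // hypothetical cookie name
define( 'EX_MIN_DWELL_SECONDS', 20 );      // seconds a visitor must have had the cookie before commenting

// Issue the cookie before any output is sent, on front-end requests only.
add_action( 'init', function () {
    if ( is_admin() || isset( $_COOKIE[ EX_VISIT_COOKIE ] ) ) {
        return;
    }
    $issued = time();
    // Sign the timestamp with a site secret so a client cannot back-date its own cookie.
    $value = $issued . '|' . hash_hmac( 'sha256', (string) $issued, wp_salt( 'nonce' ) );
    setcookie( EX_VISIT_COOKIE, $value, $issued + DAY_IN_SECONDS, '/', '', is_ssl(), true );
} );

// Validate the cookie when a comment is submitted; this filter runs inside wp_new_comment().
add_filter( 'preprocess_comment', function ( $commentdata ) {
    // Logged-in users have already authenticated; pingbacks/trackbacks are handled elsewhere.
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    if ( is_user_logged_in() || in_array( $type, array( 'pingback', 'trackback' ), true ) ) {
        return $commentdata;
    }
    $raw   = isset( $_COOKIE[ EX_VISIT_COOKIE ] ) ? (string) $_COOKIE[ EX_VISIT_COOKIE ] : '';
    $parts = explode( '|', $raw, 2 );
    $valid = count( $parts ) === 2 && ctype_digit( $parts[0] )
          && hash_equals( hash_hmac( 'sha256', $parts[0], wp_salt( 'nonce' ) ), $parts[1] );
    if ( ! $valid ) {
        // Same outcome the slide describes: no cookie (or a forged one), no comment.
        wp_die( 'Your comment could not be accepted: cookies appear to be disabled.', 'Comment blocked', array( 'response' => 403 ) );
    }
    if ( time() - (int) $parts[0] < EX_MIN_DWELL_SECONDS ) {
        wp_die( 'Please spend a moment on the post before commenting.', 'Comment blocked', array( 'response' => 403 ) );
    }
    return $commentdata;
} );
```

A full-page cache that serves HTML without running PHP never executes the `init` hook, so first-time visitors would get no cookie and every one of their comments would be rejected; exclude the cookie-setting request from caching or set the cookie from a non-cached resource.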
  • 21. Plugin: Bad Behavior - I
    – Action:
      • Reduces all types of spam
    – Mechanism (in standalone mode):
      • Uses various indicators (e.g. user agent, HTTP headers, contents of the URL) to identify requests from clients that are known to be, or are likely to be, spambots
      • These visitors receive a 403 Forbidden error message and won't be able to see your site
    – Limitations:
      • The plugin may not be aware of newly created spambots and could inadvertently block legitimate search engines on occasion
      • Updates should address these issues
  • 22. Plugin: Bad Behavior - II
    – Mechanism (combined with Project Honey Pot):
      1. Project Honey Pot operates a network of websites designed to attract spammers, in order to record their IP addresses
      2. The WordPress owner obtains a free http:BL key from Project Honey Pot and configures Bad Behavior to use it
      3. Every website visitor is checked against Project Honey Pot's database to see if a significant amount of spam has been detected from their IP
      4. If so, Bad Behavior blocks them
    – Limitations:
      • Small overhead when checking the Honey Pot database
      • The spammer must have already spammed the Honey Pot websites
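The http:BL check that step 3 of slide 22 describes, as an added example rather than Bad Behavior's own code. It builds the DNS query in the form Project Honey Pot publishes (`key.reversed-ip.dnsbl.httpbl.org`), decodes the `127.days.threat.type` answer, and applies a blocking policy; `HTTPBL_KEY` is a placeholder and the policy thresholds are assumptions.

```php
<?php
/*
 * Added example (not Bad Behavior's code): http:BL lookup and decode.
 * HTTPBL_KEY is a placeholder; a real key comes from a Project Honey Pot account.
 */
define( 'HTTPBL_KEY', 'placeholder-httpbl-key' );

/**
 * Query http:BL for an IPv4 address. Returns null when the IP is unlisted
 * (NXDOMAIN), otherwise the decoded record as an array.
 */
function httpbl_lookup( $ip, $key = HTTPBL_KEY ) {
    if ( ! filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
        return null; // http:BL lists IPv4 addresses only
    }
    $reversed = implode( '.', array_reverse( explode( '.', $ip ) ) );
    $query    = $key . '.' . $reversed . '.dnsbl.httpbl.org';
    $answer   = gethostbyname( $query );
    if ( $answer === $query ) {
        return null; // gethostbyname() returns the name unchanged when there is no A record
    }
    return httpbl_parse( $answer );
}

/** Decode a 127.<days since last activity>.<threat score>.<type flags> answer. */
function httpbl_parse( $answer ) {
    $o = array_map( 'intval', explode( '.', $answer ) );
    if ( count( $o ) !== 4 || $o[0] !== 127 ) {
        return null; // not an http:BL answer
    }
    return array(
        'days_since_last_activity' => $o[1],
        'threat_score'             => $o[2],          // 0-255, higher is worse
        'search_engine'            => $o[3] === 0,    // type 0 is a known search engine
        'suspicious'               => (bool) ( $o[3] & 1 ),
        'harvester'                => (bool) ( $o[3] & 2 ),
        'comment_spammer'          => (bool) ( $o[3] & 4 ),
    );
}

/** Block only recently active, sufficiently bad IPs; never block search engines. Thresholds are assumptions. */
function httpbl_should_block( $record, $min_threat = 25, $max_age_days = 30 ) {
    if ( $record === null || $record['search_engine'] ) {
        return false;
    }
    return $record['threat_score'] >= $min_threat
        && $record['days_since_last_activity'] <= $max_age_days;
}

// Constructed sample answers (no live DNS): a comment spammer seen two days ago, and a search engine.
$spammer = httpbl_should_block( httpbl_parse( '127.2.40.4' ) );
$crawler = httpbl_should_block( httpbl_parse( '127.0.0.0' ) );
```

Cache the decision per IP for a few minutes; the slide's "small overhead" is one DNS round trip per uncached request, and a DNS timeout must fail open (treat as unlisted) or the whole site stalls when the resolver is slow.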
  • 23. Plugin: Jetpack Comments - I
    – Action
      • Indirectly reduces comment spam from spambots
    – Mechanism
      • Replaces your existing comment form with one hosted on WordPress.com, embedded within an HTML iframe
      • Most spambots will not find a comment form on your site
  • 24. Plugin: Jetpack Comments - II
    – Limitations
      • Requires a modern theme that calls the comment_form() function (introduced in WordPress 3.0)
      • Incompatible themes require modification by a PHP developer
      • Will change the look of your comment form
    – Configuration note
      • If using this together with the Bad Behavior plugin, enable the Bad Behavior setting: Security->Allow form postings from other web sites
  • 25. Plugin: Minimum Comment Length
    – Action
      • Indirectly reduces comment spam
    – Mechanism
      • Rejects comments that are shorter than a specified minimum length, e.g. 15 characters
      • Many spambots/spammers leave a token comment with a URL of their website
    – Limitations
      • The anti-spam benefit is small, but it also discourages humans from leaving useless comments like "Great Post!" or "I agree"
  • 26. Plugin: Simple Trackback Validation w/ Topsy Blocker
    – Action
      • Reduces trackback spam
    – Mechanism
      • Confirms that the IP address of the trackback sender matches the IP address of the site the trackback URL points to
      • Accesses the trackback URL and confirms that the content contains a link to your post
    – Limitations
      • Some trackback spam will still pass both those tests
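The two checks on slide 26, implemented as an added example that is not the Simple Trackback Validation plugin's own code: a WordPress filter that, for incoming trackbacks, confirms the sender's IP is one the trackback URL's hostname resolves to, then fetches that page and looks for a link back to the post. Function names are assumptions; `preprocess_comment`, `wp_safe_remote_get` and the other WordPress calls are real.

```php
<?php
/*
 * Added example (not the Simple Trackback Validation plugin): the sender-IP
 * and link-back checks the slide describes. Helper names are hypothetical.
 */

/** Check 1: does the trackback URL's host resolve to the address that sent the trackback? */
function ex_trackback_sender_matches( $sender_ip, $trackback_url ) {
    $host = parse_url( $trackback_url, PHP_URL_HOST );
    if ( empty( $host ) ) {
        return false;
    }
    $addresses = gethostbynamel( $host ); // false when the name does not resolve
    return $addresses !== false && in_array( $sender_ip, $addresses, true );
}

/** Check 2: does the page at the trackback URL actually link to our post? */
function ex_trackback_page_links_back( $trackback_url, $permalink ) {
    // wp_safe_remote_get() refuses local/private destinations, which matters because
    // the URL being fetched is supplied by the remote party.
    $response = wp_safe_remote_get( $trackback_url, array( 'timeout' => 5, 'redirection' => 2 ) );
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }
    // Match on the scheme-less permalink so http/https and trailing-slash variants both count.
    $needle = preg_replace( '#^https?://#i', '', untrailingslashit( $permalink ) );
    return stripos( wp_remote_retrieve_body( $response ), $needle ) !== false;
}

// wp-trackback.php saves trackbacks through wp_new_comment(), which runs this filter.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    if ( empty( $commentdata['comment_type'] ) || 'trackback' !== $commentdata['comment_type'] ) {
        return $commentdata;
    }
    $sender_ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    $url       = isset( $commentdata['comment_author_url'] ) ? $commentdata['comment_author_url'] : '';
    $permalink = get_permalink( (int) $commentdata['comment_post_ID'] );
    if ( ! ex_trackback_sender_matches( $sender_ip, $url ) || ! ex_trackback_page_links_back( $url, $permalink ) ) {
        wp_die( 'Trackback rejected.', 'Trackback blocked', array( 'response' => 403 ) );
    }
    return $commentdata;
} );
```

Behind a CDN or reverse proxy `REMOTE_ADDR` is the proxy's address, so check 1 then rejects every legitimate trackback; derive the real client address from the proxy's forwarded header only when the request provably came from that proxy.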
  • 27. Plugin: Email Address Encoder
    – Action
      • Reduces email spam
    – Mechanism
      • Encodes email addresses in your WordPress site content and widgets into decimal and hexadecimal HTML entities, foiling the majority of email harvesting spambots
    – Limitation
      • It is possible for a spambot to be developed that can deal with this sort of encoding
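The entity encoding slide 27 describes, as an added example rather than the Email Address Encoder plugin's own code: each byte of an ASCII address becomes a decimal or hexadecimal HTML character reference, and the last two lines show the limitation the slide states, since a single entity-decoding call recovers the plain address. The function names and the sample address are constructed for this example.

```php
<?php
/*
 * Added example (not the Email Address Encoder plugin): ASCII email address
 * to mixed decimal/hex HTML entities, and the trivial reversal.
 */

/** Encode every byte of an ASCII string as an HTML entity, alternating decimal and hex forms. */
function ex_entity_encode_email( $email ) {
    $out = '';
    $len = strlen( $email );
    for ( $i = 0; $i < $len; $i++ ) {
        $code = ord( $email[ $i ] );
        // Alternating forms leave no literal "@" or "." for a naive regex harvester to match.
        $out .= ( $i % 2 === 0 ) ? sprintf( '&#%d;', $code ) : sprintf( '&#x%x;', $code );
    }
    return $out;
}

/** Wrap the encoded address in a mailto: link whose href is encoded the same way. */
function ex_encoded_mailto( $email ) {
    $enc = ex_entity_encode_email( $email );
    return '<a href="' . ex_entity_encode_email( 'mailto:' ) . $enc . '">' . $enc . '</a>';
}

// Constructed sample address, not one from the slides.
$encoded = ex_entity_encode_email( 'contact@example.com' );
$link    = ex_encoded_mailto( 'contact@example.com' );

// The limitation from the slide: a harvester that runs an entity decoder gets the address back.
$decoded = html_entity_decode( $encoded, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
```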
  • 28. Other Spam Reduction Tips
  • 29. Disable User Registrations
    – Only authors or members should have accounts on your site.
    – In WordPress admin, uncheck the following: Settings->General->Anyone can register
  • 30. Authenticate Commenters
    – Jetpack Comments and other plugins allow commenters to authenticate using their Facebook, Twitter and other social sharing accounts without requiring an account on your WordPress site
  • 31. Comment Moderation Tips
    – Recommend approving comments before they're published (if you have the time)
    – If you have a crowd of regular fans/commenters, enabling the following will save you time: in Settings->Discussion Settings->Before a Comment appears, check the box "Comment author must have a previously approved comment"
  • 32. To Disable Pingbacks & Trackbacks
    – In Settings->Discussion->Default article settings, unselect the following: Allow link notifications from other blogs (pingbacks and trackbacks)
  • 33. Dealing with Human Email/Contact Spam
    – The most common human-generated spam is for Search Engine Optimisation services.
    – If these are a problem, try the following:
      • Publish an email address for SEO and ranking enquiries
      • Have an "SEO/Ranking" department on contact forms
    – This may help separate those enquiries from all others
  • 34. Conclusion
    – Project Honey Pot:
      • http://www.projecthoneypot.org/
      • Provides an http:BL key to use with the Bad Behavior plugin
      • You can also contribute by joining their network of honey pots
    – Questions and comments:
      • http://wpexpert.com.au/contact-us/