How to Prevent Spam on WordPress

Spammers use many tricks to populate legitimate websites with links to irrelevant or malicious content (spam, adult, phishing or malware). The Internet community and national governments make efforts to expose and take down the major botnets (remember the closing of the Grum botnet in 2012), but this fight will probably never end. Spam attacks remain a daily and inescapable burden on administrators and website owners.

Website admins have to keep their sites free of improper links. If they don’t, their websites will be heavily hit by spammers and flooded with myriads of malicious outbound links, which directly leads to a fall in PageRank. One of the reasons a website drops in Google or Yahoo rankings is that search robots analyze all the links on the site and find it connected to some kind of improper content, even via links posted in sections meant for user-generated content, i.e. comments and forums. Improper links might also violate AdSense policies, causing suspension of your account. That’s why even accidental links can seriously harm your project, and no suspicious comments or forum posts should be tolerated.

How to Prevent Spam

There are dozens of adequate anti-spam WordPress plugins, both paid and free. Unfortunately, despite the wealth of choice, there is no perfect solution for all the trouble we might face when dealing with spam attacks, because spamming methods keep evolving.

Here are three major methods that can be used to mitigate or prevent link spam on your WordPress website or forum (along with their vulnerabilities):

Method #1: Human verification tests (CAPTCHA, etc)

Such tests can be added to registration or comment forms to prevent their automatic submission. This sort of verification presents a textual or visual challenge, like answering a question or solving a small puzzle, which should be a cakewalk for a human but difficult for bots to pass. It’s a good and popular security option delivered by many dedicated WP plugins. However, even the most sophisticated human verification tests can be easily passed by a human spammer, or defeated by so-called relay attacks, in which human operators are brought in to solve the tests.

Method #2: Solutions that use blacklisting techniques to screen out spam automatically (Mollom, Akismet, etc)

There are some popular WP plugins with different “intelligent” mechanisms to recognize and filter spam comments or forum posts automatically. Using proprietary methods, such plugins can detect, blacklist and block spam attempts by IP address, by the presence of blacklisted links or words in posts, and so on, so the vast majority of spam is discarded at the entry. This is quite an effective way to rebuff spam attacks; however, it isn’t 100 percent reliable. Because of technical mistakes, such as the presence of suspicious words in a post or other “false alarms”, a chunk of valid comments can be rejected, while a certain portion of spam slips through. In other words, when you employ such a solution for your WP-based site, you should be ready to stay watchful and manually clean up links that were missed, or pull something valuable out of the spam queue.

Method #3: Manual moderation of comments and posts

You have to manually check and moderate each bit of user-generated content to be sure there are no spam links. Spammers can be tricky, though: they might not blatantly spam your site with tons of malicious links in every post, which would make them easy to see and discard, but they can hide a link in a single dot inside some half-witted post to complicate your task. So this method implies that you have a sufficient group of moderators, and it turns out to be much more time-consuming, expensive and less efficient when a large volume of comments and posts is submitted for review. In fact, you risk spending all your time moderating comments and posts to keep your site safe instead of developing it.

As you can see, using these methods separately or in combination can’t guarantee complete safety for a site and its visitors, who remain at risk of having their PCs infected with malware or of occasionally running into unwanted content. So let me introduce the strategy our team of enthusiasts has created for spam prevention on our own projects. This strategy serves as the last line of anti-spam defence (in addition to all other methods) and rests on a few basic principles that many webmasters can make use of:

  • When suspect data appears among your website’s user-generated content, it should be automatically turned into an indirect link so that your site is not related to any unverified web resources. This decreases the possibility of an occasional PR drop or AdSense account suspension.
  • Posts and links shared by regular users and visitors should be in no danger of being rejected or blocked.
  • Internet users who follow suspicious links need to be protected, or at least made aware that they are opening potential spam content (adult, malware, spyware, etc.). Such links should be accessed indirectly, via interstitial pages, and with certain precautions that keep users out of risk.
  • Another important factor to mention is the shortening of links. Links may contain inappropriate words and affect the quality of your content.
  • Malicious websites must be cut off from tracking the source from which the user is redirected. This approach decreases the possibility of new spam attacks.
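
One way to implement the indirect-link rule from the list above, as an added example that is not Sur.ly's code or part of the original article: a PHP filter that rewrites external links in comment HTML to a same-site interstitial and leaves same-site links direct. The `/go/` path, the `ugc_*` function names, the filter priority and the sample comment are assumptions; the HMAC signature goes beyond the article and is there so the interstitial cannot be used as an open redirect.

```php
<?php
// Added example (not Sur.ly's code). Hypothetical names: the /go/ path and ugc_* functions.
function ugc_site_host(): string {
    // Inside WordPress use the real site host; 'example.com' is a constructed fallback.
    return function_exists('home_url') ? (string) parse_url(home_url(), PHP_URL_HOST) : 'example.com';
}

function ugc_is_external(string $href): bool {
    $p = parse_url(trim($href));
    // Relative, fragment-only, malformed and non-http(s) URLs are not rewritten here.
    if ($p === false || empty($p['host'])
        || !in_array(strtolower($p['scheme'] ?? 'http'), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower($p['host']);
    $own  = strtolower(ugc_site_host());
    return $host !== $own && substr($host, -strlen(".$own")) !== ".$own";
}

function ugc_rewrite_links(string $html): string {
    // Signing key: WordPress salt when available, otherwise a constructed demo value.
    $key  = function_exists('wp_salt') ? wp_salt('nonce') : 'constructed-demo-key';
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // user HTML is rarely well-formed
    $doc->loadHTML('<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    foreach ($doc->getElementsByTagName('a') as $a) {
        $href = trim($a->getAttribute('href'));
        if (!ugc_is_external($href)) {
            continue;                           // same-site links stay direct
        }
        // The signature lets the interstitial refuse targets this site never emitted,
        // so /go/ cannot be abused as an open redirect.
        $sig = hash_hmac('sha256', $href, $key);
        $a->setAttribute('href', '/go/?url=' . rawurlencode($href) . '&sig=' . $sig);
        $a->setAttribute('rel', 'nofollow ugc noopener noreferrer');
    }
    $out = '';
    foreach ($doc->getElementsByTagName('div')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);         // serialize only the wrapper's contents
    }
    return $out;
}

if (function_exists('add_filter')) {
    add_filter('comment_text', 'ugc_rewrite_links', 20);   // priority 20 is an assumption
} else {
    // Constructed sample: a spam link hidden in a single dot, plus a same-site link.
    echo ugc_rewrite_links('<p>Great post<a href="http://spam.test/pills?a=1">.</a> See <a href="/about">about</a></p>'), "\n";
}
```

The `/go/` handler, which is not shown, should recompute the signature and compare it with `hash_equals()`, show the destination before the visitor continues, and send `Referrer-Policy: no-referrer` so the target site cannot see where the visitor came from.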

The Sur.ly WP plugin is based on these principles, and it can work either independently or as the last line of your anti-spam protection to ensure complete safety. It replaces all potentially dangerous links with secure ones that lead to interstitial pages on Sur.ly, so your site is secured against ending up in a “bad neighborhood” because of spammers. You are welcome to share your ideas and use our plugin for free.

- Written by Alex Dobrov, freelance web developer, member of Sur.ly team, tool to make outbound links at your site surely safe -
