A Comprehensive Guide to Protecting Your Blog from Spam

Blog spam is something that every blogger fears. Spam appears in different forms. It can vary from trackback or pingback spam, comment spam, deliberate harsh comments to email harvesting and spam resulting from it.

Spam cannot be stopped. But by following a few good steps you can protect yourself from it.
This tutorial will teach you how to protect your WordPress blog from spam.

Before they hit you

This should be the first thing you do to prevent spam. I have found two very effective plugins which do the job very well. One is Bad Behavior and the other is Referrer Karma. I am currently using Bad Behavior on my blog. Optionally, you can add my Bad Behavior Stats Plugin to display the number of blocked attempts on your blog.

Yet another step to prevent bad bots and spam is to use your .htaccess file to block them. JavaScriptKit has a good tutorial on Blocking bad bots and site rippers (aka offline browsers). Simply copy-paste the code they give you into your .htaccess file and your ready.

As and when they hit you

Unfortunately the steps above alone will not protect you completely. Though the plugins above do an excellent job, I will admit that spammers are smart and they find a way to get through and you will suddenly see your blog filled with spam comments.

Some spammers do get through the above protection, and then you gotta take another step to protect you.

To prevent this one of the most effective plugins I have found to date is Spam Karma 2. It provides many checks and drastically reduces the amount of comment, trackback and pingback spam.

Once again, though SK2 effectively blocks most of the spam, it does struggle when a spammer personally enters the comment on your blog. On the surface it may appear rather innocent but infact is just another spammer in disguise pointing links to his site. And they rarely appear again on your site.

So, the next thing I did was install the Moderate Plugin for SK2. This plugin will ensure that new posters will land into moderation for your approval. So even if a person gets through Bad Behavior and Spam Karma 2, you can choose whether you want to approve this comment or not.
Remember though for this to effectively work you need to ensure that these two options are checked
1. “An administrator must approve the comment (regardless of any matches below)” (under Options ? Discussion)
2. “Comment author must have a previously approved comment” ( also under Options ? Discussion)

I have found by following the two steps above I have remained spam free for a long time now.

WordPress now comes bundled with an anti-spam plugin called Akismet. Akismet works in a different manner from SK2. Here, when a new comment, trackback, or pingback comes to your blog it is submitted to the Akismet web service which runs hundreds of tests on the comment and returns a thumbs up or thumbs down.

When the plugin catches something as spam it saves it in the database for 15 days in case you want to check it out manually and then automattically deletes it. In the unlikely event something gets incorrectly identified as spam you can correct it and it submits the “false positive” back to Akismet for analysis and improvement of our system. If a spam comment happens to get through and you mark it as spam within WordPress, it does the same thing. Akismet becomes more effective the more you use it.

Using Akismet is very easy. Download the plugin and enter your WordPress.com API Key.

You also have an Akismet Worst Offenders Extension that pre-processes the spam comments and identifies the worst offenders in terms of the domain that?s being advertised, or (perhaps more usefully) the IP Address of the spamming computer.

And to get the best of SK2 and Akismet get hold of the Spam Karm 2 Akismet Plugin. It is a plugin for SK2 that checks the comments with the Akismet web service and thus just making SK2 better.

Yet another plugin is WordPress Hashcash 3.0. Every four hours, your blog picks a random large number (close to 32 bits). Whenever a visitor visits your permalink pages, an ajax call is made which retrieves some javascript. This javascript first decrypts itself, then executes itself again to retrieve the secret value, which it sets in the form. Then it enables the submit button. If a comment does not have this value, it is rejected. If a comment is rejected more than four times, the user is blocked for a specified period of time.

Email Spam

In addition to protecting your blog from comment spam you can take one extra step and protect yourself from email spam from your blog.

The first and most important thing to remember is that putting a mailto: link on your website is an open invitation to spammers.

The best and highly recommended method to let visitors get in touch with you is to use a contact form.
Two popular contact forms for WordPress are PXS Mail and WP-Contact Form.

And if you really want to use your email address on the site then you can make use of either Transpose Email Plugin or EmailShroud Plugin. Both of these use javascript to obfuscate your email address thus prevent email harvesters from getting hold of it.

The former requires the user the manually enter in the code on their blog which is more work but won’t mess up your site.
The latter does this automatically but your links problems could be damaged.

Additional resources:

• Combating Comment Spam
• Spam Tools
• Tackling Comment Spam
• WikiPedia’s Spam in Blog

So what do you do to protect yourself from spam? If you have any suggestions or recommendations please do comment.

If you like this tutorial, please do digg it.