By nickel

Over the past couple of weeks, I’ve been experimenting with different methods for cutting down on comment spam on both FiveCentNickel and Raising4Boys. This all started when I upgraded to WordPress 2.1. In the past, I’ve used SpamKarma 2 and had great luck with it. But as it turns out, things have been rearranged a bit in WP 2.1, and the comment management links (e.g., mark as spam, delete comment, etc.) that come in the SK2 comment notification e-mails no longer point where they’re supposed to. Thus, I switched to Akismet.

Unfortunately, Akismet has a much higher rate of false-positives on my sites than does SK2. This wouldn’t be a huge deal if I didn’t get so much spam, but it’s virtually impossible to wade through my spam folder looking for legit comments that got accidentally filtered out. After a couple of days of struggling with this problem, I decided to be proactive. What follows is a rundown of the various things that I’ve tried, culminating with the winning combination…

First off, I installed the Akismet Worst Offenders plugin, which sorts through your spam, aggregates the common offenses into bunches, and then allows you to delete entire classes of spam all at once. This makes it dead easy to throw out the vast majority of your spam without actually looking at it. You can then sort through the leftovers looking for false-positives. The other nice thing about this plugin is that it automatically bans the offending IP addresses via .htaccess when you delete the associated spams. This is a great tool for spam management, but it doesn’t do that much to reduce your spam load, despite the IP blocking.

Second, I tried a cool .htaccess trick that I found in the WordPress Codex. In short, this allows you to deny spambots access to your comment form if they don’t have a valid referrer from somewhere within your site. The underlying theory here is that, because most spambots hit wp-comments-post.php directly without following a link from one of your posts (as a valid commenter would do), you can block them automagically without interfering with legitimate visitors.

At first, this seemed like a dream solution. Spam slowed to a trickle, and all was good. Then I got an e-mail from a regular commenter saying that he couldn’t leave comments. It turns out that he was using a proxy server, and it wasn’t reporting a valid referrer. Since blocking loyal readers isn’t an option for me, I had to drop this one.
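An added example (not from the original post or the Codex): a small Python audit that applies the same referrer test to Apache combined-format access log lines, so you can count how many comment POSTs arrive with no referrer before turning on a block. The hostnames in `SITE_HOSTS` and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

SITE_HOSTS = {"example.com", "www.example.com"}  # assumption: your blog's hostnames
COMMENT_PATH = "/wp-comments-post.php"

# Apache "combined" log format: ip, ident, user, [time], "request", status, bytes, "referer", "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def classify(line):
    """Return 'same-site', 'off-site' or 'no-referrer'; None if not a comment POST."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    if urlsplit(m["path"]).path != COMMENT_PATH:
        return None
    ref = m["referer"]
    if ref in ("", "-"):
        return "no-referrer"
    # Compare the parsed host exactly: a URL that only mentions the site
    # name somewhere in its path must not count as same-site.
    host = (urlsplit(ref).hostname or "").lower()
    return "same-site" if host in SITE_HOSTS else "off-site"

def audit(lines):
    """Count comment POSTs per referrer class."""
    counts = {"same-site": 0, "off-site": 0, "no-referrer": 0}
    for line in lines:
        verdict = classify(line)
        if verdict:
            counts[verdict] += 1
    return counts

# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Feb/2007:10:01:02 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://www.example.com/2007/02/some-post/" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Feb/2007:10:01:05 -0500] "POST /wp-comments-post.php HTTP/1.0" 302 0 "-" "-"',
    '203.0.113.5 - - [12/Feb/2007:10:01:09 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://spam.invalid/example.com/" "Mozilla/4.0"',
    '192.0.2.44 - - [12/Feb/2007:10:02:00 -0500] "GET /2007/02/some-post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [12/Feb/2007:10:03:30 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

The last sample line stands in for a reader behind a referrer-stripping proxy: in the log it is indistinguishable from the bot on the second line, which is why the block caught a real commenter.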

Next up: Installing a small check to test whether or not a commenter is human. I’m not a fan of graphic CAPTCHAs, so I went with a math plugin instead. While some spam bots seem to parse the math problem and still get through, this works pretty well, and my spam levels fell noticeably. A side benefit of this plugin is that it keeps profoundly dumb people from commenting. ;)

The final step that I took was to change the name of wp-comments-post.php to something else (thanks to Jim for the suggestion). As I noted above, many spambots hit this file directly, so if you rename it, they won’t be able to find it. This works great! The only trick here is to make sure you change any calls to this file from within your theme, otherwise your comments won’t work. Fortunately, this involved opening up comments.php and changing it in just one spot. Of course, since you’re renaming a core piece of the WordPress code, you’ll need to re-do this when you upgrade to the next version.

So that’s where things currently stand… I’ve renamed wp-comments-post.php, installed the math plugin, and I’m filtering with Akismet (helped along by the Worst Offenders plugin).

While this combination has reduced spam to about 10% of the original level, a bit still gets through. Thus, I’ve modified the text that surrounds the math problem to make the nature of the underlying test slightly less obvious (it’s a bit less “mathy” and a bit more “wordy”). Hopefully this will make the math problem more difficult to parse, and will push the spam levels even lower.

So there you have it… If you have any spam-defeating tricks up your sleeve, please share them here in the comments.

Note: Before anyone suggests Bad Behavior, I’ll just say that I’ve tried it, and it worked great. Unfortunately, it also blocked a small number of legitimate visitors and, as I noted above, that’s unacceptable to me.


7 Responses to “Reducing Comment Spam to a Trickle”  

  1. Flexo

    Thanks for laying this all out. I’m going to implement most of what you’ve found. Thanks for doing the hard work of experimenting so I can benefit. :-)

  2. jdroth

    I’ve always just used Akismet. This used to require a *lot* of grunt work on my part, sifting through for false positives. I had to sort 1200-1500 messages a day. (And the stupid new Akismet “paging” scheme, where you only get to see 50 messages a page, was driving me insane. How dumb is that really? I mean, come on, that’s 30 pages I have to sort through instead of one. Dumb dumb dumb dumb dumb.)

    Anyhow, on a whim I activated the “automatically discard spam on messages older than 30 days” option and voila! No more headaches. I still get just as much spam, but I don’t have to deal with most of it. I only have to process 20-30 messages a day. I’m sure I’m losing a couple of false positives, but I’ve had no readers complain. And to be honest — it’s worth it to me in order to have my spam headaches completely vanish.

  3. nickel

    JD: Where can I find that setting? There are no options to set on Akismet, so it must be somewhere else. Thanks.

  4. Blaine Moore (First Time Home Owner)

    Nickel,

    It’s in your plugins section:

    {domain}/wp-admin/plugins.php?page=akismet-key-config

    There is a checkbox below where you type your key in.

  5. nickel

    Ahhh… I see… Unfortunately, it was already checked in my case, so checking it won’t improve things any further. Thanks.

  6. jdroth

    Interesting. I wonder if there’s something else going on, Nickel. When I first selected it, it didn’t improve anything. But after the last “forced” WP upgrade at Dreamhost, it all of a sudden kicked in. I’m telling you: it’s wonderful! :0

  7. Yan

    Thanks for the roundup. I just renamed wp-comments-post, will see if it helps.

    By the way, I could only see one place where it is referenced from my blog theme. Did you have more than one file to edit?
