I am very careful about how, or even if, I allow comments on trivia. For example I disallow all comments on any post after a set period of time, I also refuse all comments until I have had time to read and thus moderate them. This cuts down on the type of rubbish often seen on blogs of the form:
“I read this and it was very useful to me. I have bookmarked your page and will come back later.”
Now whilst this may, in and of itself, appear fairly innocuous, it says nothing, and adds nothing, to the post. But the poster (usually a ‘bot) doesn’t care about this, they are only interested in getting their URL (which is almost guaranteed to be a site you should certainly not visit) posted to the blog along with the comment. Next time you view a blog post (including this one) take a look at the comment section. If you press the “Leave comment” button you will be presented with a form like this:
Note that below the actual comment field itself (which allows free form text entry) there are three additional fields: “Name”, “Email”, and “Website”. By default, wordpress will not publish the email address along with the comment, but will publish the name and website URL. In my view this is dumb – it simply begs for spambots to use those fields to publish dodgy URLs – and there is no simple way within wordpress to change this behaviour. It is also worth noting here that wordpress does absolutely no validation of the email address supplied beyond a simple syntactical check that the text entered is of the form “sometext@someothertext” so of course spambots usually leave rubbish email addresses too.
The biggest advantage of the native wordress commenting system is its simplicity and usability. Unless the wordpress site uses a “captcha” mechanism to add a hurdle (I used to do exactly this on trivia, but discontinued it precisely because it made commenting more difficult) it is relatively easy for a reader to quickly add a comment should they so wish.
But, there are several problems with the standard commenting system, beyond the risk of spam. For example, commenters cannot edit their comments after posting. This does not not matter in trivia’s case because I moderate all comments before posting, but it can matter to bloggers who wish to encourage an interactive community. Furthermore, commenters do not receive any notifications that their comment has been posted, nor do they receive any similar notification if their comment is in turn commented upon or replied to. Nor is there any mechanism for user feedback (upvotes, downvotes etc.) This can discourage interaction – which is exactly what a lot of bloggers actually want. Another drawback (or in my case advantage) is that there is no possibilty of interaction with “social media” sites so there cannot be linkages to such sites (as I say, I find this an advantage, others may not).
WordPress’ “comment” settings allows admins to both moderate comments and ban them entirely according to certain rules. In my case I enforce moderation of all comments before I allow them to appear on the site, but this takes time. I set trivia’s comment settings to email me whenever a comment is made, but this can result in my receiving shed loads of junk alerting me to the fact that some stupid bot has “commented” yet again and I need to clear it out. A better mechanism would be to send all such junk strainght to the bin, or disallow it altogether. The standard wordpress system attempts to mitigate spam by including the Akismet plugin. But as I have commented in the past, I dislike this mechanism and always disable it. So, in order to reduce my workload in spam moderation, I include in my discussion setting a “ban list” of key words and phrases which, if triggered, result in the spam going straight to trash. This list can also be used to ban IP addresses, but in my view this is largely pointless because the spammers come from a huge range of (ever changing) IP addresses.
I have recently been hit by a particularly prolific bot which continues to post the same drivel time and time again so I have been updating my ban list with common words it uses. Fortunately, this particular bot has been programmed by an idiot who has used the same name (and an unusual one at that) in many of its posts. This makes both finding where else it has been (all over the net) and blocking it, a little easier. It also contiunues to try to post the same URL, which again makes blocking a little easier. But I am getting tired of this game so I thought I’d investigate other ban mechanisms.
There are plenty of wordpress plugins out there (from the hugely complex but comprehensive jetpack, to simple “advanced comment form” plugins which allow modification of the standard comment mechanism, but all have the major drawback (in my view) of any wordpress plugin – they add complexity and possible vulnerability to my site. The wordpress core itself is updated fairly frequently and I’m reasonably confident (he said) that it is as “secure” as it can be given that is written in PHP, is nearly ubiquitous in the blogging world (and thus presents an attractive target for ne’er do wells) and has a history of unfortunate failures. Adding plugins which may not be updated very often, and which may not have been very well written in the first place, strikes me as possibly risky. For that reason I use as few plugins on trivia as I can, and I only add a plugin when I think it genuinely adds value to my site.
That said, I did consider augmenting the blacklist I use in my own standard comment setup – that is until I found this rather ironic example of how not to do things on a site called “Free web headers“. The site has a blog post entitled “WordPress Comment Blacklist Words, WordPress Comment Moderation and WordPress Comment Spam” which, of course, is how I found it. The post says:
To have complete control over which comments appear on your site, Keeping your comments clean from unacceptable, profanities, or untrustworthy words/phrases can greatly enable your visitors to interact with your website in a safe environment and that increases your traffic and of course, increase your website rank.
It goes on:
WordPress comment moderation helps you to prevent suspicious and unwanted comments from appearing on your site without the blog’s administrator approval.
Spam is an unrequested and unwanted message sent electronically in bulk, which appears on your site without your approval. Comment spam is one of the common forms of spam, and there are many other forms of spam such as; email spam, instant message spam, search engine spam, social media spam, and blog spam.
WordPress comment blacklist is the best defense against comment spam at the early beginning. To control your comment spam, always watch the latest comments in the comments list and quickly scan the comment activity, you can easily find the spam comments, take quick action and add the spammers to your Comment blacklist, this will effectively fight the WordPress spam in your comments.
I get the feeling that english is not the first language of the poster – but never mind. However, they then go on with possibly the most dangerous piece of advice I have seen on a wordpress related blog for some time when they say:
Another practical way to control and fight your comment spam; always visit the URLs of the visitors who leave comments on your blog to determine whether the poster is genuine and sincere or a spammer. If you find the page is suspicious, so delete the entire comment or at least delete the URL, then quickly add the site title, the URL, and email address to your blacklist.
No, absolutely no. Do not do that. My fear is that many blog administrators will do exactly that whilst logged in to their site as admin leaving themselves wide open to a cross site scripting attack. Please, please, please do not do that. If you must visit the URL posted then do so from the command line using something like wget or curl and check the contents thereafter in a dumb text reader. Better by far not to even bother checking the URL. After all it is quite probably obviously suspect – mine almost always are. Be particularly wary if the URL is in a shortened form (such as from bit.ly) because such blatant obfuscation is almost a guarantee that they have something to hide.
All that aside, one obvious failing of the poster is to notice that their own post is subject to comment spam with very suspicious looking URLs where the “name” should be. The first two comments are shown in the image below:
Read ’em and weep.