 How to catch comment spammers in wordpress
Author: L.Lawton   (17 May 09 8:06am)
I'm definitely a noob, but want to fight spam. Just looking for advice on where to paste links to my honeypot in my wordpress.org blog. I've looked around in the files with words like "comment" in the filename, but too nooby to figure out where I can put the links. Can someone help?

Thanks.
 
 Re: How to catch comment spammers in wordpress
Author: M.Prince   (20 May 09 7:45pm)
Anywhere will do. Generally higher on the page is better than lower since some bots don't download the full page. Can't hurt to include multiple links in multiple places hidden in multiple different ways. The more links you have to your honey pot, the more likely it is that bad bots will stumble across it.
 
 Re: How to catch comment spammers in wordpress
Author: B.L5   (24 May 09 5:37pm)
Try putting them in your template files.

Post Edited (26 May 09 2:34pm)
 
 Re: How to catch comment spammers in wordpress
Author: R.Filatov   (18 Sep 09 3:03am)
Sorry guys, a total numpty here.

I moderate a forum, which is under attack from a comment spammer. I registered with QuickLinks. Am I right in understanding that all I need to do is simply cut and paste one of the QuickLinks into, say, my signature to the posts?

I don't have admin functions.
 
 Re: How to catch comment spammers in wordpress
Author: D.Alder   (23 Jan 10 12:03pm)
For WP - install the plugin Bad Behavior. It won't catch them all but it will greatly reduce the number. You can get it from http://wordpress.org/extend/plugins/bad-behavior/
 
 Re: How to catch comment spammers in wordpress
Author: A.Degives Mas   (22 Mar 10 9:56pm)
Just to be sure...

There are TWO components that are relevant to web admins of sites; the same applies to WordPress installations.

1) Checking visitors against the http:BL API which can be unnerving to set it up properly, but it's something which for self-hosted WordPress sites is a cinch, thanks to the http:BL WordPress plugin, which you can find here:
http://wordpress.org/extend/plugins/httpbl/

Of course, you DO need a valid http:BL key in order to input it in the appropriate field in the plugin's settings.

As an alternative to the http:BL WordPress plugin, there's Bad Behavior, which has been named here, and does the same thing - but with a VERY important difference: it ALSO does content / behavior checks on every visitor. Bad Behavior is, in effect, a highly efficient (and powerful) first-layer defense as well as http:BL checking solution. Because Bad Behavior also looks at the visitor's "profile" (it checks to see if e.g. the visitor shows the UA of a web browser, yet attempts to send a trackback? In that case, access is denied!) it is MUCH more complete as a defense. Having said that: the author of Bad Behavior (Michael Hampton) is adamant about complementary protection measures, i.e. using Bad Behavior as well as (e.g.) Akismet is highly recommended, because in that case whatever spills through Bad Behavior (after also checking against http:BL which could happen if we're talking about a very novel and/or low-profile comment spammer) it still has a good chance of being caught by Akismet, based on its inspection of the payload's CONTENT (something which is of course helped by their enormous exposure to spam on their free hosted wordpress.com blog platform) which by the way also uses its own blacklist servers.

The Bad Behavior plugin for WordPress can be found here:
http://wordpress.org/extend/plugins/bad-behavior/

Now, if you do choose to use the great and recommendable Bad Behavior plugin I STRONGLY recommend setting Bad Behavior to "strict" checking, except when you're desperate for visitors arriving via proxies, such as AOL users - every visitor will be checked against the http:BL database, assuming they are otherwise well-behaved. The "strict" setting is indeed strict, but as far as I'm concerned, security trumps exceptional conditions that cause relaxed security. It's also for the benefit of the greater internet that I refuse people with suspect BHOs installed (you know, those cute smilie laden browser bars).

Now, this first component / aspect of using http:BL also interacts with the http:BL system, but doesn't have the "honeypot" element that you need to truly "give back the love" to the community. Still, any riff-raff caught via the http:BL check method is also flagged, so it's still contributing, albeit more passively.

2) The "core" Project Honey Pot function of having "spamtrap" links is a DIFFERENT aspect, for which the self-hosted WordPress site admin has another, different plugin available, which is plainly named WP-HoneyPot and can be found here:
http://wordpress.org/extend/plugins/wp-honeypot/

That plugin does the automatic insertion of "spamtraps" for you. It does that using one of two methods, the same that are "advertised" on this site:

a) - Using a "proper" honeypot script file, which you can generate and download from this site - just drop it in the root web folder (usually named as public_http or www folder) and you're almost done - just paste the publicly visible URI to that folder (say: www.example.com/snafugalore.php if that's the name of it) into the WP-Honeypot settings and you're ready to catch the bad guys!
b) - You can also use quicklinks, that you can generate also on this site. Paste the URI of that quicklink into the WP-Honeypot settings and you're done.

Either of the two works, of course a) is preferable. Just paste in the URI to either the script or the quicklink into the WP-HoneyPot settings, and you're ready to catch more bad guys out there.

Concluding: if you run your self-hosted (to be perfectly clear: I mean an installation of a WordPress site that is NOT hosted on the www.wordpress.com servers) and want optimal protection as well as "give back to the community" use Bad Behavior (together with Akismet) and the WP-HoneyPot plugin.

If you want "simple" checks against the http:BL blacklist and still participate, use the http:BL WordPress plugin with the WP-HoneyPot plugin. Even in this configuration, also using Akismet is still highly encouraged.

I know this is a monster post, but I thought I'd better be verbose and complete rather than brief and perhaps unclear...

ADDED PS: many WordPress admins also want caching - for that, as things stand at this moment, I recommend using WP Super Cache because it plays VERY nicely with all components I've mentioned - including Bad Behavior. You can find the WP Super Cache plugin here:
http://wordpress.org/extend/plugins/wp-super-cache/

At this moment there's a new strong contender on the caching front, named W3 Total Cache, which is hosted here:
http://wordpress.org/extend/plugins/w3-total-cache/

However, as it is still very new and growing in maturity, as well as its incredible fine-tuning options, I recommend WP Super Cache for a hassle-free simple solution. Caching and compression are VERY complex things, and every server is a universe unto itself, which is why WP Super Cache is a more recommendable and above all simple to configure option for "newbies"

Also, while the original poster's question deals with comment spammers, the plugins I have mentioned above "track and flag" ANY of the categories of bad guys, be they comment spammers, rule breakers, or otherwise "bad guys" i.e. also when they attempt to engage in RFI (remote file inclusion) type attacks, as long as they visit one of the WordPress pages, they'll be monitored.

Post Edited (22 Mar 10 10:38pm)
 
 Re: How to catch comment spammers in wordpress
Author: O.D2   (28 Mar 10 4:05am)
I was trying to find how to edit the template code in wordpress but I cannot find it or I am blind. It is not installed on my server, I am talking about my wordpress on wordpress.com

Is it possible? Cause I am adding honey pots everywhere today :)
 
 Re: How to catch comment spammers in wordpress
Author: A.Degives Mas   (28 Mar 10 7:17pm)
If you use the WP-HoneyPot plugin, there's NO NEED whatsoever to mod (or even touch) your theme files. The plugin will take care of inserting the appropriate links to either the script (if you downloaded that from the Project HoneyPot site and activated it) or your QuickLink link.

Again, there's NO need to touch any theme (template) files!

You can find and download the WP-HoneyPot plugin from the canonical WP plugin server, here:

http://wordpress.org/extend/plugins/wp-honeypot/
 
 Re: How to catch comment spammers in wordpress
Author: T.Nelson2   (30 Mar 10 9:01pm)
Hi,
I've been using BadBehavior for some time, but without an http:BL access key. I looked into the WP-HoneyPot Plugin, but it appears it's no longer compatible with the newest versions of WordPress. I also have been considering the plugin called, AVH First Defense
http://wordpress.org/extend/plugins/avh-first-defense-against-spam/

However, in that I already have BadBehavior, (using it with "Strict checking" mode), do I need any other plugin like AVH if I instead add the http:BL access key to BadBehavior?

I assumed I could simply add my access key into the space provided in my BadBehavior settings page from my WordPress admin dashboard, save it, and that would be it, but this is what I'm confused about from your information here:

"If you are using your Access Key to activate the http:BL Apache Module, you should include the Access Key in the httpd.conf file. Follow the instructions included with the http:BL Apache Module. If you are using the Access Key to initiate DNS queries against the http:BL system directly, you should use the following format."

I don't have a "httpd.conf file" nor do I know if my host server config would even allow it, and in that I can simply add the access code into BadBehavior from my dashboard I assume I don't need to do anything else? I'm obviously confused here by what appears to be numerous methods possible, but for my skill level I need the simplest solution.

So, just to clarify my question:

1. If I add the access key to my existing BadBehavior 2.036 plugin, is there any need for AVH or any other plugin for HoneyPot?

Note: I've added the access key to my BadBehavior settings page, and it appears to be working okay, by viewing the information in my BadBehavior log files.

Thank you for your help!

Post Edited (30 Mar 10 9:26pm)
 
 Re: How to catch comment spammers in wordpress
Author: A.Degives Mas   (1 Apr 10 3:11am)
You don't need AVH if you already have Bad Behavior, especially with Bad Behavior set to Strict mode. That's because Bad Behavior and AVH are somewhat "competing" as both are front-line, first line of defense plugins. However, it IS highly recommendable to also use a "second-tier" plugin, e.g. Akismet works very nicely as such together with Bad Behavior.

Now, to also have your honeypot links embedded throughout your WordPress site, you need (if you want it done automatically, that is) to also use WP-HoneyPot. This plugin works perfectly fine with WP 2.9.2. (I have several sites on WP 2.9.2 and zero trouble with WP-HoneyPot!)

And just in case: you can forget about the httpd.conf info for Bad Behavior - that's only for those who run a WordPress site on their own, dedicated server with direct server admin control. Trust me, you want to hire a specialist for that stuff *IF* you should need to deal with it! If and when that need should arise for you, he/she will know exactly what that httpd.conf stuff is all about. So, just install the plugin, punch in your Project Honey Pot http:BL API key and see the rejected hosts appear in your Bad Behavior logs (they appear typically marked as "IP address found on http:BL blacklist")

Post Edited (1 Apr 10 3:15am)
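
Added example, not part of any post above and not code from Bad Behavior or the http:BL plugin: a sketch of the direct DNS check the thread keeps referring to, following the public http:BL API layout (query `<key>.<reversed IP>.dnsbl.httpbl.org`, answer `127.<days>.<threat>.<type>`). The function names, the placeholder key, the sample answers and the blocking thresholds are assumptions made up for illustration.

```python
import ipaddress
import socket

# Visitor-type bit flags carried in the fourth octet of an http:BL answer.
TYPE_BITS = {1: "suspicious", 2: "harvester", 4: "comment spammer"}

def httpbl_query_name(access_key, visitor_ip, zone="dnsbl.httpbl.org"):
    """Build the lookup name: <access key>.<IPv4 octets reversed>.<zone>."""
    ip = ipaddress.IPv4Address(visitor_ip)  # raises ValueError on anything but IPv4
    return f"{access_key}.{'.'.join(reversed(str(ip).split('.')))}.{zone}"

def decode_httpbl_answer(answer):
    """Decode '127.<days>.<threat>.<type>'; None means NXDOMAIN (not listed)."""
    if answer is None:
        return {"listed": False}
    first, days, threat, vtype = (int(part) for part in answer.split("."))
    if first != 127:
        raise ValueError(f"not an http:BL answer: {answer}")
    if vtype == 0:
        # Type 0 is a known search engine; the third octet is then an
        # engine identifier, not a threat score.
        return {"listed": True, "types": ["search engine"], "days": days, "threat": None}
    types = [name for bit, name in TYPE_BITS.items() if vtype & bit]
    return {"listed": True, "types": types, "days": days, "threat": threat}

def should_block(decoded, min_threat=25, max_age_days=30):
    """Illustrative policy; both thresholds are assumptions to tune per site."""
    if not decoded["listed"] or decoded["threat"] is None:
        return False
    return decoded["threat"] >= min_threat and decoded["days"] <= max_age_days

def lookup(access_key, visitor_ip):
    """Live query; needs network access and a real key, so it is not run below."""
    try:
        answer = socket.gethostbyname(httpbl_query_name(access_key, visitor_ip))
    except socket.gaierror:
        answer = None
    return decode_httpbl_answer(answer)

if __name__ == "__main__":
    key = "abcdefghijkl"  # constructed placeholder, not a real access key
    print(httpbl_query_name(key, "203.0.113.7"))
    # Constructed sample answers, as a resolver would return them.
    for sample in ("127.3.40.4", "127.200.10.2", "127.0.5.0", None):
        decoded = decode_httpbl_answer(sample)
        print(sample, decoded, "block" if should_block(decoded) else "allow")
```

An old or low-scoring listing is allowed through here on purpose; a second-tier content filter such as Akismet, as recommended in the thread, is what catches what this check lets pass.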


