Problem with Comments and Spam
- This topic has 16 replies, 4 voices, and was last updated 10 years, 11 months ago by Bill Murray.
April 23, 2013 at 4:22 pm #37264
April 23, 2013 at 4:42 pm #37269 Bill Murray (Member)
Completely stopping this is hard.
You might want to check out this technique for htaccess modifications if you're on an Apache webserver. Be sure to adjust the "yourdomainname" in the script. Other approaches would involve using htaccess to redirect anyone attempting to access the comment script to somewhere else, since anyone accessing it is a bot. Techniques that involve removing or modifying core WP won't survive WP upgrades, so they should be avoided.
Web: https://wpperform.com or Twitter: @wpperform
We do managed WordPress hosting.
April 24, 2013 at 3:11 am #37341 Fabio (Participant)
Oh wow,
I didn't think it was so hard/impossible to stop.
So basically all of you out there are facing this problem every day?
To be honest I don't even know what Apache webserver is... is there any easier way?
April 24, 2013 at 7:21 am #37367 Bill Murray (Member)
You can try contacting your host, pointing them to the link I mentioned, and see if they can help you with htaccess changes.
You can try spam plugins like Akismet, which should classify most spam comments as spam and after a period of time they'll be automatically deleted, but Akismet won't stop spammers from posting the comment in the first place.
As I said earlier, putting a complete stop to this isn't easy and usually takes some set up on your web server (e.g., the htaccess stuff I mentioned).
April 24, 2013 at 10:32 am #37429 Fabio (Participant)
Thanks Bill, I got my host to paste that code in my htaccess and let's hope it works.
Thanks!
April 24, 2013 at 11:14 am #37437 Bill Murray (Member)
I trust that you explained to them they could not paste the code without modification. You have to include your domain name, as described in my earlier post.
April 24, 2013 at 11:18 am #37439 Fabio (Participant)
Yes, basically simply change yourdomainname with letstalksex.net
or something else?
April 24, 2013 at 2:54 pm #37463 Bill Murray (Member)
I don't think you need to use the .net, since the script already says .*
Note that this technique is only blocking spammers when the referrer is not your own domain. Since you've removed the comment form, it's virtually impossible for the referrer to be your site unless the spammer spoofs this value in the header. In other words, this technique is NOT foolproof. A better technique would be to redirect every access to the comment form, regardless of referrer. Consider this a good 1st step, and if the problem continues, go back to your web host and see if they can help with more advanced techniques.
April 24, 2013 at 11:10 pm #37526 Summer (Member)
I've been using this method for several years successfully, but several interesting things happened with this .htaccess technique when I updated to WP 3.5.1
I used to have those rules outside of the #END WordPress block, because that code would vanish any time I updated something that updated the permalinks... all my .htaccess customizations would be erased and I'd be back to the default WP .htaccess and I'd have to paste all my rules back in.
But after updating to WP 3.5.1, all .htaccess rules outside of the WordPress block were ignored by WordPress... my spam blocks, my image hotlinking preventions, all stopped working with WordPress until I put them back inside the WP block.
I discovered this when I had to uninstall the MP Spam Block plugin because it wasn't playing nicely with WPMU's Comments Plus, and wham, I started getting over 500 spam comments a day without fail. When I put the antispam rules before the #END WordPress line, it started working again, dropping down to a more manageable 200 spam comments per day, and I still had to add Deny rules for a couple of specific IP addresses. While using MP Spam Block I was getting 5-10 per day maybe, but I realized it was also blocking all trackbacks, including legit ones from my other sites, so maybe it was TOO good.
Same for the image hotlinking rules... they were ignored by WordPress until I moved them inside the WP block, so make sure you keep a backup of your .htaccess just in case you do something where you have to update permalinks... my guess is those customizations might still "vanish"... I haven't tested it out to see if that's still the case, though.
WordPress / Genesis Site Design & Troubleshooting: A Touch of Summer | @SummerWebDesign
Slice of SciFi | Writers, After Dark
April 25, 2013 at 5:42 am #37607 Fabio (Participant)
@Bill:
First of all thank you.
Second, you say:
"A better technique would be to redirect every access to the comment form, regardless of referrer."
And how do you do this?
Also, considering the interesting comment of Summer above ^ is this copy n paste going to last the next WP update? Is there any danger for my site to crash?
Thanks both!
April 25, 2013 at 10:45 am #37674 Bill Murray (Member)
@Fabio - First, while I have general knowledge about htaccess, I'm not an htaccess guru, because htaccess is something that is connected to Apache web servers, and none of our web servers run Apache. Therefore, there are probably better sources of info on htaccess than what I might say. Further, you can easily break your site with changes to htaccess, so I'm also reluctant to encourage editing of this file via a support method like this, especially by those who don't understand the consequences or aren't in a position to quickly fix them. Therefore, I encourage you to work with your web host to modify htaccess because it's a safer route.
Anytime you play with htaccess, or PHP for that matter, there's a risk that even a small typo can cause your site to crash. That's why you have to understand what you're doing and have the tools to fix inadvertent mistakes, or put the job in the hands of someone who does.
@Summer & @Fabio - As a general rule, your WP rules in htaccess should be at the end. Your custom rules should be at the beginning. That probably contributed to Summer's custom rules getting overwritten, but since I don't use an Apache server, it's not something I can test or verify. If I'm right that putting custom rules at the beginning does not cause WP to overwrite them on upgrade, then that's the ticket to make them survive WP upgrades - put the custom rules first. And yes, I am aware that there are a number of articles on htaccess that say to put custom rules at the end of the htaccess file.
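The two approaches discussed above, written out as .htaccess rules. This is an added example, not the snippet from the linked article and not code posted by anyone in the thread; it assumes mod_rewrite is enabled, WordPress is installed in the directory that holds this .htaccess, and `yourdomainname` stands for the site's own domain.

```apache
# Added example. "yourdomainname" is the placeholder from the thread;
# assumes WordPress lives in the same directory as this .htaccess.
# Custom rules sit above the WordPress block, as suggested in the thread.
<IfModule mod_rewrite.c>
RewriteEngine On

# Option A: referrer check (the technique the thread starts with).
# Refuse POSTs to the comment handler when the Referer header does not
# name this site, or when no User-Agent is sent. Conditions are ANDed
# except the pair joined by [OR]. Referer is supplied by the client, so
# a bot that forges it passes, and visitors whose browsers strip the
# header are refused along with the bots.
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !yourdomainname [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule ^wp-comments-post\.php$ - [F,L]

# Option B: refuse every request to the handler, whatever the referrer.
# Only for sites that have removed the comment form entirely, because
# it also stops genuine comments. Uncomment it and delete Option A.
# [F] returns 403 Forbidden rather than redirecting the request.
#RewriteRule ^wp-comments-post\.php$ - [F,L]
</IfModule>

# BEGIN WordPress
# WordPress regenerates everything between these two markers when
# permalinks are saved, so custom rules do not belong in here.
# END WordPress
```

Once either option is active, a POST to wp-comments-post.php sent without a Referer header should come back as 403. Keep a copy of the previous .htaccess so it can be restored if the site starts returning errors.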
April 25, 2013 at 10:49 pm #37778 Derek (Member)
Besides having Cloudflare I have a captcha plugin for the comment area. That stops a ton of spammers from submitting a comment. I do get a few daily but I've banned their IP addresses. I'm used to handling spammers. I'm a super moderator on a large webmaster forum. lol
Really good advice so far in this thread.
~’;’~
April 26, 2013 at 8:15 pm #37987 Summer (Member)
@Bill, in WP versions prior to 3.2, I can confirm through experience that having those custom rules before the WP rules didn't save them from annihilation 🙂 Having that happen more than four times was what caused me to move them.
My biggest question was why did they stop working outside the WP rules section, when they worked just fine separated in previous versions?
Normally I enjoy setting up more demolitions testing on one of my demo sites, but I don't have the time this weekend!
April 27, 2013 at 7:48 am #38057 Fabio (Participant)
Thanks, I didn't touch the .htaccess and I let my host do it. Hopefully they did it right...
To be honest, since then I haven't had any more spam bot comments but I started to get spam bot subscribers!
My host told me that it's like if the code we put in the htaccess deviated the spam to some 404 pages where they subscribed.
Of course now I've removed the subscribe form from my 404 page and also the spam bot subscribers problem seems to have vanished.
Thanks everyone for the help in this thread. Hopefully it will benefit many.
April 27, 2013 at 8:18 am #38063 Bill Murray (Member)
@Fabio - Glad it's working.
@Summer - WP core only rewrites the rules within the # Begin and # End. That's been the case for as long as I can remember (7+ years). It's also a frequently used bit of code, since flushing permalinks triggers an update of the htaccess rules. If it was broken, we'd hear the screams from every corner. If that wasn't working for you, there was something else going on. Hopefully, you'll get a chance to do some testing.
For others reading this thread, there's a difference between over-writing and over-riding. You said the rules were being over-written, and I think we both know what that means - the custom rules were removed from the htaccess file. A rule in htaccess that appears later in the file will over-ride a rule that appears earlier, so one can have a situation where it seems that WP is ignoring a custom rule. I don't think that's your case though.
April 30, 2013 at 10:33 pm #38673 Summer (Member)
@Bill, I don't know what to tell you, but I experienced that problem repeatedly between WP 2.9.2 and 3.2.1, as I was converting a bunch of sites to use Genesis. I had custom rules in between the # Begin and # End that were "erased" from existence, and I had them outside the # End and they still were obliterated, both scenarios leaving me with the "default" rewrites to handle the permalinks and nothing else.
It happened so much I changed the permissions on the file so that it couldn't be overwritten by WordPress. So the permalinks rules were being written, if that's what you're suggesting, but I also had my custom rules (the comments ones and the ones to prevent image hotlinking) wiped out of my .htaccess files on as many as 6 different websites several times over a 2 year period. I just got into the habit of keeping a copy of my rules in a separate file, and just pasting them back in whenever I had to click "Save Changes" in the permalinks section.
I'll test it out eventually, but I'm in the middle of a couple of projects and in no rush at the moment to debug. Sounds a lot like my wp-uploads settings problems that no one else but me had, either 🙂
April 30, 2013 at 10:54 pm #38680 Bill Murray (Member)
@Summer - Anything between the # Begin and # End will be wiped out. That's the expected behavior. The rest of what you experienced isn't, so it's either caused by your server setup, themes, plugins, etc. But it's not caused by default WP. Although our servers don't run Apache, I've used Apache with WP often enough to know that what you're seeing isn't the norm.
When you have the time, give it another look. If there's something odd about your server setup, it will probably strike you at other times down the road when it's less convenient.