The Complete Guide to Combating Comment Spam
Technically, you can’t have a blog without comment and trackback spam. There is no doubt that spam is one of the biggest hurdles of blogging, right behind networking, commenting, and promoting your blog. “Spammers”, if you want to define the people that leave these keyword-oriented comments in your blog posts, are operating under one simple purpose - promoting a keyword/phrase, website (blog or affiliate site), in hopes of gaining search engine dominance or leads to that particular service.
Essentially, these people (large organizations and groups of people, in some cases), exploit bloggers to promote their own services, as it is a free source of traffic and link juice from people that normally would like to see comments and responses on their blogs.
Managing and approving the comments that are and aren’t spam typically doesn’t take a long time each day to do, even if you do receive a lot of comments. However, over the long-term, this time adds up, distracting you from effectively writing on your blog, connecting with others, and promoting your blog.
In this post, I want to expose a few of the timeless ways to effectively manage your comments and tools that you can use to prohibit the spammers from ever leaving a comment on your blog again. You can also view this post on how to determine whether a comment is “friendly” or not.
General Tips to Combat Spammers on Your Blog
- Make Sure the “nofollow” Tag is Disabled - By default, WordPress has disabled the dofollow tag in hopes of alleviating the problems that were caused by the excessive number of spammers. Through the addition of the nofollow tag to comments, spammers are wasting their time as they do not receive a pass of PageRank from your blog or any other benefits.
There has been some controversy over the tag, and some bloggers have formed “You Follow, I Follow” groups, letting each other know that when they happen to leave a comment on their blog that it will transfer “link juice” back to their blog.
- Close Comments on Posts Once They Reach a Certain Age - Typically, but not always, spammers look for posts that have little activity on them, as it is a sign that the author isn’t moderating it as often. A quick way to eliminate this is by closing comments on posts that haven’t been updated or are older.
- Add Membership to Your Blog - When you add a membership option in order to respond to comments on your blog, it greatly limits the number of people who do respond, but nearly all of them are “real” people. In addition, you develop a closer relationship with the people who are members, plus you are able to keep them updated through email.
- Form a Comment/Spam Policy - In this policy, state the types of comments that you will be deleting - whether their return link redirects to another spam website, contains a lot of keywords, doesn’t have relevance to the post content, or doesn’t contain enough words to qualify as a comment. Enforce this policy one hundred percent of the time, so that you aren’t approving comments that aren’t legitimate.
What Should Be Included:
- Number of links allowed in comments.
- Number of keywords/legitimacy of the comment.
- Return link used - does it redirect?
- Does the comment relate to the post’s topic?
- Use a Plugin that Asks Readers to Answer a Question/CAPTCHA, or Forces a Visitor to Validate Themselves - Using a tool that forces a commenter to answer a question may be the best way to combat spam left by bots, but is sometimes referred to as the most obtrusive, blocking some legitimate comments from being approved. It can also be a drawback as people using screen readers won’t be able to detect the words/characters in the image.
- Don’t Allow HTML in Comments - If a spammer/commentator leaves a comment with a link in it, it will break the formatting, exposing the fact that the comment author was trying to spam you.
- Find a Spam Plugin and Configure It - Spam plugins were built specifically to do one job, and that is to keep your blog free of spam. They eliminate much of the work that you need to do, as they are constantly checking commentator’s URLs against a long list of blacklisted links, eliminating the need for you to form one or monitor them.
- Use a Blog Platform that Eliminates Spam - There are some blog platforms built from the ground up that don’t require spam plugins/monitoring spam URLs, etc. Instead of needing to use a plugin, the back-end of the system has the comment spam tools built in, disallowing all spam comments before they ever reach your blog.
- Configure Your Blog Platform - While you may not have realized it, many of the free blog systems allow you to configure the “Discussion” or similar area, in which you may ban all comments that contain a certain number of links (your preference), form a blacklist, and hold comments that appear to be “spam.”
- Disable Comments Completely - This option isn’t recommended, but if you can transfer comments from your blog to another location - forum or social networking space, it may be worth it if you can’t handle spam on your own blog. It also isn’t worth doing, as you lose the entire community that you have been working at building.
- Use .htaccess to Ban Spammers - If you notice repeated attacks on your blogs, whether to bring your blog offline/hack into it, or insert thousands of spam comments, you can add their IP addresses to your .htaccess file to ban their IP from your blog. However, this should be a last resort to banning someone from accessing your blog, as they won’t be able to return until you remove it from this file. This simple tool helps you to automatically create the code to ban the addresses.
- Use a Plugin that Detects Spam in Your Contact Form - A commonly overlooked area of blog spam comes from your contact form, as it can be exploited much like typical comments. Instead of using a default form, find a plugin that includes anti-spam measures, such as a math problem, CAPTCHA, or other method.
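The .htaccess ban from the list above, as an added example that is not from the original post or the tool it mentions: a Python helper that validates addresses, merges overlapping ranges, and refuses any entry that would lock out an address you list as protected. It assumes Apache 2.4 `Require` syntax; `build_ban_block`, `never_ban` and the sample addresses are hypothetical.

```python
import ipaddress


def build_ban_block(entries, never_ban=()):
    """Return (htaccess_text, rejected) for a list of IP addresses or CIDR ranges."""
    protected = [ipaddress.ip_address(a) for a in never_ban]
    nets, rejected = set(), []
    for raw in entries:
        try:
            # strict=False accepts "198.51.100.77/24" and normalises it to the /24
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append((raw, "not an IP address or CIDR range"))
            continue
        if any(p.version == net.version and p in net for p in protected):
            rejected.append((raw, "would lock out a protected address"))
            continue
        nets.add(net)
    merged = []
    for version in (4, 6):  # collapse_addresses cannot mix IPv4 and IPv6
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    # Apache 2.4 syntax (assumed); .htaccess use needs AllowOverride AuthConfig
    lines = ["<RequireAll>", "    Require all granted"]
    for net in merged:
        target = str(net.network_address) if net.num_addresses == 1 else str(net)
        lines.append(f"    Require not ip {target}")
    lines.append("</RequireAll>")
    return "\n".join(lines) + "\n", rejected


# Constructed input: documentation-range addresses, one typo, one range covering the admin.
SAMPLE_ENTRIES = ["203.0.113.5", "203.0.113.0/24", "198.51.100.7", "not-an-ip", "192.0.2.0/24"]
ADMIN_IPS = ["192.0.2.10"]  # hypothetical address you administer the blog from

if __name__ == "__main__":
    text, rejected = build_ban_block(SAMPLE_ENTRIES, never_ban=ADMIN_IPS)
    print(text)
    for raw, why in rejected:
        print(f"# skipped {raw}: {why}")
```

The single address 203.0.113.5 disappears from the output because the /24 range already covers it, and the range containing the protected address is reported instead of written.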
Changing Comment Options in WordPress
Within WordPress, select Settings, then Discussion, to access the comment configuration area. This is a mini walkthrough of how to configure this area to suit your individual needs.
Default Article Settings:
- Attempt to notify any blogs linked to from the article - When checked, this option sends out a ping to all sites that you have linked to from your post, showing up in the linked blogs’ comment areas.
- Allow link notifications from other blogs - Turning this option off prevents other blogs’ links to your blog from showing up in your comments area as trackbacks/pingbacks.
- Allow people to post comments on the article - This option turns off commenting on all posts, limiting the community that you are able to build directly on your site. Better for static sites that don’t require comments.
Email Me Whenever:
- Anyone posts a comment - This setting sends you an email whenever a comment (trackback or textual) is posted on your blog. Turning off this setting reduces the number of emails you get should your blog receive a large amount of comments on a daily basis.
- A comment is held for moderation - Checking this box sends you an email whenever a comment is being held for moderation. It allows you to see, through email, which comments are being allowed or denied.
- An administrator must always approve the comment - This setting forces comments to be approved by a blog user or owner, even if they appear to be spam.
- Comment author must fill out name and email - This should be enabled, or commentators won’t be required to submit their email or name before adding a comment.
- Comment author must have a previously approved comment - When you enable this setting, comments that have been posted by authors already will be automatically approved. If not, the comment will be held for moderation. It is ideal that you enable this to eliminate spam comments from people who haven’t previously posted a comment.
Comment Moderation:
At the top of the field, there is an area to set the number of links that are allowed in each comment before it is held. Two (or more) is the default, which reduces the number of comments that contain a number of links, characteristic of spam. In the following field, you can place words, names, emails, URLs, and IPs that will send a comment to the “moderated comment queue” page. Place one item per line.
Comment Blacklist:
Within this text box, you can add words, phrases, or any other terms (IPs, URLs, etc.) that will be automatically deleted as soon as the comment has been generated. This area is also considered a last resort option.
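How the link limit, moderation list, blacklist and previously-approved-author settings combine into one decision, as an added Python sketch that is not WordPress's own code. The order of checks, the setting values and the sample comments are assumptions constructed for illustration.

```python
import re

# Assumed values standing in for the Discussion settings (constructed for illustration).
MAX_LINKS = 2  # hold any comment containing this many links or more
MODERATION_KEYS = ["casino", "cheap meds", "203.0.113."]  # moderation field, one item per line
BLACKLIST_KEYS = ["buy-pills.example", "198.51.100.7"]    # blacklist field, one item per line
FIELDS = ("author", "email", "url", "ip", "content")
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def first_match(keys, comment):
    """Return the first key found as a substring of any comment field, else None."""
    haystack = "\n".join(comment.get(f, "") for f in FIELDS).lower()
    for key in (k.strip().lower() for k in keys):
        if key and key in haystack:  # skip blank lines: an empty key would match everything
            return key
    return None


def classify(comment, approved_emails=frozenset()):
    """Return (decision, reason) where decision is 'spam', 'hold' or 'approve'."""
    hit = first_match(BLACKLIST_KEYS, comment)
    if hit:
        return "spam", f"blacklist entry {hit!r}"
    links = len(URL_RE.findall(comment.get("content", "")))
    if links >= MAX_LINKS:
        return "hold", f"{links} links, limit is {MAX_LINKS}"
    hit = first_match(MODERATION_KEYS, comment)
    if hit:
        return "hold", f"moderation entry {hit!r}"
    if comment.get("email", "").lower() not in approved_emails:
        return "hold", "author has no previously approved comment"
    return "approve", "passed every check"


# Constructed sample comments (documentation-range IPs, example.* domains).
SAMPLES = [
    {"author": "Ana", "email": "ana@example.org", "ip": "192.0.2.10",
     "content": "The note about closing comments on old posts helped, thanks."},
    {"author": "Best Deals", "email": "x@example.net", "ip": "192.0.2.44",
     "content": "Visit http://a.example http://b.example http://c.example"},
    {"author": "Bo", "email": "bo@example.org", "ip": "203.0.113.9", "content": "Nice post."},
    {"author": "Pills", "email": "p@example.net", "ip": "192.0.2.50",
     "url": "http://buy-pills.example/", "content": "Hello"},
    {"author": "Cy", "email": "cy@example.org", "ip": "192.0.2.77", "content": "First comment."},
]


def run_samples():
    """Classify every sample, treating Ana and Bo as previously approved authors."""
    approved = {"ana@example.org", "bo@example.org"}
    return [classify(c, approved)[0] for c in SAMPLES]
```

Entries match as substrings, so the moderation entry `203.0.113.` holds Bo's comment even though Bo is a previously approved author; keep entries long enough that they do not catch legitimate text.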
Comment Administration Panel:
In the WordPress admin panel, you will find the “comments” panel, which allows you to approve, mark as spam, unapprove, delete, and view moderated/approved comments.
Blog Plugins to Combat Spam
This list includes plugins available for WordPress (mostly), Movable Type, TypePad, and other systems. Most address comment form spam, while some address contact form spam. Every plugin is compatible with (at a minimum) WordPress 2.5, with some that work with version 2.7 (not released yet).
Several plugins are primarily used to secure your blog, but ultimately help minimize spam by blocking repeated attacks on your blog.
- AJAX Force Comment Preview - A multi-purpose plugin, as spambots will not be able to post comments unless they actually try to “preview” the comment, which adds some level of protection to the comments area.
- AskApache Password Protect - Prevents attackers’ attempts to exploit vulnerabilities on your blog resulting in a hacked site. It prevents attacks before they reach your blog through use of a .htaccess file.
- Akismet - Akismet is the plugin most commonly used with WordPress blogs, as it was developed by the Automattic team. It marks comments that have been deemed as spam by checking an extensive list of blacklisted comments, IPs, URLs, names, and keywords.
Cost: Free for blogs that make up to $500, otherwise between $5-$50/month for the Pro-blogger and Enterprise licenses.
- Akismet .htaccess Writer - An add-on extension to the Akismet plugin, this helps judge Akismet spam, mark it appropriately, and deny IP addresses using your .htaccess file.
- Bad Behavior - [Compatible up to WP 2.7] This plugin can prevent spam on your blog, forum, guestbook, wiki, or content management system. It is based on PHP, blocking link spam and robots that deliver it. The core of the software has been released under the GNU General Public License, is easy to setup and configure, and eliminates spam on many platforms including WordPress, MediaWiki, Drupal, ExpressionEngine, and LifeType, although it can also be used (unsupported) on Movable Type, phpBB, and so on.
- bcSpamBlock - A simple way to protect from comment spam, this plugin ensures that the comment is from a human using a small bit of JavaScript code on the comments page. Users with JavaScript enabled will not notice anything, but users without it will need to enter a short code into a text box to confirm their comment. Trackbacks must resolve with the IP request to confirm that the site that is “supposedly” linking to it does contain a link.
- Captcha.net - The official source for a program that protects websites and blogs against bots by generating and grading tests that humans can pass but computer programs can’t. Can be used to prevent comment spam in blogs, protect website registration, email addresses from scrapers, online polls, search engine bots, worms and spam, plus more.
- cformsII - This plugin is a highly customizable, flexible, and powerful form builder that allows you to add spam protection to combat people who are using your email address simply to get you to buy products/services.
- Cookies for Comments - Adds a stylesheet to load a cookie on the visitor. If the user leaves a comment, the cookie is checked. If it can’t be found, the comment will be marked as spam.
- CryptX - [Compatible up to WP 2.5] You can hide all email addresses with/without a mail-to link, by converting them to JavaScript or UNICODE using a single configuration.
- Defensio Anti-Spam - An advanced plugin that filters and adapts to your behaviors and those of your readers. It features OpenID, detailed statistics, charts, RSS feeds, and includes a counter option. It is designed to be an all-in-one anti-spam solution. Not compatible with Akismet.
- Deko Boko - Uses reCAPTCHA for handling spam, and can be used with the customizable contact form.
- Minimum Comment Length - A plugin that forces comments to be at least fifteen characters (approximately three words) in length. The comment will be disapproved if it is too short.
- Mollom - Adds a CAPTCHA test to the comments field, unless the comment is not marked as spam. It can block up to 99.7% of all spam comments.
- MyCaptcha - [Compatible up to WP 2.5] Simply adds a CAPTCHA to the comments form to avoid spam, is configurable.
- Ozh’ Absolute Comments - Comment manager that allows you to instantly reply to comments as well as manage spam comments more efficiently.
- Ozh’ Auto Moderate Comments - Comments that are posted on older posts will automatically be marked as “moderated,” eliminating the number of comments that are posted on older posts without needing to close the comments form.
- Peter’s Custom Anti-Spam - Forces visitors to identify a random word displayed as an image before commenting and optionally before registering to your blog. Doesn’t require JavaScript, use cookies, and automatically generates audio for visually impaired visitors.
- Project Honey Pot - This plugin allows you to verify a visitor’s IP address against the database that has been established by the creator of the plugin. It also uses APIs, flags, logs, and other blogs to ban visitors that have a high threat score, helping prevent harvesters, spammers, and other suspicious bots from accessing your blog and leaving comments.
- Recapture - A WordPress plugin that places the reCAPTCHA code in the user registration form. It is easy to setup and includes several configuration options.
- Sabre - A plugin that contains a set of counter measures against spam registration at your blog. Prevents random people from signing up to your blog as well as bots.
- TypePad AntiSpam - A free (for everyone) plugin that adapts to changing spam tactics, retains quality comments, is open source, and is 100% Akismet API compatible for previous users of the plugin. It is compatible with TypePad, Movable Type, and WordPress 2.5.
- WordPress Exploit Scanner - A blog protection tool that scans files, posts, and comment tables of your database for anything suspicious.
- Worst Offenders - [Developers only] This is a plugin that identifies messages that have already been marked as spam as well as from other comment sources - links, text, etc.
- WP-Ban - Displays a custom ban message when a banned IP, IP range, host name, or referrer URL tries to visit your blog. The plugin also allows you to exclude certain IPs from being banned. Includes statistics on how many times each person tries to visit your blog and allows wild card matching.
- WP-BlockYou - Bans people from visiting your site using the .htaccess file.
- WP-Hashcash - An anti-spam plugin that eradicates comment spam by moving comments to the appropriate site based on visitor feedback.
- WP-SpamFree - Extremely powerful anti-spam plugin that virtually eliminates comment spam - trackback and pingback spam from bots, too. Includes a contact form, which you can add by inserting a simple tag into your “contact” page. No CAPTCHA’s to challenge your visitors.
- Yawasp - (Yet Another WordPress Anti Spam Plugin) This plugin does not require JavaScript, cookies, or sessions, doesn’t add a CAPTCHA to the comments field, false-positives are impossible, doesn’t require managing comments, and is easy to install. It essentially allows you to focus more on blogging without requiring user interaction (hated by commenters).
- yaCAPTCHA - Adds an image to the comment form of your blog, requiring visitors to write the characters that are a part of the image.
NoFollow Plugins
These plugins add the “nofollow” attribute to the comments or other areas of your blog to eliminate spam bots from targeting your blog to attain “link juice.” However, some blog commentators will not leave comments on your blog if you have the “nofollow” tag, as they do not receive any return “juice” from your blog.
- NoFollow Case by Case - [Compatible up to WP 2.5] Allows you to strip the tag from comment links, pingbacks, and trackbacks, or selectively apply the tag to comments or author links you do not want to support.
- NoFollow Free - Adds the nofollow tag to author’s links and comment text links. A new option allows you to replace the nofollow only when there are a certain number of comments and/or spam words are detected in the comments. Available in multiple languages.
- NoFollow Links - Allows you to append the “nofollow” tag to the “rel” attribute of selected links in your blogroll. It doesn’t conflict with the link relationships already specified.
- NoFollow Links in Posts - Enables you to add the “nofollow” tag into links in a post within a specified category, useful when publishing sponsored posts or for posts older than X days.
- NoFollow Reciprocity - [Compatible up to WP 2.5] Adds “nofollow” tags to large sites that have commented or are listed on your site, thus increasing your blog rankings in search engines and redistributes PageRank to the smaller websites.
- WordPress Tweaks - A multiple purpose plugin, has the option of adding the nofollow tag to comment links, “read more” links, the tag cloud links, “register” and “login” links, as well as the ability to remove the attribute from author or body links.
Conclusion and General Tips
There is no one solution to combat one hundred percent of the spam comments on your blog. However, it goes without saying that you need to have at least one method for avoiding a massive amount of spam comments on your blog - through the use of a plugin, the “nofollow” tag or other method that you have produced.
Spam comments on blogs are generally a negative aspect of the “joys of blogging.” You have to set aside a schedule for managing your spam, or you’ll quickly find it harder to manage comments (marking them as approved/spam) and people that visit your blog will be discouraged from commenting, as their comments will be scattered in a mess of both link backs from spam sites and random comments requesting you to purchase prescription drugs and donate money to foreign agencies.
What methods do you use to minimize spam on your blog?





