Comment spam seems to be one of the most common WordPress blogger problems. There are many tools to fight it, but few of them seem to be a real solution to the problem. In this post, I’ll explain what WordPress comment spam is and how to defend yourself from it, as well as some of the really bad effects of spam on your website.

Since the beginning of WordPress, comment spam has become a really popular SEO and eMarketing tool. Yes, the people who do it are very well paid, and this type of website marketing is really popular and very dangerous. The biggest problem with it is that most of its users are pharmaceutical companies and all their vendors, of which there seem to be millions. I’m not sure what kind of money is involved in the whole thing, but I can assure you that many search engines have tried to stop them, and they still seem to be fully active. Just try to Google some pill and you’ll find around 50 million pages dedicated only to the V-pill, and pretty much the same for the other alternatives. Unfortunately, to get such high results you need massive numbers of pages (yes, I most definitely mean virtually millions of pages) to rank in the first 100 results, and that’s where WordPress and other blogging software comment spam comes into play.

There is a large discussion in the SEO world about the negative effect of comment spam. Link spam is considered quite bad since most of the links are from the so-called “bad neighborhoods”, but Google’s (the search engine’s) point of view is not clear. Some say that websites are penalized if they link to spam sites; others say that spam is simply part of real life and websites are not penalized. Well, I’m not sure which one is right, but to be on the safe side I strongly recommend that you don’t link to any of those and therefore protect your site from nasty comment links. It is not only that they are bad links; they are also links which leak your PR and devalue your website, therefore they are really BAD. We should not even think about duplicate content, because 100% of this comment spam is also on other sites, which brings down your overall website quality drastically.

Comment spam is a relatively simple technique which uses automated commenting scripts to inject comments into different types of web applications. If you’re a WordPress user and your website has some backlinks, you’ll most definitely be getting a few hundred spam comments a day, and maybe even thousands for larger websites. This massive spam required software developers to come up with different defense techniques, some of which are extremely popular, such as the Akismet plugin for WordPress, which seems to be pretty much the best solution out there. Unfortunately, Akismet should not be the only anti-spam application you are running.

Lately I’ve been having a rather strange problem. My website seemed to overload quite a bit, and all my efforts to optimize it with WP-Super-Cache and other similar plugins did nothing. This made me look a bit deeper into the whole problem and try to figure out what exactly caused its high load. I saw that there were a few hundred Akismet spam messages filtered every day, but I didn’t think it was possible for them to cause all this load. After a bit more careful analysis I found out that they can, and they do cause all my high CPU load. It seems that a comment is first processed by WordPress and Akismet in some weird way to figure out if it may be spam, then an automated request for verification is sent to the WordPress API page, where a pass or fail signal is sent back. This delay in processing the request seems to be generating some of the load, and combined with a few hundred other message injections it ended up as a considerably high amount of resources wasted on spam comments. This made me look a bit further into WordPress anti-spam plugins.

The first good WordPress spam filter seemed to be the CAPTCHA type of plugin. Ironically, most simple captchas are already broken, and crafty comment spam software seems to be able to avoid them (well, I figured that out after testing a few different apps for a day or two). The best one, which also seemed the most user friendly as it supported audio narration for the really unreadable text, seems to be reCAPTCHA. It is a free “service” which requires a free registration. You can install it with the Automated WordPress Plugin Installer: just search for reCAPTCHA and you’ll find it. After installation it will give you the URL for registration, and you can get the API code from there.

It is quite unfortunate that reCAPTCHA and Akismet didn’t fix my load issue, although they stopped 100% of the WordPress comment spam, which is still a great achievement. It seemed that reCAPTCHA was testing the client/visitor side, but the nasty spammers injected their comments directly into the wordpress-comments.php script, which somehow bypassed it. I needed a better defense system. This is where low-level web server protection comes in.

I accidentally found out that most of the comment spam software is utilizing Perl CGI scripts, and fortunately for all of us, Perl has a special signature which is easily recognizable by firewall software. For this type of application the low-level Apache module called mod_security seems to be the ultimate weapon in our WordPress defense program. I set up a simple Perl crawler block, which is actually built into the default mod_security definitions. After a day of testing I noticed a 50% load decrease while all the visitor traffic was the same.

The best thing I found, which I already wrote about in a previous post, War against the Content Scrapers, where I discuss my problems with duplicate content, is that the scrapers are also mostly using Perl and PHP scripts. mod_security also has an option to block all unknown user agents, which is pretty much what I suggested in my previous post. In this way you protect yourself from comment spammers as well as duplicate content scrapers.
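The two blocks described above (the Perl client signature and the missing user agent on comment posts), written out as an added ModSecurity 2.x configuration example; this is not from the original post and not the default mod_security rule set. It assumes the comment handler is WordPress’s standard wp-comments-post.php (the post refers to it as wordpress-comments.php) and that the rule ids 900001-900003 are free on your server.

```apache
# Added example, not part of the original post. Assumes WordPress's standard
# comment handler wp-comments-post.php; rule ids 900001-900003 are arbitrary.
<IfModule mod_security2.c>
    SecRuleEngine On

    # 1. Perl "signature": the libwww-perl HTTP client identifies itself in
    #    the User-Agent header. Deny such requests on any URL, phase 1 so
    #    the request body is never read or passed to PHP.
    SecRule REQUEST_HEADERS:User-Agent "@pm libwww-perl" \
        "id:900001,phase:1,deny,status:403,log,msg:'Perl libwww client blocked'"

    # 2. Unknown user agent: every browser sends one, so a comment POST with
    #    no User-Agent header at all is almost certainly a script. The '&'
    #    prefix counts how many User-Agent headers exist (0 = absent).
    SecRule REQUEST_METHOD "@streq POST" \
        "id:900002,phase:1,chain,deny,status:403,log,msg:'Comment POST without User-Agent'"
        SecRule REQUEST_URI "@endsWith /wp-comments-post.php" "chain"
            SecRule &REQUEST_HEADERS:User-Agent "@eq 0"

    # 3. Same endpoint, but the header is present and empty; a rule whose
    #    variable is absent never runs, so this case needs its own rule.
    SecRule REQUEST_METHOD "@streq POST" \
        "id:900003,phase:1,chain,deny,status:403,log,msg:'Comment POST with empty User-Agent'"
        SecRule REQUEST_URI "@endsWith /wp-comments-post.php" "chain"
            SecRule REQUEST_HEADERS:User-Agent "^$"
</IfModule>
```

Rule 900001 also stops legitimate Perl-based tools such as uptime checks or feed fetchers, so watch the ModSecurity audit log for a day before leaving it on.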

I think I forgot to mention that mod_security is an Apache module, and therefore you will have to recompile Apache with it. To do this you will need root access to the server, and if you don’t have your own VPS or dedicated server then you will have to check whether your web host can set it up for you. If your host doesn’t have it, you can check out our $3.95 per month WordPress hosting service, which supports mod_security as well as Suhosin (another WordPress protection server module).

If you have better suggestions, please keep me posted. I’m 100% spam secure now, so don’t try to spam me, he he he...