User-generated spam is a problem most bloggers and many webmasters are familiar with. In fact, it has become such a big issue that even Google felt it was necessary to discuss it. If you are having trouble with user-generated spam – or would like to protect your site against it – keep reading.
Identifying User-Generated Spam
It might sound like a bad joke that one can’t tell right away what is spam. The fact is, though, that spammers can get so creative when posting that beginner bloggers have difficulty realizing that what they’re dealing with is spam.
Among the most widespread spam types are:
- A comment congratulating you on a great post or agreeing with you in some other way. No links are included in the comment itself. When you look closer, you find that the user name is something like FreeBacklinks or CheapViagra, and it’s either accompanied by a website link or the user name itself is the anchor text of the link. This kind of spam is especially difficult to spot for beginner bloggers, as they don’t always notice that the user name is clickable or consists of suspicious terms. Also, new bloggers simply need this form of confirmation from others that they’re doing a good job. Deleting the spam comment can therefore sometimes be a difficult task.
- A comment describing a very good opportunity of some sort, typically a product or a service. It sounds like a bad commercial, and that is exactly its purpose. Usually, it ends with a link and a promise that clicking on the link will literally change your life, business or whatever it’s supposed to change. I’ve personally received a spam comment advertising some on-page SEO plugin that does the whole thing automatically, while you sit and drink coffee. Sounds too good to be true? Then chances are that it isn’t true.
- A comment including nothing but one or a few links. The links could easily lead you and your site’s readers to a website with malicious content. These comments are potentially the most dangerous ones, as you have absolutely no idea where the link points. Even where the link is readable, clicking on it can present a serious security risk, as what looks like a URL can simply be anchor text for a completely different link.
- A comment that seems to be relevant to the topic at hand but does nothing except promote a link. It usually sounds something like: “Great description of the issue! Here you can read even more about it: link”. In a forum setting, it can be disguised as a legitimate answer to a question while serving only to promote a link to external web resources. Because links in comment threads can actually add value to the discussion by making it possible to dig deeper into a topic, it’s often a matter of subjective judgement whether something is spam or not. As a rule, commenters who post links in most of their comments are labelled as spammers.
- Pingbacks and trackbacks are usually a form of notification you get when someone links to your page from another blog, for example in a comment or in a blog post. They appear as a comment on your content and contain a backlink to the originating site. Because pingbacks and trackbacks are an easy way to bypass registration and comment approval, they are a preferred tool for spammers.
- A user-generated blog post with what seems to be fine content on a relevant topic. The trick is that one or more of the included links are meant to lead you to a specific external URL. Additionally, the text is specially tailored to get readers interested in clicking on links. Here, as with link-posting commenters, it’s a matter of getting an overview of the situation and investigating whether the included links are spam or not. Very often, bloggers use guest-blogging as a way to promote their own blogs. In quite a lot of these cases, the result ends up as spam due to a lack of experience or of understanding how important it is to deliver quality as a guest-blogger, too.
- An image added to a blog post or comment. Images can easily turn into spam, because they can be set to point to a specific URL, of a spam website for instance. It’s therefore necessary to keep an eye on added metadata if you allow users to upload or edit files.
- Bot spam. It can be registrations, form submissions, automatic comments, etc. It’s very disruptive for website owners, as it often means tons of cleanup afterwards, drops in website performance or outright crashes.
Defeating User-Generated Spam
Counteracting user-generated spam is rarely a one-stop solution. The reason is simply that, as described above, spam comes in all shapes and forms. Therefore, here you’ll find the best anti-spam advice as a list of actions you can pick from.
- Disallow comments. Comments aren’t crucial for any blog’s success, even though they can help engage site visitors. However, when you find that 99 % of all comments are spam, it’s rarely worth the effort to moderate for hours in order to publish the very few real ones. You can disable comments by clicking on Settings->Discussion and unchecking Allow people to comment on new articles. If you’re worried about missing out on the opportunity to engage people with your content, try to encourage them to connect with you/your company on social media instead.
- Disallow registrations. Using the standard WordPress registration is absolutely not recommended, as spammers often use it as a way to infiltrate someone’s website. The reason is that it’s a two-minute process that allows users to remain completely anonymous. As long as you let people register this way, you can expect a large number of spammer attacks. You can disallow registrations by clicking on Settings->General and unchecking Anyone can register. You’ll still be able to add users manually from within the Admin panel (click on Users->Add New and follow the process). If you need to allow registrations for the public, there are much safer alternatives to WordPress registration you can implement, as discussed in point 4.
- Always keep New User Default Role as Subscriber. You can set a new user default role – and you must do it – under Settings->General in the Admin Panel. Be aware that this setting doesn’t depend on whether the standard WordPress registration is allowed. This means that you can still set the default user role to, for example, Editor, and manage registrations manually or via a plugin. It’s highly recommended that you don’t give privileges to all new users by default, as new users can present a serious security risk, especially when your site gets a lot of new registrations. If you need to give privileges to some users, you should either add them manually or edit their privileges manually after they’ve registered. Choose carefully, though, which users you promote, to avoid loss of data, rewrites of your site’s code and content, or hijacking of your whole site!
- Use social login or a membership software. If you want to allow registrations, it’s a very good idea to use special membership software or a social login plugin. The reason is that such plugins/software include different options for increasing security and screening members. Social login plugins are an especially good – and often completely free – solution, in case you simply want to allow commenting and keep spammers away. Membership software offers more sophisticated options for managing user access rights, while securing essential parts of your site. It is, though, very rarely free.
- Use reCaptcha. reCaptcha can’t save you from human spammers but it can – most of the time – stop the annoying bot spam in the form of comments, registrations, form submissions, etc. Unfortunately, spam bots are continuously developed to handle reCaptchas, but you can simply try the different options (numbers, text, half-text-half-picture, and pictures) and see what works best for you.
- Disable links in comments. This is basically your best weapon against spammers who passed all other checks and ended up posting a spam link. Spam links are dangerous both for SEO and site users. By disabling links you remove the backlink from your site to the spam URL, which diminishes the SEO danger. Be aware, though, that a disabled (not-clickable) link can still trick your site users into following it! It’s therefore necessary to manually remove spam comments as quickly as possible. You can disable links in comments either by installing a plugin (see the plugin section of this post) or by adding remove_filter('comment_text', 'make_clickable', 9); to your theme’s functions.php file, just before the closing tag (?>). Note: if you’re not working with a child theme, you’ll need to repeat this action every time your theme updates.
- Disallow pingbacks and trackbacks. As noted above, they can be a strong weapon in the hands of spammers or hackers. At the same time, they don’t add any value to the discussion, as they aren’t real comments but automated notifications. You’re therefore advised to disallow pingbacks and trackbacks. This is easily done by clicking on Settings->Discussion in the Admin panel and unchecking Allow link notifications from other blogs (pingbacks and trackbacks) on new articles.
- Blacklist spam words. Blacklisting obvious spam words can help you control comments, especially in cases where it’s difficult for you to moderate all comments on time. WordPress gives you the opportunity to create lists of words that trigger either moderation or deletion of comments containing one or more spam words. You can create these lists under Settings->Discussion by adding the words to the respective field, Comment Moderation or Comment Blacklist.
- Manually approve comments. No matter how many comments your blog gets and how much time is needed to manually review them, this is the one bulletproof solution against spammers. Review all new comments and check for links or spam words in user names, contact fields, and text fields. Be aware that some spammers are good at hiding their real message and purpose, so don’t approve any comments lightly, even when they are posted by trusted users. If you can’t manage this task, consider either disabling commenting or getting/hiring someone to help you.
- Manually approve user-generated posts and keep an eye on updated posts. If you allow users to publish content on your site, it’s important to control and approve every post. It might be that some users have earned your trust, but it’s still risky not to moderate everything that gets published on your site. Also be aware that, depending on user role capabilities, some users can edit published content! If you have empowered users to such a level, ongoing control of published content is necessary as well.
- Keep an eye on very active users. Even though it might be that some users are simply engaged by your content, it’s considered unusual activity when a single user posts multiple times a day or every day. Therefore, make sure that their activity doesn’t undermine your efforts to deliver quality content and encourage discussion.
- Deactivate old comment threads that you aren’t keeping an eye on. Especially if you run a content-rich website with hundreds or thousands of posts, it is an impossible task to manually moderate all comments. Therefore, you need to optimize commenting. As a rule, it’s mostly new posts that generate “real” comments. Old posts, on the other hand, are often used by spammers to post spam links, as there’s the expectation that moderation of old-thread-comments isn’t as strict or as fast as moderation of new-thread-comments. You can deactivate old comment threads by clicking on Settings->Discussion in the Admin panel and checking Automatically close comments on articles older than XX days (you choose how old the articles should be) under Other comment settings.
- Use antivirus software featuring spam protection or install an anti-spam plugin. Good antivirus software for websites often costs a lot and isn’t always necessary, simply because servers are usually well covered (in case you outsource hosting of your website). However, most hosting companies only offer a certain level of spam protection to high-scale customers. It’s therefore a very good idea to find an effective anti-spam plugin. If you know that your server isn’t well protected or your website is a target for hackers, installing a full antivirus solution with ongoing scans is also a must.
- Always use updated software. Software gets updates not only as a way to introduce new features but also to fix security issues. This is why updating all the software you use, that is WordPress, themes, plugins, apps, and external software, is a top-priority task. Some webmasters don’t update regularly due to a suspicion that it might cause incompatibility. This, though, presents a serious security risk and should be avoided. If updates do cause incompatibility, you are advised to either switch to another software solution or request a fix (depending on your contract with the provider).
The Best Free Plugins Fighting Spam
There are in fact many very good – and free – social login plugins out there. One of the most popular and best rated ones is Super Socializer. It offers a combination of social login, sharing, and commenting, which is a good thing, as it reduces the number of plugins you need to install. The plugin allows you to customize a lot, including the position, shape, and size of social media icons. You should be aware, though, that it’s branded.
When it comes to reCaptcha, I’d advise you to trust Google. You can either get the current reCaptcha or wait for the upcoming invisible reCaptcha. It’s free and continuously developed. The only downside is that you’ll need to add a piece of code to your site’s code and send a POST request from your server. While none of this is difficult, it can be problematic if you for some reason can’t edit your WordPress theme’s code (the head and all forms where reCaptcha should appear) or if you don’t have access to your server.
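The server-side POST mentioned above, as an added example that is not from the original post or from any plugin it names. It assumes a checkbox-style reCaptcha widget is already in the comment form (so the browser submits a g-recaptcha-response field) and that your secret key is defined as a constant; the ugs_ function names and UGS_RECAPTCHA_SECRET are hypothetical. Pingbacks and trackbacks carry no token, so they are rejected as well.

```php
<?php
// Added example, not from the original post. The "ugs_" functions and the
// UGS_RECAPTCHA_SECRET constant (your secret key, e.g. set in wp-config.php)
// are hypothetical names.

// Interpret the JSON body returned by siteverify. Fail closed: anything that
// is not valid JSON with "success": true counts as a failed check.
function ugs_recaptcha_passed( $json ) {
    $data = json_decode( (string) $json, true );
    return is_array( $data ) && isset( $data['success'] ) && true === $data['success'];
}

// Runs on every new comment before it is stored.
function ugs_verify_comment_captcha( $commentdata ) {
    if ( current_user_can( 'moderate_comments' ) ) {
        return $commentdata; // replies written from the admin screens carry no widget
    }
    $token = isset( $_POST['g-recaptcha-response'] )
        ? sanitize_text_field( wp_unslash( $_POST['g-recaptcha-response'] ) ) : '';
    $reply = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 5,
        'body'    => array(
            'secret'   => UGS_RECAPTCHA_SECRET,
            'response' => $token,
            'remoteip' => $_SERVER['REMOTE_ADDR'],
        ),
    ) );
    // A network error is treated like a failed challenge, not as a pass.
    if ( is_wp_error( $reply ) || ! ugs_recaptcha_passed( wp_remote_retrieve_body( $reply ) ) ) {
        wp_die( 'Captcha check failed. Please go back and try again.', 'Comment blocked',
            array( 'response' => 403, 'back_link' => true ) );
    }
    return $commentdata;
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: check every comment submission.
    add_filter( 'preprocess_comment', 'ugs_verify_comment_captcha' );
} else {
    // Stand-alone run (`php thisfile.php`) on constructed siteverify replies.
    var_dump( ugs_recaptcha_passed( '{"success": true, "hostname": "blog.example"}' ) );
    var_dump( ugs_recaptcha_passed( '{"success": false, "error-codes": ["invalid-input-response"]}' ) );
    var_dump( ugs_recaptcha_passed( 'gateway timeout' ) );
}
```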
If you feel that you can’t handle it yourself, you can install a plugin such as Google Captcha by BestWebSoft, which is one of the most popular and high-rated plugins for integrating reCaptcha into WordPress. It has a free and a paid version, but most users should be just fine with the free version.
You can try to beat spam by introducing Facebook comments. This is brilliant, as it works as a social login and integrates with Facebook, making it less attractive to post spam. The only downside is that only Facebook users can comment.
Another smart move is to introduce user moderation of comments. You can let people report spam with a single click by installing a plugin such as Crowd Control by Postmatic. Alternatively, you can add a Moderator user role and let trusted users moderate comments, without necessarily giving them the right to publish or edit other content on your website.
Disable Links In Comments
You can easily disable links in comments (make them not-clickable) by tweaking your site’s code. However, it’s not necessary to do it yourself if you don’t know how. Instead, you can install a plugin that does the job for you. Remove links from comments is one of the most popular plugins; it removes the website field from the standard WordPress comment form as well as all links in author names.
Another plugin that seems to be gaining popularity is Comment Link Remove. It does everything: removes the website field from the comment form, removes links from author names, disables links in the comment field, removes link tags in comments, and lets you control your comment strategy globally by providing you with several powerful options.
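The code tweak itself, as an added example that is not from the original post or from either plugin. It goes one step beyond the single remove_filter line: that line only stops plain-text URLs from being auto-linked, so this version also rewrites explicit link tags in the comment body to show the real destination host, and drops the link on the user name. The ugs_ names are hypothetical.

```php
<?php
// Added example, not from the original post. Names starting with "ugs_" are hypothetical.

// Replace <a href="URL">text</a> with plain text that names the real
// destination host, so anchor text cannot disguise where a link pointed.
function ugs_defang_links( $html ) {
    $out = preg_replace_callback(
        '~<a\b[^>]*?\bhref\s*=\s*(["\'])(.*?)\1[^>]*>(.*?)</a>~is',
        function ( $m ) {
            $url  = html_entity_decode( $m[2], ENT_QUOTES );
            $host = parse_url( $url, PHP_URL_HOST );
            $host = $host ? strtolower( $host ) : 'unknown target';
            $text = trim( strip_tags( $m[3] ) );
            // double_encode = false: the comment text is already HTML-escaped.
            return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8', false )
                . ' [link removed: ' . htmlspecialchars( $host, ENT_QUOTES, 'UTF-8' ) . ']';
        },
        $html
    );
    // If the regex engine gives up, fall back to removing all markup.
    return null === $out ? strip_tags( $html ) : $out;
}

if ( function_exists( 'add_filter' ) ) {
    // Running inside WordPress (child theme functions.php or a small plugin).
    remove_filter( 'comment_text', 'make_clickable', 9 );   // the line given in the post
    add_filter( 'comment_text', 'ugs_defang_links', 1 );    // explicit <a> tags in the comment body
    add_filter( 'get_comment_author_url', '__return_empty_string' ); // user name is no longer a link
} else {
    // Stand-alone run (`php thisfile.php`) on a constructed comment whose
    // visible text names one site while the link points to another.
    $sample = 'Read more: <a href="http://spam.example/buy" rel="nofollow">http://trusted.example</a>';
    echo ugs_defang_links( $sample ), PHP_EOL;
}
```

The visible text of a removed link is kept as the commenter wrote it, so comments flagged this way still need the manual review described earlier.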
If your site is a target for spammers or may become one, you must install a resilient anti-spam plugin. The most popular plugin is without a doubt Akismet. It has the advantage of being developed by Automattic, the company behind WordPress. This plugin helps you defeat spam by checking comments against data from their web service and revealing links in comments to avoid misleading anchor texts.
You should be aware, though, that you’ll have to create an account and get an API key from Akismet’s website to make it work. Even though the plans for personal blogs are free now, it’s worth noting that new plans are being introduced at the moment – and will possibly replace the old ones at some point. The lowest price is 39 USD/year for personal plans.
If you, like me, don’t care much for accounts and payments, you can try WP SpamShield instead. This plugin has more than 100 000 active installs and a five-star rating (more than 700 votes). It’s completely free and takes care of both bot and human-generated spam, not only in comments but site-wide. As a bonus, it eliminates the necessity of using reCaptcha, which affects user experience positively.
When it comes to antivirus plugins for WordPress, WordFence is the absolute winner with over a million active installs and a 4.8-star rating (2988 votes). The plugin offers you complete protection from known attackers, a firewall, cellphone sign-in, and live scans. Even though there’s a premium support option, it’s completely free to use all the vital features of the plugin.