Wipe Out WordPress Comment Spam Without Driving Your Readers Nuts

Word Cloud of Spam Comments Submitted to The Hobby Blogger

Last day of comment spam on The Hobby Blogger (generated using Wordle).

Check out the word cloud above. It has the most common words from all the spam comments submitted to my blog in one day back in February. 153 comments submitted by spambots that I had to sift through and delete.

In the nearly five months since that day, I’ve had a total of four spammy comments. I’ve virtually wiped out all the comment spam from my blog.

And I’ve done it for free!

How Spambots Work

A spambot is simply a computer program that helps automatically send spam. In the case of WordPress blogs, most bots attempt to automatically fill out comment and contact forms.

They can do this because, by default, the comment forms on all WordPress sites have the same input names for the Name, Email, Website, and Comment boxes (author, email, url, and comment, respectively).

Once a bot finds your WordPress blog’s posts, it can fill out the form very quickly by directly accessing the

wp-comments-post.php

file without even having to visit your site.

How to fight comment spam

Blocking empty referrer requests

You can block some spambots by making sure comments can’t be submitted unless the form is filled out directly on the web page containing the post. I’ve explained this technique here.

However, as I’ve experienced, this technique only goes so far. More sophisticated spambots can fool your server into thinking the comment was submitted from the post’s comment form.

Change it up a bit

To make it harder on the spammers, you need to add a wrinkle to your comment form—something different that a spambot can’t easily anticipate. For instance, you can require readers to complete an additional task before a comment can be submitted, such as a solving a CAPTCHA, or clicking a checkbox.

You’ve probably seen these before. CAPTCHAs are the “squiggly word” puzzles solved by figuring out the text and typing it into a text box. See my contact form for an example. Other times you might see a check box at the bottom of the comment form saying something like, “Confirm you are NOT a spammer.”

In both cases, the extra input box (usually added with a plugin) is not part of the default WordPress installation. You’ve made extra work for the spammer to figure out how to automatically fill out the form. After adding the extra task, spammers will usually prefer to leave your blog alone and target other unprotected blogs.

Don’t make it too hard on your readers

Unfortunately, the extra input also makes it harder on your readers to submit comments. Some tasks, like the checkbox, are easy for humans. Others like reCAPTCHA, are more difficult, if not frustrating for people to perform.

The key is to find the right balance between making submissions hard for spammers, and relatively painless for legitimate readers. While blocking spam is great, you don’t want reduce your blog’s reader engagement.

I created the graph below to help visualize the issue using some common (and free) WordPress plugins.

WordPress Comment Plugins: Reader Burden vs. Spammer Burden

While not exactly scientific, the graph shows the relative burden created for spammers and readers in order to submit comments.

With the yellow zones, you’re picking your poison. Either you maintain reader engagement and have to moderate a ton of comments, or you limit spam at the expense of legitimate comments.

By default, submitting comments on WordPress blogs is very easy for spammers and genuine readers alike. Most bloggers start out this way until the spam becomes a significant hassle. On the other end of the spectrum, reCAPTCHAs can be hard for people to solve, and some people just hate math and won’t solve the equation-based form offered by CAPTCHA. In this case, blocking spam isn’t worth frustrating your readers.

Obviously, stay away from plugins in the red zone, where plugins make it easy for spammers and hard for readers. Though I’ve never come across a plugin that would be categorized in this area.

Finally, plugins in the green zone are the Holy Grail—they make it a pain for spammers without your readers giving a second thought about completing the task. Two such plugins are Growmap, and Conditional CAPTCHA.

When I was getting slammed with spam earlier this year, Growmap is the one I decided to use.

Growmap Anti Spambot Plugin (aka G.A.S.P)

Growmap is a free WordPress plugin by Andy Bailey, the developer of CommentLuv, which adds a checkbox to your comment form. Readers have to click on the checkbox before they can submit a comment. Just scroll down to the comment form on this post to see it in action. In fact, try it out and leave a comment!

It’s a simple plugin with several useful features:

  • You can change the name of the checkbox – If spammers somehow figure out the name of your checkbox and spam starts getting through, all you have to do is go to Growmap’s settings panel, change the name, and the spammers are back to square one. I haven’t had to change the name of my checkbox once so far.
  • You can edit the label – Feel free to change the “Confirm you are NOT a spammer” label to suit your blog.
  • Reader friendly – If a reader forgets to check the box, a nice little reminder message pops up. The message is customizable.
  • Basic heuristics – If the bot does get past the checkbox, Growmap lets you set simple logic to detect possible spam based on the number of words in the comment name field or based on how many web URLs are in the comment text.

How well does Growmap stop spam?

To see how awesome Growmap works, check out the graph below.

Number of Daily Spam Comments on The Hobby Blogger

Late last year, my comment spam slowly began to increase. Then at the beginning of this year, it really took off. At one point, I was getting well over 200 spam comments a day. And since I get emailed every time someone posts a comment, it was a big hassle to wading through tons of email and trashing all the comment spam.

You can see from the graph that once I installed Growmap, the comment spam virtually stopped. I’ve had only four spammy comments, and those were submitted by people who actually visited the my blog, not bots.

So I’ve made it pretty hard for spammers to leave comments, but what about burdening my readers? Did Growmap make it too much of a pain for readers to leave comments?

Not at all.

The graph below shows the number of legitimate comments submitted to The Hobby Blogger per month.

Number of Comments on The Hobby Blogger

Growmap didn’t affect legit comments.

My comment rate stayed consistent after I installed Growmap even though I posted only twice during that time span.

What About Akismet?

Yes, Akismet seems to be the de facto standard for dealing with comment spam. After all, it comes pre-installed with WordPress. But I have a few qualms with Akismet.

First, if you monetize you blog in any way, then it costs $5 per month to use it. Second, you still have to moderate spammy comments. Akismet is not perfect and there’s still a chance that legitimate comments will get flagged as spam. If you care about your readers, you will still have to take time to sift through the comments in the spam bin to make sure genuine comments didn’t lost.

On the slightly more technical side of things, Growmap prevents spammers from submitting comments. Akismet allows spam to be submitted, then it just moves the comments to the spam bin. So Akismet makes your server work harder by accepting the spam, bloats your WordPress database by storing the spam, and makes you work harder by having to review and empty the spam bin.

However, if your blog gets huge amounts of traffic, spammers might take the time to figure out the name of Growmap’s checkbox and bypass it. In that case, Akismet makes more sense.

For the average blog, Growmap is the clear choice.

One Alternative – Conditional CAPTCHA

If you really want to use Akismet, then check out Conditional CAPTCHA. The Conditional CAPTCHA plus Akismet combination is probably the best of both worlds. When used together, Conditional CAPTCHA will require the reader to solve a CAPTCHA only if Akismet thinks the comment is spam.

Most readers will never have to solve a CAPTCHA, and your spam bin won’t fill up. The cool thing is that you can choose to serve a simple CAPTCHA, or the more difficult reCAPTCHA if you think it’s necessary.

I haven’t tried Conditional CAPTCHA. I can’t confirm that it’s all it’s cracked up to be. It does have a 4.9 out of 5 rating in the WordPress Plugin Directory, though, so it’s worth checking out.

What do you use?

Well, that’s what works for me. How about you? Tell us of your battles (victories and losses) with spam in comments.

A Google Reader Alternative is Already Here – Feedly

Dude Freaking Out

Licensed under Creative Commons by bark on Flickr

If you’re a Google Reader user like me, you’re probably freaking out about Google’s announcement that they are retiring Google Reader, effective July 1st, 2013.

Reader is/was a great RSS reader because it allows me to quickly scan the feeds of the many sites I follow across multiple devices. There are a bunch of RSS readers out there, but Google created an API (Application Programming Interface) that allowed other developers to create apps to view and manage your feed subscriptions.

If I marked a post as “read” on my laptop using the Google Reader in my browser, that same post would be marked “read” on my phone’s RSS reader, Feeddler Pro (a great app by the way). That’s the power of their API.

Now that Google is killing Reader, and it’s API, Feeddler will become useless.

What’s the alternative?

As I began to search for alternatives, I came across a CNET article with five alternatives to Google Reader. The first one was feedly, but it syncs using Google’s API, so I passed it over along with the other five. However, in the article’s comments, someone posted a link to an announcement on feedly’s blog that they’ve been building a clone of the Google Reader API. Codenamed Normandy, the project arose because feedly’s been expecting the Reader shutdown for a while.

If you begin using feedly with Google Reader before July 1st, you won’t notice any changes. The changeover will be seamless. I figured, what the heck, I’ll give it a try.

If you’re using Chrome, Safari, or Firefox, Feedler is a free browser plugin, and their Android and iOS apps are also free.

Getting to my Reader feeds in feedly was easy. First, I just clicked on the feedly Chrome Web Store link on their blog page. Then click on the blue “Add to Chrome” button at the top right.

Feedly Add to Chrome Button

Next, click the Add button to confirm you want to add the plugin to Chrome.

Feedly Plus Permission to Add to Chrome

Up comes the feedly login page. If you’re already signed into the same Google Account that uses Google Reader, all you have to do is click the “Connect to Google Reader” button.

Connect Feedly to Google Reader

You’ll see one more confirmation pop-up to let feedly access some of your Google Profile information. Click the “Allow access” button.

Feedly Permission to Access Google Profile Info

Be patient. If you’re trying out feedly soon after the Google Reader announcement, it’s a bit slow. No doubt they’re getting slammed by all the disgruntled Reader users.

In order to ease the transition from Google Reader, feedly has published some tips to help adapt to it’s desktop interface.

Also, there are two versions of feedly – a regular and a “plus” version. The main difference is that feedly plus has a toolbar button that shows the number of unread articles and gives you a way to quickly launch feedly.

Feedly also says that the plus version will “evolve into a tool for power readers.” Perhaps that means it will eventually become a freemium service, which is something to keep in mind before getting too attached to it.

One other cool thing I read in feedly’s Normandy announcement is that they are inviting third-party developers who use the Google Reader API to get in touch if they’re interested in using Normandy for their apps. Maybe I won’t have to get rid of my iPhone’s Feeddler app after all, which would be nice in case feedly doesn’t work out.

I’m sure a lot is going to happen in the RSS reader arena in the near future as a result of Reader’s retirement. Help us all find the best alternative, and let us know in the comments what you’re using instead of Google Reader and how you like it.

Free Simple Social Media Icons for Your WordPress Blog

Simple Social Icons by StudioPress

Simple Social Icons by StudioPress

StudioPress has just released an awesome WordPress plugin that allows you to easily link your social media profiles to simply styled icons that you can add to your blog’s sidebar, the right side of your header, and even your footer.

Simple Social Icons is a free plugin that lets you tailor the social icons so that they will look great with just about any WordPress theme. And because this plugin isn’t limited to the Genesis Framework, it’ll work with any WordPress theme, too.

Currently the plugin offers icons for seven social media platforms (Dribble, Facebook, Google+, LinkedIn, Pinterest, StumbleUpon, and Twitter), as well as icons for email and RSS feeds. Because the icons are designed in-house by StudioPress, they’ve been adding new ones as users request them. A YouTube icon will probably be added next.

I don’t have any social media profiles yet, but I’ve already installed the plugin and played around with it on my development site. What’s so nice about the plugin is—using a simple form—you can add and customize the icons right from the WordPress Dashboard’s Widgets page with just a few clicks.

Here’s exactly what you can customize:

  • Simple Social Icons Admin WidgetIcon size – Choose from sizes of 24, 32 and 48 pixels.
  • Icon Border Radius – Change how sharp the corners are. If you want circles, set the radius to half the icon size.
  • Icon Color – Standard hexadecimal notation for the main color of the icon.
  • Hover Color – The color of the icon when the cursor is above it.
  • Alignment – Set whether the icons are flush with the left or right side of the widget area.

To add an icon to your widget, all you have to do is enter URI (Uniform Resource Identifier, aka the address) of the profile in the appropriate box.

The great thing about this is you can add icons on the fly as you build up your social media presence without have to mess around with any CSS code.

One suggestion I’d make is not to check the “Open links in new window?” box. While advertisers might like to keep readers from leaving your site, the option annoys some of your readers by altering they way they expect their browser to behave. If readers want to open the link in a new window, they can do so by right clicking or holding the control key down when they click. Let them decide.

It’s no secret that I’m a fan of StudioPress. My blog uses their Prose theme, and I’m also one of their affiliates. Part of the reason why, though, is that they are the only major WordPress theme developer I’m aware of that gives away plugins and other small freebies to the WordPress community that are useable outside of the Genesis Framework.

So if you’re considering a new look for your blog, check out their themes and see if there’s anything you like.

One final note that the plugin is still in beta. There may be a kink or two still left to be worked out, but they’re rapidly updating it.

A Free Must-Have Plugin for Cloning Your WordPress Blog

Brick Wall

Image copyright Kuraman Creative – iStockphoto.com

Thump! Thump! Thump!

That’s the sound of my head banging on a brick wall with a shoddy mortar job.

Okay, not really, but that’s what it felt like over the last three nights while trying to install a copy of The Hobby Blogger on my laptop. Fortunately, I found a great free plugin that allows you to easily copy your blog to another location.

I wanted to start changing the look of my blog, but I needed somewhere other than the live site to test and view the changes. It’s not a good idea to make changes that can be seen by readers while they’re actually trying to read the blog. And testing plugins on a live site risks crashing it.

I thought about creating a test (aka development) site on the same server that hosts this blog, but I don’t want to slow down the live blog, and I also want the ability to tinker without an internet connection.

So I began trying to copy my blog to my MacBook. Since Apple’s OS X comes with web (Apache) and database (MySQL) servers built in, I thought setting up the clone site would be straightforward.

The process:

  1. Copy my site’s WordPress folder to my laptop.
  2. Export the database from the live site.
  3. Create a new database on my laptop.
  4. Search and replace references to thehobbyblogger.com with the web folder name on my laptop.
  5. Import the modified database to the one I just created on my laptop.

I almost got it to work. For some reason that I wasn’t able to figure out, the permalinks would not work. The homepage looked fine, but if I clicked on a link to a given post, I’d get a 404 error.

I searched for and tried various fixes to no avail. Figuring it was worth $75 to quit wasting time, I almost resorted to purchasing BackupBuddy to fix the problem.

Still hesitant to pay the cash, though, I did a little more digging and happened on Duplicator—a free plugin that will let you move your WordPress site to another location in three simple steps. Cory Lamle, the plugin’s developer, has a nice step-by-step how-to on his site.

Initially, I tried to use Duplicator with the Mac OS web server, but I was still having the same issue with broken permalinks. I then tried installing the XAMPP web server package that Cory recommended in his how-to post, making sure to disable the Mac OS web server.

Ding! Ding! Ding! We have a winner!

I now have a clone of The Hobby Blogger on my laptop that I can tweak until my heart’s content. If I want to update the clone so that it has the live blog’s most recent posts and comments, syncing them up again only takes a couple minutes.

Duplicator is beta software, so you might come across some bugs, but I highly recommend giving it a try.