Fighting Spam

Operating your own website or blog, you will soon realize lots of comments with nonsense content and embedded links to obscure websites. These are comment spammers making your life difficult. Everyday you have to clean up or moderate all comments. In the past I used a wordpress plugin “spam free wordpress” to protect my blog, and for long time it was working fine without any problems. Writing a comment to my postings, you were asked to copy and paste a password from one to another field in the comment form. Suddenly it was not working any longer, and I found out that the developer changed his policy: I have to pay a license fee. Maybe I also should change my policy, and ask for a license fee to download my AHP excel template? So I was searching for a new free plugin. I installed SI Captcha Anti-Spam from Mike Challis, but still spam comments were coming through. So I enabled the honeypot spambot trap and it seems to work.

What is a honey pot spambot trap?

I learned some new things about spam, and also found an interesting project “Project Honey Pot” on the web. There you can find out more about harvesters, spammers, dictionary attackers and honey pots. You can participate in the project, install a honey pot or implement a quick link to fight spam. A honey pot is a – for humans invisible – link to a dynamic website providing “fake” e-mail addresses and forms for spam programs. If the form is submitted or an e-mail sent to one of addresses provided there, then you can be sure it is a spammer and record/block his IP address. Here an example of a quick link (opens in a separate window, don’t submit.) Usually this link is hidden -only visible for bots, spider programs etc.

Project Honey Pot also provides a useful service HTTP Blacklist to check IPs against a list of known harvesters, comment spammers, and other suspicious visitors to websites.

Now I can monitor  suspicious activities on my website: within only two days I could see more than 100 attacks!

Check your own IP address.

Making your wordpress blog more secure

You find the individual steps easily in a web search. Most critical is the change of SQL table prefixes. I did it manually using phpMyAdmin. When finished, no link was working any longer. Reason: permalinks were set to %postname%. After switching first to default and then back to %postname% everything was fine.

I also struggled with the password protection. Inportant: add the line ErrorDocument 401 default, otherwise you might always get the “page not found” message.

Steps to do:

  • Move config.php file one directory above wordpress installation directory
  • Remove admin user
    (create new user with full rights and delete old user)
  • Protect wp-admin and wp-includes directories
    (read for owner and group only = 751)
  • Hide wordpress version and login error messages
    Add in functions.php (in your ChildTheme directory):
    <?php remove_action(‘wp_head’, ‘wp_generator’);
    add_filter(‘login_errors’,create_function(‘$a’,”return null;”)); ?>
  • Delete readme.html file from web root directory
  • Password protect wp-admin directory (I used CPanel to create .htaccess).
    Modify .htaccess file in wp-admin – add:
    ErrorDocument 401 default
  • Modify .htaccess file in web root:
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ – [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
  • SQL: change prefixes of database tables from
    “wp_”  to “new_prefix_”
;