WordPress.org

1. bolonki
   Member
   Posted 5 years ago #

   I can't believe it, but a spam bot was able to modify the very text of the post itself and enter a spam link!

   To make it clear, this is not the classic spam in a comment, but this is editing the text of my POST to link to some spammy Ucranian (.ua) site.

   Any info and tips to prevent this are very welcome.

   PS: I am running WordPress 2.13 and have renamed the comments file to prevent spam (prevents 100% of the spam without the enormous burden on server resources that Akismet imposes), but now the spam bots moved to the very post.

2. Otto
   Tech Ninja
   Posted 5 years ago #

   I am running WordPress 2.13

   WordPress 2.1.3 has a major security hole, and you should upgrade to WordPress 2.2 immediately.

   prevents 100% of the spam without the enormous burden on server resources that Akismet imposes

   Akismet doesn't put any burden on your server, it puts the burden of spam checking onto Akismet's servers. They're the ones doing all the work.

   And renaming the comments file just means people can't leave any comments. Which is fair enough, but seems a long way to go in order to prevent spam. I mean, yeah, I could not get any spam in my email if I didn't use email.

3. bolonki
   Member
   Posted 5 years ago #

   Thanks Otto for the heads up on the security hole.

   Regarding Akismet, what I meant is with Akismet on, you are still processing hundreds of comments a day, whereas by renaming the comments file you don't process anything, the SpamBots simply fool around with a fake comment form.

   And please see that I renamed, not eliminated, the comments file so that legitimate visitors have no trouble whatsoever leaving comments. So it's not like you say. You give a new name to the real comment file, change the name of the file in your theme, and then leave an empty comments.php file for the spambots to play with.

4. Otto
   Tech Ninja
   Posted 5 years ago #

   Regarding Akismet, what I meant is with Akismet on, you are still processing hundreds of comments a day, whereas by renaming the comments file you don't process anything, the SpamBots simply fool around with a fake comment form.

   Few problems with that notion:
   1) Spambots can load your webpage and see the form just as easily as anybody else can. Easier, if they wanted to write them to do so. And it's only a matter of time before this minor change is implemented in the bots and they start using "the form" like everybody else.
   2) 95% of spam I see now is Trackback spam anyway, which doesn't use comment forms or comments.php.
   3) The *actual* right way to do what you're suggesting would be using a nonce.
   4) But mainly, the Bad Behavior plugin would block all this pretty much without any processing overhead and without having to mess about with the code and such like this. It prevents bots like that from even accessing the site to begin with by simply recognizing and blocking bots. Much simpler and more effective. It cut my incoming spam by 85%, just like that. No configuration. No interface. It just works. The remaining 15% of the spam goes on to Akismet.

5. ganzua
   Member
   Posted 5 years ago #

   Forcing registering to comment can help to prevent spam

6. moshu
   Member
   Posted 5 years ago #

   Forcing registering to comment can help to prevent spam

   Wrong! Trackback spam (read more carefully Otto's post above!) doesn't need any registering. Forcing registration is just an annoyance for legitimate commenters. I never comment on a blog if registration is required.

7. whooami
   Member
   Posted 5 years ago #

   bolonki,

   You haven't provided a link to your site here or in any of your previous posts so I cannot check for myself so I cannot check for myself -- do you know if you are using a sponsored theme? I ask because a eerily similar situation occurred recently where the post content was being appended w/ 'spam' links.

   I'm willing to bet it's the theme you are using.

Topic Closed

This topic has been closed to new replies.