Spam getting through security?

  • I’ve been using Spam Karma 2 for a while – it works great against spam and I’ve NEVER had a spam comment get past it since loading it onto my WordPress powered site. Sadly, I had a different kind of comment problem – from actual people posting profane and insulting comments ad nauseam on my site, and I was forced to allow comments only from registered users, and disabled open registration (effectively giving only two people the power to comment, my own admin account, and one of my contributors/friends). Since then no one has been able to comment besides the two of us – until a few days ago. Without changing any options, I’ve seen SK2 harvesting a few spam messages a week now. Do you have any idea how they could be getting posted when comments are disabled from non-registered users? They are not coming from any registered account (ruling out any potential password leak). Any insight you could offer would be greatly appreciated!

    (I’m running WP v2.0.3 and my site is

Viewing 11 replies - 1 through 11 (of 11 total)
  • Probably those are trackbacks and not comments (they look the same at first sight) and posted not by humans but by automatic scripts.

    Could you elaborate? Trackbacks usually get through Spam Karma, whereas these comments do not. They all seem to be advertisements, also, not references to any blog entry (I’m not really familiar with how trackbacks work, though).

    I have seen the same behavior, but am not using Spam Karma (although will be looking to install it). Just over the past day, I’ve received about 200 spam postings, most from an online poker ad. I have a secured blog, comment moderation on, only registered users can comment, no email-based commenting enabled, no unknown registered users. Something is definitely defeating the security protocols and it’s causing me all kinds of headaches. My readers aren’t seeing them because all comments are moderated, but my inbox is filling up with comment moderation requests.


    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    A “trackback” is really not very different than a comment, it just comes in through a different door. Most of my spam comes in the trackback door nowadays. It’s blocked, of course, but that’s still how it happens.

    All a trackback is is a way for automated systems to send your blog a URL and some text without having to go through the comment form. That’s what it was designed to do. It’s a standardized way to do that.

    Now, WordPress basically turns these into comments. So disabling comments, while it will remove the comment form and disable the comment door, doesn’t affect trackbacks.

    This is not “defeating the security protocols”. This is how it was specifically intended to work. Trackbacks are trackbacks and comments are comments. Just because they end up in the same place doesn’t make them the same thing.

    Trackbacks can be enabled or disabled on a per post basis, but that’s not the right way to deal with spam, really.

    My suggestion:
    1. Install Bad Behavior. This great plugin stops like 80-90% of spammers dead in their tracks. No moderation, no queuing. The spam just doesn’t appear anywhere. Works great.
    2. Install Akismet. This sends everything that gets submitted (comments and trackbacks) to Akismet’s servers, which analyses it and returns a pass/fail. It occasionally catches a valid comment (about 1 in 80 in my experience), but you can teach it which comments were real through a simple control panel. Scan it every few days, and no biggie. It gets better with time, and with all the contributions of bloggers everywhere.

    I have not used Spam Karma, but it’s effective as well, so I hear.
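
Added example, not part of the original post or of WordPress: a small access-log check that shows which "door" submissions are arriving through, so a site owner can confirm that spam on a registered-users-only blog is coming in as trackbacks rather than through the comment form. The log lines are constructed samples in Apache combined format; the function names are hypothetical, and the `xmlrpc.php` bucket (pingbacks and other XML-RPC calls) goes slightly beyond what the thread discusses.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jul/2006:10:01:02 +0000] "POST /wp-trackback.php?p=42 HTTP/1.1" 200 78 "-" "-"
203.0.113.5 - - [12/Jul/2006:10:01:09 +0000] "POST /2006/07/hello-world/trackback/ HTTP/1.1" 200 78 "-" "-"
198.51.100.7 - - [12/Jul/2006:10:02:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://blog.example/2006/07/hello-world/" "Mozilla/5.0"
192.0.2.9 - - [12/Jul/2006:10:03:00 +0000] "POST /xmlrpc.php HTTP/1.0" 200 150 "-" "-"
192.0.2.9 - - [12/Jul/2006:10:03:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# client IP, method, request path, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def classify(path):
    """Map a request path to the WordPress entry point it targets."""
    bare = path.split("?", 1)[0]
    if bare.endswith("/wp-comments-post.php"):
        return "comment_form"      # the door that "registered users only" closes
    if bare.endswith("/wp-trackback.php") or bare.rstrip("/").endswith("/trackback"):
        return "trackback"         # separate door, unaffected by that setting
    if bare.endswith("/xmlrpc.php"):
        return "xmlrpc"            # pingbacks and other XML-RPC calls
    return None


def summarize(log_text):
    """Count POST submissions per door and per (source IP, door)."""
    by_door, by_source = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # skip lines that are not in combined format
        ip, method, path, _status = m.groups()
        door = classify(path) if method == "POST" else None
        if door is None:
            continue
        by_door[door] += 1
        by_source[(ip, door)] += 1
    return by_door, by_source


if __name__ == "__main__":
    doors, sources = summarize(SAMPLE_LOG)
    for door, count in doors.most_common():
        print(f"{door:13s} {count}")
    for (ip, door), count in sources.most_common(5):
        print(f"{ip:15s} {door:13s} {count}")
```

A trackback count that dwarfs the comment-form count on a blog where commenting is restricted matches the behaviour described in the reply above.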

    Thanks for the info.

    Do “Bad Behavior” and “Akismet” also scan trackbacks? Additionally, can they work with each other (as well as Spam Karma) or can only one be active at a time?

    All of them can work together.
    Yes, they do kill TB, too 🙂

    With the combination of Bad Behavior and Akismet, I’m at a loss as to why any other anti-spam plugins might be required. These two are all that anyone could need to eliminate spam from their WordPress blog.

    Do they work together, or is it an either/or solution?

    nemt. you are just asking, asking, asking… Don’t you read the replies?

    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    With the combination of Bad Behavior and Akismet, I’m at a loss as to why any other anti-spam plugins might be required. These two are all that anyone could need to eliminate spam from their WordPress blog.

    Agreed, 100%. The combination of BB and Akismet is overwhelmingly powerful. The flood of spam I was receiving turned into a trickle, which is all caught in Akismet’s bucket (good metaphor, eh?). 😀

    Currently there seems to be a new wave of spam anyway. My mail servers are just as battered by this.

    On the blogs I maintain the combo of BB and Akismet works perfectly.
