Fighting Spam on Your WordPress Website


Friday afternoon. Summer. You have finished the day’s work peacefully while your colleagues enjoy a well-deserved holiday. Relax, in two weeks it’s your turn. Everything went well during the day, so you’re getting ready to shut down the computer… and time to go home—see you next Monday, folks!

Back home you’re on the couch, enjoying the beginning of your weekend. Browsing the Internet for a while and seeing what’s going on seems like a good idea. You turn on your computer and there they are: over 500 support tickets! What the hell happened?! Everything’s broken and you’re alone to fix it? Lord, have mercy!

More than 500 support tickets in less than two hours. WHAT! Source: Giphy.

You pull yourself together and say to yourself: not on my watch! It’s time to find out what’s going on and fix it. Fortunately, the pattern is easy to find. All the tickets that have been submitted so far are from the same email account (which I won’t mention here). It must be a bot, and so it must be blocked!

Fortunately, the ticketing system we use allows me to mark this contact as spam (in fact, they should have detected it themselves, but hey, we can’t always be that lucky). Done! No more tickets from them.

But how did all this happen?

Well, the answer is in WordPress. In our WordPress website, in fact. There are a couple of contact forms whose submissions are redirected to our support ticket system. That’s where the problem started: those two forms, unfortunately, had no spam filtering in place. They were the only ones on the website that didn’t have it…

F*cking spammers!

Damn spammers! You scared the hell out of me! Source: Giphy.

Luckily, it wasn’t that bad. I was able to fix it and it won’t happen again. And now it’s time to help you: this is what we do on our website to avoid spam, so you can also do the same and avoid it.

Stop Spam Bots on Your Contact Forms

This whole problem happened because we didn’t have any protection against mass form submission attacks on two of the 14 forms we have on our website. It’s bad luck, but if you leave the door open, spammers take advantage of it.

Had I not noticed this, I would have had hundreds of thousands of support tickets waiting on Monday and everything would have been worse. Luckily, this did not happen and the problem was not as big as it could have been.

For the contact forms on our website we use the Contact Form 7 plugin. Contact Form 7 in its latest versions already adds the possibility of using captchas in the forms. But the truth is, we hate Captchas. Every time Google asks me to choose images that show traffic signs, taxis, buses, or storefronts after telling it I’m not a robot, I get frustrated.

Come on, Google, I’m not a robot! Source: Giphy.

To avoid putting captchas on the forms on our website we use the Contact Form 7 Honeypot plugin. This plugin extends Contact Form 7 to include honeypots in the form. A honeypot is nothing more than a hidden field in the form which, if filled in, prevents the form from being sent.

Since most bots are idiots (at least in 2018), when they fill in a form they fill in every field, including the hidden one. This simple trick blocks form submissions by bots. Users do not see the honeypot field, so they leave it empty and their form is sent correctly.

A honeypot can save you from spam attacks on your forms by bots. The Honeypot Contact Form 7 plugin does its job really well.

Just by adding a honeypot field in Contact Form 7 forms you avoid most of the spam you receive through WordPress contact forms.
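
The honeypot check described above, combined with a per-sender flood guard of the kind that would have stopped the burst of tickets from a single address, as an added Python example (it is not code from Contact Form 7 or the Honeypot plugin). The field name `website_url`, the limit of 3 submissions per hour and the sample submissions are assumptions made up for illustration.

```python
from collections import defaultdict, deque

HONEYPOT_FIELD = "website_url"   # hypothetical name of the hidden field
MAX_PER_SENDER = 3               # assumed limit per sender per window
WINDOW_SECONDS = 3600            # assumed sliding window (one hour)


def screen(submissions, honeypot=HONEYPOT_FIELD,
           limit=MAX_PER_SENDER, window=WINDOW_SECONDS):
    """Return one verdict per submission, in order.

    Each submission is a dict with 'ts' (epoch seconds), 'email' and the
    posted form fields. Submissions must be sorted by 'ts'.
    """
    recent = defaultdict(deque)   # sender -> timestamps of accepted posts
    verdicts = []
    for sub in submissions:
        # 1. Honeypot: humans never see the field, so any content means a bot.
        if str(sub.get(honeypot, "")).strip():
            verdicts.append("reject:honeypot")
            continue
        # 2. Flood guard: catches bots that skip hidden fields but hammer
        #    the form from a single address, as in the incident above.
        sender = sub["email"].strip().lower()
        seen = recent[sender]
        while seen and sub["ts"] - seen[0] >= window:
            seen.popleft()            # forget posts older than the window
        if len(seen) >= limit:
            verdicts.append("reject:flood")
            continue
        seen.append(sub["ts"])
        verdicts.append("accept")
    return verdicts


# Constructed sample traffic (not real data).
SAMPLE = [
    {"ts": 0,    "email": "ana@example.com", "message": "Licence question"},
    {"ts": 5,    "email": "bot@example.net", "message": "Buy now",
     "website_url": "http://spam.example"},
    {"ts": 10,   "email": "Flood@example.org", "message": "x"},
    {"ts": 11,   "email": "flood@example.org", "message": "x"},
    {"ts": 12,   "email": "flood@example.org", "message": "x"},
    {"ts": 13,   "email": "flood@example.org", "message": "x"},
    {"ts": 4000, "email": "flood@example.org", "message": "x"},
]

if __name__ == "__main__":
    for sub, verdict in zip(SAMPLE, screen(SAMPLE)):
        print(sub["ts"], sub["email"], verdict)
```

Both checks run on the server: hiding the field in the browser only baits the bot, and the rejection has to happen where the form is processed.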

Remove Spam Comments From Your Blog

If you have a blog, you’ll have your comments open. Who doesn’t like to get feedback from their readers about their content? But there’s a catch: you’ll probably get thousands of spam comments too. Luckily, Akismet is a free plugin that works very well at detecting spam in comments and blocking this type of spammer.

Akismet has helped us a lot in the fight against spam on our website.

Look at our website: Akismet has protected our website from 100,000 spam comments so far! Pretty neat, huh?

If you activate it in your WordPress you can go to the comments section and you’ll see a section with the spam comments. You can review them, if you want, and delete them so they don’t take up space in your database.

Avoid The Registration of Malicious Users

On our website we do not have user registration open. So it’s technically impossible for us to have any spam users. But if you do, you’ll probably have plenty of spam users. And I know because I’ve seen it: in the early days of Nelio, a few years ago when we migrated websites to WordPress, I had the opportunity to migrate databases of websites with thousands of users, and most of the sites we worked with were plagued with spam users. And I don’t think the trend has changed today.

Hi, I’m here to sign up for your website. I am a super normal user. Let me in, please… Source: Giphy.

If you open the registration of users on your website, you should keep an eye on it because otherwise it’s very easy to end up with thousands of registered users who are not real users.

How to prevent these users from registering on your website? Well, there are several ways. Here are the most common ones:

  • Akismet: Again, this plugin can save you by detecting spam user registrations. Keep it active!
  • Verify the email address of new user registrations. With this plugin you can do it. Most bots will not confirm their email and you will prevent them from registering.
  • Add a captcha to the user registration form. Yes, I know I’ve been complaining about captchas, but if you’re getting a lot of trouble from spammers, you’d better do it. With All-in-one Security you can have them.
  • Change the default WordPress URL to register new users. Here’s some more information about this topic.

Final Remarks

Even in those moments when it seems that nothing strange or unusual could happen, you should not lower your guard on the Internet. If anything can go wrong, it will, just like our friend Murphy predicted. This is why you should be prepared and take care of your website so that it has everything in place to prevent annoying spam.

Whether you like it or not, when you have a website on the Internet, you’re exposed to spam. It’s impossible to avoid it completely, but you can definitely reduce it to the minimum. As soon as your website has some traffic you will be the target of spammers, so it’s better to be prepared than to face the problem later.

Luckily, WordPress and its plugin ecosystem provide you with the perfect tools to be ready for the battle against spam. This is a battle you can win. Go for it!

Featured image by Scott Van Hoy on Unsplash.


Antonio obtained his PhD in Computer Science at UPC. He has several publications in the field of data mining and information retrieval applied to conceptual modeling and health informatics. He specialized in the design, development, and integration of web services and cloud applications. He's an active contributor to the WordPress community and participates in meetups, seminars and WordCamps.
