Posted on Wednesday 14 May 2014
Okay – I think I can finally and tentatively declare Victory!
A few lessons learned from this ugly business. The biggest one was that while it was pretty obvious that most of the spammers were automatic, there were two types!
One group obviously used the comment forms on posts directly, creating comments on random postings, but usually only one or two of them at a time (postings, that is, not comments, LOL).
Of that first group, there were those who just opened up a comment window and dumped their garbage in – but requiring them to pass a simple Captcha code caused their attempts to fail!
The second part of that first group obviously had the processing smarts to crack a normal Captcha (those that use number-and-letter combinations), possibly by brute force…
Once I installed a simple graphic puzzle (requiring no entry of characters at all), the high number of spam entries dropped to a low of 10-20 at a time!
Those last 20 were using a new way to post spam. They actually bypassed the whole Captcha challenge entirely! They did this by using WordPress ( the engine I use for my blog ) against itself – sort of.
Since they knew that the site was written in WordPress, they just called a special utility within it called wp-comments-post.php, which is the script that does the actual posting of a comment after you have entered it into the comment field. Sending a request straight to that script means the post page, and the Captcha on it, is never loaded at all.
I’d like to thank the website code.tutsplus.com for posting their 6 ways to combat spam comments. Their posting was instrumental in fixing my problem. Now, to be honest, all the spam I was getting was going directly into the spam folder; none of it ever got posted on the website, so my original tools like Akismet were working. I just didn’t want to have to wade through the tons of spam every couple of days looking for valid comments (which has happened in the past, unfortunately).
So I added code.tutsplus.com’s first recommendation to cancel the wp-comments-post.php attack, which was to put some special code into my .htaccess file. It seemed to work at first, but all at once they were posting again…
What finally did the trick was a special plugin called Cookies for Comments. I know there are mixed opinions about cookies on the Internet, and I am against anything that tracks you over a period of time. But these are short-duration things that are added and checked almost instantaneously! Essentially, the user picks up a cookie from one of my pages, and if he goes to post a comment, the cookie is checked first. If it isn’t there, the posting is disallowed (because the spammers are calling the wp-comments-post.php script directly and never loading a page, so they never receive the cookie!).
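To show how a cookie check like the one described above can sit in front of wp-comments-post.php, here is a small stand-alone WordPress plugin. It is an added illustration, not the code of the Cookies for Comments plugin or of anything from code.tutsplus.com. The names COMMENT_GATE_COOKIE, COMMENT_GATE_TTL and the comment_gate_* functions are my own; the hooks (template_redirect, pre_comment_on_post), the helpers (wp_hash, wp_die, is_ssl) and the constants (COOKIEPATH, COOKIE_DOMAIN, HOUR_IN_SECONDS) are real WordPress ones. The cookie value is a keyed hash rather than a fixed string, so a submitter cannot simply invent one; that is a design choice on my part, not something the post specifies.

```php
<?php
/*
Plugin Name: Comment Cookie Gate (illustrative example)
Description: Sets a short-lived cookie on normal page views and refuses comment
             submissions that reach wp-comments-post.php without it.
*/

// Added example; assumed names below are not from WordPress or any plugin.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

define( 'COMMENT_GATE_COOKIE', 'comment_gate' );   // assumed cookie name
define( 'COMMENT_GATE_TTL', HOUR_IN_SECONDS );      // cookie lifetime: one hour

// Expected cookie value: a keyed hash (wp_hash uses the site's salts) of the
// client address and the current one-hour window. Without the salts the
// value cannot be forged; it is also useless after the window rolls over.
function comment_gate_expected_value( $window_offset = 0 ) {
    $addr   = $_SERVER['REMOTE_ADDR'] ?? '';
    $window = intdiv( time(), COMMENT_GATE_TTL ) + $window_offset;
    return wp_hash( $addr . '|' . $window, 'nonce' );
}

// Hand the cookie out on front-end page views, which is where the real
// comment form lives. Runs before any output, so headers can still be sent.
function comment_gate_set_cookie() {
    if ( is_admin() || headers_sent() || isset( $_COOKIE[ COMMENT_GATE_COOKIE ] ) ) {
        return;
    }
    setcookie(
        COMMENT_GATE_COOKIE,
        comment_gate_expected_value(),
        time() + COMMENT_GATE_TTL,
        COOKIEPATH,
        COOKIE_DOMAIN,
        is_ssl(),   // Secure flag when the site is served over HTTPS
        true        // HttpOnly: page scripts never need to read it
    );
}
add_action( 'template_redirect', 'comment_gate_set_cookie' );

// pre_comment_on_post fires inside wp-comments-post.php before the comment is
// stored. A request that went straight to that script never visited a page,
// so it carries no cookie and is refused here.
function comment_gate_check( $comment_post_id ) {
    $got = $_COOKIE[ COMMENT_GATE_COOKIE ] ?? '';

    // Accept the current window and the previous one, so a cookie issued just
    // before the hour boundary is still valid when the comment is submitted.
    $ok = hash_equals( comment_gate_expected_value(), $got )
       || hash_equals( comment_gate_expected_value( -1 ), $got );

    if ( ! $ok ) {
        // Log the rejection so the volume of direct submissions stays visible.
        error_log( sprintf(
            'comment_gate: rejected comment on post %d from %s (missing or invalid cookie)',
            (int) $comment_post_id,
            $_SERVER['REMOTE_ADDR'] ?? ''
        ) );
        wp_die(
            'Please open the post page before submitting a comment.',
            'Comment rejected',
            array( 'response' => 403 )
        );
    }
}
add_action( 'pre_comment_on_post', 'comment_gate_check' );
```

Two caveats a site owner would want to know before relying on this: behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address rather than the visitor's, so the hash should be built from whatever header the proxy is trusted to set; and full-page caching can serve a cached page without running template_redirect, in which case the cookie has to be set by a request the cache does not serve (a small uncached endpoint, for example). Legitimate visitors with cookies disabled will also be turned away, which is the same trade-off the post accepts.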
I’m sure eventually they will figure a way around this (whatever one man can construct, another man can deconstruct), but for now the dam is holding.
I think WordPress themselves will soon have to address this direct access of code for spamming purposes – it’s too big a hole and needs to be fixed!
Till next time then…