As a WordPress user of over 8 years with over 100 WordPress blogs I’ve seen my fair share of comment SPAM.
Until yesterday I swore by the Akismet comment SPAM plugin, had Akismet installed on all my WordPress blogs and thought it was blocking a lot of SPAM comments.
Yesterday I discovered a serious Google SEO performance issue with Akismet v3.0.
Akismet SPAM Plugin
I’ve used Akismet as a matter of course for years, one of the first plugins I activate on a new WordPress install.
However, Akismet v3.0 adds three JavaScript files to the front end of posts with comments enabled. I don’t know exactly why Akismet needs these JavaScript files; I’m guessing it’s some sort of SPAM honeypot.
Akismet Honeypot code added to comment pages:
<p style="display: none;"><input type="hidden" id="akismet_comment_nonce" name="akismet_comment_nonce" value="b23de1ea17" /></p>
<p style="display: none;"><input type="hidden" id="ak_js" name="ak_js" value="190"/></p>
I guess the second line uses the CSS ID ak_js to rename the hidden input on the fly using jQuery (all three of the JS files added are jQuery code), so smarter comment SPAM bots can’t learn the name of the hidden nonce comment input and avoid adding content to it. SPAM honeypots tend to work by being hidden form inputs: if a commenter manages to add content to a hidden form field you know it’s a comment SPAM bot, since real users can’t see the hidden box.
These are the javascript files Akismet 3.0 adds:
http://domain.com/wp-includes/js/jquery/jquery.js?ver=1.11.0
http://domain.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1
http://domain.com/wp-content/plugins/akismet/_inc/form.js?ver=3.0.0
That’s well over 100KB of JavaScript for a comment SPAM honeypot!
I found this JavaScript issue because I’d just built a new responsive WordPress menu for Stallion Responsive v8.1 that didn’t use jQuery. My old v8.0 responsive menu required jQuery (the first two files listed above), which has a negative SEO impact on PageSpeed, so I made a responsive menu that only uses CSS (no JavaScript at all, much better for Google SEO performance).
During my tests with the Google PageSpeed Insights Tool I found that jQuery was still loading on WordPress posts, and tracked it down to Akismet 3.0.
I could add a feature to Stallion Responsive to prevent Akismet adding those three JavaScript files, but before adding the feature I decided to see how well the Stallion Responsive comment SPAM features work without Akismet active.
Block Comment SPAM
Stallion Responsive has 3 types of comment SPAM prevention built in, activated under “Stallion Theme” >> “Advanced SEO” – “Block Comment SPAM ON”. These are the three methods for blocking SPAM:
1 – Some SPAMBOTS (used for adding SPAM comments to our blogs) are poorly built and send no HTTP_REFERER header; selecting Block Comment SPAM ON will stop many of them before they post a comment.
2 – Adds a nonce to the comments form to stop comments being submitted remotely.
3 – A SPAM honeypot in the form of a text field hidden via CSS. Many SPAMBOTS fill all text fields, and since this one is hidden only a SPAMBOT could fill it, so all comments that trip the honeypot (fill the hidden text box with content) are automatically marked SPAM.
I’ve never tried running a WordPress site just with the Stallion Responsive SPAM blocking turned on, always have Akismet active as well.
Yesterday I turned Akismet 3.0 off, this solved the PageSpeed SEO performance issues caused by the three javascript files. Stallion’s SPAM blocking features do not require any javascript and will have no negative impact on performance.
This website has been running for less than a day with Akismet turned off and Stallion Responsive has caught 658 SPAM comments and missed 2 SPAM comments, which were added to the Pending queue for manual checking. I temporarily turned Akismet on, clicked the Check for SPAM button and it moved the two comments in the Pending queue into SPAM.
As expected Akismet deals with SPAM comments better than Stallion Responsive’s SPAM checking: Stallion has no way to catch real visitors who manually SPAM comments (the majority of SPAM comments are added automatically by SPAM bots), so it will miss manual SPAM. That being said, detecting 658 SPAM comments out of 700 SPAM comments is awesome. Manual SPAM comments are the minority and Akismet will miss some of them too; Akismet could have missed those two SPAM comments yesterday because it has to learn what is SPAM, and it also makes mistakes with false positives, especially in the make money online niche.
I can handle a few SPAM comments added to the Pending queue to stop Akismet ruining my websites’ performance metrics.
Goodbye Akismet.
David
Stop Blog Comment SPAM Performance Issues
In Stallion Responsive 8.1 I’ve added more comment SPAM blocking measures and changed the way possible SPAM comments are handled to reduce their performance impact.
The problem with WordPress comment SPAM is two fold.
First, with popular comment SPAM measures (Akismet for example) the comment SPAM is still added to the WordPress database. This domain is currently receiving up to 1,000 SPAM comments a day, which means every day 1,000 comments are added to the database; the resources used to add a SPAM comment are a waste of server resources, and with many host setups you will find MySQL access is a bottleneck that reduces a site’s performance.
I don’t know how much of a performance hit 1 SPAM comment requires, but it’s pretty obvious stopping 1,000 database entries a day (365,000 a year) is a good thing to aim for, so stopping the SPAM comments from being added to the database in the first place is a desirable outcome.
Second, webmasters have to regularly delete the comment SPAM from their SPAM folder; this takes time, and if you don’t want to miss any real comments, a LOT of time.
If you run Akismet, for example, you will find Akismet SPAM filtering is not perfect: it does add comments to the SPAM folder by mistake. In the Internet marketing community there is a fine line between promoting a website and comment SPAM, and some Internet marketers skate the grey line between reasonable promotion and comment SPAM. Akismet can’t tell the difference: an Internet marketer who isn’t a comment SPAMMER per se may still have some blog owners marking their comments as SPAM. Akismet is like a crowd-sourced vote on who is a comment spammer; if enough blog owners mark your comments as SPAM, as far as Akismet is concerned comments associated with your email address are all SPAM.
I guess you could damage another user’s email address by comment SPAMMING using their email address: I’ve had my comments marked as SPAM on sites I own and I never comment SPAM, I barely ever comment on other sites. If you run Akismet on a popular WordPress blog you might have thousands of comments added to the SPAM folder and have no idea if a few are real comments; the only way to know for sure is to manually check thousands of comments! I don’t have time for checking thousands of comments, I delete the SPAM and hope none are real comments, and I’ve almost certainly deleted some good comments over the years.
I’ve solved all the above problems in Stallion Responsive 8.1.
Stallion includes 5 SPAM protection measures:
1 – HTTP_REFERER check.
This basically checks if the commenter is using a browser; if not they get an error message: no comment is added to the database.
2 – Adds a nonce to stop comments being submitted remotely.
Similar to the above; basically it’s a unique code that checks the commenter is on the site and not posting using SPAM software. If they are not on the site they get an error message: no comment is added to the database.
3 – Two SPAM HoneyPots. These are form fields real users can’t add content to, but SPAM bots tend to fill them, tripping the SPAM honeypot. This feature has been in since Stallion Responsive 8.0, but in 8.1 rather than adding the comment to SPAM the commenter gets an error message: no comment is added to the database.
4 – SPAMMERS tend to post long URLs in the author URL box, if a URL is longer than X characters (you set X: default 60) it’s marked SPAM: the comment is added to the SPAM folder so you can manually check it.
5 – 10 duplicate field checks: if a SPAM bot adds the same content to two fields it generates an error message: no comment is added to the database.
The benefit of error messages over adding the comment to SPAM is that if a real commenter accidentally trips a SPAM measure (adding the same content to two fields, for example) they receive a message saying what the issue is and advice to go back and fix it.
Some SPAM bots are smart enough to avoid some of the SPAM filtering above, but highly unlikely to avoid them all.
That being said, I’ll be looking out for automated SPAM comments that get through the above filters to see how they got through and find a fix. For example, if a SPAM bot is built well and the spammer isn’t too dumb, their comments will be in the moderation queue waiting for approval or deletion.
BTW the above checks are made on ALL comments; there is no whitelisting (like the WordPress core previously approved comments option), which means even if a SPAMMER managed to get a manual SPAM comment approved so they could SPAM your site** the above checks will still check all their new comments.
** One way to SPAM a site would be to post a quality comment to a popular blog and wait for the owner to approve it; if they have the previously approved comments option set, the user can now post anything they want as a comment with no checks.
If you’d like to see one of the new SPAM filters in action, write a comment below, set the author name and the comment title to the same content, add some text and submit the comment. You’ll see an error message saying two or more fields are the same and telling you to go back and fix it; if you were a SPAM bot you wouldn’t go back.
David
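The server-side half of this, as an added PHP example that is not Stallion Responsive’s own code: the Referer, nonce and honeypot checks from the three methods in the post and the first four of the five measures above, wired into WordPress through the comment_form action and the preprocess_comment filter. The hooks and functions used (wp_nonce_field, wp_verify_nonce, wp_die, pre_comment_approved, esc_attr, esc_html) are real WordPress APIs; the field names, the stallion_style_ prefix and the 60-character limit are assumptions, and the sample submissions at the bottom are constructed so the checks can be run from the command line without WordPress. The duplicate-field check (measure 5) is left out of this one.

```php
<?php
// Added example (not Stallion Responsive code): server-side comment checks
// that reject a submission before anything is written to the database.
// Field names, the stallion_style_ prefix and the 60-character limit are
// assumptions; the WordPress hooks and functions used are real.

const STALLION_STYLE_MAX_URL_LEN = 60;                                // the X in measure 4
const STALLION_STYLE_HONEYPOTS   = ['website_url', 'email_confirm'];  // hidden via CSS

/**
 * Inspect one submission.
 *   ['ok' => false, 'reason' => ...]        reject outright, nothing stored
 *   ['ok' => true,  'spam' => true, ...]    store it, but in the SPAM folder
 *   ['ok' => true,  'spam' => false]        let it through to normal moderation
 *
 * $post and $server are the request arrays ($_POST / $_SERVER); $nonce_ok is
 * the result of verifying the form nonce (wp_verify_nonce inside WordPress).
 */
function stallion_style_precheck(array $post, array $server, bool $nonce_ok): array {
    // 1. Poorly built bots send no Referer. Browsers usually do, but not when a
    //    URL is pasted or opened in a new tab, so on its own this is unreliable.
    if (empty($server['HTTP_REFERER'])) {
        return ['ok' => false, 'reason' => 'missing referer'];
    }
    // 2. Nonce: the form must have been served by this site recently.
    if (!$nonce_ok) {
        return ['ok' => false, 'reason' => 'security check failed'];
    }
    // 3. Honeypots: a human never sees these fields, so any content means a bot.
    foreach (STALLION_STYLE_HONEYPOTS as $field) {
        if (trim((string) ($post[$field] ?? '')) !== '') {
            return ['ok' => false, 'reason' => "honeypot '$field' filled"];
        }
    }
    // 4. Over-long author URL: suspicious but not conclusive, so it is kept
    //    and marked SPAM for a human to check rather than rejected.
    $url = trim((string) ($post['url'] ?? ''));
    if (strlen($url) > STALLION_STYLE_MAX_URL_LEN) {
        return ['ok' => true, 'spam' => true, 'reason' => 'author url too long'];
    }
    return ['ok' => true, 'spam' => false];
}

// WordPress wiring; only active when this file is loaded by a theme or plugin.
if (function_exists('add_action')) {
    // Emit the nonce and the hidden honeypot fields inside the comment form.
    add_action('comment_form', function () {
        wp_nonce_field('stallion_style_comment', 'stallion_style_nonce');
        foreach (STALLION_STYLE_HONEYPOTS as $field) {
            echo '<p style="display:none"><input type="text" name="' . esc_attr($field)
               . '" value="" tabindex="-1" autocomplete="off"></p>';
        }
    });
    // Run the checks before WordPress inserts the comment.
    add_filter('preprocess_comment', function (array $commentdata) {
        $nonce_ok = isset($_POST['stallion_style_nonce'])
            && wp_verify_nonce($_POST['stallion_style_nonce'], 'stallion_style_comment') !== false;
        $verdict = stallion_style_precheck($_POST, $_SERVER, $nonce_ok);
        if (!$verdict['ok']) {
            // The commenter gets the reason and a back link; nothing is stored.
            wp_die(esc_html('Sorry, your comment was rejected: ' . $verdict['reason']),
                   'Comment rejected', ['back_link' => true]);
        }
        if ($verdict['spam']) {
            add_filter('pre_comment_approved', function () { return 'spam'; });
        }
        return $commentdata;
    });
}

// Constructed sample submissions so the checks can be exercised from the CLI.
function stallion_style_demo(): array {
    $human   = ['author' => 'Erik', 'email' => 'erik@example.com',
                'url' => 'http://example.com', 'comment' => 'Useful post, thanks.'];
    $browser = ['HTTP_REFERER' => 'http://example.com/some-post/'];
    return [
        'human'      => stallion_style_precheck($human, $browser, true),
        'no_referer' => stallion_style_precheck($human, [], true),
        'bad_nonce'  => stallion_style_precheck($human, $browser, false),
        'honeypot'   => stallion_style_precheck($human + ['website_url' => 'http://spam.example/'], $browser, true),
        'long_url'   => stallion_style_precheck(['url' => 'http://example.com/' . str_repeat('x', 70)] + $human, $browser, true),
    ];
}

if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    foreach (stallion_style_demo() as $case => $verdict) {
        printf("%-11s %s\n", $case, json_encode($verdict));
    }
}
```

Two practical caveats follow from the checks themselves. The Referer test only catches careless bots: any bot can send a Referer header, while real browsers omit it when a URL is pasted or opened in a new tab or when a strict Referrer-Policy is in force, which is why a later comment on this page reports real users tripping it. The nonce check fails for anyone whose copy of the form is older than the nonce lifetime, including anyone served the form from a page cache, so a full-page cache has to expire or be bypassed for pages with open comments. Rejecting with wp_die keeps the comment out of the database entirely, which is the point of measures 1 to 3; the URL-length verdict instead returns 'spam' from pre_comment_approved so a human reviewer still sees it.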
WordPress Comment SPAM Filters
If anyone trips these comment SPAM filters let me know by email (or by comment, if you can get past whatever you tripped). I had one user who tripped the nonce check.
I think it’s a session timing issue which should be resolved with a forced refresh (CTRL F5). I can live with this: the nonce number changes, so if a user has been on the page a long time or the cache hasn’t refreshed it would cause the “Security check failed” message. The rare user being hit with this is worth removing 99.99% of comment SPAM (I’m barely getting any comment SPAM now).
While researching the issue I discovered the HTTP_REFERER check can easily be tripped by opening a URL in a new window/tab or copying and pasting it into a browser window. I might have to remove the HTTP_REFERER check in an update if it’s being tripped by real users this easily; I will first test how much new SPAM gets through with the feature disabled.
David
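Why a cached comment form ends up showing “Security check failed”, as an added stand-alone PHP model that is neither WordPress nor Stallion Responsive code: WordPress derives its nonces from a time tick of half NONCE_LIFE (twelve hours), and wp_verify_nonce accepts the current tick and the one before it, so a nonce stays valid for somewhere between twelve and twenty-four hours depending on when in the cycle it was issued. The code below reproduces that tick arithmetic with a made-up secret and action string (the real wp_create_nonce also mixes in the user id and session token) and runs a constructed timeline of a page cached at two different points in the cycle.

```php
<?php
// Added example, not WordPress or Stallion Responsive code: a model of the
// WordPress nonce lifetime. The tick arithmetic (ceil(now / (NONCE_LIFE / 2)),
// current and previous tick accepted) is WordPress's; the secret, the action
// string and the timeline are made up, and the user id / session token that
// the real nonce also hashes are left out.

const NONCE_LIFE   = 86400;                                // one day, as in WordPress
const NONCE_SECRET = 'example-only-secret-not-a-real-key'; // assumption

function nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

function nonce_for_tick(int $tick, string $action): string {
    // WordPress: substr(wp_hash($tick . '|' . $action . ..., 'nonce'), -12, 10)
    return substr(hash_hmac('md5', $tick . '|' . $action, NONCE_SECRET), -12, 10);
}

function create_nonce(string $action, int $now): string {
    return nonce_for_tick(nonce_tick($now), $action);
}

/** Mirrors wp_verify_nonce: 1 = fresh (0-12 h), 2 = ageing (12-24 h), false = expired or forged. */
function verify_nonce(string $nonce, string $action, int $now) {
    $tick = nonce_tick($now);
    if (hash_equals(nonce_for_tick($tick, $action), $nonce)) {
        return 1;
    }
    if (hash_equals(nonce_for_tick($tick - 1, $action), $nonce)) {
        return 2;
    }
    return false;
}

/** Seconds a form served at $served_at keeps verifying: next-but-one tick boundary minus serve time. */
function nonce_seconds_remaining(int $served_at): int {
    return (int) ((nonce_tick($served_at) + 1) * (NONCE_LIFE / 2)) - $served_at;
}

// Constructed timeline: the same page cached just after a tick boundary and
// just before the next one, then used by visitors 6, 18 and 30 hours later.
function cache_scenarios(): array {
    $boundary = nonce_tick(1700000000) * (NONCE_LIFE / 2);   // an arbitrary tick boundary
    $served   = [
        'cached just after boundary'  => $boundary + 60,
        'cached just before boundary' => $boundary + (NONCE_LIFE / 2) - 60,
    ];
    $out = [];
    foreach ($served as $label => $served_at) {
        $nonce = create_nonce('comment', $served_at);
        $out[$label] = [
            'valid_for_hours'   => round(nonce_seconds_remaining($served_at) / 3600, 2),
            'visitor_after_6h'  => verify_nonce($nonce, 'comment', $served_at + 6 * 3600),
            'visitor_after_18h' => verify_nonce($nonce, 'comment', $served_at + 18 * 3600),
            'visitor_after_30h' => verify_nonce($nonce, 'comment', $served_at + 30 * 3600),
        ];
    }
    return $out;
}

if (PHP_SAPI === 'cli') {
    foreach (cache_scenarios() as $label => $r) {
        printf("%-28s valid %5.2f h; after 6h: %s, 18h: %s, 30h: %s\n", $label, $r['valid_for_hours'],
            var_export($r['visitor_after_6h'], true), var_export($r['visitor_after_18h'], true),
            var_export($r['visitor_after_30h'], true));
    }
}
```

The numbers it prints are the practical limit for full-page caching of anything that carries a comment nonce: a cached copy is safe for twelve hours at most, and after that the first visitor to submit from it fails the check, which is exactly the symptom reported above. Keep the cache TTL under twelve hours, exclude pages with open comments from the cache, or have the form fetch a fresh nonce on load (at the cost of the JavaScript the post is trying to avoid).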
Security check failed message
Hi Dave, over the past few weeks I have started getting emails from blog readers saying that they are seeing the “security check failed” warning and are not able to post their comment.
This has happened with at least one regular commenter who comments a lot, the other(s) may not be regular (to give you a number, I have been told about this 2-3 times the past few weeks, after never being notified by anyone before, and I’d assume that those are just the ones that are taking the trouble to tell me so there are probably more).
Is this warning message generated by Stallion’s additional spam protection, or is it WordPress? Just trying to determine where the issue might be originating.
Thanks,
Erik
Stallion Responsive Comment SPAM Checks
You are still running an old version of Stallion Responsive right?
That was a bug with an earlier version, fixed in the latest versions.
If you don’t want to upgrade you’ll have to turn the Stallion SPAM checks off.
David
WordPress Comment SPAM Stopped
It’s a bit disconcerting logging into a WordPress blog and finding no comment SPAM after years of expecting new comment SPAM hourly. I’ve had times where between clicking Empty SPAM, WordPress deleting the SPAM and WordPress loading the SPAM folder page, dozens of new SPAM comments had already been added to the database!
Early days, but the new Stallion Responsive 8.1 SPAM filters appear to have stopped all SPAM; I just have to get used to not thinking WordPress comments are broken because I have no SPAM :-)
This site received up to 1,000 SPAM comments a day, so I just have to wait for some to get through so I have something to analyze and can check why.
David
Stallion Responsive Important SPAM Filter Bug
A Stallion Responsive user has found a bug in the SPAM comment filters built into Stallion Responsive.
When under “Stallion Theme” >> “SEO Advanced Options”
These three settings are set:
“Hikari Comment Titles ON**”
“Author Links ON”
“Block Comment SPAM ON**”
If any of these are OFF it’s not an issue: on this site I have “Author Links OFF”, so this site not affected by the bug.
and a commenter writes a comment without adding an author URL AND without a comment title (both have to be blank), one of the SPAM filters for blocking SPAMbots trips and the commenter gets this error message:
“Sorry, two or more comment fields have the same content which suggests you are a SPAMbot, go back and make all comment fields unique.”
I coded for this, but it’s not working (I haven’t checked why yet).
Stallion Responsive option fix:
Under “Stallion Theme” >> “SEO Advanced Options” set
“Block Comment SPAM OFF”
This turns off all spam filters, so you would need something like Akismet (it’s a performance hit using it) for dealing with SPAM.
Code fix
Or, for a temporary fix until I figure out why my code isn’t working, edit:
/stallion-responsive/plugins/stallion-stop-stupid-spambots.php
change the line:
to
Update: don’t do the above, have a proper fix, see bottom of comment.
This disables the comment title and author URL duplicate check completely, but leaves the rest of the SPAM checks intact.
This won’t be the end bug fix for this, I’ll figure out where my code has gone wrong and fix it so that check won’t trip when both are blank.
I’ve been working on the Stallion Responsive 8.2 update, since this is an important bug (very easy to trip) I’ll speed up the release schedule on 8.2.
Working on a social media feature (not an easy one to code) and want to get it done for the next update.
David
Update: It wasn’t hard to fix; it took 10 minutes to find and fix.
edit:
/stallion-responsive/plugins/stallion-stop-stupid-spambots.php
find the lines:
And change to this code:
This will be the Stallion Responsive 8.2 bug fix. This adds an additional check for blank fields, and before comparing gives any that are empty a temporary unique string of text so two blank fields won’t trip the SPAM filter.
David
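The bug and the fix described in this comment, as an added PHP example rather than the theme’s own stallion-stop-stupid-spambots.php (which the page does not reproduce): a pairwise duplicate-field check over five comment fields (the field names are assumptions; five fields give the ten comparisons mentioned in an earlier comment), first as described before the fix, where two blank optional fields compare equal, and then with each blank field replaced by its own placeholder before comparison. The two submissions at the bottom are constructed.

```php
<?php
// Added example, not Stallion Responsive's code: the duplicate-field check in
// its buggy form (two empty fields are "the same content") and in the fixed
// form described in the update (empty fields get a unique placeholder before
// they are compared). The field names are assumptions.

const COMMENT_FIELDS = ['author', 'email', 'url', 'comment', 'title'];

/** Returns the first pair of field names with identical (trimmed) content, or [] if none. */
function find_duplicate_pair(array $fields): array {
    $names = array_keys($fields);
    $n = count($names);
    for ($i = 0; $i < $n; $i++) {
        for ($j = $i + 1; $j < $n; $j++) {
            if (trim((string) $fields[$names[$i]]) === trim((string) $fields[$names[$j]])) {
                return [$names[$i], $names[$j]];
            }
        }
    }
    return [];
}

/** Buggy: compares the raw fields, so a blank URL and a blank title trip the check. */
function duplicate_check_buggy(array $post): array {
    $fields = [];
    foreach (COMMENT_FIELDS as $name) {
        $fields[$name] = $post[$name] ?? '';
    }
    return find_duplicate_pair($fields);
}

/** Fixed: every blank field is replaced by its own placeholder before comparing. */
function duplicate_check_fixed(array $post): array {
    $fields = [];
    $i = 0;
    foreach (COMMENT_FIELDS as $name) {
        $value = trim((string) ($post[$name] ?? ''));
        $fields[$name] = ($value === '') ? "__empty_field_{$i}__" : $value;
        $i++;
    }
    return find_duplicate_pair($fields);
}

// Constructed submissions: a human who left the optional fields blank, and a
// bot that pasted the same link into every box it could.
function duplicate_check_demo(): array {
    $human = ['author' => 'Erik', 'email' => 'erik@example.com', 'url' => '',
              'comment' => 'Thanks, useful post.', 'title' => ''];
    $bot   = ['author' => 'http://spam.example/buy', 'email' => 'x@spam.example',
              'url' => 'http://spam.example/buy', 'comment' => 'http://spam.example/buy', 'title' => ''];
    return [
        'human_buggy' => duplicate_check_buggy($human),
        'human_fixed' => duplicate_check_fixed($human),
        'bot_buggy'   => duplicate_check_buggy($bot),
        'bot_fixed'   => duplicate_check_fixed($bot),
    ];
}

if (PHP_SAPI === 'cli') {
    foreach (duplicate_check_demo() as $case => $pair) {
        printf("%-12s %s\n", $case, $pair ? 'TRIPPED on ' . implode(' = ', $pair) : 'passes');
    }
}
```

Run from the command line, the human submission with an empty URL and an empty title trips only the buggy version (url equals title), while the bot that pasted its link into the author and URL boxes trips both versions. Trimming before comparison means a field holding only whitespace counts as blank and gets a placeholder too. Inside WordPress the result would be used like the other rejecting checks: a non-empty pair means a wp_die with the message quoted above, and nothing reaches the database.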