You can defend against spam in several ways:
• Forbidding all comments. This is obviously a drastic, ironclad approach. To
disable comments, you turn off the “Allow people to post comments on new
articles” checkbox on the Settings→Discussion page. But be warned that if you
do, you’ll sacrifice the lively conversation your visitors expect.
Verdict: An extreme solution. The cure is worse than the disease.
• Using moderation. This is the default WordPress approach, and it’s the one
you learned about in this chapter. The problem is that you just can’t keep
moderating a site that’s growing in size and popularity—it becomes too labor-intensive.
It also has a distinct drawback: It forces commenters to wait before
their comment appears on your site, by which point they may have lost interest
in the conversation.
Verdict: Not practical in the long term, unless you combine it with a spam-catching
tool (like Akismet, which you’ll meet in a moment).
• Forcing commenters to log in (for self-hosted sites only). To use this approach,
you need to add each visitor’s ID to your WordPress site, or create some
way for them to register on your site themselves. This approach definitely isn’t
suitable for the average public blog. However, it may work if you have a small,
captive audience—for example, if you’re building a site for family members only,
or for a team of coworkers.
Verdict: For special cases only. You’ll learn about multiuser blogs in Chapter 11.
• Making commenters log in, but allowing third-party log-ins. A third-party
login verifies your guests through an authentication service—typically one
provided by WordPress.com, Facebook, or Twitter. This requirement may work,
because many people already have Facebook or Twitter accounts that they don’t
mind using (whereas they definitely won’t bother creating a new account just to
leave a single comment). Still, forcing logins may drive away as many as half of
your would-be commenters. And it’s still not truly spam-proof, because clever
spam-bots can create Facebook accounts, just like real people can.
Verdict: A good idea, but not a complete spam-fighting solution.
• Using Akismet or another spam-catching plug-in. Many WordPress administrators
swear that their lives would not be livable without the automatic spam-detecting
feature of Akismet. It isn’t perfect—some site owners complain that
legitimate comments get trashed, and they need to spend serious time fishing
them out of the spam bucket—but it usually gives the best spam protection with
the minimum amount of disruption to the commenting process.
Verdict: The best compromise. It’s also essential if you turn off moderation.
The pros and cons of managing comments by moderation versus spam-fighting are
a lot to digest, even for seasoned webheads. But the evidence is clear: Most WordPress
pros eventually start using a spam-catching tool. They may use it in addition
to moderation, or—more likely—instead of it.
NOTE If you don’t have a spam filter, you are the spam filter. And given that an ordinary WordPress site
can attract dozens of spam messages a day, you don’t want to play that role.
If you’re ready to ditch comment moderation in favor of a livelier, more responsive,
and less controlled discussion, choose Settings→Discussion and turn off the checkboxes
next to these settings: “An administrator must always approve the comment”
and “Comment author must have a previously approved comment.” Then click Save
Changes at the bottom of the page.
WordPress’s Other Spam-Catching Options
WordPress has a few built-in spam-fighting options on the
Settings→Discussion page. In the past, they were a practical
line of defense that could intercept and stop a lot of junk comments.
Unfortunately, spamming evolved in the intervening
years, and now these settings are only occasionally useful.
• “Hold a comment in the queue if it contains 2 or more
links.” Use this setting to catch posts that have a huge
number of links. The problem is that spammers are on to
this restriction, so they’ve toned down their links to make
their spam look more like real comments.
• The Comment Moderation and Comment Blacklist boxes.
Try these boxes, described earlier (page 253), as a way
to keep out offensive text. They also double as a way
to catch spam. However, don’t rush to put in obvious
spammy keywords, because you’ll just end up doing a
clumsier version of what Akismet already does. Instead,
consider using these boxes if you have a spam problem
that’s specific to your site—for example, a certain keyword
that keeps coming up when spammers target your posts.
• “Automatically close comments on articles older than
14 days.” Unless you set it, this option isn’t switched on.
However, it’s a potentially useful way to stop spammers
from targeting old posts, where the conversation has
long since died down. And you don’t need to stick to
the suggested 14 days. You can type in any number,
even making the lockout period start a year after you
publish a post.
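To see how the three built-in options above interact, and why a one-link spam comment slips past the link threshold, here is a simplified model of them. It is an added illustration, not WordPress's own code: the function names, the keyword lists, the sample comments, and the "count bare URLs" rule are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Assumed values standing in for the Settings→Discussion options described above.
MAX_LINKS = 2                    # hold a comment with this many links or more
CLOSE_AFTER_DAYS = 14            # close comments on posts older than this
MODERATION_WORDS = ["replica"]   # constructed site-specific keyword: hold for review
BLACKLIST_WORDS = ["casino-bonus"]  # constructed keyword: reject outright

LINK_RE = re.compile(r"https?://", re.IGNORECASE)  # simplification: count bare URLs


def triage(text, post_published, now):
    """Return 'closed', 'blocked', 'hold' or 'approve' for one comment."""
    if now - post_published > timedelta(days=CLOSE_AFTER_DAYS):
        return "closed"                      # old post: no new comments at all
    lowered = text.lower()
    if any(word in lowered for word in BLACKLIST_WORDS):
        return "blocked"
    if len(LINK_RE.findall(text)) >= MAX_LINKS:
        return "hold"                        # link threshold reached
    if any(word in lowered for word in MODERATION_WORDS):
        return "hold"                        # site-specific keyword matched
    return "approve"


def run_samples():
    """Triage six constructed comments; returns the list of outcomes."""
    now = datetime(2024, 6, 15)
    fresh, old = now - timedelta(days=3), now - timedelta(days=40)
    samples = [
        ("Great post, thanks for the walkthrough!", fresh),
        ("See http://a.example and http://b.example today", fresh),
        ("Nice article. More at http://a.example", fresh),  # one link: under the threshold
        ("Best replica watches here", fresh),
        ("Claim your casino-bonus now", fresh),
        ("Great post", old),
    ]
    return [triage(text, published, now) for text, published in samples]


if __name__ == "__main__":
    print(run_samples())
```

The third sample is approved even though it carries a promotional link, which is the gap the sidebar describes and the reason a content-based filter such as Akismet is still needed.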