What to Do When Your Blog is Buried in Pending Comments

Spammy comments are a danger to any blog. If visitors find
your site choked with spam, they’re far less likely to keep
reading or make a return visit.
But even if spam comments aren’t approved, they can still
pose a problem for your site. First, they clog your Comments
page in the dashboard, making it harder for you to find the
real comments. And because WordPress stores them in its
database, they can bloat it with meaningless content, wasting
space on your web host and making it more difficult and
time-consuming to back up your site.
The solution seems obvious—just delete all the spam—but it’s
not always so easy. If your site has the misfortune to fall victim
to an automated spam-spewing tool, you can find yourself with
thousands or even hundreds of thousands of spam comments
in short order. (It’s happened to us.) So what’s a WordPress
administrator to do?
If you use a spam-catching plug-in like Akismet, spam comments
end up in the spam folder. The good news is that you can
clean out all your spam with just a few clicks. In the dashboard
menu, click Comments, and then click the Spam link at the top
of the list. Finally, click the Empty Spam button. (Even better,
get your spam catcher to automatically clean out old spam, as
explained on page 280.)
If you’re not using a spam-catching plug-in, you’ve got a bigger
problem on your hands. That’s because the spam comments
will be pending comments, and the dashboard doesn’t provide
a way to delete a huge number of pending comments at once.
Even bulk actions can act on no more than a single page of
comments at a time. At that rate, deleting thousands of spam
comments is a several-day affair.
There are two solutions. First, you can use a plug-in that
removes all pending comments, such as WP-Optimize (http://tinyurl.com/wp-opti).
Or, if you’re a tech-savvy person who’s not intimidated by the idea
of diving into your WordPress database and fiddling around, you
can use a tool like phpMyAdmin to peer into your database and
remove the junk. To get started in this endeavor, read the
walkthrough at http://tinyurl.com/deletepen2.

Fighting Spam with CAPTCHA

Some WordPress administrators find that a traditional spam-analysis tool like Akismet
isn’t enough to stop the inevitable avalanche of spam. Others find that Akismet
consistently flags good comments as spam, creating a different sort of comment-moderation
headache. If you’re in the first camp, you might want to supplement
Akismet with something else. If you’re in the second camp, you might want to try
switching Akismet off and plugging the hole with a different tool.
Either way, one good candidate is a Captcha (which computer nerds translate into
the phrase “Completely Automated Public Turing test to tell Computers and Humans
Apart”). The idea behind Captcha technology is to force commenters to do something
that automated spam-bots can’t, at least not easily. If you’ve ever registered with
a site that asks you to retype a set of fuzzy letters or distorted words, you’ve seen
Captcha in action. Facebook, Hotmail, and Gmail all use it, for example.
The problem with Captchas is twofold. First, there’s no Captcha that’s too hard for
some spambot to crack. Second, there’s no Captcha that’s so easy that it won’t annoy
your readers, at least a little. But if you use an easy, unobtrusive Captcha, you just
might be able to reduce spam to more manageable proportions, without annoying
your visitors too much. (Hint: You don’t want to use the fuzzy letter system.)
To add a Captcha, you need to be running a self-hosted WordPress site, and you
need to add a plug-in. If you search the WordPress plug-in repository, you’ll find
dozens. Here are three worth considering:
• Growmap Anti-Spambot (http://tinyurl.com/growmapspam). This is almost
the simplest Captcha you can use. It simply asks the commenter to check a
checkbox. Thus, it annoys almost no one but still trips up the majority of automated
spam-bots.
• CAPTCHA (http://tinyurl.com/wp-captcha). This generically named plug-in lets
you use simple math questions, like “seven + 1.” Yes, shockingly enough, some
would-be commenters will still manage to get these questions wrong. However,
it won’t drive visitors away as quickly as a fuzzy-word-reading test.
• Anti-CAPTCHA (http://tinyurl.com/wp-anticaptcha). This plug-in performs
an invisible test. Essentially, it asks a guest’s web browser to run a snippet of
JavaScript. That snippet then sets a hidden value in the web page. Automated
spam-bots usually ignore JavaScript code, so they won’t be able to set the hidden
value that Anti-CAPTCHA looks for, and thus they’ll fail the test. Overall,
this plug-in catches the least amount of spam, but it presents no inconvenience
to your readers.
Remember, CAPTCHA isn’t foolproof. It won’t stop human spammers (who typically
account for less than 10 percent of all spam), and it won’t stop the sneakiest spambots.
However, it can reduce the total amount of spam enough to improve your life.

Using Akismet

Akismet integrates so seamlessly into WordPress’s comment system that you might
not even realize it’s there. It takes over the comments list, automatically moving
suspicious comments to the spam folder and publishing everything else.
To give Akismet a very simple test, sign out of your site, and then try adding a few
comments. If you enter ordinary text, the comment should sail through without a
hiccup. But type in something like “Viagra! Cialis!!” and Akismet will quietly dispose
of your comment.
Just because you disabled moderation and started using Akismet doesn’t mean your
comment-reviewing days are over. Once your site is up and running with Akismet,
you should start making regular trips to the Comments section of the dashboard.
Only now, instead of reviewing pending comments that haven’t been published, you
should click the Spam link and check for any valid comments that were accidentally
removed. If you find one, point to it and click the Not Spam link. If you find several,
you can restore them all with a bulk action—first, turn on the checkboxes next to
the comments, pick Not Spam from the Bulk Actions list, and then click Apply. You’ll
soon get a feeling for how often you need to check for stray messages.

Understanding Akismet

Akismet is one of many spam-fighting plug-ins developers created for WordPress.
However, it has a special distinction: Automattic, the same folks who built WordPress,
makes it. It’s also the only spam-blocking tool with which WordPress.com blogs work.
Akismet works by intercepting each new comment. It sends the details of that comment
(including its text and the commenter’s website, email, and IP addresses) to
one of Akismet’s web servers. There, the server analyzes it, using some crafty code
and a secret spam-fighting database, to attempt to determine whether it’s legitimate.
Any one of a number of details can betray a spam message, including links to
known spam sites, a known spammer IP address, phrases commonly found in spam
messages (“free Viagra” for instance), and so on. Akismet quickly makes its decision
and reports back to your website. Your site then either publishes the comment or
puts it in the Spam folder, depending on Akismet’s judgment.
WordPress experts report that Akismet’s success rate hovers at around 97 percent.
Usually, when Akismet errs, it does so by flagging a safe comment as spam (rather
than allowing real spam through). However, Akismet’s success depends on the site
and the timing. When spammers adjust their tactics, it may take Akismet a little
time to catch up, during which its accuracy will drop.

NOTE Akismet uses an honor system, and there are plenty of sites that earn a bit of money but don’t pay
the Akismet fee. If you want a totally free business-friendly solution for a self-hosted site, you need to find a
different plug-in. Several good alternatives are described in the box below.

Akismet Alternatives

I need a spam-catching tool, but I don’t want Akismet. Are
there other options?
If you run a self-hosted WordPress site, there’s no shortage
of spam-fighting plug-ins. Unlike Akismet, many are free for
almost everyone. (Some plug-in developers collect donations,
charge for only the highest-traffic sites, or make extra money
charging support fees to big companies. Others do it simply
for the prestige.)
Two caveats apply. First, if you plan to use Jetpack’s social
commenting feature (page 270), which lets visitors comment
using their Facebook and Twitter identities, your options are
limited. Currently, Akismet is the only spam fighter that works
with these identities.
Second, it’s impossible to know which anti-spam tool is the best
for your site—you need to try them out yourself. Anti-spam
developers and spammers are locked in an ever-escalating
arms race. The spam blocker that works perfectly this week
might falter the next week when clever spammers work around
its detection rules.
Three good Akismet alternatives include:
• Anti-spam (http://tinyurl.com/wp-anti-spam)
• Antispam Bee (http://antispambee.com)
• AVH First Defense Against Spam (http://tinyurl.com/avhspam)

Spam-Fighting Strategies

You can defend against spam in several ways:

• Forbidding all comments. This is obviously a drastic, ironclad approach. To
disable comments, you turn off the “Allow people to post comments on new
articles” checkbox on the Settings→Discussion page. But be warned that if you
do, you’ll sacrifice the lively conversation your visitors expect.
Verdict: An extreme solution. The cure is worse than the disease.

• Using moderation. This is the default WordPress approach, and it’s the one
you learned about in this chapter. The problem is that you just can’t keep
moderating a site that’s growing in size and popularity—it becomes too labor-intensive.
It also has a distinct drawback: It forces commenters to wait before
their comment appears on your site, by which point they may have lost interest
in the conversation.
Verdict: Not practical in the long term, unless you combine it with a spam-catching
tool (like Akismet, which you’ll meet in a moment).

• Forcing commenters to log in (for self-hosted sites only). To use this approach,
you need to add each visitor’s ID to your WordPress site, or create some
way for them to register on your site themselves. This approach definitely isn’t
suitable for the average public blog. However, it may work if you have a small,
captive audience—for example, if you’re building a site for family members only,
or for a team of coworkers.
Verdict: For special cases only. You’ll learn about multiuser blogs in Chapter 11.

• Making commenters log in, but allowing third-party log-ins. A third-party
login verifies your guests through an authentication service—typically one
provided by WordPress.com, Facebook, or Twitter. This requirement may work,
because many people already have Facebook or Twitter accounts that they don’t
mind using (whereas they definitely won’t bother creating a new account just to
leave a single comment). Still, forcing logins may drive away as many as half of
your would-be commenters. And it’s still not truly spam-proof, because clever
spam-bots can create Facebook accounts, just like real people can.
Verdict: A good idea, but not a complete spam-fighting solution.

• Using Akismet or another spam-catching plug-in. Many WordPress administrators
swear that their lives would not be livable without the automatic spam-detecting
feature of Akismet. It isn’t perfect—some site owners complain that
legitimate comments get trashed, and they need to spend serious time fishing
them out of the spam bucket—but it usually gives the best spam protection with
the minimum amount of disruption to the commenting process.
Verdict: The best compromise. It’s also essential if you turn off moderation.

The pros and cons of managing comments by moderation versus spam-fighting are
a lot to digest, even for seasoned webheads. But the evidence is clear: Most WordPress
pros eventually start using a spam-catching tool. They may use it in addition
to moderation, or—more likely—instead of it.

NOTE If you don’t have a spam filter, you are the spam filter. And given that an ordinary WordPress site
can attract dozens of spam messages a day, you don’t want to play that role.

If you’re ready to ditch comment moderation in favor of a livelier, more responsive,
and less controlled discussion, choose Settings→Discussion and turn off the checkboxes
next to these settings: “An administrator must always approve the comment”
and “Comment author must have a previously approved comment.” Then click Save
Changes at the bottom of the page.

WordPress’s Other Spam-Catching Options

WordPress has a few built-in spam-fighting options on the
Settings→Discussion page. In the past, they were a practical
line of defense that could intercept and stop a lot of junk comments.
Unfortunately, spamming evolved in the intervening
years, and now these settings are only occasionally useful.
They include:

• “Hold a comment in the queue if it contains 2 or more
links.” Use this setting to catch posts that have a huge
number of links. The problem is that spammers are on to
this restriction, so they’ve toned down their links to make
their spam look more like real comments.

• The Comment Moderation and Comment Blacklist boxes.
Try these boxes, described earlier (page 253), as a way
to keep out offensive text. They also double as a way
to catch spam. However, don’t rush to put in obvious
spammy keywords, because you’ll just end up doing a
clumsier version of what Akismet already does. Instead,
consider using these boxes if you have a spam problem
that’s specific to your site—for example, a certain keyword
that keeps coming up when spammers target your posts.

• “Automatically close comments on articles older than
14 days.” Unless you set it, this option isn’t switched on.
However, it’s a potentially useful way to stop spammers
from targeting old posts, where the conversation has
long since died down. And you don’t need to stick to
the suggested 14 days. You can type in any number,
even making the lockout period start a year after you
publish a post.
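As an added illustration (not WordPress’s own code, which is PHP), the following Python models how the three Discussion-page controls above decide a new comment’s fate: link-count holds, Comment Moderation and Comment Blacklist key matching, and auto-closing comments on old posts. The settings values, the URL-counting pattern, the ordering of the checks and the sample-comment helper are assumptions of this example.

```python
"""Illustration of the Settings→Discussion spam controls described in this chapter.
Added example code, not WordPress's own PHP: the matching rules are simplified."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class DiscussionSettings:
    max_links: int = 2                # "Hold a comment in the queue if it contains 2 or more links"
    moderation_keys: list = field(default_factory=list)  # Comment Moderation box, one key per line
    blacklist_keys: list = field(default_factory=list)   # Comment Blacklist box, one key per line
    close_after_days: int = 0         # "Automatically close comments on articles older than ..."; 0 = off
# post_date is when the article was published; submitted is when the comment arrived.
Comment = namedtuple("Comment", "author email url ip content post_date submitted")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def count_links(text):
    """Count URLs in the comment body (WordPress's own counter differs in detail)."""
    return len(URL_RE.findall(text))

def first_matching_key(comment, keys):
    """A key matches if it occurs in the content, author name, URL, e-mail or IP (case-insensitive)."""
    haystacks = [s.lower() for s in (comment.content, comment.author, comment.url,
                                      comment.email, comment.ip)]
    for key in keys:
        needle = key.strip().lower()
        if needle and any(needle in h for h in haystacks):
            return needle
    return None

def triage(comment, settings):
    """Return 'closed', 'trash', 'hold' or 'approve' for a newly submitted comment."""
    if settings.close_after_days and (comment.submitted - comment.post_date
                                      > timedelta(days=settings.close_after_days)):
        return "closed"   # the post's comment form is no longer open
    if first_matching_key(comment, settings.blacklist_keys):
        return "trash"    # blacklist hit: discarded rather than queued
    if count_links(comment.content) >= settings.max_links:
        return "hold"     # too many links: waits in the moderation queue
    if first_matching_key(comment, settings.moderation_keys):
        return "hold"
    return "approve"

# Constructed sample values (not from the book): settings an owner might type, plus a helper
SAMPLE_SETTINGS = DiscussionSettings(max_links=2, moderation_keys=["casino"],
                                     blacklist_keys=["free viagra"], close_after_days=14)

def make_comment(content, days_after_post=1, url="", ip="203.0.113.5"):
    published = datetime(2013, 1, 1)  # constructed publication date of the article
    return Comment("Reader", "reader@example.com", url, ip, content, published,
                   published + timedelta(days=days_after_post))
```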

Facebook and Twitter Comments

Gravatars are a great idea, but they might not be practical for your site because
people might not bother to use them (or they might not even realize how to use
them). No matter—you can give visitors other comment options. For example, you
can let them log into your site using their Facebook or Twitter credentials, and then
post a comment. In such a case, WordPress grabs your guest’s Facebook or Twitter
profile picture and displays it next to that person’s comments.

If your site runs on WordPress.com, you already have the Facebook and Twitter
sign-in feature, and there’s no way to switch it off.
If you run a self-hosted blog, the best way to get Facebook and Twitter comments
is with the Jetpack plug-in (page 297). However, you won’t be able to see the comments
until you explicitly enable them. To do that, click Jetpack in the dashboard
menu. Look for the box named “Jetpack Comments,” and then click the Activate
button inside (Figure 8-21). Incidentally, this setting isn’t just for Facebook and
Twitter users—it also lets anyone with a Google+ or WordPress.com account join in.
TIP You might find that once you enable Jetpack comments, your comment section gets a new background
that doesn’t blend in with the rest of your page. To fix this, choose Settings→Discussion, scroll down to the
Jetpack Comments section, and try different options under Color Scheme. You can pick Light, Dark, or Transparent;
finding the best fit is a trial-and-error process.

Some people turn on Facebook and Twitter comments and enable the “Users
must be registered and logged in to comment” setting (which you can find at
Settings→Discussion). This creates a site that requires commenters to provide a social
identity. When a site owner takes this step, he’s usually thinking something like this:
“I’ve been flexible, and now I want something in return. I’ve given my readers
several good options for establishing their identity (Facebook, Twitter, Google+,
and WordPress.com). By making them use one, I can lock out spammers and force
people to bring their virtual identities to my site.”
Think carefully before you take this step. First, it only partly protects your site against
spam, because many spambots have fake Facebook identities. Second, it guarantees
that you’ll scare away at least some potential commenters, including those who don’t
have a social media account, those who can’t be bothered to log in, and those who
don’t want to reveal their social identities to you.