The power of WordPress’s built-in comment moderation and blacklist, combined with Mr. Michael Hampton’s Bad Behavior plug-in and the little thing called “application/xhtml+xml”, has done so well in the last couple of months that I decided to unlock the comments for most of the articles on this blog.
More than a month has passed since I saw the last comment spam in the moderation queue and I am truly impressed!
Here’s why I believe I can safely reopen comments without being worried about spam anymore:
The Built-in Filters
WordPress (at the time of this writing, version 2.0.7) has these two features, in the “Discussions” menu under the “Options” tab, named “Comment Moderation” and “Comment Blacklist” respectively, which allow me to add to the default list of most common spam words and create a refined filter against spam comments. The “Comment Moderation” list is the one responsible for holding in the moderation queue any comment that contains keywords defined in it and the “Comment Blacklist” is the one that kills, on sight, any comment containing the predefined keywords. It took a little while to shape them into something that would catch anything remotely spam-ish and, at the same time, let through the legitimate comments, but it seems I have managed to find a good balance, since I haven’t gotten any false positives in these last two months. I’ve been picking words out of regular e-mail spam too, as well as taking inspiration from anyone kind enough to share their spam word lists on the internet.
An important factor was turning on the “Before a comment appears author must have a previously approved comment” feature which, although it requires me to check the dashboard more often, is not a real inconvenience, since I don’t get too many comments anyway. Also, I set the number of allowed hyperlinks to 1, which should trigger the moderation queue in 99% of the cases, since spammers perspire URLs wherever they go ;)
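A simplified model of the filtering order described above, as an added Python example; it is not WordPress's own code. The keyword lists, the `triage` function, the substring matching, the e-mail based “previously approved” check and the `>=` link comparison are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Comment:
    author: str
    email: str
    url: str
    content: str

# Constructed sample lists (assumptions); a real blog carries its own keywords.
BLACKLIST = ["casino-bonus", "cheap-pills"]   # killed on sight
MODERATION = ["mortgage", "cialis"]           # held for review
MAX_LINKS = 1                                 # the link setting used in the post

def _matches(comment, keywords):
    # Case-insensitive substring match over every field a spammer controls.
    haystack = " ".join(
        (comment.author, comment.email, comment.url, comment.content)).lower()
    return [k for k in keywords if k.lower() in haystack]

def count_links(text):
    # Counts URL schemes in the body; a deliberately crude link detector.
    return len(re.findall(r"https?://", text, re.IGNORECASE))

def triage(comment, approved_emails,
           blacklist=BLACKLIST, moderation=MODERATION, max_links=MAX_LINKS):
    """Return (decision, reason); decision is 'discard', 'hold' or 'approve'."""
    hit = _matches(comment, blacklist)
    if hit:
        return "discard", f"blacklist keyword: {hit[0]}"
    hit = _matches(comment, moderation)
    if hit:
        return "hold", f"moderation keyword: {hit[0]}"
    links = count_links(comment.content)
    if links >= max_links:
        return "hold", f"{links} link(s), threshold {max_links}"
    if comment.email.lower() not in approved_emails:
        return "hold", "author has no previously approved comment"
    return "approve", "known author, no filter matched"
```

Because matching is by substring in this model, a legitimate comment containing “specialist” is held by the keyword “cialis”, which is why such words belong in the moderation list rather than the blacklist until the list has been tuned.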
Bad Behavior
By far, the most useful, best written WordPress plug-in! In a nutshell, it denies access to any spam bots trying to sneak in, kicking them back to the originating location. It will let through anything that is not a known spam bot (or behaving like a spam bot) which basically means that it is invisible —or insensitive?— to humans… I’m not really good with this sort of technical stuff so, for more information, visit the Bad Behavior website (or just Google for “bad behavior”).
Which leaves only the lo-tech spammers, those who actually visit the blog and attempt to post the comments manually. This is where I believe the little thing called “application/xhtml+xml” shows up and takes care of the rest.
application/xhtml+xml as a Weapon
Let’s face it, 99.9% of the spammers are using Windows and 99.9% of them are using Micro$oft’s piece of shit known as Internet Explorer. Which happens to choke on web pages served as application/xhtml+xml (with whatever flavor of DOCTYPE). Additionally, my websites are presented in Internet Explorer with a very basic, below plain-vanilla CSS, which literally makes them very ugly and difficult to navigate. It takes approximately three scrolls to find any link that might take you to something along the lines of a comment form and three–four additional scrolls once you reach the respective page. Not only that, but the forms look kinda awkward too (I’m doing it on purpose, actually, since I have no intention to make it easier for the stubborn ones who persist in using that fuck-up so-called browser).
So, after the awesome shield held by Bad Behavior, the equally thorough filters built into WordPress —helped by the settings I mentioned above— and the usability/accessibility deterrent posed by the MIME type, there is little spammers can do with this website here. “Little” being a way of putting it, since, as I was saying, I haven’t received a single spam comment in the last two months.
Therefore, I decided no more locks are needed and I’ve reopened the comments on pretty much every article posted so far.
I am very optimistic about this and I think I won’t regret this decision, because there is one more weapon I have at my disposal —but haven’t had the need to use so far: Akismet. Which is also built into WordPress and all it takes is a click and a “Save Settings” to be unleashed.
And that’s all. I’m happy, the comment forms are happy too, everybody’s happy and the whole world is a pink, shiny, sweet, carefree, hippy–style happy-go-lucky, fluffy fucking thing.