Is it Spam? This week in Comment Spam

Every web, blog or social site is interested in attracting visitors. Generally, visitors find sites by using search engines. Improving the likelihood that your site will be among the links a search engine returns is thus extremely valuable to every site, especially ones that earn revenue from visitors. The higher your ranking is, the more likely your web site or hyperlink will appear on the initial page a search engine presents to users.

As with any other digital commodity that legitimate businesses value, criminals will inevitably attempt to profit by gaming ranking systems: this misbehavior is called spamdexing. Sites that allow comments are frequent targets for spammers who submit comments that serve no purpose other than to insert a hyperlink that points to a spammer's site. Comment spam shares many characteristics of mail spam, as these samples from my comment moderator panel at Typepad illustrate:


If published, these comments would include hyperlinks to health improvement products. Some may be scams. It doesn't matter: the comments contribute nothing, or may pose a risk to your visitors. And the mere existence of comment spam on your blog or site suggests that you don't pay attention to comments.

Show your visitors that you pay attention to your blog:


Moderate comments. Set up your submission form so that you can review comments before you publish them.

Require a sign-in or CAPTCHA for comments. These don't dissuade all comment spammers but they may defeat automated spamdexing.

Delete questionable comments. Treat this as a coarse filtering activity and be aggressive. You're better off having fewer comments at your site than frivolous, unrelated, poorly composed ones. 

Report Spam. Many blog or web publishing platforms have a comment moderation panel. If you're confident a comment is spam, report it. If you're uncertain, you can err on the side of caution and delete it, or you can check the embedded links against comment spam block lists.

Projecthoneynet.org offers an IP check and a directory of comment spammer IPs. To use it, extract the domain name from the URL, use dig or nslookup to resolve the name to an IP address, and check that address. If you are being targeted for comment spam, or the volume is too large to manage without automation, consider implementing some of the other Projecthoneynet services: subscribe to and use the blacklist (http:BL), install a honeypot, or, if you don't have administrator privileges and cannot install a honeypot, consider a Quicklink.
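The check described above, as an added example that is not part of the original post: a Python helper that pulls the host out of a comment link, resolves it, builds the http:BL DNS query (the zone dnsbl.httpbl.org and the 127.days.threat.type answer layout are the service's documented conventions) and turns the answer into a moderation verdict. The access key, the thresholds and the host names are constructed placeholders, and the resolver is injectable so the logic can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# DNS zone of the http:BL service; the access key is a constructed placeholder.
HTTPBL_ZONE = "dnsbl.httpbl.org"
PLACEHOLDER_KEY = "abcdefghijkl"
# Visitor-type bits carried in the last octet of an http:BL answer.
TYPE_BITS = {1: "suspicious", 2: "harvester", 4: "comment spammer"}

def hostname_from_url(url):
    """Extract the host from a link found in a comment (scheme optional)."""
    return urlparse(url if "://" in url else "http://" + url).hostname

def httpbl_query_name(ip, access_key=PLACEHOLDER_KEY):
    """Build the lookup name: <key>.<reversed IPv4 octets>.<zone>."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join([access_key, *reversed(octets), HTTPBL_ZONE])

def decode_httpbl_answer(answer):
    """Decode a 127.<days>.<threat>.<type> answer; None means not listed."""
    if answer is None:
        return None
    first, days, threat, kind = (int(x) for x in answer.split("."))
    if first != 127:
        raise ValueError("unexpected http:BL answer: " + answer)
    # type 0 is a known search engine (the second octet then identifies which one)
    types = ["search engine"] if kind == 0 else [n for b, n in TYPE_BITS.items() if kind & b]
    return {"days": days, "threat": threat, "types": types}

def dns_lookup(name):
    """Live resolver: NXDOMAIN (gaierror) is the 'not listed' answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_comment_link(url, resolve=dns_lookup, max_threat=25, max_days=30):
    """Classify one link as 'block', 'review' or 'allow' (thresholds are assumptions)."""
    host = hostname_from_url(url)
    ip = resolve(host) if host else None
    if ip is None:
        return "review", {"reason": "host does not resolve"}
    info = decode_httpbl_answer(resolve(httpbl_query_name(ip)))
    if info is None or "search engine" in info["types"]:
        return "allow", info
    recent = info["days"] <= max_days
    if recent and ("comment spammer" in info["types"] or info["threat"] >= max_threat):
        return "block", info
    return "review", info
```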

Use These WordPress Plugins to Help Secure Your Site

Part I of guest Kim Crawley's multi-part series presented a multi-tiered strategy for protecting sites that run the popular open source WordPress content management system. In Part II, Kim examines plug-ins you can add to further improve WordPress security.


In How to Protect Your WordPress Site from Hackers, I explain that securing your web site's OS, web server, WordPress CMS, and PHP content will reduce your risk of falling victim to the kinds of attacks we describe in How Hackers Target and Attack Your Site. There are also a number of WordPress plug-ins that I recommend you install, and configuration choices I recommend you make. When used properly, these can harden your WordPress site very effectively.

(Note: Only install plug-ins offered through your admin panel or under the plug-in directory at http://wordpress.org. Officially released plug-ins are audited for security and scanned for malware. Third party plug-ins may be secure, but it’s best not to take the risk.)

Follow these five steps to further secure your WordPress site from attack.

Scan for Vulnerabilities

In Part I, I mention the Exploit Scanner plug-in. Run this plug-in regularly against your site to check for vulnerabilities and compromise attempts. Use WP Security Scan along with Exploit Scanner. WP Security Scan checks file permissions, database security settings, and dangerous default settings. The plug-in reports the vulnerabilities it finds and gives specific advice on how to mitigate them.

Keep in mind that attackers are very familiar with WordPress default settings. In Part I, I recommend changing as many WordPress default settings as possible. One often overlooked default setting is URL generation: hackers can identify yours as a WordPress site by the strings common to default generated URLs. To evade this kind of site fingerprinting, consider using the Stealth Login plug-in to create custom URLs for logging in and out of your site.

Secure your Admin Panel

Attackers want to gain access to your Admin panel. Use Login Encryption to encrypt your login credentials. The plug-in uses both the DEA and RSA encryption algorithms to encrypt usernames and passwords and, in doing so, protects your site from man-in-the-middle (MITM) attacks that look to capture "plain text" credentials.

Protect User Logins

Configure the Limit Login Attempts plug-in to prevent brute-force attacks. With this plug-in, you can set a maximum number of login attempts, and also set the duration of the lockouts in between. The User Locker plug-in works in a similar way: you can set a maximum number of invalid authentication attempts before the account is locked.
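The lockout policy these two plug-ins implement, as an added example that is neither plug-in's own code: a small Python limiter that counts failures per key (a client IP, as Limit Login Attempts does, or a user name, as User Locker does), locks the key once the maximum is reached, and keeps it locked for the configured duration even if the correct password is supplied. The numeric policy values are assumptions for the example, and the clock is injectable so the expiry can be tested without waiting.

```python
import time
from collections import defaultdict

# Policy values are assumptions for this example, not either plug-in's defaults.
MAX_ATTEMPTS = 4            # failures allowed before a lockout starts
LOCKOUT_SECONDS = 20 * 60   # how long a lockout lasts
RETRY_WINDOW = 12 * 60 * 60 # failures older than this are forgotten

class LoginLimiter:
    """Tracks failed logins per key (IP or user name) and enforces a timed lockout."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(list)  # key -> timestamps of recent failures
        self.locked_until = {}             # key -> time the lockout ends

    def seconds_locked(self, key):
        """0 if the key may attempt a login, else seconds until the lockout ends."""
        remaining = self.locked_until.get(key, 0) - self.clock()
        return remaining if remaining > 0 else 0

    def record_attempt(self, key, success):
        """Register one attempt; return True if this failure triggered a lockout."""
        now = self.clock()
        if success:
            self.failures.pop(key, None)   # a good login clears the failure count
            return False
        recent = [t for t in self.failures[key] if now - t <= RETRY_WINDOW]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            self.failures[key] = []        # counting restarts after the lockout
            return True
        return False

def attempt_login(limiter, key, password_ok):
    """Gate one login through the limiter: 'locked', 'ok' or 'denied'."""
    if limiter.seconds_locked(key) > 0:
        return "locked"                    # the password is not even checked
    locked_now = limiter.record_attempt(key, password_ok)
    if password_ok:
        return "ok"
    return "locked" if locked_now else "denied"
```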

Another excellent plug-in for securing your site’s login is Chap Secure Login. By using that plugin, all of your login credentials, except for usernames, will be encrypted with the Chap protocol and SHA-256 algorithm.

Take Measures to Thwart Spambots

WordPress sites are frequently targeted by spambots. First and foremost, moderate comments posted to your site. I have to spend a lot of time reviewing comments on my site, and the majority of my pending comments have to be marked as spam. Some comment spam simply attempts to increase linked traffic to an affiliate site, but other comments can include malicious, scam, or phishing URLs.

Install Bad Behavior on your site and log your site’s HTTP requests so that you can better troubleshoot spambot issues. The plug-in can also be used to block access to your site the next time a discovered spambot visits. Use User Spam Remover in combination with Bad Behavior to remove unused user accounts on your site. You can customize how you define "unused user account," and you can also configure a whitelist.

Add Layers of Protection

Some plug-ins are useful to detect or block suspicious activity. Add Block Bad Queries to block malicious queries made to your site. This plug-in looks for suspicious strings such as eval( or base64 in request URIs, and also looks for request strings that are suspiciously long.
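A request filter of the kind the paragraph describes, as an added example and not the plug-in's own code: it flags eval( and base64 in the percent-decoded request URI and over-long requests, then runs those checks over a few constructed access-log lines so the same logic can be used for after-the-fact log review as well as blocking. The length thresholds and the log lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Checks modelled on what the page says Block Bad Queries looks for: "eval("
# and "base64" in the request URI, and over-long requests. The length limits
# are assumptions chosen for this example, not the plug-in's own values.
SUSPICIOUS = re.compile(r"eval\s*\(|base64", re.IGNORECASE)
MAX_URI_LEN = 255
MAX_QUERY_LEN = 255
# Common log format: ip ident user [time] "method uri proto" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')

def normalize(uri):
    """Percent-decode twice (catches double encoding) and drop NUL bytes."""
    return unquote(unquote(uri)).replace("\x00", "")

def inspect_uri(uri):
    """Return the reasons a request URI should be blocked (empty = clean)."""
    reasons = []
    if len(uri) > MAX_URI_LEN:
        reasons.append("request URI too long (%d chars)" % len(uri))
    if len(uri.partition("?")[2]) > MAX_QUERY_LEN:
        reasons.append("query string too long")
    match = SUSPICIOUS.search(normalize(uri))
    if match:
        reasons.append("suspicious token %r in URI" % match.group(0))
    return reasons

def blocked_requests(log_lines):
    """Run inspect_uri over access-log lines; return (ip, uri, reasons) hits."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        ip, _method, uri, _status = m.groups()
        reasons = inspect_uri(uri)
        if reasons:
            hits.append((ip, uri, reasons))
    return hits

# Constructed sample log lines for an offline run (not a real server's log).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET /index.php?p=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Oct/2012:13:55:40 +0000] "GET /?x=ev%61l(1) HTTP/1.1" 200 312',
    '203.0.113.9 - - [10/Oct/2012:13:55:41 +0000] "GET /?s=' + "A" * 300 + ' HTTP/1.1" 200 312',
    '198.51.100.7 - - [10/Oct/2012:13:56:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0',
]
```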

Add an anti-malware shield to your site. The AntiVirus plug-in scans for viruses, worms, rootkits, and other forms of malware. Remember, as with desktop antivirus software, it's important to keep the virus definitions updated.

Closing Remarks

Keeping your WordPress site hardened for security is an ongoing responsibility, just like all other areas of IT and development security. You can’t just configure a number of settings or programs and then forget about it. Your WordPress site should be on a schedule for malware and vulnerability scanning, and logs should be kept and analyzed.

By keeping your WordPress site secure, you’re doing your part to prevent malicious activity that could harm not only websites, but also web servers and users’ PCs, tablets and smartphones. As WordPress is such a common CMS on the web, knowledge about the design and configuration of the console is readily available, and certain hacks could work on perhaps millions of websites. Fortunately, knowledge about WordPress security is abundant, for much the same reasons. In the ongoing maintenance of your website and web server, always be security minded. You can then have proper control over your web content, and do your part to make the Internet a better place.

Infographic: History of WordPress, N.S. Gautham Raj

Hardening WordPress, wordpress.org

Exploit Scanner, wordpress.org

6 simple steps to hardening WordPress, Sam Devol

Hardening WordPress Security: 25 Essential Plugins + Tips, Daniel Smeek

How to Stop Your WordPress Blog Getting Hacked, David SEM Labs

Hardening WordPress Security, Brian Haddock

6 Tips to Secure WordPress from Hackers, John Phillips

Vulnerability Report: WordPress 3.x, Secunia.com