“Cool post. I wrote one similar at [insert link here]. Check it out!”
“Great idea, [user name]. I wrote about this at length on my blog [insert link here].”
“Thanks! [insert link here]”
And my personal favorite: “[insert link here] 🙂 [insert link here] 😉 [insert link here]”
See something you recognize? Of course you do. Anyone who runs an online community of any sort has dealt with spammers. Whether it’s a community run through blog comments or a WP forums-based community, the spam can be ridiculous. Users sign up, throw a boilerplate reply into every thread, and are never seen again. It’s not too hard to stop that kind of WordPress forum spam these days, though.
Preventing WordPress Forum Spam
Spammers tend to be pretty nefarious. We hear a lot of stuff about botnets, machine learning, AI algorithms, and so much more all the time. The folks who end up giving the world so much WordPress forum spam are people who want to get backlinks to their shady sites in any way possible, or to trick people into heading to their online virus incubators in hopes of being today’s lucky winner! or something just as enticing.
In general, there are a couple of preventative measures you can take that are so simple that setting them up may take you no time at all.
Don’t Remove rel=”nofollow”
This one literally takes no time. WordPress automatically adds rel=”nofollow” to any links to comments. Don’t use a plugin to remove it. That’s it. Just leave it alone.
That way, people won’t spam you with comments like the ones above just to get backlinks because you’re offering them low-hanging fruit. And yes, there are ways to use search engines to find WP comments that are dofollow. No, I won’t tell you how.
Keep your Forums Password Protected
If you’re running forums where you can password protect the forum content itself, do it. I don’t mean lock posting behind being a registered user (that can lead to a number of issues in terms of spam registrations), but locking the forum content itself behind a password.
You can do it in different ways depending your forum software. If you have something like WPForo that uses standard WP pages in it, you can always use the Password Protection option under the display options before publishing.
This way, even if you have people trying to register to your site, they can’t actually spam your forums since they can’t access it. (Your real members can get the PW emailed to them or something like that.)
Plus, if Google can’t crawl the page (and it can’t because you didn’t give Big G the password), nothing inside gives away link juice. So the dofollow/nofollow stuff doesn’t even apply.
Use Forum-specific Measures
Some forums like bbPress and BuddyPress (that are basically an official WordPress forums because they’re made by Automattic) have tons of built-in features that you can tweak to help prevent the nasty WordPress forum spam they know is coming. See some of the top forum plugins for WordPress. You can often forums to private and hidden (no-index, too) and close topics and forums except for certain member ranks.
For lots of software, you can even add editing/posting limitations based on time. That way, a spambot can’t post a topic or reply that gets past any filters, then go in and edit their reply once you stop paying attention to include their underhanded links, malicious code, etc.
Check your particular forum’s software and make sure you take advantage of any built-in protections they offer. Any minor inconveniences they may cause (like a shortened window for editing posts) are totally offset by preventing an insurgence of spambots into your community. bbPress itself has a whole codex entry all their anti-WordPress forum spam features. (They take this stuff seriously, apparently.)
Plugins and External Protection
Spammers are pretty savvy, even if they’re despicable. They often find ways to circumvent the security measures we put in place, and most software companies can’t quite keep up. That’s why WP being open-source is awesome because not only does that open up the software itself to a plethora of security updates across multiple companies, but it also gives those same companies a platform to release their products as plugins to us as quickly as they can get them shippable.
WordPress forum spam gets hit pretty hard by some of these plugins. Which means you should totally look into them.
Stop Signup Spam
This one’s cool. The plugin itself is simple: when someone signs up for your site, it runs an API call to the Stop Forum Spam database (yes, one exists, and it’s awesome), and if the user/spambot who’s trying to ruin your day is listed, they don’t get to register. Good stuff, right?
For now, the developer shows support for the core WP registration form, GiveWP, Restrict Content Pro, and MemberPress — all of which are major players in the WP forums scene.
WP-SpamShield
After some drama in 2017 regarding it’s free version, WP-SpamShield relaunched itself as a premium plugin. It only costs $28 USD, so that’s not really much for the security it can provide you. The biggest boon for this plugin is not just that it protects you from a ridiculous amount of spam from behind the scenes (without nasty CAPTCHAs and questions and UX-breaking drudgery).
WP-SpamShield has a great reputation, and it supports integration with nearly every form, registration, membership, and forums software you can think of. The part that I am personally impressed by is how they handle the flagged users. The plugin page says that when something is “blocked as spam, the user is given instant feedback and has a chance to correct” whatever was wrong. That’s how it’s done, y’all.
When your users are treated like people, they feel appreciated. When spambots are treated like people, they…keep being spambots and get blocked from your forums.
Yep, you read it right. Akismet. The default, spam-fighting plugin that comes with each and every new WordPress installation. You definitely, absolutely want this puppy running in the background of your site. Why’s that?
Because it’s proven to work. And because it’s been proven to work, most reputable WordPress forums integrate with it natively. Heck, both bbPress and BuddyPress have dedicated Akismet pages on their respective codices that spell out exactly how the software natively interacts with Akismet.
And because it’s a native (if optional) part of Core, almost every other major forum has it integrated, too. As well as the other major spam blockers. So you rarely run into a conflict between different styles of blocking and filtering (like you do with the Jetpack anti-spam filtering, which is why that one’s not included here, but it is an option you can look into). If your secondary form of protection does happen to have a conflict, most of them have a way to disable Akismet integration without your having to disable Akismet itself.
With all that in mind, it’s probably a good idea to activate Akismet on your site. What have ya got to lose besides a few thousand spambots?
More Information (or install WordPress.)
Spam Will Never End
If it were possible for someone to completely eradicate spam from the internet, I am fairly certain the person who discovered how would win the Nobel Peace Prize. It would be that much of a humanitarian effort. However, since that’s about as likely as faster-than-light space travel, we are stuck figuring out which plugins and practices can filter out as much WordPress forum spam as possible.
No single tool can do it alone. You will probably need to double-up, if not triple-up, on the measures you take as your communities grow larger and larger. Thankfully, there are lots of options out there. If one doesn’t work, just experiment with something else. You’ll find something that works best for you and your community.
What are the most effective methods you’ve found for fighting WordPress forum spam?
Article featured image by Malchev / shutterstock.com
Akismet is not free anymore for anything but personal sites. The price is per month and per site so that really adds up if you run multiple wordpress instances for each client.
After receiving huge numbers of spam registrations with Akismet, I installed Wp-Spamshield and they immediately stopped for all the years I had it. Unfortunately they abandoned the free version when wordpress decided to drop them from the repository. I kept it until it started conflicting with other plugins since it wasn’t being updated anymore. There paid options are too pricey for clients running multiple wordpress instances because you have to pay full price for each.
I’ve now installed Cleantalk which works very well and is cheap. I looked at all the options before installing this one and it’s the winner.
Thank you Keeton!
Very informative article. I’ve never heard about StopForumSpam, This is a great tool.
And yes, spam will never end. i want to leave some info about wpForo Antispam features form my experience. wpForo Antispam is based on many features, it’s not only Akismet.
1. Built-in Antispam system, spam content filtering algorithms (Forums > Tools > Antispam)
2. Option to keep topics and posts unapproved until admin is not reviews and approved
3. Hard control of New Registered users (Forums > Tools)
4. Link and Attachment control
5. Built-in reCAPTCHA api for topics, posts, registration and login forms
6. Integration with Akismet, topic and post content scanning.
Surprisingly, I’ve been paying for the premium 3 site license for Clean Talk for the last 4 years, It sends monthly reports about apparently, blocking thousands of spam incidents. When I look in deleted spam with in WordPress admin, there is never any spam there. Akismet possibly removed it.
In Mid January 2018 I uninstalled and the Clean Talk plugin from all 3 sites, having made the decision not to renew the license and see what happens.
The reason for my decision being, I wasn’t getting any spam prior to installing the premium plugin, of course I have always had Akismet running in the background silently disposing of spam.
But after installing Clean Talk, I received monthly reports claiming to have blocked thousands of Spam.
Currently I have only Akismet running on all 3 sites and have not had one spam incident. All three sites run different forum plugins.
I have used and still use AntiSpam Bee on many client sites in addition to Akismet and never get any spam. Not in comments and not in forums.
Ever since I moved my comments system to Disqus, I’ve seen my spam drop to almost 0… In fact, I probably get 1 spam attempt per month now and it is always captured by Disqus anyway. So I would definitely recommend looking into it.
The downside is that Disqus will slow down your page load speed a bit as well…
But there are many arguments that Disqus comments are bad for SEO (of comments). How would you defy this Disqus issue? I agree that it provides hell lot of improvement to the traditional comments system, but takes away one of the biggest advantage of having good quality discussion under the content.
So far, I haven’t noticed any significant changes to seo caused by it. The comments are indexable now rather than coming through an API, so the discussions that happen can built up the seo content. I shall investigate further and let you know what I find.
I’d be interested to hear about that, too. A case study in that would be amazing to see. I loved using Disqus on my personal stuff, but the slowdown was a bit annoying, and I wasn’t entirely happy with the loss of SEO from the comments. I actually wasn’t aware they had become indexed now. So that’s great news!
We’ve been using the plugin “Anti-Spam by CleanTalk” for the last couple of years and its allowed us to completely do away with CAPTCHA across our entire site (and nobody likes CAPTCHA!). We’ve had no problems with spam on any of our website forms since implementation.
Wow! this plugin is amazing, I did not know it. I already read its features in the plugin repository.
+1 for CleanTalk. Same experience here. I’m surprised it wasn’t mentioned.
Dirt cheap, set it and forget it. I’ve not found anything better.