I’ve been running the WordPress forum plugin bbPress 2 since it was released and have really enjoyed the ease of integration into my WP-based sites. Like all forum software applications, bbPress unfortunately attracts a great deal of spam. The more popular your site gets, the bigger the problem becomes.
As I tend to run small forums, it is important that posting is easy, so I like to have anonymous posting switched on where possible. This of course makes spam management that much harder!
Fortunately there are a few ways to keep the problem under control. In this post I take a look at the plugins I use to keep spam out of my bbPress forums.
Akismet
This plugin comes with WordPress and is a great start when it comes to spam protection. You are probably already using it to protect your posts from spam comments.
Akismet is easy to integrate with bbPress: there is a little tick box near the bottom of the Forum Settings page, so make sure “Use Akismet” is checked.
Stop Spammer Registrations
This is a great little plugin that hooks up with the Stop Forum Spam site. New registration attempts are checked against their central spammer database and are very quickly rejected if there is any history of spam from that IP / email.
The plugin also has a range of other common sense checks, such as looking for sensible header information, checking the time it takes for a bot to navigate the site, etc. And a few sneaky tricks too, such as setting traps and fake forms to trip bots up.
Stop Spammer Registrations goes a long way to solving my spam problem; it brings it right down to a manageable level. However, some rogue posts do get through, and this requires my time to sweep them up – I hate having spam on the forum!
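The three kinds of check described above (a trap field, a minimum form-fill time and a Stop Forum Spam lookup) can be sketched as WordPress registration hooks. This is an added example, not code from the Stop Spammer Registrations plugin; the `sfx_*` field names, the 4-second and one-hour thresholds and the rejection messages are assumptions, and the lookup uses the public Stop Forum Spam JSON API.

```php
<?php
// Added example, not the plugin's code. Field names sfx_* and thresholds are assumptions.

// Read a POST field as a string; arrays and missing keys become ''.
function sfx_field( $key ) {
    return ( isset( $_POST[ $key ] ) && is_string( $_POST[ $key ] ) ) ? trim( wp_unslash( $_POST[ $key ] ) ) : '';
}

add_action( 'register_form', function () {
    $ts = (string) time();
    // Trap field: moved off-screen for people, filled in by bots that complete every input.
    echo '<p style="position:absolute;left:-9999px" aria-hidden="true">';
    echo '<input type="text" name="sfx_website" value="" tabindex="-1" autocomplete="off"></p>';
    // Render time plus a keyed hash, so a client cannot submit a forged older timestamp.
    printf( '<input type="hidden" name="sfx_ts" value="%s">', esc_attr( $ts ) );
    printf( '<input type="hidden" name="sfx_sig" value="%s">', esc_attr( wp_hash( 'sfx|' . $ts ) ) );
} );

add_filter( 'registration_errors', function ( $errors, $login, $email ) {
    $ts      = sfx_field( 'sfx_ts' );
    $elapsed = time() - (int) $ts;

    if ( '' !== sfx_field( 'sfx_website' ) ) {
        $errors->add( 'sfx_trap', 'Registration rejected.' );
    } elseif ( ! ctype_digit( $ts ) || ! hash_equals( wp_hash( 'sfx|' . $ts ), sfx_field( 'sfx_sig' ) ) ) {
        $errors->add( 'sfx_sig', 'Registration rejected.' );
    } elseif ( $elapsed < 4 || $elapsed > HOUR_IN_SECONDS ) {
        // Submitted faster than a person can type, or from a stale or replayed form.
        $errors->add( 'sfx_time', 'Please reload the form and try again.' );
    }
    if ( $errors->get_error_codes() ) {
        return $errors; // Already failing locally; skip the remote lookup.
    }

    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    $url  = 'https://api.stopforumspam.org/api?json&ip=' . rawurlencode( $ip ) . '&email=' . rawurlencode( $email );
    $resp = wp_remote_get( $url, array( 'timeout' => 3 ) );
    if ( is_wp_error( $resp ) ) {
        return $errors; // Fail open: a lookup outage must not block real sign-ups.
    }
    $data = json_decode( wp_remote_retrieve_body( $resp ), true );
    foreach ( array( 'ip', 'email' ) as $kind ) {
        if ( ! empty( $data[ $kind ]['appears'] ) ) {
            $errors->add( 'sfx_listed', 'Registration rejected.' );
            break;
        }
    }
    return $errors;
}, 10, 3 );
```

Behind a reverse proxy or CDN, `REMOTE_ADDR` is the proxy's address, so the IP half of the lookup only means something once the real client address is restored at the web server. The lookup also sends each applicant's IP and email address to a third party, which belongs in the site's privacy notice.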
Moderation
The moderation plugin allows me to leave my forum alone; I can do my periodic approval of the moderation queue, but mostly my forums can live spam free.
It works by holding back any new posts in a queue; they won’t show on the forum until the post is approved, after which subsequent posts from that user will go through. This is a minor inconvenience to new users but one that most people understand and accept.
Regular users are unaffected and can go about their business.
reCaptcha
I add this one as a bonus; it could be worth a look if other solutions aren’t working for you. reCaptcha requires your forum users to read one of those squiggly words and type in the answer before the post is accepted.
Unfortunately this type of anti-spam device, whilst effective, provides a horrible experience for your users. I would really consider this a last-ditch attempt, or something to use in conjunction with anonymous posting.
It’s not a plugin I have activated at the moment, but it’s there if I need it.
QI Country Block
I resorted to using this on one site that was getting a vast number of spam registrations every day despite having other measures in place. This plugin uses the MaxMind GeoIP database to locate users and associate them with a country.
Depending on how brutal you feel, you can then cut off entire countries at a time until your spam falls to a decent amount. The downside of this is that you may exclude numerous innocent users, but if nothing else this method can be effective.
It’s not perfect though, as spammers are known to rent proxy servers in their target country to get round this type of block. Hopefully such proxies are quickly blacklisted by other services such as StopForumSpam. It is also possible that the GeoIP database will incorrectly identify the source country, so you are very dependent on the accuracy of this database.
Country blocking can work well when your site is targeted directly at one country.
Rename WP Login
Sometimes the simple ideas are the most effective. This proved an instant and long-lasting win on one particular site that was getting 1000s of spam registrations a day. These automated spam scripts are generally set up to look for standard files. There will be a bot crawling the web for WordPress sites, and when it finds them it will start posting to the standard WordPress pages.
In the case of fake user registration a bot will look for wp-login.php. So let’s make sure that file doesn’t exist on our system.
This plugin will ‘rename’ the login page; it doesn’t actually change the name of the file but uses WordPress’s internal functions to rewrite the location of the login form.
The solution is not foolproof. Many fake users are created by real people working for a pittance out in the far East. More sophisticated bots will probably be able to locate the new location, or could at least be re-pointed to the new form by the spammer (remember to change the new page name from time to time!).
Even so, it will cut out the low rent spammers and make life harder for the others.
ZB Block
This isn’t actually a WordPress plugin but rather a security script that you can set up to run every time a WordPress page is loaded.
Installing ZB Block on WordPress is easy enough.
- Upload the script files into a “zbblock” folder
- Run the setup.php script: example.com/zbblock/setup.php
- Follow the instructions and add the generated code to wp-config.php (if you don’t know how to edit wp-config, an alternative method would be to add it to your theme header using the WordPress built-in editor).
The script uses a number of techniques to help protect PHP files from a variety of attacks; it also helps pick up and block spammers.
I would love to hear from other bbPress users, how have you got your forum’s spam problem under control?