Means.Us.Com

Website DIY - tricks and solutions

WordPress: hiding your site from comment spam bots

I recently posted about how automated comment spammers find blogs by using identifying “footprints”.

This follow-up explains how to remove these footprints from your WordPress blog. The last section also shows how to remove another type of footprint that may be used by hackers and future generations of spam bots.

What are Footprints? (a quick refresh):

Search for pages with comment forms on WordPress blogs about cars

“Text footprints” are bits of text on a site’s pages that identify it as, for example, a WordPress blog.

This text is indexed by search engines; so you can use Google to find sites with these footprints.

Blog spamming tools automate this search, harvesting thousands of links for pages with comment forms.

3 commonly used WordPress footprints.

If you are using WordPress your pages may contain some of the text shown in the image to the left.

These are the 3 footprints most commonly used by spam bots to find WordPress sites.

By removing these footprints you could drastically reduce automated spam.

Removing footprints will not stop spam instantly. Google will continue to list your site in footprint search results until it has re-crawled and re-indexed your pages.

Removing footprints by using a theme’s custom settings:

1. Part of the job may have been done for you: Some themes remove the WordPress Tagline or change the comment form text. This blog uses Trending (by Theme Hybrid); it doesn’t display the message about email address (but does display the other 2 footprints). My other blog uses Themify’s iTheme2 and, unmodified, displays all 3 footprints.

2. Most themes can be customised, to some extent, via the WordPress Dashboard. Your theme may allow you to remove the WordPress Tagline or alter comment form text.

Trending: Appearance -> Themes -> Customize

The Trending Theme allowed me to customise the page footer. I changed the yellow highlighted text to “Running”, and the WordPress tagline on this site now displays as “Running WordPress”.

Change “P….d by” to “Running”

Changes made to custom settings are normally retained when you update your theme to a newer version.

Changing footprints by directly editing files: Advice and Caveat:

Changing a theme’s custom settings is the easiest and least risky option. If there are no suitable custom settings for your theme:

1. Back-up your site before making changes.

2. The changes detailed below will work for many themes – but not all.

3. Although the changes are fairly simple, it is impossible to guarantee that they won’t mess up your particular site.

4. If you edit the theme’s files your changes will be lost whenever you update to the latest version of the theme, and you will have to re-apply them. If you are currently using, or know how to create a child theme, then you can avoid this by applying your changes to the child.

5. I use FTP. This allows me to keep a back-up copy of the original file and edit a new version on a home computer; and because I don’t use the WP Dashboard editor I can set more secure access permissions for the site’s files. If my edited file messes up the site, I can quickly replace it by uploading the original. However, FTP is another topic, so the explanation below uses the WordPress theme editor, with which many of you will be familiar.

Changing the WordPress tagline:

In most cases you will be able to make the change by editing your theme’s “footer.php” file:

Changing Themify iTheme2 via the WordPress Theme Editor

From the WP Dashboard:
1) click “Appearance”, 2) click “editor”, 3) select your site’s active theme, 4) click “footer.php”
5) If the file contains “P…..d by” change it to some other text of your choice e.g. “Running”. Click “update file” and then check your site.

Changing Comment Form Text:

The code below provides a generic solution that will work with many themes running on WordPress 3.0+ sites (I’ve tested it on twentyeleven and Themify’s iTheme2). It requires little more than cutting and pasting code, but you will need a beginner level knowledge of PHP to know where to place it within existing code. An error here could disable your whole site including your dashboard.

Add the following to the theme’s (or preferably child theme’s) functions.php:

<?php
# when copying this code do not include line above
# unless pasting into a new empty functions.php in a child theme

# FUNCTION 1: replace the default "le.v. a rep.y" heading
function change_comment_title ($arg) {
  $arg['title_reply'] = __('Have your say' );
  return $arg;
}
add_filter('comment_form_defaults','change_comment_title');

# FUNCTION 2: replace the default "em.il add.ess is not pub.ish.d" text
function change_emailnote ($arg) {
  # $req and $required_text exist only inside WordPress's comment_form(),
  # so they are not used here; the output is just the replacement note
  $arg['comment_notes_before'] = '<p class="comment-notes">' . __( 'email address is not displayed.' ) . '</p>';
  return $arg;
}
add_filter('comment_form_defaults','change_emailnote');

# when copying this code do not include lines below
# unless pasting into a new empty functions.php in a child theme
?> 

If this solution doesn’t work you may find a solution via your theme’s support forums. For general information on how the comment form works, this post by Justin Tadlock, or the “related article” at the end of this post, may help.

If support is unavailable and you know a little about PHP and WordPress, then checking out functions.php and comments.php in the theme’s “home” directory is a good starting point. However, on this site (Trending theme with Hybrid Core framework) I had to edit a version of “comments.php” located below the theme’s “home” directory (trending/library/functions/comments.php), and had to replace these 2 lines:

'comment_notes_before' => '',

'title_reply' => __( '13ave a R3ply', 'hybrid-core' ),

with these

'comment_notes_before' => 'your email is not displayed',

'title_reply' => __( 'Your Comments'),

Because the edited file was in a sub-directory it wasn’t editable via the Theme editor so I had to use FTP. I have only mentioned my changes to Trending as examples of the type of generic edits you may have to make. If you use Hybrid core based themes like Trending you will find a better solution via Theme Hybrid Club support forums ($29 p.a and apparently well worth the money).

Meta Tag footprints – the future for hackers and spammers?

WordPress adds meta tags like these to your pages: <meta name="generator" content="VVor…..s 3.0.1" />

Meta tag search for WordPress sites – identifying version used

It is now possible to use meta tags to search for sites using WordPress (or many other packages). Hackers or spammers could use this type of search to harvest links for sites using vulnerable versions of WordPress.

Luckily most search engines do not currently include meta tag search, and so, as far as I am aware, this type of search has not been commonly adopted by hackers and spammers. However, I suspect it is only a matter of time before one of the major search engines adds this functionality.

Will removing this meta tag do my site any harm? As far as I am aware – no. I guess it is possible that Google/Bing do, or will at some point, make use of this tag to aid in understanding the structure of your site for analysis and indexing purposes.

5 ways to remove the WordPress meta tag:

1. Your theme may automatically remove it or provide you with the option via the dashboard.
2. Some Security Plugins may provide this option. Note: although one of mine provides an option to “remove the version number” from my site, when I checked my pages I found this removal did not extend to the meta tag.
3. Install a plugin like this (for WP 3.0 or higher).
4. If you already use your own custom header modification plugin you can incorporate the single line of code used in the above plugin within your own.
5. If you already use your own functions.php then you can modify it to include

function remove_generator() {
  return '';
}
add_filter('the_generator', 'remove_generator');

Notes: Depending on your version of WordPress and theme, methods 4 & 5 may break your site – only attempt them if you are competent with WordPress and PHP. Their use will also remove the WordPress identifier elsewhere, e.g. from your RSS/Atom feed.
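To confirm the changes took effect (recall the security plugin above whose "remove the version number" option left the meta tag in place), the following added example, which is not code from the original post, scans a saved page or feed for generator identifiers and for footprint phrases you supply. The "ExampleCMS" names, the sample markup and the phrases are constructed placeholders; pass in the default text your own theme originally displayed.

```python
import re
from html.parser import HTMLParser


class FootprintScanner(HTMLParser):
    """Collects generator identifiers and visible text from a page or feed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.generators = []             # values disclosing software/version
        self.text = []                   # visible text, for phrase matching
        self._hidden = 0                 # depth inside <script>/<style>
        self._in_feed_generator = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("name") or "").strip().lower() == "generator":
            self.generators.append((attrs.get("content") or "").strip())
        elif tag == "generator":         # RSS/Atom feeds use a <generator> element
            self._in_feed_generator = True
            if attrs.get("version"):     # Atom carries the version as an attribute
                self.generators.append("version=" + attrs["version"])
        elif tag in ("script", "style"):
            self._hidden += 1

    def handle_endtag(self, tag):
        if tag == "generator":
            self._in_feed_generator = False
        elif tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if self._in_feed_generator and data.strip():
            self.generators.append(data.strip())
        elif not self._hidden:
            self.text.append(data)


def find_footprints(markup, phrases):
    """Return (generator values found, phrases still visible) for one document."""
    scanner = FootprintScanner()
    scanner.feed(markup)
    scanner.close()
    # Collapse whitespace so phrases split across lines or inline tags still match.
    visible = re.sub(r"\s+", " ", " ".join(scanner.text)).lower()
    hits = [p for p in phrases if re.sub(r"\s+", " ", p).strip().lower() in visible]
    return scanner.generators, hits


# Constructed sample: a page before the edits described in this post.
SAMPLE_BEFORE = ('<html><head><meta name="generator" content="ExampleCMS 1.2.3" />'
                 '</head><body><h3>Post a\n reply</h3><p>Proudly running '
                 '<a href="#">ExampleCMS</a></p></body></html>')
```

Run it against the saved HTML of a post page and against the feed; both results should come back empty once the edits are live, although search engines will keep the old copy until they re-index.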

Some of you may think these modifications are unnecessary and over the top, but hopefully they will be useful to fellow learners and code hobbyists who hate spam.


Author: Andy W+


3 Comments

  1. Thanks Andy for providing such good information. I am pretty confident that the info would definitely save my WordPress blog from spammers.

  2. Doing this will def reduce your spam. The more unique you can make your wordpress site then the less the chances that bots can scan for it and spam your site.

  3. That’s another method to stop comment spam, where you may charge a small fee for comment review. Most spammers will simply stop spamming your blog, leaving only people who are legitimate. This way you will get compensation for time spent in comment review.


Copyright © 2012-2017  Means.Us.Com