JasonMorrison.net

With all the comment spam, trackback spam, and pingback spam out there, developers have created some pretty powerful anti-spam tools. So why did I create a small, not-so-powerful anti-spam WordPress plugin like O RLY?

Here’s a screenshot of my pending comments a little while back. Notice the second comment, which slipped past Akismet:

Apparently some dude named Casey Fronczek wanted to let my readers know about his fishing trips. I clicked on the O RLY button, and here’s what Google had to show me:

This spam comment showed up about 17,000 times!

This is an interesting case because it shows that spammers aren’t always looking to place links or pass PageRank. They are always looking for some kind of payoff though, and you can see the roundabout technique here. Hopefully anyone interested in fishing trips in southern Florida will Google this guys relatively unique name and result in a sale. You may also see phone numbers, ICQ or other IM accounts, and similar contact information in some comment spam.

This is a little tougher to automatically delete because a spammy link is a really good signal for an automated filter. Hopefully if people have enough little tools, we bloggers can improve the state of the web as a whole. Get the plugin from WordPress.org, and please let me know of other good anti-spam plugins in the comments.

One of the great things about having a blog is getting comments on your posts. It’s particularly gratifying when someone takes the time to tell you that your post was helpful, entertaining, or well-written.

Spammers know this and exploit it by generating compliment spam. They’ll put together a few lines of general praise and slather them across the web, hoping that bloggers will fall for the trick and post their spammy links.

Abusive social engineering like this really annoys me, so when in doubt I always do a Google exact phrase search to see if the compliment is really for me and not from a bot. This is tedious, so I created a simple WordPress plugin: O RLY Comment Spam Search.

You can get the plugin directly from WordPress.org, where you can also give it a rating to tell other webmasters how great (or non-great) it is. By the way, the plugin browser/installer added in WordPress 2.7 is very cool, and makes it much easier to try out plugins.

Judging by the thousands of blogs my O RLY searches have found, this sort of spam works. But why do spammers do it? Since WordPress (and most major blog systems) nofollow links in comments by default, the spammers can’t expect to gain any PageRank from these links. My guess is most of this spam is either intended to get traffic via clickthroughs or is generated by naive site owners, SEOs and marketers who don’t really understand how things work.

Take a look and let me know if it’s useful in the comments below. Also, let me know if it’s breaking on certain comments or otherwise buggy.

The web has evolved into this amazing place filled with user-created content, blogs, wikis, photo sharing sites, and users can enter comments on just about all of them. But there’s a problem – commenting in Blogger, Flickr, and some random self-hosted WordPress blog requires you to create user accounts or type in tedious contact information separately in each one.

As a user, you probably want to spend your time commenting rather than remembering usernames and passwords.  As a blogger, you no doubt want to make it as easy as possible for your readers to comment on your posts.  What we need is some really powerful identity management system to make this all possible.

OpenID is an attempt at creating such a system that seems to be growing quickly.  Instead of hundreds of usernames and passwords you have a simple URL that you control.  I just added it to my WordPress blog to see if it’s helpful, and I’ll walk you through the steps you need to take to use it and allow your commenters to use it too.

How to use your blog as your OpenID

First off, you need to get an OpenID.  Luckily, you probably already have one.  Major sites like Blogger, LiveJournal, Flickr, and Yahoo are supporting OpenID so you can just go with what you have.  You can also go with a specific provider.  Which one should you use?  It doesn’t really matter, since you can use your site’s URL as your OpenID and switch providers whenever you want.

Now that you have a URL, you need to use delegation to allow your site’s URL to stand in.  In WordPress, this means opening up the header.php and adding a few lines to your <head> section.  If you’re using Google’s Blogger (like me), the links would look something like this:

<link rel=”openid.server” href=”http://draft.blogger.com/openid-server.g” />
<link rel=”openid.delegate” href=”http://blogname.blogspot.com/” />

One side note – if you view the source of this page, you won’t see these lines.  I’m using my root domain instead.

For more information, see this post by Sam Ruby.

How to use OpenID for comments in WordPress

This part is simple – like everything else you want to do with WordPress, there’s a plugin.  Just download and install the WP-OpenID plugin and activate it.

You should notice a little OpenID icon in the fields for the comments below this post.  Go a head and test it out.

Everyone has tag clouds all over the web, but are they really useful?  Altocumulus is an attempt to use tag clouds as a real navigational system in WordPress blogs.

Install the plugin and it will automatically put a cloud of related tags at the top of all your Category and Tag pages.  Hopefully this will serve two purposes:

1. Users who end up on a general category page can click through to a more specific (or more relevant) tag page, and
2. It should give users a general idea of the topic of the posts on that archive page, increasing the information scent.

Next version I’ll add an options screen where you can change the number of tags, placement, etc.

Please drop me a note if you run into any bugs or are using it on your blog.  Let me know if you have any ideas you’d like to see implemented, too – I am all about implementing and studying folksonomies.  The more folks who are interested, the more likely I am to add features.  Thanks.

Download the Plugin Here

Spam, it’s not just for breakfast and email anymore.  Webspam is a huge problem – if you run a blog or a forum, you’re probably familiar with the gobs and gobs of gibberish being posted all over the web by spammers.

This humble blog, which only gets a few hundred visitors per day, has had over 17,000 spam comments since I moved over to WordPress last year.  Having your site inundated with comment spam can be just as big a headache as getting hacked.  No one wants to spend hours every day sorting the good posts from the bad.  I’ve already written about how to totally clear out a spammed forum and erase all traces of it’s reputation-marring existence, but the best solution is prevention.

Here are some steps you can take to help prevent spam on your blog or forum.

Keeping Spam off Your Blog

This section assumes you’re hosting your own blog and can add plugins and make configurartion changes, and my examples will be WordPress-heavy because I’m more familiar with WordPress.

Option 1:  Close or restrict comments. Most blogs give you some options to restrict who can comment on articles.  In WordPress, you can require that users create accounts to comment under Settings -> General.  This might not help too much since I’ve seen hundreds of automated user accounts created right alongside the spam.

You can also require that comments are approved before they appear – in WordPress look under Settings -> Discussion.  This will stop your blog from being graffitied without your knowledge but also requires manual effort.  You can also disallow trackbacks and pingbacks, which are really cool in theory but a major avenue for automated spam.

You can also shut down comments completely, or disable comments on old posts.  At that point you may be throwing the baby out with the bathwater, but it’s certainly effective.

Option 2:  Make sure commenters are real people with a captcha. Even if you’re not familiar with the term, you’re familiar with captchas.  They’re the little widgets at the end of a form where you have to decipher some scrambled text from an image.  Many blogs have captcha options built in, but if you’re looking for a captcha plugin be sure to balance usability with security.

I’ve used the Did You Pass Math plugin with some success.  Jeff Atwood has used an extremely simple captcha for years on his high-traffic blog.  Recaptcha is a really cool project that helps fight automatic posting and digitize old books at the same time.

Option 3:  Use an automatic filtering system. If you’re using WordPress, I have three words for you:  Akismet, Akismet, Akismet! Seriously, Akismet is so good at automatically marking spammy commetns and trackbacks that it’s almost scary.  If you’re not using WordPress, you may still be able to find an Akismet plugin for your blogging platform.  There are other systems worth trying as well such as Spam Karma but I have less experience with those.

Keeping Spam off Your Forum

Again, I’m assuming you are hosting the forum yourself or can otherwise make config changes.  I’ll use phpBB (version 3) as an example because I’ve used it in the past.

Option 1:  Restrict user accounts. This can be a tough call, because when you start a forum you want to make it as easy as possible for people to join in the discussion.  Unfortunately, allowing anyone to register and begin posting without any admin approval also opens the door for spammers.

In phpBB this setting can be found in the Administration Control Panel under Board Configuration -> User Registration Settings.

Option 2:  Again with the captchas. Captchas aren’t 100 percent garanteed to remove spam but they do help.  If your forum software doesn’t have a captcha or a captcha plugin, I would seriously consider upgrading to a version that does or switching forums completely.  I know it’s a huge pain but waking up one morning to find 10,000 spam posts is even worse.

In phpBB3 look under Board Configuration -> User Registration Settings for a setting called “Enable visual confirmation for registrations” and make sure it’s turned on.  You can change the details under Board Configuration -> Visual confirmation settings.

Option 3:  Try to find an automatic filtering system. This is harder than for blogs.  There was an Akismet phpBB mod but it’s apparently not being maintained.  There’s a workaround involving the Spam Words mod that you can read about here.  The Spam Words mod might be worth trying on it’s own too.  Here’s a thread with more options for phpBB2, search around and find what’s available for your forum software.

Even without automated filtering, you can try to slow down the spammers by setting a time limit between posts (most human beings don’t type as quickly as spambots do).  Other options, such as disallowing links and BBCode, are pretty drastic but might make your blog less enticing.

Just for fun:

Spam, spam, bacon, and Spam

I just wrote a post about buying a new camera, and because I want to compare specs on several different cameras and lenses, I’m going to need a spreadsheet.  Luckily there are some great online spreadsheet programs to chose from.  I’m going to use this as an opportunity to explore how to use Google Docs and Spreadsheets in blog posts.

Before you get started I’m assuming you already have a Google Docs spreadsheet ready to go.

1.  You can always just link to the document. By default your docs will be private so you’ll need to make them available to your readers.  To do so you’ll need to either go to the Share tab and check “Anyone can view this document WITHOUT LOGGING IN at:” or go to the Publish tab and publish the doc. Either way you’ll get regular URL to post, like this one:  http://spreadsheets.google.com/ccc?key=ppevxmL24UqmeiZSbqIU1DQ&hl=en

Links aren’t very exciting though, so how can you embed into a post instead?

2.  You can embed the content into the post.  If you’re wondering how to do it in WordPress, one solution I’ve come across is the Inline Google Docs plugin at Broken Watch.  This plugin gets the actual text/html of the spreadsheet and places it inline in your post.  So if you have a wide blog template, or a spreadsheet with relatively few columns, it should blend right in.  On the other hand, there’s no editing or other fun.

Here’s an example of what the output looks like:

NOTE: I had to disable this, it was throwing errors once I upgraded to WordPress 2.7. You mileage may vary.

3.  You can put the doc directly in the page with an iframe. This works really, really well with Google Presentations but is a bit trickier with a doc and even less optimal with a spreadsheet. You’ll get the best-looking results if you publish the document and use the published URL in the iframe. On the other hand if you use the shared URL collaborators should be able to make changes right in your blog post.

You’ll want to create some code like this:

<iframe src=”http://spreadsheets.google.com/pub?key=ppevxmL24UqmeiZSbqIU1DQ” width=”500″ height=”400″></iframe>

Make sure you put the code in the “HTML” editing mode of WordPress rather than “Visual” mode.  As a result you can see some of the info I’ve gathered about possible camera / lens combinations in the spreadsheet below.

The main issue here is the relatively small iframe window size. If you use a wider blog template this technique might work really well.

Why bother? Spreadsheets aren’t the most exciting thing in the world for most people, but play around with all the features of Google Docs and Spreadsheets and you’ll see why this can be pretty cool.  You can embed questionnaires and surveys, cool charts and graphs with Gadgets, and anything else you can think of.

I’ve already written about what to do once your site has been hacked, but let’s talk a bit about hack prevention.

I think it’s fair to say that most people manage their own WordPress installation because they have some programming background and want a little more control than you get with a hosted solution like Blogger or WordPress.org.  Webmasters like you and me usually know a bit about security and how important it is to keep things up to date.  The problem is that every minute spent upgrading your CMS to the latest version is a minute not spent writing or running your business.

So you know you should download the latest patch, make backups, disable, plugins, install… but it’s already 1 a.m. and you need to meet clients in the morning, so you put it on the back burner and your site ends up hacked.  What’s the solution?  If you’re Technorati, the solution is to motivate bloggers a bit more by threatening to delist them.  I can understand their point of view.  But how about something a bit more positive – automation.

There are two ways I’ve automated WordPress upgrades.  One is through Fantastico, which is a really cool script management system that your web host should probably provide.  I’m giving up on Fantastico, though, because it takes a long time for it to notice updates.

The second way I just tried out recently is the WordPress Automatic Upgrade plugin.  I’ve tried it out on three blogs now and so far so good – it hasn’t skipped a beat.  This functionality really needs to be folded into WordPress itself – with 2.5, they added the ability to automatically upgrade plugins but it seems like most security holes lately are found in the WordPress code itself.

That plugin is WordPress-only, but I recommend doing some research to see if there’s something similar out their for your blog software or CMS.  Even if WordPress never has another security bug, there’s always Joomla, and Drupal, etc…

If you’ve gone to any of my Category pages on this blog (my Academic papers, for example), you might have noticed I have a tag cloud with just the tags related to that category.  After I figured out how to do it I packaged it into a WordPress Plugin, called Altocumulus.

This goes along with my research interests into folksonomies and information retrieval.  I haven’t had the chance to study tag clouds empirically but my guess is that one giant tag cloud for an entire web site or blog might be more cool looking that useful for navigation.  I think that making use of tag relationships a bit more might show the strength of folksonomies for navigation.  So now, if you click to see my design pages, you can see the kinds of topics my designs cover.

For another example of this in action, take a look at Unsought Input, for example the Innovation page.

Go ahead and download version 0.1 now.   It requires WordPress 2.3 or higher.  This is my first WordPress plugin so I’m sure I’ll figure out ways to make it better over time.  If you have any bugs, pointers, or suggestions please leave them in the comments below.