Incredible: I got spam INSIDE the text of the post!

I am running WordPress 2.13

WordPress 2.1.3 has a major security hole, and you should upgrade to WordPress 2.2 immediately.

prevents 100% of the spam without the enormous burden on server resources that Akismet imposes

Akismet doesn’t put any burden on your server, it puts the burden of spam checking onto Akismet’s servers. They’re the ones doing all the work.

And renaming the comments file just means people can’t leave any comments. Which is fair enough, but seems a long way to go in order to prevent spam. I mean, yeah, I could not get any spam in my email if I didn’t use email.

Thanks Otto for the heads up on the security hole.

Regarding Akismet, what I meant is with Akismet on, you are still processing hundreds of comments a day, whereas by renaming the comments file you don’t process anything, the SpamBots simply fool around with a fake comment form.

And please see that I renamed, not eliminated, the comments file so that legitimate visitors have no trouble whatsoever leaving comments. So it’s not like you say. You give a new name to the real comment file, change the name of the file in your theme, and then leave an empty comments.php file for the spambots to play with.

Regarding Akismet, what I meant is with Akismet on, you are still processing hundreds of comments a day, whereas by renaming the comments file you don’t process anything, the SpamBots simply fool around with a fake comment form.

Few problems with that notion:
1) Spambots can load your webpage and see the form just as easily as anybody else can. Easier, if they wanted to write them to do so. And it’s only a matter of time before this minor change is implemented in the bots and they start using “the form” like everybody else.
2) 95% of spam I see now is Trackback spam anyway, which doesn’t use comment forms or comments.php.
3) The *actual* right way to do what you’re suggesting would be using a nonce.
4) But mainly, the Bad Behavior plugin would block all this pretty much without any processing overhead and without having to mess about with the code and such like this. It prevents bots like that from even accessing the site to begin with by simply recognizing and blocking bots. Much simpler and more effective. It cut my incoming spam by 85%, just like that. No configuration. No interface. It just works. The remaining 15% of the spam goes on to Akismet.

Forcing registering to comment can help to prevent spam

Forcing registering to comment can help to prevent spam

Wrong! Trackback spam (read more carefully Otto’s post above!) doesn’t need any registering. Forcing registration is just an annoyance for legitimate commenters. I never comment on a blog if registration is required.

bolonki,

You haven’t provided a link to your site here or in any of your previous posts so I cannot check for myself so I cannot check for myself — do you know if you are using a sponsored theme? I ask because a eerily similar situation occurred recently where the post content was being appended w/ ‘spam’ links.

I’m willing to bet it’s the theme you are using.