It is a wonderful, wacky Wednesday and instead of an iPhone and/or iPad app, I am singing the praises of a WordPress Plug-in, Akismet, this week.
If you blog, you are targeted by spammers.
Google owns Blogger / Blogspot.com and zaps spam for you. But if you need to own and control your own blog, the odds are that you are using WordPress. I hope that you are using a reputable host that provides some monitoring of the health and functioning of your site; they are out there. With those infrastructural considerations behind you, all that remains is to manage and write your blog, right? Almost. Spam is more than annoying, it can be dangerous, and it is the first thing you probably want to address when putting up, moving, or renovating a blog. It is also easy to manage with Akismet.
The WordPress development folks are behind the Akismet plugin that, as they explain, “checks your comments against the Akismet web service to see if they look like spam or not.” It is easy to install and activate from the Plugin GUI (Graphical User Interface) that is accessible on the sidebar of the WordPress Dashboard.
Something very much like this, below, should appear on your screen.
Click “Install Now” and you will only have to do a couple more steps on your own.
On another tab or window, go to https://akismet.com/signup/ and select the plan you want. If you just have a personal blog you can select the personal option and pay nothing, or if you have a personal blog that is starting to turn into a business and you can afford a few bucks to support the Akismet project, select the amount you would like to give.
Once you have selected your plan and filled out the information, you will be given an API Key (save that key/code!) that you can enter back on the other tab where you will be asked to provide it, so copy that and go back to the tab or window where you did your Plugin search for Akismet.
You have already done the install, so now just click on the Settings tab:
Paste in the API key on the Settings page, and you should be ready to go.
When I first installed this I checked the spam queue until I was sure it was only catching spam comments and not real comments. I only had to retrieve false positive comments once, and I did that by simply clicking that they were not spam. I installed the plugin for Reason Creek when I was setting the site up and it has been working like a charm ever since then, and best of all no more CAPTCHA entries. CAPTCHA is the challenge and response system that computers cannot answer and theoretically humans can answer. But it causes so much frustration in readers that they often will not leave a comment. Akismet solves that problem.
I highly recommend trying this plugin out. I also recommend using as few plugins as possible and only installing them after you have researched them, found them to be extensively and positively reviewed, and seen that they have gone through a few versions. Putting unknown code into your site is like having someone have you hack your own site for them. Don’t do it. Do your homework.
Once this is done you will just have to write, write, write and not worry about going through comments or losing readers due to CAPTCHA. Have fun!
Zombies! IP Deny Those Brain and Bandwidth Eaters.
Gotta love the attention getting factor that any exclamation of “Zombies!” carries. The CDC even understands this one. They used an outbreak of flesh eating zombies to reach a difficult to engage demographic group with information about emergency preparedness. I can’t believe I didn’t know about this until I Googled “Fox News Zombies.”
And look at how successful Fox News has been shouting “Zombie!” every time they want to distract from their own brain eating activity; actually they use a bait and switch tactic and substitute “Liberal” for the word zombie… but hey, really this is Fox we are talking about and strictly truthful reporting on them would be out of character with the spirit and tone of how they stick to “truthful” reporting and their eating of mainstream American brains.
And how could I possibly have a contemporary discussion of zombies and brain-eating without mentioning spammers and their other nefarious Romanian kin. You know the word discussion is problematic, because if you are not out there reading this, we are not having a literary discussion and I am spending an awful lot of time impressing myself with my own cleverness…. but I digress. If you do not know about Romanian IPs then you are a sweet innocent person in the blog world and I’m not sure I want to poison your rosy colored view of the world. Read on at your own peril.
To take care of such techno zombies who will eat your bandwidth at best and steal your server in the worst of living nightmares, you ban their IPs. To accomplish this on a self-hosted WordPress blog:
Start at your WordPress Dashboard > “Settings” > “Discussion” and enter the IP in the box labeled “Comment Moderation.”
Now this sounds easy, and it actually is if you know how to obtain the IPs of your blog or site visitors. One of the easiest ways to find the IP addresses of your visitors is to add a stats/maps plugin.
Start at your WP dashboard > “Plugins” > “Add New” > search box, just enter what you are looking for such as “Visitor Maps and Who’s Online” and install and activate if you want to do so. This plugin gives you the IP address of your visitors. You then know which visitors have which IP addies and you can ban them via comment moderation as mentioned above.
I’ve always found out what IP addresses were accessing my sites through cPanel, but if cPanel is a vague concept, or perhaps a group of physicians or politicians deciding for women about how women should give birth, then you may need this brief tech digression.
The easiest way, for me, to figure out which IPs are accessing my site is to get stats from the server that hosts my blog. I do this through cPanel. I also like to ban them from this level because if they actually are getting far enough into my blog to comment, they are still eating my bandwidth even if I do ban them from commenting. But I do not recommend this for the novice or the faint of heart. You will end up in a world of hurt if you do not know what you are doing.
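One way to turn a server access log into a short list of IPs worth reviewing, as an added example that is not part of the original post. It assumes Apache "combined" log format; the sample lines are constructed, and the function name, the threshold and both heuristics are hypothetical choices for illustration.

```python
import re
from collections import Counter

# Constructed sample in Apache "combined" log format. The addresses come from
# the RFC 5737 documentation ranges; they are not real visitors.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Apr/2012:10:01:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 - "-" "Mozilla/4.0"
203.0.113.7 - - [25/Apr/2012:10:01:03 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 - "-" "Mozilla/4.0"
203.0.113.7 - - [25/Apr/2012:10:01:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 - "-" "Mozilla/4.0"
203.0.113.99 - - [25/Apr/2012:10:03:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 - "-" "-"
198.51.100.20 - - [25/Apr/2012:10:02:11 +0000] "GET /2012/04/zombies/ HTTP/1.1" 200 18211 "-" "Mozilla/5.0"
198.51.100.20 - - [25/Apr/2012:10:04:40 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 - "http://example.com/2012/04/zombies/" "Mozilla/5.0"
192.0.2.55 - - [25/Apr/2012:10:05:00 +0000] "GET /feed/ HTTP/1.1" 200 9120 "-" "FeedReader"
this line is not a log entry and must be skipped
"""

COMMENT_PATH = "/wp-comments-post.php"  # WordPress comment submission endpoint
# client IP, then method and URL from the quoted request, then a 3-digit status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} ')

def review_candidates(log_text, burst=3):
    """Return {ip: reason} for IPs whose comment traffic deserves a look.

    Assumed heuristics (tune for your own site): `burst` or more comment
    POSTs, or a comment POST from an IP that never fetched a page.
    """
    posts, pages = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        ip, method, url = m.groups()
        if method == "POST" and url.split("?", 1)[0] == COMMENT_PATH:
            posts[ip] += 1
        elif method == "GET":
            pages[ip] += 1
    flagged = {}
    for ip, n in posts.items():
        if n >= burst:
            flagged[ip] = f"{n} comment POSTs"
        elif pages[ip] == 0:
            flagged[ip] = "comment POST without loading any page"
    return flagged

if __name__ == "__main__":
    for ip, reason in sorted(review_candidates(SAMPLE_LOG).items()):
        print(f"{ip}\t{reason}")
```

The output is a review list, not an automatic ban list: check each address against the spam queue first, since shared or proxy addresses can carry real readers too.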
So I am just going to list a few of the key ingredients you will have to have on hand if you are going to whip up a dish without spam.
WordPress: I primarily talk about WordPress issues and how-tos when I talk tech, but many of the same practices I mention are equally applicable to other blogging platforms; only the details for how to implement those practices vary. If you use another self-hosted platform via a cPanel installation, you can probably get to the IPs in the same way.
Plugins: Do Not, I repeat, do not add unverified plugins to your website. Check the details. How long has this person been around making plugins? What version of the plug-in is it? Is it 0.1.2 or 1.5.9? Bigger is usually better. How many users have reviewed the software? If it is only three reviewers they are probably the maker’s mom and two friends. What do they say about it? Is the review detailed and does it refer to improvements over time in later versions? I am currently using the Bullet Proof Security Plugin. It is your choice to download and activate a plugin, I’m not recommending use of one, one way or another, and I soon may actually purchase site monitoring services from an interwebs security firm. But if you want to give it a go: Start at your WP Desktop and go to Plugins > Add New, and in the search box just enter what you are looking for such as “Bullet Proof Security.”
And now to return to today’s theme of zombies. Zombies are such great allegorical vessels! This is the main reason I so adore the unfortunate undead. Only Godzilla rivals Zombies in mass cultural acceptance and symbolic adoption and adaptation of a cinematic character. (Say that 10 times, fast.)
Anyway, this “Z” post is the last entry for April’s A to Z Blog Challenge that I found out about through GBE 2. It has been a fun month, but May will be even better although I will not be posting every single day of the month. Can you hear my big sigh of relief?
Vigilance Is Your Best Security Option When Using WordPress
V is for Vigilant
vigilant |ˈvijələnt|
adjective
keeping careful watch for possible danger or difficulties
Yesterday I began talking about security through the routine installation of upgrades. This is probably the biggest single thing you can do to secure your self-hosted WordPress site. You need to be vigilant about upgrades to any software you use or have loaded on your computer, host, and mobile devices.
Upgrade WordPress to the current version. Why? Because these new versions have bug fixes and close security gaps. Most malware that can get onto or into your site comes through holes that bad guys have previously used. Of course there is always the time period between when a problem is discovered and when it gets fixed, and maybe there is nothing you can do during that time period. But after the fix is available you need to take advantage of it. If you don’t, a bad guy will sniff out your vulnerability and exploit it. You might as well be playing the poor damsel in distress and broadcasting, “Yoo hoo, hackers, come on over and f*** my site.”
When you log in to your WordPress dashboard, you should see a notification if there is a new version of WordPress available. If there is a newer version than the one you are using, you need to do a site or blog backup and then install the newest version. The current version as of this writing is 3.3.2, which was released on April 20th, 2012. There is another planned update on May 9th, 2012. How do I know this? Besides my brilliance and psi powers (Not!) there is a WordPress page that tells you all the release info in a nutshell: http://codex.wordpress.org/WordPress_Versions
Do back up your site first though, before you upgrade. If there is something incompatible on your site, upgrades can “break.” It does not happen often, but it can happen. The most likely cause of an upgrade breaking something, according to what I’ve been told by trusted, informed, guru-ish and nerdy sources, is that incompatible plug-ins will not work and play nicely with the new code in the upgrade.
So how do you take care of that mess and prevent it from happening if at all possible? Plug-ins have upgrades too. Use only trusted plug-ins that are absolutely necessary to your purposes. Plug-ins add some sort of functionality to a program that you use. In this case it is WordPress. Before you install any plug-ins, do your homework. You wouldn’t put just anyone’s doo-whichy into your doo-whatchy would you? Well, don’t do it with your computers, laptops, notebooks, iPads and mobile devices either! Geesh, it is just basic hygiene!
The best plug-ins don’t just do neato-keen things, they save you heartache from unwanted gifts that keep on giving, just like in the biological world. Akismet is my favorite plug-in that protects me from spam. It acts as a trap and catches comments that have some of the characteristics of spam. Even if you have clicked the Settings – Discussion options to have visitors leave a name and email and have a previously approved comment before you automatically allow comments, which is one thing that regular visitors and comment givers really like, bad guys and gals who are trolling for click-throughs or access to lesser secured areas of your site may seem like sincere comment leavers at first. They are just waiting for you to let your guard down and then they will spam you with Viagra ads or tempt you with wonderful sounding offers (often about security), but Akismet catches these and holds them for you to evaluate. At first glance nothing seems unusual in this real example of a spam comment:
I really like what you’ve done with the thmeme but I was asking myself if you are the one that created it or you just bought it and customized it?
This was a gateway spam comment. No links in it, but if I allowed this comment by the author there would have been another post that wasn’t captured through the discussion settings and then the spam would have hit. So how did I know it wasn’t real? Well, for one thing, saying nice things about your site is a standard way to try to gain trust through flattery. But I have WordPress and Elegant Themes links at the bottom of my pages so anyone actually interested in my changes would have said something more in depth. That and I checked the email address of the poster and it ended in .ro. Not that many people in Romania read my blog, and lots of attacks originate in the Eastern Bloc and former USSR states, so I will block those IP addresses that have sent spam. Often the originating site of the spam is only up and live for a day or two. That is how these hackers work. Akismet gets most of these and every few days, ideally every day, I check my Akismet spam folder and allow real posts from recognized readers through. Better safe than sorry.
So yes, you have to update your plug-ins too. New versions of plug-ins most often fix holes, just like with your platform. They are also noted on your WordPress dashboard.
This is such a huge and not fun to think about topic that I totally understand why lots of bloggers just don’t want to think about all the details involved in security. But like anything else in life, just work it into your routine and eventually it becomes second nature.
That is probably enough to leave your head spinning, so I will end this post. There are another few areas of basic site security that I want to make sure my readers know about, so there will be another installment in this “series” of posts. I want to talk about theme updates, some other easy fixes that minimize your risks, and I want to share a bunch of web resources at which you might want to take a look.