Spanking your meat

Hrm? What? *butter wouldn’t melt* (No, seriously; it wouldn’t. It’d frazzle.)

If you hadn’t come to expect a smidge of innuendo from me by now, then I’ve been slacking. What sort of meat-spanking did you assume I meant? Most likely not this sort:

Yeah, since I’ve had this blog the number of spam comment attempts has risen and risen until they went through the roof. Thank fuck for the Askimet plugin, is all I can say. But, even with Askimet installed, I still had to trawl through the multiple spam attempts per day, to ensure that no legitimate comments had been filtered out (such as for including more than one link, which WordPress automatically flags as potential spam, by default).

I started Virtual Bloke in May of 2013. As of just now, these are my basic spam stats:

That’s a fuckton of delicious processed meat, y’all. Monty Python would’ve been proud. At which point, naturally, we must pause for this:

Anyhow. I’d noticed two things about all of these attempts to spam the blog:

  1. Invididual posts were getting hit at a rate of two or three comments per hour. It got so bad that I actually disabled commenting on the worst offenders (these ones were getting upwards of ten comments per hour). But it went in phases. Never the most-recent post; always one that was a couple of posts back (I guess in the hope that I wouldn’t notice it).
  2. Even though each of these individual posts was getting hit (example: my One of Our Lindens Is Missing post got hit by spam comment attempts almost 60 times over the course of two days) these hits weren’t registering in the blog stats.

#1 wasn’t surprising, since I’d been spotting (and deleting) pingbacks where those individual posts were getting spammed as links  on various forums and other blogs. But #2 could mean only one thing: it was referrer spam, because the bots that dish out referrer spam don’t actually hit the page itself; they simply access the comments.php form, and that doesn’t register a hit on your stats.

This was, weirdly, good news, because there’s something you can do about referrer spam, and it involves a simple edit to one file in your directory: the .htaccess file. Most sites have one, and it’s a bloody handy file. I wasn’t sure of the exact commands to insert into the file (only that I knew I could use it to block referrer spam) so I went a-googling.

I found what I was looking for in the WordPress Codex (click here and scroll down to ‘deny access to no referrer requests’, then down further to ‘deny access referrer spammers’). Note how, in the first instance, you’re sending the spam-bot back onto itself (in much the same way a good HOSTS file redirects your computer to itself when it tries to show ads and blocked sites, effectively rendering it unable to show said ads etc).

In the second instance you can actually block individual referrer URLs. The Codex states:

Once you know which referrer URL you’d like to block, and believe me you’ll know, you can keep them out [ etc. ]

Believe me, I did know. If you’re getting referrer spam, you’ll see the same URLs cropping up as the ‘personal websites’ of these spammers time and again, viz.:

It goes without saying that, if you try to visit any of those sites? You’re daft enough to deserve anything that happens :p

The [name].adsuse spam had stopped, but I was still getting hit multiple times by the [name].usabestads and [name].adsboards spammers. So I not only added the first section of the referrer redirect to my .htaccess file, I also blocked those URLs directly, like this:

# BLOCK referrer spam
SetEnvIfNoCase Referer usabestads.com spammer=yes
SetEnvIfNoCase Referer adsboards.com spammer=yes
Order allow,deny
Allow from all
Deny from env=spammer

NOTE: No, that’s not a mis-spelling of ‘Referrer’. It has to be spelled ‘Referer’.

Prior to doing this last night, I was checking the spam stats every two hours, and that Lindens post was getting two to three comments every single hour. I edited .htaccess, then went to bed. I checked again this morning.

Not a single spam comment.

I checked again at each of my work breaks. Again, not a single comment. If I’d not added those two sections to .htaccess then, going by history of two comments per hour, that post would have received (between 9pm and 12 noon the next day) approximately 30 spam comment attempts.

It was only when I got home and checked again at around 3pm that I finally had a spam comment attempt, and it wasn’t referrer spam. In short, this shit works. Granted, it’s only been one day, but every single day so far has seen at least 10-20 spam comment attempts from these referrers, and today I’ve had just one ‘traditional’ spam comment attempt.

If you’re enduring the same batshit-annoying referrer spam on your (self-hosted; sorry, but you don’t get an .htaccess file if you’re not hosting your blog on your own website) WordPress blog, I want to share this with you.

– Look in your root directory for your .htaccess file and use your FTP client to download it to your hard drive.
– Make a backup copy of the original and stash it somewhere safe.
– Open the file using Notepad or any other simple text editor (NOT Word!)
– If there’s already stuff in the file, add everything I’m about to paste below after it.
– First, add the following:

# BAN Spambots
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*YOURWEBSITE.COM* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]

– Replace YOURWEBSITE.COM with your own website URL. Don’t include the www bit.
– Leave a line, and then add the following:

# BLOCK referrer spam
SetEnvIfNoCase Referer SPAMURL.COM spammer=yes
SetEnvIfNoCase Referer SPAMURL.COM spammer=yes
SetEnvIfNoCase Referer SPAMURL.COM spammer=yes
Order allow,deny
Allow from all
Deny from env=spammer

– Replace SPAMURL.COM with the URL of the referrer (example: usabestads.com – again, no www or anything).
– Save the file. It should begin with a period/fullstop and have no suffix, so make sure you just save it as .htaccess
– Upload it to replace the old .htaccess file.
– Check to make sure your site’s still working. If it’s all good, leave it be and just watch your spam stats. Hopefully, like mine, they will reduce drastically.

These are my full Askimet stats since I began the blog. I’ll be keeping an eye on this, to see if the totals for February are much lower than recent months:

The spam subjects come in waves. In November and early December (killer months, both) I was getting an insane  amount of spam about NFL jerseys. Interspersed with all of that is the usual kidney disease, diabetes, Vuitton/Gucci/etc handbags bullshit. Sadly, the side-effect of having a blog about fashion (even if it’s virtual fashion) means that you get a ridiculous amount of fake designer clothing and accessories spammers trying it on.

And, seriously, if making this post means I can help one more frustrated blogger rid themselves of this fucking annoying shit, then it was worth it. Let me know how you get on, if you give it a go.

UPDATE #1

Since making this post, I’ve installed two further WordPress plugins. The first is Bad Behavior. Within half an hour, I could see exactly why  the blog has been loading so slowly for me. TENS of brute force attempts to log in via my wp-login.php file, to hack the site and gain access to it by using the default ‘admin’ username (HUGE hint: never, ever keep your WordPress login username as ‘admin’) and random passwords. We’re talking literally one attempt every second. Now, I know that WordPress regularly gets attacked in waves like that, but it was clearly the reason why the site was running so slowly for me. Here, this will give you an idea. Check out the times:

09:44:32, then 09:44:34, then 09:44:35. Every. Single. Second. In fact, between the times of 09:41:15 and 09:44:35 (read that closely: it’s a space of three minutes and twenty seconds) that IP address made 163 attempts to log into my site as the admin user.

Woah, mama. What the hell to do about that?!

I did some googling and found out how to block all access to my wp-admin files, unless the originating IP is my own personal IP. The article for how to do that is here (scroll down to ‘Limit Access to wp-admin by IP’). Or, you can just add the following to the .htaccess file you’ve already created, changing  YOURWEBSITE.COM to, well, your website.

NOTE: Even though I’ve used the <code> command to paste this text, WordPress has still stripped out some coding. Please ensure that you replace the bright orange [ with an opening caret < and the bright yellow ] with a closing caret >

# BAN access to wp-login
[IfModule mod_rewrite.c]
RewriteEngine on
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?.YOURWEBSITE.COM [NC]
RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin$
RewriteRule ^(.*)$ - [R=403,L]
[/IfModule]

Following on from that, I made some further .htaccess changes to deny access to wp-config.php. Again, substitute the [ and ] as before, with opening and closing carets.

[files wp-config.php]
order allow,deny
deny from all

Lastly, I installed the Wordfence plugin, as a final (and pretty damn awesome) security tool. This offers scanning of all files on your server, comparison of all themes and plugins and WordPress files against their up-to-date repository, to inform you if anything has been hacked or changed. It even has a live traffic tool. *waves* to the Baidu crawler which has accessed the site four times in the last 2 minutes*

So what’s happened after that? Well, after a heart-stopping moment when my entire site went pouf on me (after I forgot to change FTP directories and uploaded a rather important file in a place where it didn’t belong – oops?) overall, it’s suddenly started running like shit off a shovel for me. About ten times faster than it was before. Wordfence, plus the .htaccess edits, seem to be stopping all access to the hackers, as Bad Behaviour’s logs are no longer full of repeated attempts to login. I’ll keep monitoring over the weekend, and update this post with my findings.

UPDATE #2

Just 15 minutes of watching the live traffic tool told me that the Yandex bot (Russian search engine) was crawling my site every minute or so, and trying to access images as pages. This is another thing that is probably slowing the site, so I’ve blocked the Yandex bot via my .htaccess file, too. As before, replace the coloured square brackets with opening and closing carets.

SetEnvIfNoCase User-Agent "^Yandex*" bad_bot
[Limit GET POST]
Order Allow,Deny
Allow from all
Deny from env=bad_bot
[/Limit]

UPDATE #3

Well, it’s now Feb 2nd, and I’ve gone from Askimet catching up to 30 spam comment attempts per day, to… just three in three days. All thanks to my .htaccess edits, and those two WordPress plugins. It’s actually quite unnerving to see the attempts to hack your login page, in real time. One thing you MUST make sure you do is ensure that you don’t have an administrator account on WordPress called ‘admin’. If you log in as ‘admin’ then you’re asking to get hacked, as that’s what the hackers go for.

Once February is done (and if I remember) I’ll post a screenshot of my Askimet stats again, so you can see the dramatic drop in spam that’s getting through to be caught by the filter.

Further reading

WordPress Codex: Hardening WordPress
WordPress Codex: Brute Force Attacks
WordPress Codex: Combating Comment Spam/Denying Access