Getting tough on spam users…

I run a simple little blog here.  I don’t make any money off of my site even, although I’m not averse to doing so as long as it isn’t obtrusive.  I don’t sell anything, nor do I accept submissions other than comments.  The posts here are my own: they aren’t scraped, syndicated from, or re-posted from anywhere else.  Mostly, this site is a vanity site, like a billion others on the Internet.

Despite the complete lack of commercial value to my site, it gets spammed.  Comment spam was a problem a few years ago, and I’ve managed that via Akismet and Bad Behavior plugins for WordPress.  There are still about 100 spam comments a day hitting my site, but only one or two make it through my watchdogs.  Lately, however, there has been a new irritant: spam users.


Starting about two months ago, my site has been getting about 50 new user registrations per day.  These registrations have obviously fake user names like “AAdaeFAe”, and email addresses mostly originating in Russia or China.  I made an initial stab at stemming the tide a couple of weeks ago by adding a plugin that was supposed to require the registrant to correctly enter a reCAPTCHA code before they could submit- unfortunately, it didn’t work properly.  But I don’t give up easily, especially when my inbox is filling with “New User” messages.

I now have a working reCAPTCHA plugin, as well as an automatic inactive user pruner.  If a user manages to successfully create a user ID, and doesn’t post at least one comment within a certain time frame, their ID will be removed.  This should clear up my user database fairly quickly: it already deleted nearly 900 IDs on the first pass.
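The pruning rule described above, written as a dry-run query. This is an added example, not the plugin's code. It assumes the default `wp_` table prefix, a 14-day grace period, and that only approved comments count as activity (the post does not say which comments count); SQLite stands in for the site's MySQL database, and the sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timedelta

# Dry run: list subscriber accounts past the grace period with no approved comment.
# Assumes the default "wp_" prefix; WordPress stores roles PHP-serialized in usermeta.
PRUNE_SQL = """
SELECT u.user_login
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
WHERE u.user_registered < :cutoff
  AND m.meta_value LIKE '%"subscriber"%'      -- never touch admins/editors/authors
  AND NOT EXISTS (SELECT 1 FROM wp_comments c
                  WHERE c.user_id = u.ID AND c.comment_approved = '1')
ORDER BY u.ID
"""

def prune_candidates(conn, now, grace_days=14):
    """Return logins the pruning rule would delete (nothing is deleted here)."""
    cutoff = (now - timedelta(days=grace_days)).strftime("%Y-%m-%d %H:%M:%S")
    return [row[0] for row in conn.execute(PRUNE_SQL, {"cutoff": cutoff})]

def demo_db():
    """Constructed sample data in an in-memory copy of the relevant columns."""
    sub = 'a:1:{s:10:"subscriber";b:1;}'
    adm = 'a:1:{s:13:"administrator";b:1;}'
    users = [
        (1, "admin",    "2010-01-01 00:00:00", adm),  # no comments, but privileged
        (2, "AAdaeFAe", "2024-01-01 00:00:00", sub),  # never commented
        (3, "reader",   "2023-06-01 00:00:00", sub),  # has an approved comment
        (4, "newbie",   "2024-01-30 00:00:00", sub),  # still inside grace period
        (5, "xkqzzt",   "2024-01-02 00:00:00", sub),  # only comment was flagged spam
    ]
    comments = [(1, 3, "1"), (2, 5, "spam")]
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_comments (comment_ID INTEGER PRIMARY KEY, user_id INTEGER,
                                  comment_approved TEXT);
    """)
    for uid, login, registered, caps in users:
        conn.execute("INSERT INTO wp_users VALUES (?, ?, ?)", (uid, login, registered))
        conn.execute("INSERT INTO wp_usermeta VALUES (?, 'wp_capabilities', ?)", (uid, caps))
    conn.executemany("INSERT INTO wp_comments VALUES (?, ?, ?)", comments)
    return conn

if __name__ == "__main__":
    print(prune_candidates(demo_db(), datetime(2024, 2, 1)))
```

Reviewing the returned list before deleting anything is what keeps a mistake in the role filter or the cutoff from removing a real account.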

The thing I don’t understand about this latest round of spam is: why?  What possible benefit does a registered user have on a normal WordPress site?  I guess it would be useful if, for example, I had my site set up to permit registered users to post unmoderated comments- but I don’t.  A user has to submit a comment that I approve before they can submit future comments: thus far, no automated bots have made their way through the simple process of me looking for signs of intelligence in their posts.  And you don’t need to register at all to go through this process on my site: an unregistered user can attempt to post a comment as well, and it goes through exactly the same moderation process.


I suppose the best explanation I can come up with is this.  In modern society, rattling the door knob on a house to see if you can get in is kind of pointless: 99.999% of the time it will be locked.  It is therefore by definition a stupid way to try to gain entry.  But because of the wonders of automation, hackers and spammers can rattle billions of door knobs a day: en masse, it becomes a less stupid strategy.  Unfortunately, it becomes vastly more irritating…


One thought on “Getting tough on spam users…”

  1. Hey, to be honest you should take a look at methods of halting spam by being significantly less of a target, rather than dealing with the spam programs when they are tapping at your website.

    The trouble with open source engines just like Joomla, WordPress, etc. is bot runners scanning for susceptible websites for spamming comments or security risks to insert malware. He or she can do that since all of these open-source engines by default leave an electronic digital footprint on top search engines, for example Bing and Google. I’ve written and published a post in regards to this on my small internet site; you should check it out. It’s certainly ideal for halting spam and malicious software, and to prevent being a targetable target for them.

    steven haytor
