I run a simple little blog here.  I don’t make any money off of my site even, although I’m not adverse to doing so as long as it isn’t obtrusive.  I don’t sell anything, nor do accept submissions other than comments.  The posts here are my own: they aren’t scraped, syndicated from, or re-posted from anywhere else.  Mostly, this site is a vanity site, like a billion others on the Internet.

Despite the complete lack of commercial value to my site, it gets spammed.  Comment spam was a problem a few years ago, and I’ve managed that via Akismet and Bad Behavior plugins for WordPress.  There are still about about 100 spam comments a day hitting my site, but only one or two make it through my watchdogs.  Lately, however, there has been a new irritant: spam users.

Starting about two months ago, my site has been getting about 50 new user registrations per day.  These registrations have obviously fake user names like “AAdaeFAe”, and email addresses mostly originating in Russia or China.  I made an initial stab at stemming the tide a couple of weeks ago by adding a plugin that was supposed to require the registrant to correctly enter a reCAPTCHA code before they could submit- unfortunately, it didn’t work properly.  But I don’t give up easily, especially when my inbox is filling with “New User” messages.

I now have a working reCAPTCHA plugin, as well as an automatic inactive user pruner.  If a user manages to successfully create a user ID, and doesn’t post at least one comment within a certain time frame, their ID will be removed.  This should clear up my user database fairly quickly: it already deleted nearly 900 IDs on the first pass.

The thing I don’t understand about this latest round of spam is: why?  What possible benefit does a registered user have on a normal WordPress site?  I guess it would be useful if, for example, I had my site set up to permit registered users to post unmoderated comments- but I don’t.  A user has to submit a comment that I approve before they can submit future comments: thus far, no automated bots have made their way through the simple process of me looking for signs of intelligence in their posts.  And you don’t need to register at all to go through this process on my site: an unregistered user can attempt to post a comment as well, and it goes through exactly the same moderation process.

I suppose the best explanation I can come up with is this.  In modern society, rattling the door knob on a house to see if you can get in is kind of pointless: 99.999% of the time it will be locked.  It is therefore by definition a stupid way to try to gain entry.  But because of the wonders of automation, hackers and spammers can rattle billions of door knobs a day: en masse, it becomes a less stupid strategy.  Unfortunately, it becomes vastly more irritating…