All about website and hosting security

The Many Ways to DDOS and Why

DDoSing (Distributed Denial of Service) is the process of sending packets at a rate high enough to force a network to crash. Many people use this technique to crash websites or home connections. Network packets: data split into chunks (packets) that are sent between your computer and a router, carrying all the data you receive and send out. Booting: slang for the process of DDoSing, often used when talking about “knocking” someone offline.

The Many Ways to DDoS

To perform a DDoS attack you can choose from a wide range of methods. Using a downloadable program such as HOIC (High Orbit Ion Cannon) to knock out someone’s connection is not the most effective way to carry out a DDoS attack, as it usually ends up crashing or severely lagging your own network. Another problem with using your own network to DDoS is that if you don’t use a proxy or VPN, your IP address is exposed to whoever you attacked.

DDoS Attack Protection

A solution to this problem is using a proxy list (www.hidemyass.com) or a free VPN (HotSpotShield). Another method used by many hackers is an online booter or “stresser”, a code name for a DDoSer, like www.microstresser.com (this website is for testing your home connection’s strength, not to be used in malicious ways). Almost all stressers are paid, but they are much more effective due to their strength and 99% anonymity, as the traffic will trace back to the website. Also, I would like to remind you that DDoSing is a malicious and highly illegal act in the United States.

A Little Bit of History of DDoSing

The group given credit for making DDoSing a popular and easy way to knock out a connection or server is the widely known hacker group Anonymous. Through chatrooms, Skype, emails, etc., many booters are distributed to members. The HOIC (High Orbit Ion Cannon) is the newer model of the earlier LOIC (Low Orbit Ion Cannon). Alone, these booters aren’t much of a threat, but with thousands of people using them at a time, websites like PayPal or even major North Korean government websites can be shut down by the flood of packets these groups send.

DDoS attacks

Overall, DDoSing is an effective way to knock out your enemy’s internet, but it is a highly illegal technique.

How Can I Protect Myself?

On your home network, the cheapest and best way to protect yourself from DDoSing is to use a VPN service that provides a tunneled network. Using a VPN has other positive attributes as well, and it only costs around $6 a month; it’s a good thing you’re not an internet company.

Server / Website

For servers and websites, DDoS protection doesn’t come cheap but is widely available. I recommend a service called Cloudflare; it’s fairly cheap, with prices ranging from $20 to $3000 per month.

Why would a Hacker DDoS?

Most of the time the attack is aimed at shutting down a website or server, but lately a high number of skids have been DDoSing players in online games to make them time out and lose. Hackers will also DDoS a server to slow it down without crashing it, so they can crack the SSL key before it resets. It might be important to mention that hackers sometimes get paid to DDoS companies that are creating competition.

Protecting WordPress With Htaccess

WordPress has become the topmost CMS in the virtual world, pushing its competitors Drupal and Joomla far behind. However, with great popularity comes great risk! There are so many spammers, hackers and bad people around the internet trying to attack WordPress sites in every possible way. This is why you should take some effective steps to keep your WordPress site protected from potential threats. One of the best, and probably the simplest, ways to strengthen the security of your WordPress website is to alter the .htaccess file.


What is .htaccess?

Hypertext Access, commonly abbreviated .htaccess, is a configuration file in your WordPress site directory. By making the right additions or alterations to the .htaccess file, you can keep your WordPress site safe and protected from various threats. Now let us see some ways of protecting WordPress with the use of .htaccess.

Authorize

One of the best ways to protect your WordPress site is by restricting access to the .htaccess file itself to authorized personnel only. This protects the file and makes sure that no one misuses it.

Rewrite URLs

Another good way of protecting your WordPress site from dumping visitors onto a Page Not Found page is to rewrite URLs. For one reason or another, we sometimes change the name of our website or blog. There should not be any confusion when an old visitor tries to revisit a page: the old URL should be redirected to the new one so that you do not lose potential customers. The best way to redirect one address to another is by using the .htaccess file. Changing URLs regularly is also one way of protecting the WordPress site from potential dangers.

Directories

The directories of your WordPress site are very important to keeping the whole site intact, so you may not want visitors browsing them. With the .htaccess configuration file you can control directory listings and make sure that visitors cannot look into the directories.

Protecting wp-config.php

The wp-config.php file is one of the most important files in your WordPress installation. It stores crucial information about your site, such as database credentials and security keys. This information is very sensitive, and you should hide it from attackers to avoid damage to your WordPress site. You can do this by editing your .htaccess file to deny access to wp-config.php.

Blocking Threatening IP Address

If you have found a particular IP address attempting to log into your admin page to attack your WordPress site, then you can block that IP address or person by using your .htaccess file.

Blocking Entry to wp-content

The WordPress content folder (wp-content) within the WordPress install is an important folder that contains themes, images and other sensitive files. So it is good to block direct access to this folder by other people. To do this, add a .htaccess file to the wp-content folder that permits users to load CSS, images, etc., but blocks direct requests to the crucial PHP files.
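As an added example (not from the original post), here is one way to put the protections above into two .htaccess files: the site-root file restricts .htaccess itself, redirects a renamed page, turns off directory listings, denies wp-config.php and blocks one address; the wp-content file denies direct requests to PHP files while static assets still load. The redirect paths and the blocked address are placeholders; both Apache 2.4 (`Require`) and 2.2 (`Order`/`Deny`) syntax are included so the file works on either.

```apache
# ---- /.htaccess (site root); constructed example, adjust paths to your site ----
# Needs AllowOverride to permit Options, Limit/AuthConfig and FileInfo, or Apache returns 500.

# Only the server should read .htaccess/.htpasswd; never serve them over HTTP.
<FilesMatch "^\.ht">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Redirect a renamed page so old links do not land on a 404 (placeholder paths).
Redirect 301 /old-about-page/ /about/

# Do not list directory contents when no index file is present.
Options -Indexes

# wp-config.php holds database credentials and salts: never serve it.
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Block one source address seen hammering the login page (placeholder from TEST-NET-3).
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        Require not ip 203.0.113.45
    </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
    Deny from 203.0.113.45
</IfModule>

# ---- /wp-content/.htaccess; constructed example ----
# Deny direct requests to PHP under wp-content (uploads, themes, plugins) while CSS,
# images and JavaScript are still served. Caveat: a few plugins expect direct access to
# their own PHP files; test the site afterwards and allow such files with a <Files> block.
<FilesMatch "\.php$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

Before relying on the rules, request /wp-config.php and /wp-content/index.php in a browser and confirm both return 403.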

By editing .htaccess files you can boost the security of your WordPress site. Making edits is very simple; however, you should do it with proper attention to avoid big errors that, if not noticed, can even break your entire site.

Securing WordPress Pages with SSL

Security is one of the most important things in the online world. You face the threat of hackers whenever you’re online, and those people do their best to access your confidential information. In WordPress terms, this confidential information is your administrator username and password. Once hackers get your login details, they will be able to control your website and do whatever they want: take your site down, steal the information of your site members, and other worst-case scenarios.

There are plenty of ways you can secure WordPress, and one more way to make your site more secure is to enable SSL encryption for your login session. This is extremely important, since SSL ensures that all of your data is encrypted before it is transmitted over the internet. This encrypted data is very difficult, next to impossible, for other users, especially hackers, to read.

To get SSL security on your WordPress site, an SSL certificate is a must. If you don’t have one, you will need to get in touch with your web host to get one. If your hosting company doesn’t provide SSL certificates, you can buy one from GoDaddy for $12.99/year. GoDaddy is the cheapest and most reliable option when it comes to SSL certification. Once you make the purchase, forward the details to your web host, and they can set up the SSL certificate on the server for you. Then, you can follow the steps below to get SSL security for your WordPress login sessions.

  • The first thing you should do is open your site directory through cPanel File Manager or FTP.
  • Once you are in the files directory of your WordPress site, edit the wp-config.php file.
  • Once you open this file, append the code below and then save the file. Actually, you can paste this code anywhere; there’s no specific place in the file where you need to insert it.

/* Enable SSL Encryption */
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);

  • Once you’ve copied, pasted, and saved the code, your WordPress site admin area will load over SSL. For instance, if your website domain is http://www.mysite.com, it will load the admin area as https://www.mysite.com/wp-admin.

Using SSL encryption for your site is really to your advantage. The steps above make WordPress use SSL for the admin area. You can also set up SSL encryption for the other pages of your blog.

Setup SSL on your WordPress blog

If you sell goods or services, or have a donation button, you definitely need to use an SSL certificate in order not to get into trouble. Implementing an SSL certificate on WordPress is very easy thanks to the WordPress HTTPS plugin. Once your hosting provider sets up the SSL certificate for your domain, you can use the following instructions to enable SSL on your WordPress blog:

  • Install and activate the WordPress HTTPS plugin.
  • Go to the HTTPS menu in the WordPress admin console.
  • Enter your domain name as the SSL Host.
  • Check the box for “Force SSL Exclusively”. If you want to enable SSL for the whole website, you don’t need to check this box. However, there is no need to enable SSL for the whole website; it is better to keep only a few pages served via https and check the box.


  • Edit the page or post you want to enable encryption for. You will see an HTTPS box appear in the right pane. Click on Secure Post so that this page or post will be accessible via https from now on.

Top 6 Steps to Securing your WordPress Installation

WordPress is probably the most well known piece of open source software available right now, and one of the great benefits of open source is that everyone can have it for free. Everyone. Yes, that includes hackers and people with less-than-honorable intentions. Which is why I’m going to show you 5 things you can (and should) do to help secure your WordPress installation.

1. Delete the default admin user

Anyone who has ever used WordPress knows that the default login is admin and that it comes with all the privileges. Changing this user ID to something else will help prevent hackers from walking in the backdoor of your website and making themselves at home.

2. Choose a strong password

While deleting the admin username will deter most garden-variety hackers and ne’er-do-wells, some will simply not stop there. Choosing a strong password will make it that much harder for hackers to gain access to your site. So, what makes up a strong password? Not using your dog’s name, for one. Nor thinking your birthdate in numerals is a secure password. Instead, try using an obscure combination of letters and numbers for your password; the more obscure the better. Just remember to write it down or store it somewhere safe that you’ll remember.

3. Always update WordPress

WordPress has an amazing team of developers and coders behind it. In addition to the new features included with each release, the team also addresses a number of vulnerabilities with each release. Updating your WordPress site as soon as you can after a new version is released helps keep your site secure as well as up to date feature-wise.

4. Hide WordPress version

If, for some reason, you don’t have your WordPress site up to date, hiding your version number from hackers will at least not hand them a menu of what they can do to your site. Being able to see which old version you’re running lets hackers know which vulnerabilities they can exploit to do their dirty work.

All you need to do to hide your version number from them is open your functions.php file in Appearance >> Editor (if you don’t have a functions.php file you can easily create one) and add this bit of code at the bottom of the file (if functions.php already ends inside an open <?php block, add only the remove_action line, without the surrounding tags):

<?php remove_action('wp_head', 'wp_generator'); ?>

Don’t forget to save the page after you do this!!

5. Don’t use wp_ as the database table’s prefix

When you are setting up your WordPress site initially, the default setting for the database table prefix is wp_. This is one of the first things people with bad intentions will look for, because it is one of the most overlooked settings when people set up their sites. Simply adding a couple of characters to the beginning (changing it to something like bgwp_) is enough to make hackers move along to the next thing.

6. Backup & Antivirus

It hopefully goes without saying, but installing a backup plugin and doing regular backups can make all the difference in the world if something does go wrong. The last thing you want to do is lose all your content and work if your site is taken down by a hacker. By doing regular, full backups and storing them off your site (Dropbox, Amazon cloud service, even your local computer) you make it much easier to bring your site back to where it was, quickly and easily. Another thing you should not forget is to install a website antivirus.

How to identify reliable websites from shady ones?

Before you enter personal information into any kind of Web form or Web-based application, you must decide whether you can trust the website’s owner with that personal information. You should not assume that your private information will be used exactly the way you want, since your own expectations of privacy may differ from those of the site owner.

Even the most secure Web services can suffer accidents that reveal private data. You should be confident that the site can be relied on to secure your personal information the way you wish before you disclose that information. So what does it actually mean to trust a Web site?

People make decisions about trust based on instinct when confronted with evidence. Let’s look at some evidence of trust on a Web site.

A reliable e-commerce Web site, for instance, should:

  • Give customers visible assurances that their personal information is secured
  • Voluntarily follow ethical principles for doing business on the internet
  • Be a visible business partner of organizations in which the public maintains a high level of trust, such as the Better Business Bureau
  • Submit itself to regular external reviews of its security and privacy practices
  • Visibly use and offer the current information security technology available

Another thing you should do is look for the signs of organizations which indicate that the site has taken action to present itself as trustworthy, such as the TRUSTe or BBBOnLine seals.

You will find these seals displayed on the Web site: TRUSTe (www.truste.com), an organization which ensures Web sites operate in accordance with a defined privacy standard, or the Better Business Bureau (www.bbbonline.org). These organizations require Web sites to follow specific ethical standards for conducting business online, such as displaying privacy policies, before the sites may display the trust seals. They take measures to make sure it is next to impossible for Web sites to show these seals until they meet the organizations’ requirements. If you see these seals, you can be fairly confident the site is not malicious and sticks to a sensible set of privacy standards.

If a Web site doesn’t display these seals, it doesn’t mean the site is malicious or untrustworthy. The site owners could be in the process of meeting the requirements of such trust organizations, or they may feel their standards are high enough that taking part in these programs isn’t necessary. You will want to trust your instincts when doing business with such Web sites. Remember, you always have the choice of using another Web site or placing an old-fashioned order by telephone or mail.

If you get the sense something isn’t quite right at a site, it probably isn’t. Follow your instincts and stay suspicious of it. Get more information about the site before you hand over any private information. Look up the site with the Better Business Bureau’s online search tool. If a site doesn’t live up to its own privacy policy, you can report it to the BBB.

SSL Security

Another sign of trust you can look for is whether the Web site uses Secure Sockets Layer (SSL) and other visible security measures to protect your data. Basically, SSL is a mechanism for doing two things: confirming that the Web server is authentic, and encrypting private data as it travels between the browser and the Web server. SSL should always be used when private, sensitive information (for example in a financial transaction) has to be sent to a Web server, but it is typically not used when you’re simply browsing or sending non-sensitive information. Use of such measures demonstrates a site’s dedication to protecting your data with the latest security technologies. Generally, though, the most reliable tool for evaluating risk while dealing with a Web site is the site’s privacy policy.

Managing Risk on the Web with SSL Certificates

Once you decide to trust a Web site, you still need to reduce your exposure to situations in which personal information could be intercepted in transit, by managing the risk you have accepted.

Managing risk on the Web means taking the steps needed to make sure your personal information is secured when you interact with Web servers. To do this, you need to understand how to use SSL for secure transactions, how to use SSL certificates, and how to manage passwords, payment options, and the ability to surf anonymously.

Protecting Yourself With SSL Certificates – your web browser helps determine server authenticity using a protocol called Secure Sockets Layer (SSL) for secured transactions. Whenever your web browser connects to a Web server using SSL, it validates the identity of the Web server on your behalf. It asks a certificate authority (CA) to validate the Web server, which is known to the CA because the Web server’s owner purchased the SSL certificate from the CA.

The CA compares the secured Web site’s certificate to the information it has on file and certifies that the two are the same. Once the authority confirms the server, a secure SSL connection is established between your web browser and the Web server. You will know when you’re connected using SSL because the web browser tells you: it shows a small, closed ‘lock’ icon as an indication. In Internet Explorer, look for the small yellow closed padlock in the lower-right area of the window. Netscape 6 shows a closed padlock in the same area for pages that are protected with SSL and an open padlock for pages that are not. Opera shows a closed padlock on the left side of the address bar. Always check for these signs to make sure you have a secure connection before entering a credit card number, Social Security number, or other personal data into a Web form.

If the icon isn’t present or is in the unlocked position, SSL isn’t being used and you should not enter private information on this site. In rare instances, a Web site may prompt you for private information without using SSL and still not represent any real danger. As an illustration, the site might have a recently expired certificate that was accidentally allowed to lapse by the site’s maintenance staff. It’s careless administration, but it happens. If the site is large and generally well trusted and you’ve done business with it many times before, you are probably safe in trusting your instincts and proceeding.

You should also view the site’s SSL certificate to make sure all the information about the site is as it should be, with the exception of the expiration date. Your browser software provides the capability to do this. Internet Explorer displays the server certificate if you click the Certificates button; your browser’s help should tell you how to do this if you aren’t using IE6.

The Issued to: line confirms the site is associated with Amazon.com, which is comforting unless the user thinks she is connected to a different site.


Personal SSL Certificates

A personal SSL certificate is a piece of identification, like a driver’s license or Social Security card. The primary differences are that you carry an SSL certificate on your PC, not in your wallet, and it typically has an expiration date. Also, unlike a driver’s license or Social Security card, there are multiple organizations you can ask for an SSL certificate. A personal SSL certificate demonstrates your identity to Web servers. To obtain the certificate, you must first prove your identity to the issuer, termed a CA, by presenting other identification such as a driver’s license or Social Security card.

The CA then gives you a unique digital file, or certificate, which you import into your Web browser using the browser’s menu functions provided for this purpose. Afterward, as you surf the Web, your browser asserts your identity to Web-based applications using the certificate. When a Web server asks for your certificate, it queries the CA that issued it, which sends a validation message back to the Web server vouching that you are who you claim to be.

Personal digital certificates are often needed in order to use a Web-based e-mail service supporting S/MIME directly from your own machine. If you use a Web-based e-mail service that supports digital signatures, you will probably need a certificate for your mail server to create your digital signature. Over time, many other kinds of Web services, including internet banking or stock trading, will increasingly require you to have a personal certificate in order to access their services. This is healthy. It helps deter others from accessing your internet accounts, because they won’t possess your certificate. Other computers can’t be used to make changes to your accounts, because your PC is the only one that has the certificate. This gives you better physical control over your personal information online.

Personal SSL certificates can also be used to confirm your identity when you are digitally signing or encrypting e-mail using software that is not Web-based, or when signing on to certain types of software. The majority of certificate authorities offer personal certificates for free so that you can learn how they work. If you want to find out more about obtaining a personal certificate, an excellent place to begin is to visit a CA’s Web site and read about the services they offer.

My Joomla Site was Hacked!

If you are here because you suspect your site has been hacked, and you just want a professional to fix it ASAP, you have also come to the right place. Take a look at our Malware Removal page, and if this sounds like the service you need, just submit a request and we will have your site back up and running in less than 24 hours.

I know how terrifying a hacked website can be. Many years ago, I woke up one morning and realized that my Joomla site had been hacked as well. That incident is actually one of the reasons I have spent the last few years studying how these hacks occur and learning the techniques required to identify the vulnerability and fix a hacked Joomla site. In this article I will go over some of the basic steps one should take the minute they realize their Joomla site was hacked.

If you suspect your Joomla site was hacked, and you want to try working through it yourself, here are steps that will get you started in the right direction:

1. Take the website offline and password protect the entire site

Depending on your hosting company, you should be able to log in to your Hosting cPanel and choose an option for password protecting certain directories. I would recommend protecting the entire directory your website is located in. Click here for detailed instructions.

2. Change all your passwords

If your Joomla site was hacked, you can consider all your passwords to be compromised, and it’s a good idea to change them right away. This includes FTP, database, hosting, and Joomla admin passwords.

3. Check your server logs

Hopefully you had your server logs active; otherwise it is going to be much more difficult to identify how your Joomla site was hacked. Download the logs through your cPanel and check for words like “insert”, “replace” or “update”. Look for requests to anything other than your index.php that might indicate suspicious activity.

4. Run your cPanel virus scanner

Most major hosting companies will have this option available, and it will help you determine if malicious code had been inserted into one of your files.

5. Make sure you have a backup system in place

I recommend the Akeeba extension. You can set the extension to make a backup daily. You can also use their Akeeba SiteDiff tool to compare backups day to day and spot changes that were not initiated by you. While this won’t help you after the fact, if another attack occurs this method will help you determine if backdoors were added into your system after your Joomla site was hacked.
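As an added example (not code from the original post), the log check in step 3 can be scripted: the function below parses Apache combined-format lines, URL-decodes the query string so encoded keywords become visible, flags requests carrying SQL keywords or hitting a PHP file other than Joomla’s index.php (worse if it sits under a writable directory such as images/ or tmp/), and tallies hits per source address. The sample lines and addresses are constructed; the whitelist of expected PHP entry points is an assumption to adjust for your site.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined" format (not real traffic); the addresses
# are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2014:10:01:02 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2014:10:01:03 +0000] "GET /media/system/css/modal.css HTTP/1.1" 200 2310 "http://example.test/" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2014:10:04:30 +0000] "GET /administrator/index.php HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2014:10:05:44 +0000] "GET /index.php?option=com_foo&id=1%27%3B%20update%20jos_users%20set HTTP/1.1" 500 512 "-" "python-requests/2.2"
198.51.100.7 - - [12/Mar/2014:10:06:01 +0000] "POST /images/stories/up.php HTTP/1.1" 200 33 "-" "python-requests/2.2"
198.51.100.7 - - [12/Mar/2014:10:06:09 +0000] "GET /tmp/x.php HTTP/1.1" 200 77 "-" "python-requests/2.2"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# The words the text says to look for, plus the other common SQL verbs.
SQL_KEYWORDS = re.compile(r'\b(insert|replace|update|union|select|delete)\b', re.IGNORECASE)
# Assumed: the PHP entry points a stock Joomla site serves directly. Anything else is suspect.
EXPECTED_PHP = {'/index.php', '/administrator/index.php'}
# Directories the web server writes into; a PHP file here is the classic sign of an uploaded backdoor.
WRITABLE_DIRS = ('/images/', '/media/', '/tmp/', '/cache/', '/logs/')


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    path, _, query = entry.pop('target').partition('?')
    entry['path'] = path
    entry['query'] = unquote_plus(query)  # decode %27, %20, '+' so keywords are visible
    return entry


def reasons_for(entry):
    """List the suspicious traits of one parsed entry (empty list means it looks normal)."""
    reasons = []
    if SQL_KEYWORDS.search(entry['query']):
        reasons.append('sql keyword in query string')
    if entry['path'].endswith('.php') and entry['path'] not in EXPECTED_PHP:
        reasons.append('php file other than index.php requested')
        if entry['path'].startswith(WRITABLE_DIRS):
            reasons.append('php under a writable directory')
    if entry['method'] == 'POST' and entry['path'] not in EXPECTED_PHP:
        reasons.append('post to an unexpected target')
    return reasons


def scan_log(text):
    """Return [(ip, method, path, reasons)] for every line with at least one suspicious trait."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        why = reasons_for(entry)
        if why:
            hits.append((entry['ip'], entry['method'], entry['path'], why))
    return hits


def ips_by_hits(hits):
    """Count suspicious requests per source address, most active first."""
    counts = {}
    for ip, _method, _path, _why in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for ip, method, path, why in found:
        print(f'{ip} {method} {path}: {", ".join(why)}')
    print(ips_by_hits(found))
```

Run it against the downloaded access log with `scan_log(open('access_log').read())`; every flagged path under a writable directory is a file to inspect by hand before restoring the site.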

Conclusion: “Un-hacking” a Joomla site is not an easy task, and while these steps will help you on the way to recovery, there are so many different types of hacks that no walk-through is going to solve every problem. The best course of action is to prevent the attack from being successful in the first place. It’s important to use strong user names and passwords, keep your Joomla core and extensions up to date, and limit who you allow to access your website’s back-end.

If your Joomla site is severely infected or if you don’t have the time & expertise to implement these steps, you will probably need to hire a professional to scan all the files/logs and manually extract the malicious code piece by piece. We can provide this service, and encourage you to submit a request as soon as possible so we can get your site back up and running.

We also offer a Website Protection service in which we will review your website for potential security flaws and implement updates to prevent an attack from occurring in the first place. It’s always easier to prevent a successful hack than to repair a website after it has been compromised.

How to Change Your WordPress Admin Username and Login URL

As part of our desire to assist clients in their security needs, I have begun to produce tutorial videos on some of the common practices that can help secure your WordPress and Joomla websites. The first two videos in the series demonstrate how to change the default “admin” username for WordPress, both manually and via a popular plugin.

Both of these procedures will help to further improve the security of your website and prevent brute force attacks from successfully compromising your WordPress site.

Brute Force Attacks Against Joomla Websites

It’s an old school method of attack, but it’s back with a vengeance and with the help of a huge and evolving tool, the botnet. Let me explain what a brute force attack is, what botnets are, how they are working together, and what you can do to prevent brute force attacks against your Joomla website.

What is a brute force attack?

Brute force attacks are pretty much the most generic type of attack you can think of. If you have a Joomla website, your administrator login URL is pretty much obvious: Yourdomain.com/administrator… From that screen, a brute force attack will basically use an automated script to plug in random usernames and passwords until it guesses your combination and has access to the backend of your website.


What is a botnet?

A botnet is a network of computers that have been infected with the same type of malware or virus. Once infected, these computers can be controlled by a central command which can use the individual computers to communicate with the internet and attempt to log in to your website.

In the past, we would see all the login attempts originating from the same computer, which would have a single IP address. That means a simple measure such as restricting the number of failed login attempts from the same IP address would essentially stop the brute force attack. The attacker would enter the wrong combination 5 times in a row, and the system would block that computer from attempting to log in again for a set period of time.

How do they work together?

When these attacks are being waged by a botnet, which could be comprised of 100,000 individual computers with 100,000 unique IP addresses, that old system of prevention is no longer enough to stop the attack. The attacker could literally switch to a new IP address every second for an entire day, or until one of the computers guessed the correct combination.
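To make the per-IP versus per-account point concrete, here is an added simulation (not code from the original post) that runs both throttling rules against the two attack shapes the text describes: one host guessing repeatedly, and 100 hosts with distinct addresses each guessing once. The window and limits are assumed values; the addresses are constructed from the RFC 5737 documentation ranges.

```python
from collections import defaultdict, deque

# Assumed policy values: a sliding window of 10 minutes, 5 failures per source address
# and 10 failures per target username.
WINDOW_SECONDS = 600
IP_LIMIT = 5
ACCOUNT_LIMIT = 10


class LoginGuard:
    """Counts recent failed logins both per source IP and per target username."""

    def __init__(self, window=WINDOW_SECONDS, ip_limit=IP_LIMIT, account_limit=ACCOUNT_LIMIT):
        self.window = window
        self.ip_limit = ip_limit
        self.account_limit = account_limit
        self.ip_failures = defaultdict(deque)       # ip -> timestamps of failures
        self.account_failures = defaultdict(deque)  # username -> timestamps of failures

    def _prune(self, stamps, now):
        # Drop failures that fell out of the window so old mistakes do not count forever.
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()

    def check(self, ip, username, now):
        """Return (blocked_by_ip, blocked_by_account) for an attempt arriving at time `now`."""
        self._prune(self.ip_failures[ip], now)
        self._prune(self.account_failures[username], now)
        return (len(self.ip_failures[ip]) >= self.ip_limit,
                len(self.account_failures[username]) >= self.account_limit)

    def record_failure(self, ip, username, now):
        self.ip_failures[ip].append(now)
        self.account_failures[username].append(now)


def simulate(attempts):
    """Run wrong-password attempts through one guard; every attempt is a wrong guess.

    attempts: iterable of (ip, username, timestamp).
    Returns (refused_by_ip_rule, refused_by_account_rule)."""
    guard = LoginGuard()
    refused_ip = refused_account = 0
    for ip, username, now in attempts:
        by_ip, by_account = guard.check(ip, username, now)
        refused_ip += by_ip
        refused_account += by_account
        if not (by_ip or by_account):
            guard.record_failure(ip, username, now)  # the guess reached the form and failed
    return refused_ip, refused_account


def single_host_attack(n=100):
    """Constructed: one machine guessing `n` passwords for 'admin', one per second."""
    return [("203.0.113.5", "admin", t) for t in range(n)]


def botnet_attack(n=100):
    """Constructed: `n` infected machines with distinct addresses, each guessing once."""
    return [("198.51.100.%d" % i, "admin", i) for i in range(n)]


if __name__ == "__main__":
    print("single host:", simulate(single_host_attack()))  # the per-IP rule stops it
    print("botnet     :", simulate(botnet_attack()))       # only the per-account rule stops it
    # Caveat: an account-level hard lockout also lets a botnet lock the real administrator
    # out, so pair the account counter with a progressive delay or a CAPTCHA rather than a
    # hard block, on top of the unusual username and strong password the text recommends.
```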

What to do?

So what can you do to stop brute force attacks against Joomla websites? At the moment, you can’t do much to stop the attack from occurring, but you can take steps to prevent the attack from being successful. If you are using a login username such as “Admin”, “Administrator”, or even your first name, you should change it immediately. Also, use a password with a combination of letters, numbers, cases, and symbols.

If you hire someone to do work on your website, create a login specifically for them and only with the access level they need to do their job. When they finish, delete the user. If they don’t absolutely need your FTP login, don’t give it to them. And you definitely want to be using the latest stable version of Joomla and have your extensions up to date! Just doing those few things will put you way ahead of the game.

As always, if you need professional help securing or removing malware from your website, we are here to help. Just send us a request, and we will get back to you ASAP. In the meantime, happy surfing!

How to prevent Joomla Brute Force Attack

How to Recognize and Reduce Spam On Your Website

Spam. Anyone with a blog or a forum has had unwanted intimate relations with spam and many different spammers. Spammers are the single most persistently annoying, and sometimes confounding, issue a blog or forum owner must deal with. Whenever I start working with a client that has already set up their WordPress site and is now coming to me for some administrative help, one of the first problems that must be dealt with is the spam that has made it through to their posts.

These clients often think that because they have Akismet, and perhaps Bad Behavior or another spam plugin installed, that their site is safe from spammers. It is not and there is a bit to learn if you are to keep your site clean. Some obvious spam, like totally unrelated comments laced with links to filthy sites and pharmaceutical sales pitches, are easily stopped by the WordPress plugins. If you have installed a couple of these, at least 75% of the spam targeting your site will be blocked. But with hundreds of spams coming in every day, blocking 75% is not enough.


Even the newest, loneliest sites will attract spammers. I recently had a client whose site had been up for many months and included over 50 posts. The site had well over 100 comments, but at least 95% were from spammers. Many of these spammers were so good that the client had even responded to the spam comment as if replying to a real person. At the end of this post, I will recommend a few specific WordPress plugins that will help keep out spammers. But first I will give some specific examples and suggestions that anyone, even if not using WordPress, can use to keep spam at bay.

Though there are several types of spam, they all have one thing in common: the spammer wants links posted on your site that point back to their own. They often don’t even care whether the links are ever clicked; the links themselves are the goal, because search engines treat inbound links as a sign of a site’s credibility, and more of them can push the spammer’s site higher in search results.

Automated, trashy spam: The biggest type is fully automated spam with so many red flags (multiple links to many different sites, no relation to the post at all) that spam filters block it fairly easily. Most blogging platforms, WordPress included, do a good job keeping this type out.

Automated, targeted spam: This type is also generated by software, but it tries to slip through by appearing to relate to your post. The comments are usually so generic that they could be posted under almost any blog article without jumping out as spam. Here are a few examples:

“It’s strange that we agree so much on this issue yet hail from completely different parts of the globe”
“Thanks for the great article, I enjoyed reading it”
“Good job! What a great post!”
“You got a really useful blog I have been here reading for about half an hour. I am a newbie and your post is valuable for me.”
“I’m extremely impressed with your writing skills as well as with the layout on your blog. Is this a paid theme or did you customize it yourself? Anyway keep up the nice quality writing, it is rare to see a nice blog like this one nowadays.”
“Thanks for this! I will be reading more of your posts and will come back often.”

These comments can fool new bloggers into not only leaving them on their sites, but replying to them with a comment of their own. The best way to deal with them is to look at every incoming comment with skepticism. Ask whether it says anything specific to the post, or whether it could have been pasted under any article at all. Then look at every link the commenter left, including the one behind their name, before approving anything: the domain alone usually gives a spammer away, and you can read it from the moderation screen without visiting the site, which is safer than clicking through to a link you already distrust.

Spammers run programs that scan the web for posts mentioning words like “author” or “book” and then post a comment built around them, such as “I have read his book once from a friend and it is very encouraging and really worth the read.” They do the same with words like “vitamins”, “organic food”, and “whole wheat bread”, generating a comment that looks real. Hard to believe at first, I know, but these sleazy spammers really are that good!

The final kind of spam is the most annoying, and it comes in two types, both written by a real person. The first is a comment posted under a genuine-sounding name like Susan or David, with content that also tries to seem genuine. Often the comment is lame because the poster is hurrying around to many sites leaving similar comments. The key is to look at the link they leave and judge what their motivation for commenting is. The second type leaves a comment like the first, but instead of making up a “real” sounding name, uses a keyword as the name. Examples are “SEO Expert”, “Houston Real Estate”, or “Lose Belly Fat”.

I require that people use a name, not a keyword to comment on my sites. I also check links and if a link is spammy, I delete it. I may not always delete the comment, but will delete the link. If someone is making a comment just to get a link to their site selling something, I believe they either need to make one heck of an astounding comment or they should be buying an advertisement. This approach requires some flexibility. I have a few regular commentators that leave really good comments that do add to the conversation, but the link to their site is pretty commercial in nature. I let these go. I figure if someone is regularly making well thought out comments then they are contributing in a way that prompts me to allow their link to a sales page of their website.
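The red flags above (several links in the body, praise that could sit under any post, a keyword instead of a name, a commercial link domain, and nothing that engages with the actual article) can be turned into a score that decides whether a comment goes straight through or waits for a human. The following Python is an added example, not code from this page and not from Akismet or any plugin mentioned here; the phrase lists, the domain hints, the threshold and the three sample comments are all assumptions made for illustration.

```python
"""Triage blog comments with the red flags described above.

Added example, not code from the page and not from any plugin named in it:
a heuristic scorer over constructed sample comments. Phrase lists, domain
hints, thresholds and the samples are assumptions for illustration.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r'https?://[^\s"<>]+', re.IGNORECASE)

# Generic praise that fits under any post (assumed list, not exhaustive).
GENERIC_PHRASES = (
    "great post", "great article", "thanks for sharing", "nice blog",
    "keep up the", "i will be reading more", "i am a newbie", "paid theme",
    "impressed with your writing",
)
# Fragments seen when a sales keyword is used as the commenter's name (assumed).
KEYWORD_NAME_HINTS = ("seo", "real estate", "belly fat", "cheap", "loans", "casino")
# Domain fragments that mark the homepage link as commercial (assumed).
COMMERCIAL_HOST_HINTS = ("pills", "pharma", "casino", "seo", "loan", "cheap")

HOLD_THRESHOLD = 3  # assumed cut-off: hold for moderation at this score or above


def score_comment(name, url, body, post_terms=()):
    """Return (score, reasons); higher is spammier."""
    score, reasons = 0, []
    text = body.lower()

    links = URL_RE.findall(body)
    if len(links) >= 2:
        score += 2
        reasons.append(f"{len(links)} links in body")
    elif links:
        score += 1
        reasons.append("link in body")

    hits = [p for p in GENERIC_PHRASES if p in text]
    if hits:
        score += len(hits)
        reasons.append("generic phrasing: " + ", ".join(hits))

    if any(h in name.lower() for h in KEYWORD_NAME_HINTS):
        score += 2
        reasons.append("keyword used as name")

    # Does it engage with *this* post? A comment that never touches the
    # post's subject could have been left anywhere.
    if post_terms and not any(t.lower() in text for t in post_terms):
        score += 1
        reasons.append("nothing specific to the post")

    if url:
        host = urlparse(url).netloc.lower()
        if any(h in host for h in COMMERCIAL_HOST_HINTS):
            score += 2
            reasons.append(f"commercial-looking link domain: {host}")

    return score, reasons


def triage(comments, post_terms=()):
    """Return [(name, score, 'hold' or 'approve'), ...] for a batch of comments."""
    out = []
    for name, url, body in comments:
        score, _ = score_comment(name, url, body, post_terms)
        out.append((name, score, "hold" if score >= HOLD_THRESHOLD else "approve"))
    return out


# Constructed sample comments left on a post about Joomla brute force attacks.
POST_TERMS = ("joomla", "brute force", "admin", "password")
SAMPLE_COMMENTS = [
    ("Susan", "http://susan.example.org",
     "We renamed the Joomla admin account last month after seeing the same "
     "flood of login attempts; it dropped off almost immediately."),
    ("SEO Expert", "http://cheap-seo-services.example",
     "Good job! What a great post!"),
    ("Bob", None,
     "Thanks for sharing, see http://a.example/x and http://b.example/y "
     "and http://c.example/z"),
]

if __name__ == "__main__":
    for name, score, verdict in triage(SAMPLE_COMMENTS, POST_TERMS):
        print(f"{name!r}: score {score} -> {verdict}")
```

Treat the score as a reason to hold a comment, never as a reason to delete it unseen: substring matches on names will misfire (a commenter from Seoul trips the “seo” hint), and a regular reader who writes a thoughtful paragraph but links a sales page, the case the policy above makes room for, still lands in the hold queue where you can approve them by hand.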

In short, spam is hard to monitor and spammers are tricky. The best approach is to examine every comment and the link that comes with it. If anything makes you uncomfortable, you can delete the link, or the whole comment. It’s your site, so you make the commenting rules. And speaking of rules, it pays to have a few written down to fall back on. Believe it or not, I have had spammers on my personal site email me asking why I deleted their links. I just point them to my comment policy.

Finally, for WordPress users, here are a few spam plugin recommendations. Number one for most people will be to activate Akismet. This plugin comes with WordPress and is used by almost all WordPress sites. Some people do not like or use Akismet, but I have had no trouble with it in all the years I have been writing. I recommend it, but do not check the “auto delete” setting for posts over one month old. I have also used Simple Trackback Validation for several years to stop trackback spam, although it has not been updated in a long time.

For several years, and until recently, I also used AntiSpam Plugin by Siteguarding. This plugin worked great for me and others until the last couple of WordPress updates, when it started catching some legitimate comments, many from people who had successfully commented on willtaft.com up to one hundred times or more. Unable to get the issue figured out or resolved, I reluctantly stopped using it. I then experimented with various “Captcha” plugins that worked well. Ultimately I decided that I did not want to require a captcha on my sites because I feel it is a hurdle between many potential commentators and conversations on my sites. As a compromise I started using the Growmap Anti Spambot Plugin by Andy Bailey. This plugin creates a simple check box that must be ticked when a comment is submitted. It is not my ideal solution, as it still requires input from a commentator, but it is simple and so far I have not had any complaints from readers.