Yay, I Have a New Comment. Ugh! It’s SPAM.
Spammers are a complete nuisance, and one of many threats you will encounter as a WordPress website host. If the email address attached to a WordPress contact form on your website is receiving a huge number of (or even one) spam emails, you’ve come to the right place, my friend. I will walk you through what I did to eliminate spam on this exact WordPress website.
Imagine my surprise when, as I was going about a regular day sipping on some coffee and nibbling on a classic glazed doughnut, my phone went berserk with notifications. I had received seven back to back emails, all generated through a contact form on this very website. At first, I was elated! Many messages means a lot of traffic, right? Imagine the shock when I opened each mail to find this:
From: jkkrwbtmrz email@example.com Subject: jkkrwbtmrz Message Body: jkkrwbtmrz http://www.g90qxky4fu25o3e54430488r25kzolyqs.org/ [url=http://www.g90qxky4fu25o3e54430488r25kzolyqs.org/]ujkkrwbtmrz[/url] <a href="http://www.g90qxky4fu25o3e54430488r25kzolyqs.org/">ajkkrwbtmrz</a>
And thus began my battle with spam.
Tinned meat I’d gladly accept. Sadly, it was unsolicited messages that I was receiving. Spam, in simplest terms, is one, or a bombardment of many, unnecessary email, with the intent to advertise, ‘phish’ for personal data, or just maliciously bring down a website. There is another, more innocent form of spam that spawns from search engines, I’ll get to that in a bit.
Human Spammers seek out email addresses and send out unsolicited E-mails for three purposes:
- Advertise: They have a product and plan on marketing it by blasting out emails, hoping whoever cares to read them will buy their product.
- Phishing: Spammers blast out emails that seem innocent but contain malicious links or attachments that contain a virus, or worse, phishing mechanisms. Think “Hey I want to send you a million dollars, please give me your bank account details”.
- Server Crash: Spammers sometimes write scripts that constantly bombard a website’s contact form with gibberish messages (like the one I received). The server eventually is unable to handle the constant, and extremely rapid, data passage and collapses, bringing down the entire website. This is also known as a ‘Bot Spammer’ since the process is automated.
Another group of annoying pests are Bot Spammers:
- One form is a script written to automatically spam a contact form (like the one mentioned in Server Crash). These bots, or automated scripts, are also used to harvest email addresses, phish for passwords through a brute force attack and scrape sites for content. It is definitely wise to block out bots from your website.
- Another form of bot spamming occurs when search engine ‘spiders’ who are crawling your website access the contact form and unknowingly send out spam E-mail. Now we all love Google, and I accept this is sweet innocence, but it can get brutally annoying.
Luckily, all you need are 2 techniques to eliminate Spam E-mail
I bet you didn’t know CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart“. You did? How smart. Anyway, CAPTCHA is a wonderful method to distinguish bots from humans and eliminate spam through bots. CAPTCHA simply requires visitors to click an ‘I’m not a robot’ checkbox or fill in text from a distorted image, two tasks that bots are unable to perform (yet).
reCAPTCHA is Google’s CAPTCHA solution and is extremely simple, to implement and for visitors to use. This makes it a great tool to eliminate bot spam. reCAPTCHA works with most modern contact forms and being owned by Google, easily integrates with platforms. Let me show you real quick:
Enabling reCAPTCHA for a WordPress website with a Contact Form 7 plugin
This is just a scenario and should be applicable regardless of the platform or contact form plugin you use. All you need to do is register on Google and receive a site key and secret key
- Navigate to Google’s reCAPTCHA admin page.
- Enter a simple name for future identification.
- Choose the type of reCAPTCHA:
- reCAPTCHA V2 – displays a checkbox with text “I’m not a robot” that visitors have to click before sending data through a contact form.
- Invisible reCAPTCHA – If you want to avoid the extra step if asking visitors to click a checkbox, you can use the invisible reCAPTCHA option. This works in the background and sifts the bots from us humans.
- reCAPTCHA Android – reCAPTCHA solution for Android.
- More info: Developer’s Guide
- Enter the domain name where you intend to enable reCAPTCHA.
- Accept Google’s terms of service.
- Register.Once registered, you will receive a Site key and a Secret key. DO NOT SHARE THIS WITH ANYONE.
The site key is placed in the <head> of the code which the site serves to users. The secret key facilitates communication between your site and Google, once users respond.
For a site coded and hosted by you, you will have to manually enter a piece of code that Google provides after the registration page, in the head and the form’s code. More info here: Developer’s Guide
Enabling reCAPTCHA on WordPress
Right, for a WordPress (some shameless promotion: How to Start a Blog on WordPress) user with a contact form plugin (Contact Form 7 used in this tutorial), follow these steps:
- login to your WordPress admin page and navigate to Contact->Integration.
- Enter the Site Key and the Secret Key in the respective fields mentioned. Done!
- Now head over to the settings of the contact form being used on the live WordPress website, hit edit and insert the reCAPTCHA field. You can set a CSS ID to gain more control over the position and aesthetics of the checkbox.
- Save, and you’re good to go. The reCAPTCHA checkbox will immediately appear on your live website.
With reCAPTCHA on your WordPress website, bots won’t stand a chance! Now heading over to the more sinister of the two evils: Human Spammers!
Humans are unpredictable, and thus harder to keep out. One WordPress plugin, however, has proved most helpful and is a must install on every WordPress site: Akismet. Akismet is so useful that it, in fact, comes pre-installed with WordPress.
Filtering Spam Through Akismet
Akismet is a plugin that you need to install (in case you have uninstalled it) and activate. You, unfortunately, cannot use it for free, so head over to their website https://akismet.com/account/ to generate a unique API key.
- Login with your Google account, or an existing WordPress.com account. You can pick a personal plan for as less as $12 (they actually let you decide what they are worth, with $12 being the minimum). Take the API key over to your WordPress site. Navigate to the Akismet plugin page and connect the two accounts.
- Fill in the basic details:
akismet:author Add this option to the field that accepts the name of the sender. Example: [text* your-name akismet:author] akismet:author_email Add this option to the field that accepts the email address of the sender. Example: [email* your-email akismet:author_email] akismet:author_url Add this option to the field that accepts the URL of the sender. Example: [text your-url akismet:author_url]
Akismet cross checks EVERY message sent through your WordPress contact form AND comments section, AND any other entry point, against their database. If any message shows a hint of being spam, it rejects the message and displays a “failed” message on your WordPress website.
There you have it, two simple ways to keep both, bots and humans from spamming your E-mail ever again. There are, of course, many wonderful, free plugins available on WordPress to protect your website from spam. Feel free to mention your favourites in the comments section.
-The Underground Army