How to Fight off Spambots for Good with the Free Anti-Splog Plugin

How to Fight off Spambots for Good with the Free Anti-Splog Plugin

Spammers are one of the most irritating aspects of the web and nowhere more so than when you’re managing a BuddyPress or Multisite setup.

The relentless tide of bots signing up fake accounts and blogs – or “splogs”  – can quickly become a massive headache for site owners.

What if there was a way to reduce the amount of spam blogs you get overall and tackle anything that gets through more quickly? Look no further than our Anti-Splog plugin.

We originally developed Anti-Splog for our sister site EduBlogs – the second largest WordPress website online with around 4.5 million hosted blogs – and the plugin has been battle-tested at massive scale.

In this post, I’m going to show you how you can set up and configure Anti-Splog to protect your BuddyPress or Multisite installations from spammers that will inevitably target your sites as they start to grow.

What Are Splogs and Why Should You Care?

Once upon a time, long before I knew about the virtues of Anti-Splog, I set up a BuddyPress-powered Multisite installation of WordPress. Within days, my installation’s list of sites spanned tens of pages in the admin end and looked a bit like this on the front end:

With a rate of Splog signups like that, it's no wonder that they started advertising stress relief to me.
With a rate of Splog signups like that, it’s no wonder that they started advertising stress relief to me.

That site is gone now because there really wasn’t time for me to be checking sites and clearing out the list of obvious splogs.

If you’ve ever had a BuddyPress or Multisite installation, you have probably felt the same pain as I did. The number of spammers you can end up with is astonishing.

And, because every new Multisite site adds a whole new installation’s worth of tables to the database, you can find it creating a huge database very quickly if you don’t keep on top of things.

Whether you’ve already got an installation where you’re dedicating hours a month to clearing out spam, or you’re looking to start a new installation, you can save a lot of time with Anti-Splog.

By limiting splog signups, it frees up more of your day for developing and supporting your community. If you use the full version, it can also detect suspicious sites and mark them as spam right away.

Introducing Anti-Splog

Anti-Splog on WordPress.com
Anti-Splog is available free on WordPress.org. What, free? Yeah baby!

Anti-Splog is designed to add several layers of protection to sign-ups on Multisite and BuddyPress. The free version provides signup protection and advanced features for marking blogs and users as spam.

If you upgrade to the premium version, you’ll have access to a unique API where your blogs and posts will be automatically scanned and checked, then thrown straight into the pile of removed splogs if they shouldn’t exist.

This is a huge help if you have humans creating blogs to bypass the signup tests (designed to fool robots). They’ll be flagged and caught as soon as they post anything untoward.

With our introductions out of the way, let’s dive into making this thing work.

Installation and First Steps with Anti-Splog

Anti-Splog WordPress.org download.

Begin by navigating to your Multisite Network Admin Plugins page (note that this isn’t the Plugins page on any site on the network) and click Add New.

Search for “Anti-Splog” and click Install Now. Once the plugin has downloaded, go ahead and hit the Network Activate link to turn the plugin on across all of the network. For many plugins, this might simply activate it on every site so administrators can configure it. However, for Anti-Splog it will activate and be controlled from the Network Admin section of WordPress.

You should see three messages when you activate the plugin successfully. In addition to the “Plugin activated” notification, there will be two further Anti-Splog messages as shown below:

Post-install message
Your post-install messages.

The first message about the API key is nothing to worry about. As we’ll see later, you can get an API key to access content-checking features from our servers at any time. For now you can dismiss this message.

The second message does require your action. You’ll need to move a particular file – blog-suspended.php – into your /wp-content directory. This is the file that will be shown to users whose blogs are suspended by Anti-Splog.

Navigate into the WordPress directory of your site, then go to wp-content > plugins > anti-splog. There, you’ll find a helpfully named put-in-wp-content directory. Jump into it and you’ll find a file called blog-suspended.php.

Move blog-suspended.php
Move blog-suspended.php.

You don’t have to make a copy unless you really want to – in fact, it’s okay to delete the put-in-wp-content directory once you’ve moved the file out of it.

Anti-Splog Menu

With that done, refresh the page and the notices will disappear.

You’ll see that a new menu has appeared in your Network Admin dashboard. Now it’s time to head to Anti-Splog > Settings where you can start configuring the way the plugin works.

That’s where we’ll turn our attention to next.

Getting to Grips with Configuration

In our examples below we’re concentrating on the free version of the plugin so you can ignore the API settings. The API uses data and algorithms from years of experience (including data relating to Edublogs), which you can pay to access at any time.

Signup controls in the free version of the plugin is where we’ll be focusing for the remainder of this article, though. You’ll find them under General Settings in the Anti-Splog settings menu. This is where you’re configuring options to stop splogs sneaking onto your site in the first place.

Let’s run through the main options at your disposal.

Limit Blog Signups Per Day

Limit blog signups options.
Limit blog signups options.

First up, is the Limit Blog Signups Per Day option. It means that the same IP address (whether human or a sneaky bot) won’t be able to sign up more than a certain number of blogs in a 24 hour period. This can be good for limiting the number of splogs that get created if a bot finds its way through the safeguards and stops a human from sitting down to create them all day.

However, if one organization (like a school or one workplace) has many users sharing an IP address, this may prevent genuine users from setting up accounts if the number is set too low. You can set it for any value from one to 250 or simply turn it off entirely by setting it to “Unlimited.”

Blacklist Splogger IPs

Blacklist Splogger IPs settings
Blacklist Splogger IPs settings.

The Blacklist Splogger IPs setting allows you to disable blog creation for IPs that have been used to create blogs that have subsequently been marked as spam.

Here we face the same dilemma as before in that organizations such as schools or companies who share IPs may inadvertently be flagged. You’ll need to make your own assessment in the context of your target users before selecting a value here and be prepared to change it over time. You also always have the option of setting to “Never block”.

It’s a powerful tool that can cut off potentially huge amounts of spam from bots, but you need to proceed a little cautiously here depending on your users.

Rename wp-signup.php

Rename wp-signup.php
Rename wp-signup.php

Rename wp-signup.php is only for users of Multisite (not BuddyPress, where the sign up form is different). It works on pretty much the same security principle as not using the “admin” username to prevent brute force attacks: if a bot doesn’t know where to look, they can’t attack you.

Activating this feature will change the address of your wp-signup.php form to /signup-xxx/. To stop it becoming obvious over time, this URL will change each day.

Don’t fear if you have links to your sign up page in your theme or pages, though – you can use shortcodes or PHP functions to echo the URLs instead. Just replace wp-signup.php with [ust_wpsignup_url] or <?php ust_wpsignup_url(); ?> as applicable. This will update automatically as the link does, ensuring continuous access to sign up.

Renaming wp-signup.php should confound plenty of bots with minimal effort on your part and no discernable difference for your users. It won’t stop humans, of course, but it will stymie an awful lot of automated attempts.

Spam/Unspam Blog Users

Spam/unspam users
Spam/unspam users

When activated, the Spam/Unspam Blog Users option gives you the option of marking all users of a particular blog as spam. If you have mostly single-user blogs, this is great. However, if you have multiple users on big blogs, one rogue user (or just one false positive) could result in several users being unfairly marked as troublesome so you’ll need to exercise your judgement here.

By default, Anti-Splog will display an addition drop-down admin bar menu. This allows you to mark a blog as spam, block its IP or mark the blog as an Archive when visiting it.

This serves as an excellent alternative to having to go into the site’s dashboard – and then choosing Edit Site to attribute these flags – or having to go into Network Admin and identify it on the sites list. It reduces the process to a single click and saves you time.

If, for whatever reason, you’d rather not have this feature enabled, you can check the Hide Admin Bar Button in the Anti-Splog > Settings menu as in the screenshot above. This will remove the option from your network’s sites.

A Quick Word on Queue Display Preferences

Queue display preference options
Queue display preference options.

When moderating blogs, you’ll see a queue available for your review. By default, this will show fifteen blogs but it can show up to 100 depending on your Queue Display Preferences configuration. If you’re showing this many, you may wish to turn images off to speed up loading.

You can also select how many blog posts you can see from your queue. The number you choose for this depends on how many splog posts you’re typically experiencing. Of course, you’ve always got the option of visiting a blog’s individual dashboard to review all posts.

Additional Signup Protection

Additional signup protection options
Additional signup protection options.

It’s also possible to set up Additional Signup Protection to add a further layer of deterrence to signups. Again, these won’t necessarily be effective against humans who sit and create splogs, but they should prevent bots from being able to do so in most cases.

The Settings page describes each option in greater detail, but briefly:

  • Admin Defined Questions: Set some questions that everyone (human) should know the answer to. If you’re based in one country, maybe ask about your head of state or similar. You can define these settings in Defined Questions Options.
  • ASIRRA: Presents the user with a series of images from which they must pick the cats. This won’t work on all servers so make sure you test it rather than assuming it works and potentially antagonizing users.
  • reCAPTCHA: The traditional spam stopper, but more advanced to stop computers being able to do it. reCAPTCHA asks humans to identify scanned words from books – you’ve probably used it before. It’s recommended to use this feature at the very least for stopping multiple submissions through the blog suspension appeals form (included on every blog suspended page).
  • PlayThru: another free CAPTCHA designed to be something that only humans can complete.

Pattern Matching

Pattern matching options
Pattern matching options.

The other main page to look at when setting up your Anti-Splog plugin is the Anti-Splog > Pattern Matching section.

The Pattern Matching Feature comes pre-loaded with some of the most common phrases to target. It can check domain names, titles, usernames and emails and will automatically spam those that have been identified as falling in line with common splogger patterns.

You can also add your own suggestions to the default ones provided. Bear in mind here that the broader the patterns you use, the more likely it is that genuine users could be marked as a false positive.

Start slow and build up your library of terms based on their effectiveness rather than trying to catch everything straight out of the gate. The Statistics menu will give you a running tally of what proportion of your signups have been marked as spam compared to genuine blogs.

For all the excellent work the various standard and sign up protection settings do, you may well find yourself considering upgrading to using the API key down the line as your site grows. Having automated monitoring of live content is a huge timesaver when you’re operating a site at scale.

The features available in the free version, however, are more than enough to get you up and running and you’ve always got the option of upgrading in the future.

Wrapping Up

When you’re trying to run a Multisite network or BuddyPress installation, there are plenty of better things you can be doing than trying to stop your database size ballooning with fake blogs. Anti-Splog will save you a whole lot of hassle and I know I’d have found it immensely useful if I’d known about it years ago.

You stand to save more time by utilizing the premium API option but the free version will still take care of a lot of heavy lifting for you and is highly recommended. Basic setup, as we’ve hopefully illustrated above, is straightforward.

Before you head off to download Anti-Splog and massively improve your life as a site owner, what spam issues have you run into in the past? Share your war stories in the comments below.