Introduction
In previous posts, we’ve talked about how important it is to protect your blog’s domain name and to protect yourself (and your readers) from malicious attacks against your site. Now it’s time to talk about protecting your readers from your readers! Well, to be clearer, you’re protecting your readers from evil folk (malicious actors) masquerading as your readers. Those evil folk want to infect your real readers with malware (viruses, worms, trojans, etc.).
It makes sense, right? We should do what we can to protect against any reasonable attack, and we’ve all heard stories about comments containing dangerous URLs.
Did you notice that I said “reasonable?” That’s because there’s a secret about security I should probably let you know.
If someone wants your site badly enough, they can get it.
I’m not trying to be negative. I’m just being realistic. If for some reason your site attracted the attention of someone with piles of cash (say, a nation state), then they could fund an attack that would likely be successful. That means the idea of being perfectly safe is an illusion. Protecting against a nation state would take the resources of a nation state. And to be honest (and I don’t think this will be shocking to any of you), my anime blog doesn’t pull in the equivalent of the gross domestic product of any smaller nation, much less a state actor on the scale of the United States, Europe, Russia, or the like.
Unless you have the finances to deploy your own Fleet of Fog — including a mental model like Takao — then there are security threats you can’t afford to protect yourself from. Capture from the Crunchyroll stream.
Instead, our goal is to be reasonably safe. Following the advice in the first two posts in this series, plus the advice I’m about to give, will give you a fighting chance against casual and automated attacks. And unless you have the defense budget of a major world power, that’s the best you can do!
Oh, and remember: Constant vigilance!
WordPress Out of the Box Protections
If you host your own WordPress (I don’t know about sites hosted on WordPress.com), it’s likely that the default installation only has rudimentary protections against malicious comments — that is to say, comments that include URLs/links to malware. In less likely scenarios, the comments themselves could contain malicious code.
Even if they’re rudimentary, you should take advantage of some of these settings. For WordPress 4.9.8, if you log into the admin page (/wp-admin) and click on Settings -> Discussion, you’ll see some of the options. They include:
- Comment author must fill out name and email: It’s not particularly effective (it’s easy to set up a fake or misleading e-mail address), but it’s better than nothing.
- Anyone posts a comment: If you have a bigger site, you might not want to enable this to keep your inbox from being buried. But if you have a smallish or mid-sized site, knowing when comments are posted can help you identify odd-looking comments immediately so you can delete them.
- Comment author must have a previously approved comment: I almost always check this. Again, it’s not perfect, but it forces a malicious actor to post at least one good comment before I’ll automatically accept their new comments.
- Hold a comment in the queue if it contains: I usually set this to 2. If one of my fellow bloggers wants to include a single link back to one of their posts, that’s cool! But a trait common among many spam comments is that they include multiple links. I don’t want any part of that.
If a malicious actor wants to post on my site, I want to make them work at least as hard as Shizuka Sendou did! Capture from the Crunchyroll stream.
You might be tempted to play with more of the “Content Moderation” or “Content Blacklist” sections, but honestly, blacklisting is a never-ending battle that you’ll lose. There is a better option.
What better option, you might ask? It’s to install a plugin that’s not only designed to prevent spam comments, but has a proven track record! I’m talking about Akismet.
Protecting Readers from “Readers”
Akismet is an expert in blocking spam. The Akismet plugin for WordPress is fairly easy to install. You can install it by itself or as part of a larger package (see below), but in the spirit of not installing more than you need, you should probably consider installing the simple Akismet plugin first.
Installing it is easy:
- Log into your admin page (/wp-admin)
- Click on Plugins
- Click on “Add New”
- Search for “Akismet”
- Find and install “Akismet Anti-Spam”
To configure it, you’ll need an Application Programming Interface (API) key. You can get it by logging into this site with your WordPress.com ID:
To use the Akismet plugin, you’ll need an API key. Not a physical key like Chitoge Kirisaki tried to use! Capture from the Crunchyroll stream.
There’s a free pricing tier, which you can use for personal blogs (you can contribute some money if you like). If you have a professional blog or a fleet of professional blogs, Akismet offers other pricing tiers:
Once you set up your account, you can generate your API key. You then copy and paste it into the Akismet plugin setup page (in the field appropriately named “API Key”!).
It’s worth the investment even if you pick a paid tier (or contribute some cash for the personal tier): In the past 6 months, Akismet has blocked 60 spam comments to my site. In the last 3 1/2 years, it’s blocked over 490 comments — and any one of them could have caused heartache for my readers.
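If you manage your site from a terminal, the Discussion settings above and the Akismet install can also be applied with WP-CLI. This is an added example, not part of the original post or of Akismet; it assumes the `wp` command is on your PATH and is run from the WordPress root, and it uses the WordPress 4.9-era option names (`comment_whitelist` was renamed in later releases). The API key is read from an environment variable so it never lands in the script.

```shell
#!/bin/sh
# Added example: apply the post's Discussion settings and install Akismet with WP-CLI.
# Assumes "wp" (WP-CLI) is installed and this runs from the WordPress root.
set -eu

# The four settings recommended under Settings -> Discussion (WP 4.9.x option names).
harden_comment_settings() {
  wp option update require_name_email 1         # author must fill out name and email
  wp option update comments_notify 1            # email me whenever anyone posts a comment
  wp option update comment_whitelist 1          # author must have a previously approved comment
  wp option update comment_max_links "${1:-2}"  # hold a comment if it has this many links or more
}

# Install and activate the Akismet Anti-Spam plugin, then store the key
# generated on the Akismet site (Akismet keeps it in the wordpress_api_key option).
install_akismet() {
  wp plugin install akismet --activate
  wp option update wordpress_api_key "$1"
}

# Print the current values so you can confirm the change took effect.
show_comment_settings() {
  for opt in require_name_email comments_notify comment_whitelist comment_max_links; do
    printf '%s=%s\n' "$opt" "$(wp option get "$opt")"
  done
}

# Only touch the live site when run as: sh harden-comments.sh --apply
if [ "${1:-}" = "--apply" ]; then
  harden_comment_settings 2
  install_akismet "${AKISMET_API_KEY:?set AKISMET_API_KEY to the key from your Akismet account}"
  show_comment_settings
fi
```

Run it as `AKISMET_API_KEY=... sh harden-comments.sh --apply`; the final listing should show the four options at the values the post recommends.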
Causing problems for my readers is very not cool! Especially when you can use something like Akismet for either free or a relatively small amount of money — and provide some of the best protection available.
What’s This about a “Larger Package?”
This series is about keeping your website safe, so I’m staying focused on plugins to improve your security. That being said, I want to mention that Akismet not only comes as a standalone plugin, but it also comes with a plugin called Jetpack by WordPress.com. Jetpack has a number of useful features in its free tier, like:
- Themes
- Enhanced performance for images
- Site statistics
- Post sharing tools
- Basic Search Engine Optimization (like sitemaps that Google can use to guide searches)
- Basic security protections, like automatic plugin updates
No, not that kind of jetpack! My Jetpack by WordPress.com is nearly as useful! Capture from the Crunchyroll stream.
Jetpack’s paid tiers can add automatic backup and restore and malware scanning. If you’re interested, you can see a comparison of its different tiers here:
If you think you want to use one or more of these additional features, it might be better to install “Jetpack by WordPress.com,” which automatically installs Akismet along with the Jetpack features.
Keeping Readers Safe Checklist
- Enable the basic, out of the box protections
- Install the Akismet Anti-Spam plugin
- Select a plan (including a free tier) to obtain your Akismet API key
- Optionally: If you think you’ll need site statistics, tools to help share your posts, or other features from Jetpack by WordPress.com, install it instead of Akismet alone; then follow steps 2 and 3
Summary
You carefully craft your site to be appealing to your target audience. You put a lot of work into your posts. You’re delighted when users share their thoughtful and insightful comments! It’d be a shame to let spam comments ruin the experience for your readers — and for you! Fortunately, for free (or for very low cost), you can get professional-grade anti-spam protection for your comments. Combined with a protected domain name and an up-to-date site and plugins, you should be in a good position to give your readers a safe and enjoyable experience.
Jetpack, including anti-spam, is included for blogs hosted by WordPress. It looks like it’s a custom set up though, not matching any of the tiers in your link.
Interesting — thanks for the info! That seems to confirm that the tiers describe what’s available for non-WordPress.com sites, doesn’t it?