Last week our agency launched a shiny new custom site for an academic think tank. I showed my mom the new site. “It’s so nice Miriam!” said my ever-objective Mom. She dutifully scrolled up and down the home page and clicked through to some articles. And started reading.

“How can they say that?” said my ever-opinionated Mom about one of the articles.

“You should leave a comment!” said I.

“How do I do that?” asked my ever-mystified-by-the-web Mom.

So we scrolled to the bottom of the article of contention, and I showed Mom where to type her opinion (start with something nice, then tell them about how you disagree), which fields to fill in (you don’t need to fill in the website), and when it was all reviewed for potentially embarrassing  autocorrects (this all took place on Mom’s iPad), she pressed Submit.

The page refreshed, but nothing else happened. The message that her comment was awaiting moderation didn’t appear, and even stranger, the URL of the page didn’t update to show that a comment had been submitted by adding /#comment-123 to the end of the URL. I looked in the admin of the site, and her comment was nowhere to be seen.

“Thank you Mom!” I exclaimed. “I believe you just spotted a bug in the new site! You’re great at QA.”

Mom didn’t quite get how finding a bug is a good thing and why I was so happy about it, or what exactly QA is, but she smiled graciously and said she was happy to help.

I tried to recreate the bug on my laptop, and was able to on the same post that my mom had been on, but not on others. Hmmm. Was the bug maybe only on posts that had Related Posts under them (we set up the site so the client could manually select related posts to appear, if at all)? Nope, it worked on posts with and without related posts.

The team, who had already tested the comments before launch, wasn’t able to recreate the bug, so I was stumped.

I decided to take a break to try to read some of the articles open in my millions of Chrome tabs, and one of them was this one: Why I Will Never Comment On Your Blog (A.K.A. Die, Akismet, Die). The writer describes how Akismet has been shutting her out of commenting on blogs, but what was most interesting is her description of what happens on the front end of a site when Akismet has identified a submitted comment as spam: the page reloads, no message that the comment is being moderated, and the URL doesn’t change!

I logged in to the admin of the site, and lo and behold, my Mom’s comment and my test comment were both sitting in spam!

It might be time to move on from Akismet

We already know that Akismet can falsely identify good comments as spam, and with our spam box filling up daily with tens of spam comments, there’s no way we’ll ever find them in there, which is kind of a shame. But I always figured it’s worth losing a handful of good comments if we can avoid dealing with hundreds of spammy ones.

However, we’ve been having trouble with Akismet for a while now. For example, spam comments on this site were not being identified as such. We were just leaving hundreds of spam comments in moderation, which was annoying for so many reasons.

Plus, Akismet is now a premium plugin, so you need to pay for it on non-personal sites. That’s fine, I’m all for paying for great plugins, but there are good free alternatives, and it hasn’t been working so well for us anyways.

And if Akismet is identifying my Mom’s well thought-out comment on an academic site as spam, I think that’s a sign of some kind of issue on Akismet’s end for the following reasons:

  1. My Mom ain’t no spammer. She uses her iPad for sharing recipes, emailing with her family, and listening to music; she had never left a comment on a site before in her life so her email couldn’t possibly be connected with spam activity; and the nastiest thing she ever did on the web was get upset at a radio station for playing bad oldies.
  2. Her comment did not have spammy words in it, was intelligent and not aggressive.
  3. The site was fresh out of the box, so no comments had yet been submitted, and therefore the site owners hadn’t yet “told” Akismet what they consider spam by marking comments as spam.

Akismet has been amazingly awesome all these years in predicting the comment spam issue which was to reach epidemic proportions, and helping rid the world of what could have been thousands of comments about cheap Uggs and generic Canadian Viagra. We are indebted to you for that, Akismet and Automattic.

Having said that, for those of you who are also looking for alternatives, here are two very good ones: Growmap Anti Spambot Plugin (GASP), and Block Spam by Math Reloaded

Growmap Anti Spambot Plugin (GASP) – so simple, yet so effective

We’ve tried a bunch of honeypot types of plugins, like Antispam Bee, but it didn’t stop the spam on WPGarage. The post above that originally made me realize that Akismet was blocking my mom’s comment introduced me to a plugin I never heard of: Growmap Anti Spambot Plugin, also known as GASP, created by Andy Bailey. Its premise is so simple, yet genius:

This plugin will add a client side generated checkbox to your comment form asking users to confirm that they are not a spammer. It is a lot less trouble to click a box than it is to enter a captcha and because the box is generated via client side javascript that bots cannot see, it should stop 99% of all automated spam bots.

A check is made that the checkbox has been checked before the comment is submitted so there’s no chance that a comment will be lost if it’s being submitted by legitimate human user.

How brilliant is that? The plugin also does something else smart: it adds a fake hidden field labeled “email” to throw spambots off. If it’s filled in, it’s a red light.

Hidden email field

However, the plugin does have some weaknesses:

  • The browser accessing the comments has to be running javascript. What if comment spammers turn off javascript in their browsers? The plugin does address this by displaying a message to javascript-disabled browser users, but that only helps good humans, not evil spammers:
    Javascript not enabled
  • It doesn’t work with Disqus or other third-party comment systems. Which doesn’t bother me because I dislike them anyways.
  • It either stops all trackback spam, or none at all. You can set the plugin to stop all trackback spam, while using another plugin they recommend to validate trackbacks: Simple Trackback Validation. However, it hasn’t been updated in over two years, so it doesn’t sound like a good idea to use it
    Allow trackbacks?
  • The comment spam scripts can learn the checkbox name and automatically tick it. There’s a workaround though: Change the checkbox name value in the settings page to something new (like change the number) so the automated systems don’t know what the checkbox is called any more.
    Checkbox label name

Block Spam by Math Reloaded

For now we are sticking with the math question plugin I mentioned above: Block Spam by Math Reloaded. I am so sick of spam, I don’t want to risk any of the weaknesses mentioned above for GASP. As I said, since we implemented it, it’s cut down automated spam completely. Human submitted spam comments can still get through, but they are so few that it is easy to manage. What’s really good about this plugin is that it also adds a math question to the WordPress login form. The reason this is useful is that it can actually be another step in preventing brute force attempts to log in. If a bot is hammering your login form with username/password combinations, but has to stop to enter a math question for every round, I can imagine that might stop it cold in its tracks.

We’ve been trying to find a good alternative to Akismet for a long time, and I am happy to say that between GASP and Block Spam by Math, there are some good, simple, and effective solutions out there. Die, comment spam, die!

 

Mom at WordCamp
Mom came to WordCamp Jerusalem to help (wo)man the registration tables and watch my baby. She’s been wearing a WordPress pin on her jacket ever since 🙂

 

Baby at WordCamp
Said baby

Pics by Deena Levenstein