WordPress User Registration Spam
I’ve had quite a few search enquiries and hits for komatoz.net on my sites recently so there are obviously a lot of people suffering out there with spamming and registration problems that I’ve “currently” 😉 got under control. (We all know that this is a continuous battle against spammers as their approaches and techniques change though!).
This post is really a revisit and clarification of an earlier one here and shows some of the things I do to keep the spammy bastards at bay as there is no “one fix for everything” solution.
You could call them my Top Three!
Use of SABRE
What I’ve found, when using the excellent Sabre WordPress plugin, is that there are a heap of “usual suspects” that circle round and round a few IP addresses. Usually I’ll get supposedly real e-mail addresses from places like: komatoz.net, gawab.com, yandex.ru, mail.ru, inbox.ru
…and previously I had them locked out by name – but that doesn’t work as they’re spoofed.
Sabre is useful as it allows you to spot repeat hits from certain IP addresses after they’ve been blocked by the use of an .htaccess file.
Use of the .htaccess File
I’ve also made use of the .htaccess file in the website roots to block these names and a wodge of IP addresses. It’s become obvious that the differences between the SABRE logs of each website were due to differences between the .htaccess settings (I’d missed off a couple of IPs between files) so now the blocked list is as follows:
deny from 188.8.131.52
deny from 184.108.40.206
deny from 220.127.116.11
deny from 18.104.22.168
deny from 22.214.171.124
deny from 126.96.36.199
allow from all
This has been applied to all my sites so there should be some consistency between the residual IP addresses getting past the file.
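The mismatch described above (a couple of IPs missed off between the .htaccess files of different sites) can be checked mechanically. This is an added example, not part of the original post: it compares the "deny from" entries of several .htaccess files and reports what each site is missing. The site names and addresses (documentation ranges) are constructed.

```python
import ipaddress
import re

# Apache directive names are case-insensitive; one line may list several hosts.
DENY_RE = re.compile(r"^\s*deny\s+from\s+(.+?)\s*$", re.IGNORECASE)

def parse_deny_entries(htaccess_text):
    """Return (networks, others): IPs/CIDRs as ip_network objects,
    anything else (hostnames, partial IPs such as '10.1') as lowercase strings."""
    networks, others = set(), set()
    for line in htaccess_text.splitlines():
        if line.lstrip().startswith("#"):   # commented-out rules do not count
            continue
        m = DENY_RE.match(line)
        if not m:
            continue
        for token in m.group(1).split():
            try:
                networks.add(ipaddress.ip_network(token, strict=False))
            except ValueError:
                others.add(token.lower())
    return networks, others

def _render(net):
    # Print single hosts without the /32 or /128 suffix, as in the post's list.
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)

def missing_per_site(files):
    """files: {site: htaccess text}. Return {site: entries denied elsewhere but not here}."""
    parsed = {site: parse_deny_entries(text) for site, text in files.items()}
    all_nets = set().union(*(p[0] for p in parsed.values()))
    all_others = set().union(*(p[1] for p in parsed.values()))
    report = {}
    for site, (nets, others) in parsed.items():
        gap = sorted(all_nets - nets, key=lambda n: (n.version, n.network_address, n.prefixlen))
        report[site] = [_render(n) for n in gap] + sorted(all_others - others)
    return report

# Constructed sample files (RFC 5737 documentation addresses, hypothetical sites).
SITE_A = """# BEGIN WordPress
# END WordPress
deny from 192.0.2.10
deny from 198.51.100.0/24
Deny from 203.0.113.7
allow from all
"""
SITE_B = """deny from 192.0.2.10 203.0.113.7
# deny from 198.51.100.0/24
deny from 203.0.113.99
allow from all
"""

if __name__ == "__main__":
    for site, gap in missing_per_site({"site-a": SITE_A, "site-b": SITE_B}).items():
        print(site, "is missing:", ", ".join(gap) or "nothing")
```

An empty list for every site means the deny lists agree; a commented-out rule, as in the second sample, shows up as missing.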
If you don’t know how to do this, ask me or look it up on the net like I did. I’ve also left some links at the bottom. If you are using WordPress, they advise you to set one up to manage the permalink structure. All you need to do is open .htaccess and paste the list after the WordPress additions. The # hash is a line comment (remming it out).
The .htaccess file is an immensely powerful tool. It’s a huge Apache thing. What I’m doing above is removing the need for an “index” file, which stops unwanted folder trawling if a folder doesn’t have an index file; then I block any requests from the list of IP addresses. This is empirically derived, so if you know people with Russian email addresses you’ll have to modify the list, which is set up for my blockings only!
The Apache server always does three sweeps through the file hence the specific terms:
First it allows all sites and second it denies any IPs on the list. The third sweep does nothing in this file.
The use of .htaccess in this way takes the load away from WordPress so that it never even gets to do any filtering!
I also use .htaccess to allow only pictures (say) into an images folder and block active script files explicitly. So it’s a file type filter as well… As I said, it’s very powerful.
Make sure that you block write access to the file afterwards! Same goes for your robots.txt file and various folders….
Use of Akismet
As well as this lot, I also use Akismet, which most folk use anyway as it’s part of the default WordPress install. Anything that consistently gets through can be added to the .htaccess file along with the odd spurious SABRE detections.
I do a few more things as well, mostly for normal comments and trackbacks, but in truth, the three-pronged approach I’ve detailed here traps most bad guys.
I started all this when I was hacked (or more correctly cracked – I hate the way the usage has been hijacked on this...) by some Turkish activists. I learnt the hard way! 🙁 See my earlier post here.
.htaccess usage links
Hope this helps someone! Let me know if it has.