Running a blog, even a low-volume out-of-the-way blog like mine, attracts spammers. It’s a simple fact of life. If you have comments turned on, you will get spam. There are lots of ways to deal with that, but no way to stop it coming. Lately, it’s been hammering the server hosting my blog, so I decided to change how I was dealing with spam by essentially outsourcing most of the problem to Disqus.
I knew that I was getting more spam lately, because my Akismet stats were getting pretty silly. Since December 2013, through to the start of March, the volume of spam jumped dramatically. Luckily, I had Akismet to deal with most of it for me, requiring just a cursory scan of the spam folder once or twice a day in case a real comment slipped through (none ever did). But just look at these numbers! Over 125,000 in January.
But I wasn’t really bothered about it until my hosting company told me that I had so many processes running one day that it brought the server down. OK, so I’m using cheap shared hosting, I’m cheap! I also have WordPress set up pretty well with page caching, long expiry times on static assets, and no heavyweight plugins on my busy sites. But the constant thrum of spambots posting spam was bringing the server to its knees, so I had to do something.
There’s been a bit of talk lately about whether to even have comments turned on. Just the other day, Tom Ewer asked, “Are Blog Comments Worth the Effort?” Since I don’t really get many genuine commenters on my blog, and comments can serve to help both the commenter and me from time to time, I decided to keep comments turned on. After all, I don’t really do social media so I might as well keep this channel open :)
Since my specific problem was that spambots were hitting the comment post script, I figured the easy way out was to outsource all of that. I had actually been thinking just that since I read about some alternatives in the article “Using Alternate Comment Systems With WordPress” on Elegant Themes’ blog. That article gives a nice wrap up of the popular alternatives. It sounded like either Disqus or LiveFyre were the pick of the bunch. I picked Disqus for the simple reason that I already knew about it, as I had been using it on other people’s blogs and it seemed to work.
Moving my comments system into Disqus was pretty easy. I just needed to follow the prompts as Disqus guided me through the process, then export my blog posts and load the file into the Disqus importer to get all my old comments into Disqus. For the most part, it’s been great — although I have noticed a couple of times that their script server (go.disqus.com) sometimes goes MIA, it’s generally pretty solid.
Since installing Disqus, I have had no further hits to the comments post script on my blog. That’s not quite the end of the story though; looking at my server logs, I saw that one post was being hit over and over by the spambots. But worse: they were hitting the post without the trailing slash, which meant that the request slipped past my caching plugin and onto WordPress, which then sent a 301 redirect to the correct URL with a trailing slash. They then posted a comment using the comment form on the page. Moving to Disqus removed that comment form, but that post was still being hammered.
So I had to add a rule to my .htaccess file specifically for that post, for when it was called without a trailing slash. The purpose here is to stop WordPress getting called, since that’s a heavy process with a database connection and multiple database queries which can all be avoided if Apache does the redirect. So here’s the magic line in my .htaccess file.
RewriteRule (snippets/safely-encode-dynamically-built-html-and-javascript)$ /$0/ [R=301,L]
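To find other posts that need the same treatment, the access log can be scanned for slashless URLs that keep getting answered with a 301. The script below is an added example, not code from the original post; it assumes Apache's combined log format, and the function names, threshold and sample log lines are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache combined log format: client, identity, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def slashless_redirects(lines, min_hits=3):
    """Return [(path, hits, distinct_clients)] for slashless paths answered with 301."""
    hits, clients = Counter(), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        client, target, status = m.groups()
        path = target.split("?", 1)[0]
        last_segment = path.rsplit("/", 1)[-1]
        # Keep permalink-style paths only: no trailing slash, no file extension.
        if status != "301" or path.endswith("/") or "." in last_segment:
            continue
        hits[path] += 1
        clients[path].add(client)
    return [(p, n, len(clients[p])) for p, n in hits.most_common() if n >= min_hits]

def rewrite_rule(path):
    """Build a rule of the same shape as the one in the post for a single path."""
    escaped = re.sub(r'([.^$*+?()\[\]{}|\\])', r'\\\1', path.lstrip("/"))
    return "RewriteRule (%s)$ /$0/ [R=301,L]" % escaped

POST = "/snippets/safely-encode-dynamically-built-html-and-javascript"
REQ = '%s - - [02/Mar/2014:10:00:0%d +0000] "GET %s HTTP/1.1" %s 512 "-" "-"'
# Constructed sample log lines (documentation IP addresses), not taken from the post.
SAMPLE = [
    REQ % ("203.0.113.7", 1, POST, "301"),
    REQ % ("203.0.113.7", 2, POST + "/", "200"),
    REQ % ("198.51.100.22", 3, POST, "301"),
    REQ % ("203.0.113.7", 4, POST, "301"),
    REQ % ("192.0.2.10", 5, "/about", "301"),          # below the hit threshold
    REQ % ("192.0.2.10", 6, "/wp-content/style.css", "200"),
]

if __name__ == "__main__":
    for path, n, c in slashless_redirects(SAMPLE):
        print("%d hits from %d clients: %s" % (n, c, path))
        print(rewrite_rule(path))
```

The log shows a 301 whether WordPress or Apache issued the redirect, so run this before adding rules; afterwards the same paths will still appear even though WordPress is no longer involved.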
And now, onto the next challenge…