CloudFlare + Bad Behavior + Akismet = WP SPAM triple whammy

If you read any of my past blog posts, you know I favor a layered defense for self-hosted WordPress blogs. I’m very fond of the CloudFlare, Bad Behavior and Akismet combination. Recently, I found a user who uses this very combination. He shares this in a blog post at Bad Behavior, CloudFlare and Google Bot.

Here are some excerpts of what he says about the strategy:

  • “My first line of defense from ne’er-do-wells and miscreants is CloudFlare. They stop most of the bad guys before they even reach my site. Still, for some sorts of attacks, when there’s doubt it’s better to let the bad guy through. It may turn out to be a good guy.”

  • “A program called Bad Behavior is my next line of defense. It sits on my server and quickly spots liars and weasels. For dangerous-looking attacks, that’s the limit. But, when there’s doubt and the site itself is not at risk, Bad Behavior will let the attack through.”
  • “Most of the comment spam has been stopped as well, but some has been given the benefit of the doubt. That’s where Akismet comes in. This layer spots the rest of the comment spam, and it can be much more aggressive since it doesn’t actually cut the spam, it puts it into a bin for future review.”

The problem this user runs into is with the order of CloudFlare and Bad Behavior working together. But I should add that this should no longer be an issue. Since the redesign of Bad Behavior, it now works well with CloudFlare. It should no longer get false positives from bots like Google and Microsoft since the new architecture 2.2+ was introduced.

There’s also a point the author makes about using the CloudFlare plugin. The best solution is to run both the CloudFlare WordPress plugin and the CloudFlare Apache module. Unfortunately, not all hosting companies run the Apache module. This will change in time.
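
An added example (not code from this post, CloudFlare or Bad Behavior): behind a reverse proxy such as CloudFlare the web server sees the proxy's address unless something restores the visitor's, which is the job the Apache module does. The sketch assumes the visitor address arrives in the CF-Connecting-IP header and uses constructed placeholder proxy ranges; it accepts the header only when the connection really comes from a listed proxy, so IP-based checks in later layers evaluate the right address.

```python
import ipaddress

# Constructed placeholder ranges (documentation address space), standing in
# for the proxy provider's published ranges. Assumption: replace before use.
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:cf::/48"),
]

# Header CloudFlare sets to the visitor's address on proxied requests.
FORWARD_HEADER = "cf-connecting-ip"


def peer_is_trusted_proxy(peer_ip):
    """True when the TCP peer address falls inside a trusted proxy range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr.version == net.version and addr in net
               for net in TRUSTED_PROXY_NETS)


def effective_client_ip(peer_ip, headers):
    """Return (ip, source) for downstream filters to evaluate.

    source is "header" when the forwarded address was accepted and "peer"
    when the connection address is used as-is.
    """
    if not peer_is_trusted_proxy(peer_ip):
        # Direct connection: a forwarded header from an unlisted peer
        # is not trustworthy, so it is ignored.
        return peer_ip, "peer"

    # HTTP header names are case-insensitive.
    lowered = {name.lower(): value for name, value in headers.items()}
    forwarded = lowered.get(FORWARD_HEADER, "").strip()
    try:
        client = ipaddress.ip_address(forwarded)
    except ValueError:
        # Header missing or malformed: fall back to the peer address.
        return peer_ip, "peer"
    return str(client), "header"


# Constructed sample requests: (peer address, request headers).
SAMPLE_REQUESTS = [
    ("203.0.113.10", {"CF-Connecting-IP": "198.51.100.7"}),    # via proxy
    ("192.0.2.55", {"CF-Connecting-IP": "198.51.100.7"}),      # direct
    ("203.0.113.10", {"cf-connecting-ip": "not-an-address"}),  # malformed
    ("2001:db8:cf::1", {"CF-Connecting-IP": "2001:db8:1::5"}), # IPv6 proxy
]


def resolve_samples():
    """Resolve every constructed sample request."""
    return [effective_client_ip(peer, hdrs) for peer, hdrs in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (peer, _), (ip, source) in zip(SAMPLE_REQUESTS, resolve_samples()):
        print(f"peer={peer:<16} -> filter sees {ip} (from {source})")
```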

I found CloudFlare quite easy to use. It also does some excellent caching and you can refer to Google Analytics in CloudFlare.

Some good WordPress plugins are described in the article entitled 10 Powerful and Free WordPress Plugins. I also like the plugins WP Super Cache, All-in-One SEO Pack and Secure WordPress.

It should be noted that CloudFlare mentions they work well with spam plugins like Akismet, caching plugins like WP Super Cache, and Google Analytics plugins like Google Analytics for WordPress.

I should mention I played devil’s advocate in the past. I pretended I was a hacker for a client site and tried getting past both CloudFlare and Bad Behavior. They have a very good set of defenses. This is all approved behavior – mind you. I wanted to make sure these packages lived up to their reputation.

Akismet is also very good and is light years ahead of Defensio (i.e. a close competitor). Sometimes it gives false positives but it is probably over ninety percent right. Please enjoy the SPAM tools recommended here.



Internet Radio Show – Time to Change Vendors?

You want to reach your target audience. One way is to host an Internet radio show.

It’s the prospect from the perspective of target audience. So would Al Bundy listen to Internet radio? Is he your ideal prospect? Copywriter, marketer and author Dan Kennedy makes Al his hypothetical prospect.

Depends? Is your show on Internet marketing, getting rich without much work, opening up a nude bar without much money, etc?

A few months back, I launched a client golf show on Blog Talk Radio. Everything was going well. But they made a policy change.

Free accounts were no longer free. Shows were limited to one half hour in duration. You couldn’t do a prime time show from 7 – 11 PM, Monday – Thursday. The only solution is to upgrade to a premium account.

Or is it?

The golf show was on the radio for several months. The alternative? Look for another Internet Radio vendor.

The answer was Talk Shoe. They had no limitation on free accounts. You could broadcast during prime time hours. And they had support available for free accounts – tons of it.

So if you get constricted by a service (i.e. they change the rules) – just remember – there are usually alternatives available.

We can do more than what we think

It reminds me that we can do more than we think we can.

Perhaps we have been rejected by 12 publishers and decide to continue to offer The Fountainhead to publishers (i.e. Ayn Rand).

Maybe we are 65 before we succeed in our fried chicken chain (i.e. Colonel Sanders).

Or Andrew Carnegie suggests to us to learn about successful men and write a book about the experiences (i.e Napoleon Hill with Think and Grow Rich).

Or we are at an audition, singing gospel tunes with a band. The reviewer thinks the songs stink. You ask for advice. He says imagine you are dying and you had one tune that told the world about your life – what would it be? Then you sing that song. (i.e. Folsom Prison Blues by Johnny Cash).

Or you had over a dozen dead-end careers or jobs before trying advertising (i.e David Ogilvy).

Could one of the above people have been you? What if Ayn Rand didn’t try for publisher #13…Colonel Sanders retired and collected social security…Andrew Carnegie decided to be a farmer…David Ogilvy went into acting…or Johnny sang another gospel song?

Kind of reminds me of the advice a blogger posted this week. He was doing an acting audition. The audition wasn’t going well. But an elderly gentleman gave him some friendly advice:

“You know, those casting directors really wanted you to be the one they were looking for. They weren’t against you, they were waiting for you to nail it, so they could pack up and get back to their martinis.”

An alternative to Akismet

There’s another alternative to Akismet – it’s TypePad AntiSpam. It follows the same API structure as Akismet. Here’s a great article on TypePad and Defensio at WordPress Plugin Review: Defensio Anti-Spam and TypePad Anti-Spam


Fix WordPress plug-in Breaks + Spam Again + Tim Ferris Stats

How to Fix a broken WordPress plug-in

I decided to try the plugin Ask Apache for a client site. First I did a Cpanel backup to Adrive (a backup storage site company) via FTP.

Well, guess what? The plug-in warned me! I might not be able to get into the admin area.

And you know what? I couldn’t.

What to do? I was getting a 404 page not found error for WP-Admin. I edited out the plug-in stuff in the root directory .htaccess file – no effect.

So you need to Google and see what others say on forums. Perhaps you Google “Ask Apache WordPress wp-admin 404”. It turns out you need to edit the stuff from a second .htaccess file.

It worked. This might be a good plug-in for some environments, but it doesn’t work for all.


WordPress – the fight against spam: Summing up

You know what I like about this post? It has taken the following WordPress SPAM methods and tested them:

  • Akismet
  • Google Recaptcha
  • Conditional Captcha for WordPress
  • WP-SpamFree
  • NoSpamNx
  • AntiSpam Bee

There are a couple of interesting observations here:

  • The plug-in WP-SpamFree took more load time. I could never get the plug-in to work properly, even though I know someone who installed it for a mutual client.
  • The author couldn’t get NoSpamNx to work properly – neither could I.

Software is not only good for the inexperienced person – it often makes life easier for the experienced person too. And sometimes it takes a couple of pieces of software, working in harmony. As an example, take spam in WordPress blogs. Consider a combination of:

  • CloudFlare as a first line of defense (covered in my earlier blog posts).  CloudFlare does its job so well, that second and third defensive lines are to pick off stragglers – if needed.
  • Bad Behavior for a second line of defense.  Or you might try combining Antispam Bee and Si Captcha.
  • WordPress Akismet and  captcha (i.e. SI CAPTCHA Anti-Spam and Fast Secure Contact Form plug-ins), as a third line of defense (should you ever need it).
  • Or you can use Defensio (with the previous mentioned plug-ins, if you make more than $500 per month – but don’t want to pay the Akismet fees) – see 5 Tips for Protecting Your WordPress Site


An interesting article is  3 Ways To Make Spammers Cry (On WordPress And Blogger)

This article is interesting for one observation: “Many hire citizens in third world countries or (thanks to the recession) even in “prosperous” western nations which can bypass both CAPTCHA’s and automated spam filters.”

What’s the world coming to?

Let me share a final note on Defensio.  Akismet has 4 servers and processes blog comments instantaneously.  Defensio takes a few minutes to process.  They also create a MySQL table within your WordPress database.

Akismet is the better option.  It’s worth the $5 per month, if you make over $500 a month.  However, if you have many money making blogs, then Defensio might be a better option (i.e. since it’s free to small businesses).

Tim Ferris Stats

Recently, both Copyblogger and Zen Habits (another heavy hitter, with about 200,000 readers and a Time magazine endorsement) interviewed Tim Ferris – all in the same week. Copyblogger did an audio interview and Zen Habits did a video interview.

Tim has a new book entitled The 4-Hour Body: An Uncommon Guide to Rapid Fat-Loss, Incredible Sex, and Becoming Superhuman . It has a good rating on Amazon, with 934 reviews, and an average rating of 4.5 out of 5 stars.

Yet the Zen Habits interviewer asked a key question on his test data – what was his sample size (i.e. for example). In order to have reliable data, it’s well known in statistics to have at least 31 samples. Yet many of the conclusions in Tim’s new book are based upon limited test subjects (i.e. 1 or 2).

But many people will read this book and believe Tim’s conclusions. Smart US people can get a free copy from their local library or the inter-library loan program.



Star Trek Spam Control = Akismet + Defensio???

Recently I initiated CloudFlare on a client website. The success is overwhelming in stopping bad bots (robots) and other malicious entities.

We also have the plug-in AntiSpam Bee installed, if a bot should evade CloudFlare’s defenses. This plug-in tricks the bot into using a non-existent comment field, as well as doing some other checks.
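
The decoy-field trick described above, as an added example (not AntiSpam Bee's own code): the form carries an extra input that CSS keeps away from people, and the server classifies each submission by what it finds in that field. The field name, form action and sample submissions are hypothetical and constructed for this example.

```python
from urllib.parse import parse_qs

# Hypothetical decoy field name for this example; not AntiSpam Bee's own.
DECOY_FIELD = "homepage_confirm"


def render_comment_form(action="/post-comment"):
    """Comment form with a decoy input that CSS keeps away from people."""
    return (
        f'<form method="post" action="{action}">\n'
        '  <input name="author">\n'
        '  <textarea name="comment"></textarea>\n'
        '  <div style="position:absolute;left:-9999px" aria-hidden="true">\n'
        f'    <input name="{DECOY_FIELD}" tabindex="-1" autocomplete="off">\n'
        '  </div>\n'
        '  <button type="submit">Post</button>\n'
        '</form>'
    )


def check_honeypot(post_body):
    """Classify one form-encoded POST body as (verdict, reason)."""
    fields = parse_qs(post_body, keep_blank_values=True)
    if DECOY_FIELD not in fields:
        # A browser submits the empty decoy along with the other inputs;
        # its absence means the POST was not built from our form.
        return "suspect", "decoy field missing"
    if any(value.strip() for value in fields[DECOY_FIELD]):
        # Only software that fills every input puts text here.
        return "spam", "decoy field filled in"
    return "pass", "decoy present and empty"


# What each verdict means for the layers behind this one.
ACTIONS = {
    "spam": "mark as spam (kept for review, not deleted)",
    "suspect": "hold for moderation",
    "pass": "hand to the next filter",
}


def route(post_body):
    """Return the verdict, the reason and the follow-up action."""
    verdict, reason = check_honeypot(post_body)
    return {"verdict": verdict, "reason": reason, "action": ACTIONS[verdict]}


# Constructed sample submissions.
SAMPLES = {
    "human": f"author=Ann&comment=Nice+post&{DECOY_FIELD}=",
    "form_filler": f"author=x&comment=buy+now&{DECOY_FIELD}=http%3A%2F%2Fexample.test",
    "raw_post": "author=x&comment=buy+now",
    "whitespace": f"author=Bo&comment=Thanks&{DECOY_FIELD}=+++",
}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        result = route(body)
        print(f"{name:<12} {result['verdict']:<8} {result['reason']}")
```

Marking rather than deleting keeps the comment available to the later layers and to manual review.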

What it doesn’t protect against is human spammers. For this, we have used WordPress Akismet with great success. However, there are concerns expressed by some bloggers, about Akismet engaging in a pricing model.

As an alternative, I’ve recently added Defensio. Defensio is free for small businesses. It also is owned and operated by Websense, an international company. They also have the 2.0 version available and a usable WordPress plug-in.

I’ve started using Defensio on my Facebook account and it has impressed me. Now there are two different views of using Defensio with other Spam plug-ins.

  • Defensio says, “Deactivate Akismet and/or any other anti-spam plugin…”
  • Akismet in their FAQ says, “But if you are investigating alternatives, we recommend checking out Mollom and Defensio, both which integrate with Akismet nicely.”

Well, this is interesting. Unless we look at things like Akismet mentioning it classifies 90% of SPAM comments successfully – which translates as 10% false positives.

So let's add Defensio to Akismet and run some tests.

  • First I hide behind different proxy servers, so neither server bans me via IP address for testing.
  • I set all comments to have an approval process.
  • It’s time to try a good comment. It takes about 3 – 4 minutes to process through the Akismet and Defensio servers. But the comment gets on the pending approval queue.
  • Next I sent a spam comment with name viagra-test-123. It first goes through Akismet and gets flagged as SPAM. Then it goes through Defensio and ends up in their SPAM queue.
  • When I went to the comment in the Defensio Spam queue and clicked the history tab, it says: “Akismet caught this comment as spam.” If I click the details tab, it says “Spaminess: 99%”. Defensio rated it at 99% for Spaminess.

What about false positives? Now think of the movie critics analogy. If two critics think a movie is bad – guess what – it probably is. Similar logic occurs if they both think a movie is good. When they have a divided opinion, it’s up to a movie goer to make a judgment call.

But a strange thing happened:

I decided to add an entry with swear words.  Akismet approved the comment and Defensio accepted its recommendation.  What?  Defensio has a profanity filter and Akismet should know better.

Next I decided to test each service separately, using the same swear word entries.

  • Akismet classified the comment as SPAM
  • Defensio did the same thing and gave a SPAM rating of 100%

So let’s go back to what both Akismet and Defensio say about working together:

  • Defensio says, “Deactivate Akismet and/or any other anti-spam plugin…”
  • Akismet in their FAQ says, “But if you are investigating alternatives, we recommend checking out Mollom and Defensio, both which integrate with Akismet nicely.”

CloudFlare, Bad Behavior and AntiSpam Bee focus on the automated invaders. Defensio and Akismet can deal with the human element – but not together.  I have to trust Defensio’s judgment on using both your systems. My testing so far has defended this assumption.

There’s an interesting article at Fighting comment spam in Rails with Akismet and Defensio. It says:

“In order to test the two services head to head, I’ve put Akismet on the Plexus site and Defensio on another new site we recently rolled out. I’m going to compare the amount of spam each site receives through its comments and see which does a better job of recognizing spam. So far in my tests I have found both to be quite correct.”

Now let’s look at his testing updates:

“UPDATE (5/25/2010): In the month or so since I installed Akismet on this site, I found it had about a 95% success rate. Not bad, but not perfect. Some spam did still slip through. Today I switched to Defensio, and I will report back how that turns out.”

“UPDATE (8/13/2010): I had high hopes for Defensio, but it ended up letting a bit of spam through. I was pretty disappointed at its success rate in the end. Having used both for a while, I would say that Akismet is the more consistently effective solution, although as I noted above it is not perfect. Some spam is still going to get through, but Akismet seems to catch a lot more of it than Defensio.”

There’s also an interesting article weighing the pros and cons of Akismet, Defensio, Bad Behavior and captchas at Captchas, Anti-spam services, and Bad Behavior. The author gets great success using both Bad Behavior and Defensio.

  • I highly endorse reading the article and seeing the author’s pros and cons for Akismet, Defensio, Bad Behavior, Mollom and recaptcha. 

I’d like to see how the new 2.1.x version of Bad Behavior looks when it goes live. It will be mostly object orientated code.

Am I the only one testing both these services (i.e. Akismet and Defensio) together?


WalMart NetTalk Walmart…Layered Spam Filtering…Marketing too

NetTalk Now at WalMart

Remember when I covered NetTalk in earlier blog posts? Remember how I said you can use it via a router? Remember how I said it was far better than MagicJack?

Guess what? WalMart is now selling NetTalk.

Layered Filtering for Spam

Let’s return to a topic segment we covered partially.

Remember last week’s post on CloudFlare and my favorite WordPress plug-ins?

Remember where I touched upon layered filtering?

Let’s try working with this setup on Spam control:

There’s a blog post covering some of these solutions at 11 Anti Spam Plugins for WordPress. Of the plug-ins mentioned in this blog post, I would only give serious consideration to the following:

Now let’s give an example of layered filtering

To be honest, you won’t need other options with CloudFlare. But I would recommend having a strong, secondary measure in place.

  • AntiSpam Bee is simple and doesn’t take up any database resources. Please select the “mark as spam” option, to work with the other mentioned systems.
  • Akismet coupled with Google Recaptcha, via the Conditional Captcha for WordPress, is a great, complementary approach.

But here is my personal preference:

Bad Behavior has been in development for over 5 years.  It is still being developed.  The author is friends with CloudFlare and the software is designed to work well with WordPress Akismet.  So why not just let CloudFlare, Bad Behavior and Akismet catch spam – in that order?  If you also use the Conditional Captcha for WordPress with the Google Recaptcha option, it will eliminate any false positives with the Akismet spam classification.

If a spammer has gotten past both the CloudFlare and Bad Behavior defenses – rest assured – it’s not a spam bot. It’s a human spammer. Akismet will handle human spammers well.

Marketing advice to a client – Money and Time

In marketing, there are only 2 variables you work with – time and money. You either put in the time or put in the money – there’s no magic here.

But you want to make “wise” decisions about both. I never interfere in a person’s decisions. I also let them live with the consequences.

Take XXX, for instance. He promised you many things and I knew he couldn’t deliver on some. Take email marketing, for instance. XXX is smart – but he’s not a professional writer. Neither is he a professional marketing writer. If he was, I would have seen it in his own website, communications, etc. Yet one of the items he promised you is email marketing.

Let’s look at YYY. Sure. He doesn’t know anything about ZZZ. And his communications might be laughed at by pros.

But of the 136 blog comments we got, most came from his posts. And many were by folks who know something about ZZZ.

Or take the keywords he uses and the fact that folks from around the world find our site.

Is he a wise investment at $AAA a year? Only you can answer that.

But is spending $BBB on a ZZZ video nobody sees a wise investment? It could be, if down the road – it takes off.

And YYY could be a wise investment, if the readership grows.

Time and money, CCC. How do you best use them?

Maybe DDD – the EEE professional – suggests some ideas. Maybe they cost some money.

Again, it’s another decision involving time and money variables.

Remember this, CCC. I don’t interfere in any decisions – only tell. But you will be the sole person living with the consequences of bad decisions.



CloudFlare + Favorite self-hosted WordPress software and plug-ins

Today I’ll be talking about my favorite WordPress software and plug-ins.

For clients, I recommend to embrace:


Here’s a new free service worth trying out – CloudFlare. The basic service is free and it protects you from bad bots and spammers. It also caches pages for you, in servers around the world.

Here are some articles testing it:

XXX is one of the few hosting companies working with this and the basic CloudFlare service costs us nothing. CloudFlare has servers around the world, which helps better serve our international audience. I’ve been testing it for a client and it works great. XXX also has mod_security installed, so this acts as the second line of defense.

There’s also an Apache module (i.e. mod_cloudflare) and a WordPress plug-in available.

Caching of WordPress Pages

I initially installed W3 Total Cache and tried testing it. After reviewing the article at W3 Total Cache versus WP Super Cache , I went back to WP Super Cache and disabled W3 Total cache.

To get W3 Total Cache to work, you need Memcached or APC. Unfortunately, you need an account with Unix root access to install them.

Actually, the combination of WP Super Cache and DB Cache Reloaded works just as well as W3 Total Cache. W3 Total Cache – according to the article – requires supporting software not available on most hosting accounts. All you really need to do is cache the pages and database queries.

SPAM Control

Akismet is a solution that WordPress offers.

  • Somewhere they mentioned that it succeeds 90% of the time. That means that it has a 10% error ratio of returning false positives.
  • Mollom is another service, but it has a built-in recaptcha challenge, in case it detects spam. It claims only 2% of legitimate users will be issued a recaptcha challenge.

See How Mollom Works.

Fortunately, there’s a plug-in to add recaptcha to Akismet. It’s called Conditional Captcha. There’s an option to insert a Google Recaptcha, which I highly endorse.

  • Akismet is probably better than Mollom – at least, it gets more stars in the WordPress plug-in community.
  • If you need a captcha challenge, then Google is your best choice.

I have a philosophy I called layered filtering.  My client’s software security and spam hierarchy operates in the following order:

I would look at the plug-in Secure WordPress. Recently, this has passed from the developer to a company.

So if a comment is flagged as SPAM by Akismet (i.e. 5th level down), via a plug-in, the spam bot has 10 minutes to solve the Google recaptcha and prove they are human.

What spammers write about

For one client, I looked at the track back and the golfing article is in an article repository on nuclear secrets and nuclear submarines. Maybe it has something to do with golf, but I can’t see the connection – so I accepted the Akismet spam recommendation.


Most SEO is built into theme templates, like Genesis and Thesis. But a good SEO plug-in I like is WordPress SEO.

Mobile and Backup

I recommend Mobile Detector for WordPress mobile and ADrive for remote FTP backup.


There’s analytics aplenty here, with the setup I describe. 

  • CloudFlare offers statistics.
  • There’s mobile statistics with Mobile Detector and Google Analytics.  
  • XXX offers log analyzer stats via AWStats (my preference) and Webalizer.
  • For WordPress, there are stats and Google Analytics. I would also look at the Woopra system and its corresponding WordPress plug-in.

There are two items to remember with web analytics:

  1. The free commercial packages limit your log size.
  2. Packages hosted on your web server eat up system resources.


Discount Tires with a Great PR Move + Fighting WordPress SPAM

A little while back, I mentioned Discount Tires. They had this free 3 minute air check service. It’s a great touch. But here’s my personal story about another good PR move.

A couple of years ago, I helped my mom buy some tires. We opted to buy them from Merlin. Don’t know why they are called Merlin. Could it be related to the King Arthur magician?

To make a long story short, Merlin offered a set of tires – lifetime guarantee. Merlin specializes in brakes and tuneups. They fall short of a full service shop.

This would have been a happy story…almost like the magician Merlin from King Arthur…But the magic didn’t work for a certain tire…it kept going flat. It must have been in the shop – perhaps 6 to 12 times?

Merlin doesn’t take appointments. So you need to compete with folks getting tuneups and brake jobs. The customer must spend 1 to 2 hours wait time. The service repair man must spend 1 to 2 hours repair time – at his inflated salary.

Do the math!

Merlin won’t replace a tire, if they can repair it. Let’s do some math, shall we? Suppose each repair took 1.5 hours. Suppose that our total Merlin repair visits – for the same tire – totaled 12. This means a repair man spent 18 hours repairing the same tire. Let’s suppose that his hourly rate is $60. I know that full-time mechanics go for $100 or more labor costs. If we multiply $60 times 18, we get $1080.

Wouldn’t it make more business sense just to replace the tire? I can get tires at Just Tires or Discount Tires at $100 – $125 on average.

Well, I’m as mad as hell, and I just can’t take it any more. This is actually a line from a famous movie…it eludes me.

I call Discount Tires to find out their tire check and repair costs. The answer surprised me – they’re free. I made an appointment and they said appointments are done within an hour or less.

What do other places charge for repairs? A local Just Tires store quoted $25 and Suburban Tires quoted $29.95 (but they are also a full service shop).

To be fair, Discount Tires has a large number of service bays, with an equally large number of high school kids servicing tires. Why not? It doesn’t take much to train a tire expert and pay them.

I was out of there within an hour – as promised. Goodbye Merlin. Hello Discount Tires.  But wait! Just Tires does have 2 things Discount Tires doesn’t offer.

  • Tire alignment – they have a machine that does this. So even if I buy tires from Discount Tires, I’ll return to Just Tires for the alignment work.
  • Oil Changes – they are reasonably priced and I’m not waiting at a full service auto repair place.

So free tire repairs…even when I haven’t bought the tires from them…is a good PR move by Discount tires.

Fighting Spam on self-hosted WordPress sites

If you run Crawl Protect in the .htaccess file, along with WordPress Akismet, Bad Behavior, and Google Recaptcha via plug-ins, your success in reducing spam on self-hosted WordPress sites is assured.

Think of this as a medieval castle analogy.  Would you attack a castle that had:

  • A wide and deep moat surrounding the castle?
  • Archers on top firing flaming arrows?
  • The moat was full of hungry crocodiles or alligators?
  • Catapults were sending flaming missiles from the castle top?

Most likely, only the most skilled commanders would attempt such an attack. Similarly, most ordinary hackers would stay away from a combined defense system. You can read more about the plug-ins mentioned at Best WordPress plug-ins to fight spam. I would also suggest finding a web hosting company running Apache with Mod Security.

As an alternative to Google Recaptcha, there is Microsoft Asirra. Microsoft probably has the better solution. But the Google solution and corresponding WordPress plug-in is more mature.

Response to a blog post on censorship

I like how you started out covering book censorship. As far as science fiction writers go, Ray Bradbury is in the top spot. I read Fahrenheit 451 and saw the movie. I loved it.

James Joyce is an excellent writer. But when he explored “stream of consciousness” writing with Ulysses – followed by Finnegan’s Wake – he dabbled in the Freudian taboo land of his time-period.

You know what? He could have stopped with Dubliners and Portrait of an Artist as a Young Man. He didn’t…he wanted to go beyond his boundaries…like you encouraged us to do. Now we have Ulysses and Finnegan’s Wake.

Ayn Rand could have been content to study history and philosophy at a Russian college… She could have told the philosophy professor specializing in Plato, that she loved him…

But she preferred Aristotle… She told the professor that her ideas were not yet part of philosophical history – but they will be. Now the world is still reading works like The Fountainhead and Atlas Shrugged – over 30 years later.

We should try to go beyond ourselves, even if for our own benefit. Franz Kafka never published anything. It was a friend who published his works, without his consent.

What could you do? It’s up to your imagination. If you want to get inspired, read books like Think and Grow Rich by Napoleon Hill or How to Win Friends and Influence People by Dale Carnegie.