CloudFlare + Bad Behavior + Akismet = WP SPAM triple whammy

If you read any of my past blog posts, you know I favor a layered defense for self-hosted WordPress blogs. I’m very fond of the CloudFlare, Bad Behavior and Akismet combination. Recently, I found a user who uses this very combination. He shares this in a blog post at Bad Behavior, CloudFlare and Google Bot.

Here are some excerpts of what he says about the strategy:

  • “My first line of defense from ne’er-do-wells and miscreants is CloudFlare. They stop most of the bad guys before they even reach my site. Still, for some sorts of attacks, when there’s doubt it’s better to let the bad guy through. It may turn out to be a good guy.”

  • “A program called Bad Behavior is my next line of defense. It sits on my server and quickly spots liars and weasels. For dangerous-looking attacks, that’s the limit. But, when there’s doubt and the site itself is not at risk, Bad Behavior will let the attack through.”
  • “Most of the comment spam has been stopped as well, but some has been given the benefit of the doubt. That’s where Akismet comes in. This layer spots the rest of the comment spam, and it can be much more aggressive since it doesn’t actually cut the spam, it puts it into a bin for future review.”

The problem this user runs into is with the order of CloudFlare and Bad Behavior working together. But I should add this should no longer be an issue. Since the redesign of Bad Behavior, it now works well with CloudFlare. It should no longer get false positives from bots like Google and Microsoft since the new architecture 2.2+ was introduced.

There’s also a point the author makes about using the CloudFlare plugin. The best solution is to run the CloudFlare WordPress plugin along with the CloudFlare Apache module. Unfortunately, not all hosting companies run the Apache module. This will change in time.

I found CloudFlare quite easy to use. It also does some excellent caching and you can refer to Google Analytics in CloudFlare.

Some good WordPress plugins are described in the article entitled 10 Powerful and Free WordPress Plugins. I also like the plugins WP Super Cache, All-in-One SEO Pack and Secure WordPress.

It should be noted that CloudFlare mentions they work well with spam plugins like Akismet, caching plugins like WP Super Cache, and Google Analytics plugins like Google Analytics for WordPress.


I should mention I played devil’s advocate in the past. I pretended I was a hacker for a client site and tried getting past both CloudFlare and Bad Behavior. They have a very good set of defenses. This is all approved behavior – mind you. I wanted to make sure these packages lived up to their reputation.

Akismet is also very good and is light years ahead of Defensio (i.e. a close competitor). Sometimes it gives false positives but it is probably over ninety percent right. Please enjoy the SPAM tools recommended here.



Fix WordPress plug-in Breaks + Spam Again + Tim Ferriss Stats

How to Fix a broken WordPress plug-in


I decided to try the plugin Ask Apache for a client site. First I did a cPanel backup to Adrive (a backup storage site company) via FTP.

Well, guess what? The plug-in warned me! I might not be able to get into the admin area.

And you know what? I couldn’t.

What to do? I was getting a 404 page not found error for WP-Admin. I edited out the plug-in stuff in the root directory .htaccess file – no effect.

So you need to Google and see what others say on forums. Perhaps you Google “Ask Apache WordPress wp-admin 404”. It turns out you need to edit the stuff from a second .htaccess file.

It worked. This might be a good plug-in for some environments, but it doesn’t work for all.


WordPress – the fight against spam: Summing up

You know what I like about this post? It has taken the following WordPress SPAM methods and tested them:

  • Akismet
  • Google Recaptcha
  • Conditional Captcha for WordPress
  • WP-SpamFree
  • NoSpamNx
  • AntiSpam Bee

There are a couple of interesting observations here:

  • The plug-in WP-SpamFree took more load time. I could never get the plug-in to work properly, even though I know someone who installed it for a mutual client.
  • The author couldn’t get NoSpamNx to work properly – neither could I.

Software is not only good for the inexperienced person – it often makes life easier for the experienced person too. And sometimes it takes a couple of pieces of software, working in harmony. As an example, take spam in WordPress blogs. Yet a combination of:

  • CloudFlare as a first line of defense (covered in my earlier blog posts). CloudFlare does its job so well that second and third defensive lines are to pick off stragglers – if needed.
  • Bad Behavior for a second line of defense. Or you might try combining Antispam Bee and Si Captcha.
  • WordPress Akismet and captcha (i.e. SI CAPTCHA Anti-Spam and Fast Secure Contact Form plug-ins), as a third line of defense (should you ever need it).
  • Or you can use Defensio (with the previously mentioned plug-ins, if you make more than $500 per month – but don’t want to pay the Akismet fees) – see 5 Tips for Protecting Your WordPress Site


An interesting article is 3 Ways To Make Spammers Cry (On WordPress And Blogger)

This article is interesting for one observation: “Many hire citizens in third world countries or (thanks to the recession) even in “prosperous” western nations which can bypass both CAPTCHA’s and automated spam filters.”

What’s the world coming to?

Let me share a final note on Defensio.  Akismet has 4 servers and processes blog comments instantaneously.  Defensio takes a few minutes to process.  They also create a MySQL table within your WordPress database.

Akismet is the better option.  It’s worth the $5 per month, if you make over $500 a month.  However, if you have many money making blogs, then Defensio might be a better option (i.e. since it’s free to small businesses).

Tim Ferriss Stats

Recently, both Copyblogger and Zen Habits (another heavy hitter, with about 200,000 readers and a Time magazine endorsement) interviewed Tim Ferriss – all in the same week. Copyblogger did an audio interview and Zen Habits did a video interview.

Tim has a new book entitled The 4-Hour Body: An Uncommon Guide to Rapid Fat-Loss, Incredible Sex, and Becoming Superhuman. It has a good rating on Amazon, with 934 reviews, and an average rating of 4.5 out of 5 stars.

Yet the Zen Habits interviewer asked a key question on his test data – what was his sample size (i.e. for example). In order to have reliable data, it’s well known in statistics to have at least 31 samples. Yet many of the conclusions in Tim’s new book are based upon limited test subjects (i.e. 1 or 2).

But many people will read this book and believe Tim’s conclusions. Smart US people can get a free copy from their local library or the inter-library loan program.



Star Trek Spam Control = Akismet + Defensio???

Recently I initiated CloudFlare on a client website. The success is overwhelming in stopping bad bots (robots) and other malicious entities.

We also have the plug-in AntiSpam Bee installed, if a bot should evade CloudFlare’s defenses. This plug-in tricks the bot into using a non-existent comment field, as well as doing some other checks.


What it doesn’t protect against is human spammers. For this, we have used WordPress Akismet with great success. However, there are concerns expressed by some bloggers, about Akismet engaging in a pricing model.

As an alternative, I’ve recently added Defensio. Defensio is free for small businesses. It also is owned and operated by Websense, an international company. They also have the 2.0 version available and a usable WordPress plug-in.

I’ve started using Defensio on my Facebook account and it has impressed me. Now there are two different views of using Defensio with other Spam plug-ins.

  • Defensio says, “Deactivate Akismet and/or any other anti-spam plugin…”
  • Akismet in their FAQ says, “But if you are investigating alternatives, we recommend checking out Mollom and Defensio, both which integrate with Akismet nicely.”

Well, this is interesting. Unless we look at things like Akismet mentioning it classifies 90% of SPAM comments successfully – which translates as 10% false positives.

So let's add Defensio to Akismet and run some tests.

  • First I hide behind different proxy servers, so neither server bans me via IP address for testing.
  • I set all comments to have an approval process.
  • It’s time to try a good comment. It takes about 3 – 4 minutes to process through the Akismet and Defensio servers. But the comment gets on the pending approval queue.
  • Next I set a spam comment with name viagra-test-123. It first goes through Akismet and gets flagged as SPAM. Then it goes through Defensio and ends up in their SPAM queue.
  • When I went to the comment in the Defensio Spam queue and clicked the history tab, it said: “Akismet caught this comment as spam.” If I click the details tab, it says “Spaminess: 99%”. Defensio rated it at 99% for Spaminess.

What about false positives? Now think of the movie critics analogy. If two critics think a movie is bad – guess what – it probably is. Similar logic occurs if they both think a movie is good. When they have a divided opinion, it’s up to a movie goer to make a judgment call.
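The decoy comment field that catches bots and the two-critics rule for deciding what a person must review, as an added Python sketch (not code from AntiSpam Bee, Akismet or Defensio). The field name, the threshold and both scoring functions are stand-ins invented for the example, and it assumes each critic scores the comment independently of the other.

```python
import re
from dataclasses import dataclass, field

HONEYPOT_FIELD = "website_url"  # hypothetical decoy input, hidden from people with CSS
SPAM_THRESHOLD = 80             # assumed cut-off on a 0-100 spaminess score

@dataclass
class Comment:
    author: str
    body: str
    fields: dict = field(default_factory=dict)  # raw form fields as posted

def honeypot_tripped(c: Comment) -> bool:
    # A person never sees the decoy field, so any value in it came from a script.
    return bool(str(c.fields.get(HONEYPOT_FIELD, "")).strip())

def keyword_critic(c: Comment) -> int:
    # Stand-in scorer (not a real service): flags spam terms in name or body.
    text = f"{c.author} {c.body}".lower()
    return 99 if re.search(r"viagra|casino|payday loan", text) else 5

def link_critic(c: Comment) -> int:
    # Stand-in scorer (not a real service): 45 points per link, capped at 100.
    links = len(re.findall(r"https?://", c.body))
    return min(100, 45 * links)

def triage(c: Comment, critics=(keyword_critic, link_critic)) -> str:
    """Return 'spam', 'approve' or 'pending' (held for human review)."""
    if honeypot_tripped(c):
        return "spam"                  # automated layer: no scoring needed
    votes = [critic(c) >= SPAM_THRESHOLD for critic in critics]
    if all(votes):
        return "spam"                  # both critics pan it
    if not any(votes):
        return "approve"               # both critics like it
    return "pending"                   # split opinion: a person decides

# Constructed sample submissions.
SAMPLES = {
    "good": Comment("Ann", "Thanks, the .htaccess tip fixed my login page."),
    "bot": Comment("Bob", "Nice post", {HONEYPOT_FIELD: "http://example.invalid"}),
    "both_flag": Comment("viagra-test-123", "buy at http://a.invalid http://b.invalid"),
    "split": Comment("viagra-test-123", "Just testing the comment form."),
}

if __name__ == "__main__":
    for name, comment in SAMPLES.items():
        print(name, "->", triage(comment))
```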

But a strange thing happened:

I decided to add an entry with swear words.  Akismet approved the comment and Defensio accepted its recommendation.  What?  Defensio has a profanity filter and Akismet should know better.

Next I decided to test each service separately, using the same swear word entries.

  • Akismet classified the comment as SPAM
  • Defensio did the same thing and gave a SPAM rating of 100%

So let’s go back to what both Akismet and Defensio say about working together:

  • Defensio says, “Deactivate Akismet and/or any other anti-spam plugin…”
  • Akismet in their FAQ says, “But if you are investigating alternatives, we recommend checking out Mollom and Defensio, both which integrate with Akismet nicely.”

CloudFlare, Bad Behavior and AntiSpam Bee focus on the automated invaders. Defensio and Akismet can deal with the human element – but not together.  I have to trust Defensio’s judgment on using both your systems. My testing so far has defended this assumption.


There’s an interesting article at Fighting comment spam in Rails with Akismet and Defensio. It says:

“In order to test the two services head to head, I’ve put Akismet on the Plexus site and Defensio on another new site we recently rolled out. I’m going to compare the amount of spam each site receives through its comments and see which does a better job of recognizing spam. So far in my tests I have found both to be quite correct.”

Now let’s look at his testing updates:

“UPDATE (5/25/2010): In the month or so since I installed Akismet on this site, I found it had about a 95% success rate. Not bad, but not perfect. Some spam did still slip through. Today I switched to Defensio, and I will report back how that turns out.”

“UPDATE (8/13/2010): I had high hopes for Defensio, but it ended up letting a bit of spam through. I was pretty disappointed at its success rate in the end. Having used both for a while, I would say that Akismet is the more consistently effective solution, although as I noted above it is not perfect. Some spam is still going to get through, but Akismet seems to catch a lot more of it than Defensio.”

There’s also an interesting article weighing the pros and cons of Akismet, Defensio, Bad Behavior and captchas at Captchas, Anti-spam services, and Bad Behavior. The author gets great success using both Bad Behavior and Defensio.

  • I highly endorse reading the article and seeing the author’s pros and cons for Akismet, Defensio, Bad Behavior, Mollom and recaptcha. 

I’d like to see how the new 2.1.x version of Bad Behavior looks when it goes live. It will be mostly object-oriented code.

Am I the only one testing both these services (i.e. Akismet and Defensio) together?