Tim Hardy

When I hit my “Press it” shortcut, I’m often frustrated by how long it takes for the Wordpress Admin section to load. Okay, I’m impatient. It’s only around 4.6 seconds on average but seeing as I often post from home and the installation is on my home server, there should be zero latency. Where’s the delay?

Looking closer at the problem, I realised that the culprit was the section of Dashboard that loads in headlines (and the most recent post?) from the blogs of Wordpress developers.

The file to edit is wordpress/wp-admin/index.php and the section that controls this is the part that begins <div id="planetnews"> (line 129 on a default installation of Wordpress 1.5.2) up to and including the closing </div> (line 141).

One quick edit later deleting the entire section and Dashboard loads in 0.48 seconds. Much better. Now for every 1000 posts I make, I’ll save myself an hour… I’ll be the first to admit, it’s not a productivity hack but it does makes Wordpress feel more responsive and more pleasant to use.

IO ERROR explains how you can punish a particular form of bad behaviour.

“The sophisticated link spammer technique in common use now is to use some sort of script to harvest comment forms from a group of sites, then to fill in the fields appropriately, and a few hours or days later, to use a network of open proxy servers to relay the spam comments to thousands — or hundreds of thousands — of sites which use the same type of software. Repeatedly.”

His Bad Behavior plugin is a great first line of defence against automated comment spam. I recommend it.

Subscribers may have noticed a slight difference in the RSS feed for this site. You are now redirected to a version managed by FeedBurner. The main change is that my del.icio.us bookmarks will be spliced into the feed on a regular basis along with thumbnails of any new photos I get around to posting on flickr.

I was very impressed the other day by the announcement that FeedBurner were going to make it easy for people to leave if they weren’t happy with the service. I repect any company that is confident enough in their product not to need to lock in users.

Before this announcement, it was of course always possible to use mod_rewrite to forward requests for your feed to FeedBurner, giving you the option to opt out in future by removing the redirect from htaccess. Geeks always find a way.

To make this process easy to manage, I’ve used Steve Smith’s WordPress FeedBurner plugin which makes the transition painless.

If anyone experiences any trouble with the new feed and/or has any thoughts on it, please let me know.

There’s a new update for Bad Behavior the anti-spambot plugin, bringing it up to version 1.1.2. This fixes a problem with msnbot sometimes being blocked by accident and changes the ways logs are handled: get it while it’s still hot!

I’ve finally got around to upgrading Wordpress to 1.5.1.2 - I’d already patched the security holes and fixed the rss feed generation bug but had held off doing a full update until I knew I would have time to fix things if they went badly wrong.

As it was, the upgrade went without a hitch thanks to the excellent instructions in the Codex.

One of the reasons I wanted to upgrade was so that I could install Arne Brachhold’s Google sitemap generator. Google is already pretty good at indexing my site but I figure it can’t hurt to give them a hand. The plugin is easy to install and fairly straightforward to configure (the hardest thing is working out how often it is that you update).

Google will index items with the highest priority first. By default the plugin prioritises posts with the most comments. I’ve disabled this. The majority of my traffic comes from people looking for information found in old posts without comments.

Why these visitors do not leave comments is another question. Perhaps they are not satisfied with what they find, perhaps they don’t want to comment on what seems like an old post for fear that the moment has passed. Either way, assuming that what your current regular readers respond to the most is the most important thing on your site is to limit your exposure to potential future readers.

I’ve been inspired and encouraged by Dougal and Michael to tie together their respective spamblocking scripts. I’m testing the hybrid now.

Assuming all works as planned, if a spambot is detected and blocked by Bad Behavior, SpamValve will also take its IP address and log the abuse. Five offences from the same IP and the address will be blocked at the firewall for a couple of days. Any bots missed by Bad Behaviour that trigger the heuristics built into Wordpress will also have their IP passed to SpamValve.

My changes are crude and can definitely be improved. Consider this a proof of concept. If anyone wants a copy please contact me via =timhardy or leave a comment below.

NB a new update is available for Bad Behavior (which I notice I’ve been misspelling “Behaviour” in the English fashion until now) bringing it up to version 1.1.1.

Just my luck. In the week I’ve been testing spamvalve I’ve had no comment spam… until 5am this morning.

The spammed post was viewed by one IP address then, moments later, a comment was left on that post from a second IP address which then (re)loaded the entry. My traffic is low enough to make it highly probable that the first IP address and the second belong to the same person: neither IP address resolves to a known host so I assume they’re both spoofed.

The post was clearly spam: a vague meaningless statement along the lines of “great info guys thanks” linked to a portal site. It didn’t trigger Wordpress’s built-in spam defences nor the spamvalve plug-in.

By default any comments on this site have to be approved by me before they show up, unless you’ve been whitelisted following a previously approved comment. Clearly this little spambot is designed to move on and spam elsewhere if its comments are held in a moderation queue. A well behaved spambot, who would’ve thought it?

So, I’ve just had one spam to delete manually but the reminder that there’s nothing to stop a spammer from spoofing a different IP for every request thus preventing blocking by address from working. Spamvalve will prevent a less well behaved spambot that makes multiple spam posts from one IP from bringing down your site with unwanted traffic but it’s not a magic bullet.

(To be fair, Dougal never claimed otherwise:

The plan I’m proposing won’t do anything to stop a large number of hosts who only send a couple of spams each. Those will have to be caught by the other anti-spam measures such as content filtering. What I’m primarily aiming for is to keep the worst of the repeat-offenders from tying up my resources for no good reason.

Comment #16 on Spammers should all DIE DIE DIE)

I’m just fortunate that I’m not yet on the spammers radar: obscurity has its advantages. But it’s annoying not to have the chance to properly test out my defences. I’ll regret those words when the storm hits.

There’s a new update for Michael Hampton’s Bad Behaviour anti-spam plug-in out today for anyone using it. I’m going to update and re-enable it from today and keep it running in parallel with spamvalve. I think it’s safest to have several different anti-spam tools in your arsenal.

Of course, the only sure way of blocking comment spam is to blacklist based on the sites the comments link to but that seems an unrealistic goal. Or is it?

Dougal Campbell has created a potent weapon in the fight against comment spammers with a tool that blocks them at the firewall level. If you have root access on your server, then you should consider trying SpamValve. It’s designed to work with ipfw on FreeBSD but with his help I’ve crudely hacked it to work with iptables on linux. I’m going to try it out for the next week and see how well it works. If anyone wants to have a look at my changes, please drop me a line via =timhardy. I had the Llama book open and was teaching myself Perl as I made them so they’re pretty clumsy but I think they’ll work.

Michael Hampton, producer of the Bad Behaviour anti-spam plug-in for Wordpress has posted a convincing attack on the rel=”no follow” code proposed by google and implemented by MovableType, WordPress, Blogger, Flickr, and Slashdot.

This code gets added to any links left in comments on a site and is an instruction to search engines to ignore the link.

The supposed benefit? It stops link spammers from gaining google ranking from your site. The major side-effect? It breaks the structure of comments and links back-and-forth with which weblogs maintain their position in search rankings.

The post effectively dismantles any claims about the effects of rel=”no follow” on link spammers, showing how in fact it is likely to lead to an increase in spamming attempts. Its only effect will be to make blogs drop lower in search results.

If I’m looking for information I’d rather read a post written by an interested individual who has taken time to research it for themselves than a press release reprinted verbatim by a lazy hack or marketing copy that deceives to sell. People who complain about “blognoise” in search results are misguided. If you keep find irrelevent blog posts about someone’s new diet when you’re looking for something else, then learn how to use a search engine. Taking blogs out of google won’t make poorly constructed attempts to search the internet any more precise.

There’s a nonofollow plugin for Wordpress that removes rel=”no follow” from comments after a configurable number of days, allowing you to reward your true readers with a splash of googlejuice but giving you time to dump freeloading Texas Hold-em and his Viagra-toting buddies.

There are better ways to stop spammers. Michael is working on a real-time DNS-based blacklist to monitor the open proxies used to hammer websites with link spam so you can block any comments, pings or trackbacks sent via these anonymising machines. A Wordpress plug-in is now available.

Since I upgraded to Wordpress 1.51 my RSS feed has not been updating in bloglines and other aggregators.

It turns out that there’s a bug that means the feed gives a “HTTP Error 304: Not Modified” warning by default. This warning vanishes if I make a post - until midnight of that day when it resets to error status. Bloglines has clearly been skipping my site updates because of this.

Digging around in the forums lead me to the solution here.

However, while investigating this I find myself drawn to using feedburner instead because I like the idea of splicing in feeds from my del.icio.us bookmarks. I had noticed that Stephen O’Grady did this in his feed and have been meaning to investigate how he did it for a while.

There are good instructions on using feedburner with wordpress here and here. Using a .htaccess to redirect readers to the feedburner supplied feed should make the transition invisible to any current subscribers (both of you!) and make it easy to restore the old service if feedburner proves unreliable, goes bankcrupt or acts “evil” in future.

Here’s a link to the feedburner feed for the moment. I’m not sure if I’ll stick with including images from flickr but we’ll see.

UPDATE: Wordpress 1.5.1.1 has been released, patching the feed problem and a couple of others. I’m going to hold back before changing anything else.