Server admins: beware the WordPress comment ‘spam loop’ trap
As a 100% WordPress agency, we administer a LOT of WordPress websites (over 200) across 3 separate servers. Last week, we suddenly had an issue with email deliverability for the contact forms on a cluster of websites which all sit on one server. At first it didn’t make sense: we were using an external SMTP solution, so how could the emails not be getting through? A bit of research showed that the server was on the verge of being blacklisted for spam, and that the ISP had therefore suspended the SMTP account.
HTF did that happen!!??
We’re really careful with client WordPress sites, and have a dedicated systems admin to keep all of our London servers locked down. We deliberately don’t run email on the servers to avoid any security issues which might result in spam being sent, so at first it was a bit perplexing. So I contacted the ISP to get some examples of the ‘spam’, and here’s what I found.
The good news:
The servers were not compromised.
The bad news:
Comments had been left open on several clients’ WordPress websites / individual blog posts, and this created (let’s call it) a ‘spam loop’. A what?! Here’s the scenario: spammers target the open comments on a blog post, and over time, the spam posts reach epic proportions (we found one site had over 120,000 spam comments pending approval). “Not a problem”, you might think, “so long as those comments aren’t being automatically approved, they’re not showing on the website”. Here’s the issue: every time a spam comment is submitted, the admin gets a notification email with the spam comment included in the body text of the email, and ISPs therefore think that the server is being used to send spam emails.
Well, the solution isn’t straightforward: stopping spam emails completely is a tricky task, but there are several steps you can take, depending on how important customer comments are to you. On the majority of customer sites, comments simply aren’t needed, so we just turned them off completely using the excellent Disable Comments plugin. There’s also a good article here showing how to stop spam registrations.
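For sites where comments do matter and a blanket plugin is too blunt, the same two levers can be pulled with core WordPress hooks. This is an added example (not the author’s code and not the Disable Comments plugin): a must-use plugin that stops the moderation emails, which are what carry the spam text off the server, once the pending queue looks like a flood, and optionally closes comments everywhere. The threshold and the `SPAM_LOOP_*` names are assumptions for this example.

```php
<?php
/**
 * Plugin Name: Comment spam-loop circuit breaker (example)
 * Description: Suppresses comment notification emails during a spam flood
 *              and optionally closes comments site-wide.
 * Install: copy into wp-content/mu-plugins/ so it loads on every request.
 */

// Assumed threshold: above this many comments awaiting moderation we treat
// the queue as a spam flood rather than genuine reader activity. Tune per site.
define( 'SPAM_LOOP_PENDING_THRESHOLD', 500 );

// Set to true on sites that never needed comments (the page's own remedy).
define( 'SPAM_LOOP_CLOSE_COMMENTS', false );

/**
 * True when the moderation queue is large enough to indicate a flood.
 * wp_count_comments() is a core helper and is cached for the request.
 */
function spam_loop_flood_detected() {
    $counts = wp_count_comments();
    return (int) $counts->moderated >= SPAM_LOOP_PENDING_THRESHOLD;
}

// The "a comment is held for moderation" email quotes the comment body, which
// is what made the ISP see the server as a spam source. Drop it during a flood
// but keep the comment itself in the queue so nothing is lost.
add_filter( 'notify_moderator', function ( $maybe_notify, $comment_id ) {
    if ( spam_loop_flood_detected() ) {
        error_log( sprintf( 'spam-loop: moderation email suppressed for comment %d', $comment_id ) );
        return false;
    }
    return $maybe_notify;
}, 10, 2 );

// Same for the author notification, which fires for auto-approved comments.
add_filter( 'notify_post_author', function ( $maybe_notify, $comment_id ) {
    return spam_loop_flood_detected() ? false : $maybe_notify;
}, 10, 2 );

// Close comments and pingbacks on every post, including old ones, so the
// comment form disappears and wp-comments-post.php rejects submissions.
if ( SPAM_LOOP_CLOSE_COMMENTS ) {
    add_filter( 'comments_open', '__return_false', 20 );
    add_filter( 'pings_open', '__return_false', 20 );
}
```

The same notifications can be switched off by hand per site under Settings > Discussion; the hook version is easier to roll out consistently across a few hundred installs.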
The upshot is: don’t think that just because you’re not approving spam comments, they’re not harming your WordPress website and, worse, the broader hosting environment. They can be.