Thanks to everyone who came out to the Asheville Area WordPress Group meetup last night, and thanks for the great discussion! I learned a lot from you all, and I hope you came away with something you could use to make your own website more secure.
As promised, here are the slides from the presentation:
In the lead-up to the 3.5 release of WordPress, we kept hearing that the outdated “blogroll” was going to go away. No longer would you see the Links menu in your WordPress admin area because it was no longer really needed with the advent of custom menus last year.
So after I updated many sites to 3.5, I noticed the Links menu was still there.
Turns out it only goes away on new installations. Bleh. In case you were wondering, that is why you still see it.
Are captchas annoying to you? They are to me. I probably fail at solving them about 15% of the time, which is far too often for my liking. They get annoying, and as spammers find ways to automate solving them, the captchas continue to get more difficult to read.
Someone who knows a lot about combating spam, and has done a pretty darned good job at it, Matt Mullenweg, suggests in a recent Guardian article that “…Captchas are useless for spam because they’re designed to tell you if someone is ‘human’ or not, but not whether something is spam or not.” I would have to agree.
There are many efforts to improve upon Captchas, such as the 3-D Captcha. In my opinion, this is just making things more complicated than necessary, and it would be difficult to implement easily on a typical blog or contact form.
I run about 6 to 8 blogs (depending on my mood from week to week), and have been reluctant to use Captchas on any of them, partly out of usability concerns, but also because they are so easy to fail. Instead, for my blog comments, I rely upon Mullenweg’s own Akismet spam system. This feature is built into WordPress blogs, which makes it a breeze to set up, and I am constantly amazed at the loads of spam comments that it stops.
As Mullenweg suggests, focusing on the content rather than the submitter is the way to go in the long term, and Akismet is great at doing that.
However, I also rely on a simpler test to determine if someone is a human or not, mainly because it’s not as annoying as a Captcha, and it prevents a lot of spam comments from making it through in the first place. It’s easy to add a basic question to a form which must be answered correctly in order for the form to be submitted successfully. Questions could be as simple as:
What color is an orange?
What is 3 plus 3?
How many wheels does a car have?
There is a great WordPress plugin which provides this capability and is relatively easy to set up called the Secure and Accessible PHP Contact Form. If you run any WordPress blogs, I recommend you try it out.
By having a list of simple questions that are randomly selected to appear on your forms, you can stop automated scripts from filling out your forms quite easily. This, combined with Akismet, a content-based filter of what gets submitted, will pretty much stop spammers in their tracks without creating a hassle for your visitors.
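A minimal version of such a randomly selected question check, as an added example in plain PHP (not the Secure and Accessible PHP Contact Form plugin’s code): the question pool and CHALLENGE_SECRET are constructed placeholders, and the HMAC-signed hidden field is what keeps a script from substituting its own question or skipping the check.

```php
<?php
// Added example (not the plugin's code): a server-side challenge question for a form.
// CHALLENGE_SECRET is a placeholder; the question pool below is constructed for the demo.
const CHALLENGE_SECRET = 'replace-with-a-long-random-secret';

// Each question lists the answers accepted (compared trimmed and case-insensitively).
$QUESTIONS = [
    ['q' => 'What color is an orange?',         'a' => ['orange']],
    ['q' => 'What is 3 plus 3?',                 'a' => ['6', 'six']],
    ['q' => 'How many wheels does a car have?', 'a' => ['4', 'four']],
];

// Bind the chosen question id and an expiry to an HMAC so the client cannot swap in
// an easier question or reuse the hidden field forever.
function challenge_token(int $id, int $expires): string {
    $payload = $id . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, CHALLENGE_SECRET);
}

// On form render: pick a random question and build the hidden field value to echo back.
function render_challenge(array $questions, int $ttl = 3600): array {
    $id = random_int(0, count($questions) - 1);
    return ['question' => $questions[$id]['q'], 'token' => challenge_token($id, time() + $ttl)];
}

// On submit: the token must be authentic and unexpired, and the answer must match
// the question the token names, not whatever question the client claims it saw.
function verify_challenge(array $questions, string $token, string $answer, ?int $now = null): bool {
    $now = $now ?? time();
    $parts = explode('|', $token);
    if (count($parts) !== 3) return false;
    [$id, $expires, $mac] = $parts;
    if (!ctype_digit($id) || !ctype_digit($expires)) return false;
    $expected = hash_hmac('sha256', $id . '|' . $expires, CHALLENGE_SECRET);
    if (!hash_equals($expected, $mac)) return false;            // forged or tampered token
    if ((int)$expires < $now || !isset($questions[(int)$id])) return false;
    $given = strtolower(trim($answer));
    foreach ($questions[(int)$id]['a'] as $ok) {
        if (hash_equals(strtolower($ok), $given)) return true;
    }
    return false;
}

// Rendering (HTML-escaped) and a deterministic self-check with constructed submissions.
$c = render_challenge($QUESTIONS);
echo '<label>' . htmlspecialchars($c['question']) . ' <input name="answer"></label>';
echo '<input type="hidden" name="challenge" value="' . htmlspecialchars($c['token']) . '">' . PHP_EOL;
$tok = challenge_token(1, time() + 60);                                 // "What is 3 plus 3?"
var_dump(verify_challenge($QUESTIONS, $tok, ' Six ', time()));          // answer with stray case/space
var_dump(verify_challenge($QUESTIONS, '0|' . (time() + 60) . '|bad', 'orange')); // bad MAC
```

A script that has solved one question could replay that token and answer until the token expires, so keep the TTL short or tie the token to a one-time nonce; the check is meant to stop bulk automated submissions, and Akismet still filters what gets through.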
Out of all the awesome, free applications (and the crappy ones too) I’ve been trying out in the new App Store with my iPod Touch, the best by far is the WordPress app. I’m using it now to write this post.
It supports tags, categories, editing previous posts, post status, images, AND multiple blogs. I was floored when I read all that, and am more floored now that I’m using it.