Category: WordPress

How to protect your WordPress site against spam and spam bots

There are many plugins to protect against spam, almost all of them have some disadvantages. In our view it is optimal to use the cloud service CleanTalk.

Since this is a cloud service, by obtaining and analyzing data from over 100,000 web sites, CleanTalk very effectively protects against spam. The algorithms analyze the behavior of spam bots increase service efficiency up to 99.998%. This is one of the fastest anti spam plugins and does not load the server and database.

To start use CleanTalk on your WordPress site, follow these steps:

Go to WordPress Dashboard->Plugins->Add New and in the search bar, type CleanTalk and click Install.

Activate the plugin and go to settings CleanTalk.

To connect the plugin to the service, you’ll need your Access key. To get the key click on the button “Get access key”.

You will be taken to the website CleanTalk. You can change your email to register for the service.

Push the button and get your access key.

Return to the plugin settings, insert the access key and click “Save Changes”. The installation and configuration of the plugin completed, changes in Advanced Settings needed in rare cases.

To test the plugin, log out of the account administrator and go to your website. Write a test review or make a test registration with e-mail *@cl*******.org, these messages will be blocked.

Next, you should get a message about blocking

Great, your website protected from spam bots!

Similarly you can check any form in your website.

Additional features CleanTalk. Dashboard, view logs.

To view service logs, go to CleanTalk Dashboard. Or log in to your WordPress Dashboard->Settings-CleanTalk and click “Click here to get anti-spam statistics”

If you have any questions you can always contact us. We will be happy to help you.

For more info

Help

Features

November 12, 2015
Spam FireWall – how to reduce CPU usage on website and to block DDoS attacks

The CleanTalk SpamFirewall manages and filtres all inbound HTTP traffic to protect web sites from spam bots and to reduce the load on the web servers.

CleanTalk has got an advanced option “Spam FireWall” for WordPress and Joomla!, this option allows blocking the most active spam bots before they get access to web site. It prevents loading of pages of the web site by spam bots, so your web server doesn’t need perform all scripts on these pages. Also it prevents scanning of pages of the web site spam bots.

Therefore Spam FireWall significantly can reduce the load on your web server.

Spam FireWall also makes Cleantalk the two-step protection from spam bots. Spam FireWall is the first step and it blocks the most active spam bots, CleanTalk Anti-Spam is the second step and it checks all other requests on the web site in the moment before submit comments/registers and etc.

How Spam FireWall works

• The visitor enters to your web site.
• HTTP request data is checked of the nearly 5,8 million of certain IP spam bots
• If it is an active spam bot, it gets a blank page, if it is a visitor then it gets a site page. This is completely transparent to the visitors.

All the CleanTalk Spam FireWall activity is being logged in the process of filtering. The logs will be available for viewing in CleanTalk Dashboard since 10/15/2015.

Spam FireWall DDos Protection
Spam FireWall can mitigate the HTTP/HTTPS DDoS attacks. When an intruder makes use of GET/POST requests to attacks on your website. Spam FireWall blocks all requests from the bad IP addresses. Your website will issue give for infringer a special page instead of the website pages. Therefore Spam FireWall can help to reduce of CPU usage on your server.

Get SpamFireWall

October 14, 2015
Spam Is Still a Big Problem, 99.6% comments/register are spam bots!

CleanTalk is dynamically developing cloud service of web-sites protection from spam. It is the powerful tool that becomes a serious competitor for leaders like Akismet and Mollom.

Spam is a big problem for Web sites or blogs. Even just launched WordPress Blog is likely to receive traffic from spam bots.

In 2013, the share of bot traffic was 61.5%. In comparison with 2012 the growth of bot traffic was 21% and this growth continues. This non-human traffic is search bots, scrapers, hacking tools, and other human impersonators, little pieces of code skittering across the web. (Source Incapsula)

Without effective automated counter measures, dealing with spam is time consuming, annoying and painfully slow.

CleanTalk seeks to provide reliable protection, thus contributing to strengthen information security in the world. Every day CleanTalk processes about 2.5 million requests. In general only 0.4% are comments, registration, etc. from real visitors and the remaining 99.6% are spam bots!

CleanTalk detects and stops spam witout CAPTCHAs or other math-based, human/bot testing techniques. Analyzing behavioral factors, the parameters of filling out forms and structure of the text, CleanTalk has a very high efficiency. According to the founder of the project Denis Shagimuratov “At 2.5 million queries the service makes a mistake in 40-45 cases, i.e. CleanTalk detects spam with 99.9982% accuracy. We constantly monitor these errors and make adjustments to our algorithms”, so the team is aiming to improve those figures over time.

All of this makes CleanTalk powerful tool against spam and it is easy for users at the same time.

Novadays CleanTalk is generally recognized by users who say CleanTalk is one of the best anti-spam services.

September 30, 2015
A new kind of WordPress anti-spam plugin settings page
We have simplified the plugin settings page and added new elements.
1. Add visual display protected forms and the user can immediately see that the protection is active.
2. We’ve removed in a drop-down advanced settings, these settings for 99.99% of the users are optimal and do not require changes.
3. In the status bar we’ve added plugin statistics of processed events in the past 24 hours. You’ll always know how many comments was added and how many spam attacks was stopped. Statistics has a link to the CleanTalk Control Panel to view detail and service management, as well as a quick link to the plugin’s settings.
We will be grateful to you if you say your opinion. Thank you!
April 23, 2015
For WordPress users, checking existing comments for spam

CleanTalk offers more protection from spam bots to sites by WordPress. The new version provides a unique opportunity to test existing spam comments.

CleanTalk adds new features in CleanTalk Anti-Spam, our solutions are reliable, easy and efficient. Work of the module is absolutely invisible for visitors and allows to renounce forever the ways of protection complicating communication on the website (CAPTCHA, question and answer, etc.). CleanTalk allows you to automate protection from spam and registering of spam bots.

Cloud anti-spam service CleanTalk released a new version of the anti-spam plugin for WordPress, the new version has a unique function of automatic check for spam of the existing comments on the site.

This allows administrators of the Web sites automatically check and identify spam bots comments, which were not detected by conventional anti-spam tools.

This function is present only for WordPress, it will gradually be introduced for other CMS.

CleanTalk identifies spam bots, using its own algorithms to estimate the parameters visitor, on the basis of these tests is formed its own database of spam bots. Checking existing comments is made on the basis of the nearly 2 million of certain spam bots. Detailed statistic allows CleanTalk customers to control the whole process.

“The team CleanTalk has been developing a cloud spam protection system for four years and has created a truly reliable anti-spam service designed for you to guarantee your safety”.

Download the new version anti spam by CleanTalk for WordPress

April 7, 2015
84% of the WordPress site can be hacked: What’s Next?
```
CleanTalk is a SaaS spam protection service for Web-sites. CleanTalk uses protection methods which are invisible for site visitors. Connecting to the service eliminates needs for CAPTCHA, questions and answers and other methods of protection, complicating the exchange of information on the site.
```
If you often read IT-news, you probably already tired of the horror stories about another vulnerability that was found in the popular OS / database / CMS / coffee maker. Therefore, this post is not about the vulnerability and about monitoring how people react to it.

But first – a few words about “the villain of the peace”. Critical vulnerabilities in popular WordPress blogging engine was found in September by the Finnish specialists from companies with funny name Klikki Oy. Using this hole, the hacker can lead as a comment to the blog a special code that will be executed in the browser of the site administrator when reading comments. Attack allows you to secretly take over the site and do unpleasant things under the admin access.

Here’s how easy it looks like in practice. Go to the blog by WordPress and enter a bad comment:

Next we see a specially crafted comment allows to bypass checks and conduct XSS-attack:

After capturing admin permissions an attacker can run their code on the server that is hosting the attacked blog, that is, can develop an attack on a broad front. Now is the time to remember that just recently 800,000 credit cards were stolen by a bank trojan which was distributed across WordPress sites.

This vulnerability applies to all versions of WordPress 3.0 and higher. Problem can be solved upgrade engine to version 4, where no such problem.

And now about the actual reaction. Finnish security experts discovered a vulnerability reported it to the vendor on September 26. At the time of this writing, that is, two months later after finding renewed no more than 16% of users of WordPress (see diagram on the title picture post). What Finnish experts concluded that all the other 84%, that is tens of millions of users of this engine in the world, stay potential victims.

In fact, the victims will certainly be less because there is a small additional condition for the operation – need the opportunity to comment on posts or pages (default is available without authorization). However, we are interested in here is the lifetime of vulnerability, and in this case it is possible to observe in real time – to monitor the statistics update WordPress here. Although you probably already understand the meaning of these figures: don’t lock the barn door after the horse is stolen.

We also follow the intruders attempt to exploit this vulnerability “in the wild”. To do this, use a network attack detection based applications PT Application Firewall. The mechanism of intrusion detection based on the analysis of anomalies in this case worked well, and we did not have to add the signature. In other words, PT AF elicited this “0 day” from the very beginning:

At the moment, the vulnerability exploitation attempts is already found. They can not be called mass – but if you have an older WordPress, should still be updated.

This text is a translation of article “84% сайтов на WordPress могут быть взломаны: что дальше?” by ptsecurity published on habrahabr.ru.

Forums and blogs without spam

CleanTalk is a SaaS spam protection service for Web-sites. CleanTalk uses protection methods which are invisible for site visitors. Connecting to the service eliminates needs for CAPTCHA, questions and answers and other methods of protection, complicating the exchange of information on the site.
December 10, 2014

Little-known functions in WordPress

CleanTalk is a SaaS spam protection service for Web-sites. CleanTalk uses protection methods which are invisible for site visitors. Connecting to the service eliminates needs for CAPTCHA, questions and answers and other methods of protection, complicating the exchange of information on the site.

Has it ever happened that during parsing code-party plugin or theme you found quite useful standard function, which did not know before? At such moments, any developer feels a sense of worthlessness, remembering he reinvented the wheel in previous projects.

In order to reduce the amount of frustration, I decided to describe a few little-known but very useful features:

make_clickable
Find in the text links and make them clickable.
Example:

$string = "This is a long text that contains some links like https://www.wordpress.org and https://www.wordpress.com .";
echo make_clickable( $string );

popuplinks
Adds target='_ blank' rel='external' to all the links in the text.
Example:

$string = "This is a long text that contains some links like <a href='https://www.wordpress.org'>https://www.wordpress.org</a> and <a href='https://www.wordpress.com'>https://www.wordpress.com</a> .";
echo popuplinks( $string );

wp_list_pluck
Takes out certain fields from the collection.
Example:

$posts = get_posts();
$ids = wp_list_pluck( $posts, 'ID' ); // [1, 2, 3, ...]

antispambot
Converts email addresses to symbols HTML for protection from spambots.
Example:

$email = 'ex*****@em***.com';
echo '<a href="mailto:' . antispambot( $email ) . '">' . antispambot( $email ) . '</a>';

checked / selected
Adds an attribute checked (selected) if the first argument is equal to the second.
Example:

<input type="checkbox" name="remember" value="1" <?php checked( $remember ) ?> />
<select name="options">
    <option value="1" <?php selected( $options, 1 ); ?>>1</option>
    <option value="2" <?php selected( $options, 2 ); ?>>2</option>
    <option value="3" <?php selected( $options, 3 ); ?>>3</option>
</select>

human_time_diff
Represents the difference in time in human-readable form.
Example:

$published = get_the_time( 'U' );
echo human_time_diff( $published ); // 2 days

wp_send_json_success / wp_send_json_error
Displays data in a JSON format for Ajax requests.
Example:

if( $success ) {
    $result = array(
        'message'	=> 'Saved',
        'ID'		=> 1
    );
    wp_send_json_success( $result ); // { "success": true, "data": { "message": "Saved", "ID": 1 } }
}
else {
    wp_send_json_error(); // { "success": false }
}

wp_remote_get / wp_remote_post
Receives data from a third-party web resource.
Example:

$response = wp_remote_get( "https://api.twitter.com/1.1/search/tweets.json?q=%23WordPress", array( 'timeout' => 10 ) );
$tweets = wp_remote_retrieve_body( $response );

wp_is_mobile
Specifies the user’s device.
Example:

if ( wp_is_mobile() ) {
    get_footer( 'mobile' );
}
else {
    get_footer();
}

wp_oembed_get
Converts a link to a media resource in the code of the player.
Example:

$youtube_url = 'https://www.youtube.com/watch?v=Lcvh0DgytH8';
$embed_code = wp_oembed_get( $youtube_url, array( 'width' => 800 ) );

wp_tempnam
Creates a temporary file with a unique name.
Example:

wp_tempnam( 'cache.log', get_temp_dir() );

zeroise
Complements the number with zeros to the specified length.
Example:

$tickets_count = 8;
echo zeroise( $tickets_count, 3 ); // 008

capital_P_dangit
Corrects common errors in brand name WordPress.
Example:

$string = "I Love WordPress";
echo capital_P_dangit( $string ); // I Love WordPress

get_num_queries
Shows the total number of SQL-queries to the database page.
Example:

<!-- Number of queries: <?php echo get_num_queries(); ?> -->

wp_text_diff
Finds the differences in the text and displays them in a convenient form for comparison.
Example:

$left_string = 'This is the original string';
$right_string = 'This is the revised string';
echo wp_text_diff( $left_string, $right_string );

submit_button
Generates code for the button.
Example:

<?php submit_button( __( 'Save Changes' ) ); ?>

enjoy 🙂

This text is a translation of article “Малоизвестные функции в WordPress” by Pingbull published on habrahabr.ru.

Forums and blogs without spam

CleanTalk is a SaaS spam protection service for Web-sites. CleanTalk uses protection methods which are invisible for site visitors. Connecting to the service eliminates needs for CAPTCHA, questions and answers and other methods of protection, complicating the exchange of information on the site.

November 23, 2014

Accelerate WordPress
```
CleanTalk is a SaaS spam protection service for Web-sites. CleanTalk uses protection methods which are invisible for site visitors. Connecting to the service eliminates needs for CAPTCHA, questions and answers and other methods of protection, complicating the exchange of information on the site.
```
WordPress in the standard setting is quite slow. By default, the engine does not use some features of modern web for significant acceleration. There are a whole bunch of plugins to optimize WordPress. Let’s put things in order and undergo a major optimization to accelerate WordPress.

Before we begin, let’s see what shows raw installing WordPress on Pagespeed:

Result 76 out of 100 is pretty low. Let’s see how you can increase this figure.

Server part

Ngnix

If you’re not already using Nginx, it’s time to move on it. Simple and powerful solution. Configuration for supporting permalinks and static caching:
```
server {
        server_name wp.com;
        root /var/www/wp; # way to WP
        index index.php;

        location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
                access_log off;
                log_not_found off;
                expires max; # statistics caching 
        }

        location / {
                try_files $uri $uri/ /index.php?$args; # permalinks
        }

        location ~ \.php$ {
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
        }
}
```
PHP cach

If you do not have any special reasons why you can not install APC, turn it necessarily. Checks for APC (in response to obtain a list of settings APC):
```
php -i | grep apc
```
In PHP versions after 5.5 has a built-in module opCache, so it will not have to put the APC.

Tuning Mysql

WordPress uses InnoDB, which means we can significantly increase productivity of MySQL, adjust the number of parameters (file my.cnf) under our hardware:

The size of the buffer InnoDB is better to put in half the available RAM:
```
innodb_buffer_pool_size = 256M
```
Do not forget to include the caching of MySQL:
```
query_cache_size = 32M
query_cache_limit = 1M
```
Caching

This is the most important point. Caching can give a significant acceleration of the site and save server resources. For clarity, we will use ab from Apache. Verify the standard install WordPress without caching. The request is sent through a local network, so the delay is nothing but itself does not create a WordPress:
```
ab -c 10 -n 500 https://wordpress/
```
Obtain the average time of about 50ms on request:
```
Total transferred:      4183000 bytes
HTML transferred:       4074500 bytes
Requests per second:    17.62 [#/sec] (mean)
Time per request:       567.421 [ms] (mean)
Time per request:       56.742 [ms] (mean, across all concurrent requests)
Transfer rate:          143.98 [Kbytes/sec] received
```
Chrome shows the average wait for the response at 150 ms (the server is in the Netherlands):

WP Super Cache

This plugin allows you to enable caching literally in one action. Besides the default settings, it contains a large number of settings for tuning the cache. Download plugin, activate it in the control panel and turn on the cache

With the included WP Super Cache obtain a reduction of the average time per query 25 times (!):
```
Total transferred:      4293500 bytes
HTML transferred:       4146500 bytes
Requests per second:    499.01 [#/sec] (mean)
Time per request:       20.040 [ms] (mean)
Time per request:       2.004 [ms] (mean, across all concurrent requests)
Transfer rate:          4184.61 [Kbytes/sec] received
```
Average absorption waiting for reply in Chrome decreased by 3 times:

As an alternative to server-WP Super Cache can use Varnish. It reduces the time to process a request for nearly an order of magnitude, but the solution is less flexible (well suited for blogs without elements of dynamics).

Styles, scripts and images

Minification and Compression

Minification CSS / JS can save 10 … 15% of their size. To enable a module minification statics WP Minify. Download it, activate, and the module starts. Gzip will reduce the size of the text files into several times. In Nginx activated as follows:
```
server {
...
gzip on;
gzip_disable "msie6";
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
...
}
```
Optimizing images

Pictures can be very large part of the overall page size. Lossless compression of images can save 30 … 40% of their size. This module is able to do EWWW Image Optimizer. For it to work you will need to install imagemagick and library gd:
```
apt-get install imagemagick php5-gd
```
Good practice and experience
- It is best to choose a VPS hosting for WordPress. Shared hosting on many of the above can be done. In addition, VPS now cheap enough
- Check the topics using Pagespeed before use
- Clean trash
- Delete old revisions of posts
- Remove spam comments
- Unplug trackbacks to moments when everything becomes very slow
- Share RSS via feedburner
As a result

We’ve got a raw install WordPress to disperse about 100 times on the page generation time (we included Varnish) and increase the rate at Pagespeed from 76 to 93:

This text is a translation of article “Ускоряем WordPress” by golotyuk published on habrahabr.ru

Forums and blogs without spam

CleanTalk is a SaaS spam protection service for Web-sites. CleanTalk uses protection methods which are invisible for site visitors. Connecting to the service eliminates needs for CAPTCHA, questions and answers and other methods of protection, complicating the exchange of information on the site.
November 11, 2014

Category: WordPress

Additional features CleanTalk. Dashboard, view logs.