WordPress Form and Comment Spam

As with security in general, escaping the scourge of WordPress form and comment spam requires a layered approach: no single filter catches everything, but each layer removes a different class of sender. Here is what works.

Databases and Behavioral Anti-Spam

The first step is the one that nowadays works the least well. In the beginning we had Akismet, and things got better, but this is an arms race, and Akismet has not kept pace. In WordPress, this battlefront has basically been ceded (with some exceptions, below). For a service like Google's Gmail, shared databases and behavioral scoring (along with manual rules) still work fairly well the vast majority of the time.

Manual Rules and Keyword Blocking

Manual rules and keyword lists help block a particular subset of spam, namely messages written by humans with the purpose of pestering someone to hire a so-called SEO Expert, Web Designer, or Marketing services. Keywords such as these, placed in the WordPress Admin > Settings > Discussion > Comment Blacklist field (renamed "Disallowed Comment Keys" in WordPress 5.5), are used as a filter not only by the WordPress commenting function but also by Contact Form 7. Note that the list matches inside words, so keep entries specific ("seo expert" rather than "seo").

Javascript and/or Session Detection

The average bot is fairly simplistic: it will not accept session cookies and does not execute JavaScript. Testing for one or both of these conditions generally allows those submissions to be ignored. For comment spam (on sites that must have comments enabled), the WordPress plugin WP-SpamShield is a fairly effective option. In the future, it might be better to ensure no plugin starts PHP sessions, since a session cookie defeats page caching and costs a request per page view, but on a moderately busy site this shouldn't be much of a problem.

Honeypot Form Fields

Another way to detect bots is to provide form fields that they see but that humans do not (hidden via CSS rather than with type="hidden", which bots already skip). A bot that fills every field it finds will fill this one too, and its submission can be identified and silently rejected. For Contact Form 7, a good choice is the aptly named Contact Form 7 Honeypot. For WordPress account creation/registration, there is the Registration Honeypot.
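The three layers above (keyword blocking, JavaScript detection, and a honeypot field) combine naturally into one server-side check. The following is an added example written for this page, not code from the original post or from any of the plugins it names. It assumes a plain PHP form handler; in WordPress the same function could be called from a filter such as preprocess_comment. The field names (website_url, js_token), the secret, the keyword list and the sample submissions are all assumptions for the demo. The JavaScript layer is implemented as a signed timestamp token: the server prints it in a data-token attribute when rendering the form, page script copies it into the hidden js_token input, and the server verifies the signature and the fill time on submit, so a bot that does not run JavaScript, replays an old token, or submits within a second of the page render is rejected.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post or from any plugin it names.
// A layered server-side spam check for one form submission: a CSS-hidden
// honeypot field, a keyword blocklist in the spirit of the WordPress
// Settings > Discussion list, and a signed timestamp token that page
// JavaScript copies into a hidden input. The field names, secret, keyword
// list and sample submissions below are all assumptions for the demo.

const HONEYPOT_FIELD = 'website_url'; // hidden with CSS; humans never fill it
const TOKEN_FIELD    = 'js_token';    // filled by JavaScript from data-token
const MIN_FILL_SECS  = 3;             // faster than this is not a human
const MAX_FILL_SECS  = 3600;          // older than this is a replayed token

/** Server side: token embedded in the page when the form is rendered. */
function issue_token(string $secret, int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, $secret);
}

/** Returns null if the token is genuine and the timing is plausible, else the reason. */
function check_token(?string $token, string $secret, int $now): ?string
{
    if ($token === null || $token === '') {
        return 'no token (JavaScript not executed)';
    }
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'malformed token';
    }
    $expected = hash_hmac('sha256', $parts[0], $secret);
    if (!hash_equals($expected, $parts[1])) {   // constant-time compare
        return 'forged token';
    }
    $age = $now - (int) $parts[0];
    if ($age < MIN_FILL_SECS) {
        return "submitted {$age}s after render, too fast for a human";
    }
    if ($age > MAX_FILL_SECS) {
        return 'token expired';
    }
    return null;
}

/** Runs every layer; returns the first reason to reject, or null to accept. */
function spam_reason(array $post, array $blocklist, string $secret, int $now): ?string
{
    // Layer 1: honeypot. Any value here came from a bot filling every field.
    if (trim((string) ($post[HONEYPOT_FIELD] ?? '')) !== '') {
        return 'honeypot filled';
    }
    // Layer 2: JavaScript token and fill-time check.
    if (($why = check_token($post[TOKEN_FIELD] ?? null, $secret, $now)) !== null) {
        return $why;
    }
    // Layer 3: keyword blocklist over every text field. Like WordPress's own
    // list this matches inside words, so "seo" would also hit "Paseo"; keep
    // entries specific (phrases such as "seo expert" are safer than words).
    $text = strtolower(implode("\n", array_filter($post, 'is_string')));
    foreach ($blocklist as $phrase) {
        $phrase = strtolower(trim($phrase));
        if ($phrase !== '' && strpos($text, $phrase) !== false) {
            return "blocked keyword: $phrase";
        }
    }
    return null;
}

// --- demo with constructed submissions -------------------------------------
$secret    = 'replace-with-a-random-secret-kept-in-wp-config'; // assumption
$blocklist = ['seo expert', 'web designer', 'marketing services'];
$rendered  = 1700000000;                 // when the form was served (constructed)
$token     = issue_token($secret, $rendered);

$submissions = [
    'human'    => ['name' => 'Ann', 'message' => 'Hi, is the shop open Monday?', TOKEN_FIELD => $token],
    'bot-hp'   => ['name' => 'x', 'message' => 'hello', HONEYPOT_FIELD => 'http://example.com', TOKEN_FIELD => $token],
    'bot-nojs' => ['name' => 'x', 'message' => 'hello'],
    'bot-fast' => ['name' => 'x', 'message' => 'hello', TOKEN_FIELD => $token],
    'seo-spam' => ['name' => 'Sam', 'message' => 'I am an SEO Expert, hire me', TOKEN_FIELD => $token],
];
foreach ($submissions as $label => $post) {
    $now = ($label === 'bot-fast') ? $rendered + 1 : $rendered + 45;
    $why = spam_reason($post, $blocklist, $secret, $now);
    printf("%-8s %s\n", $label, $why === null ? 'accepted' : "rejected: $why");
}
```

Running this accepts only the "human" submission and rejects the other four, each for a different layer. The honeypot input should be hidden with CSS (for example positioned off-screen) and excluded from screen readers and tab order, since display:none alone is sometimes respected by smarter bots while off-screen positioning is not.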

Captchas and NoCaptchas

Captchas are another, older technology, of which there are several implementations. Google acquired reCAPTCHA in 2009. It introduced a new version in 2014, called No CAPTCHA reCAPTCHA, and in early 2017 the Invisible reCAPTCHA was unveiled, so to speak. reCAPTCHA has gone from a human-vision puzzle to a fully automated, behavior-scoring approach (hence full circle back to the first item above, databases and behavioral analysis). Personally, I've had so much nonsense from the Google reCAPTCHAs that either end up making me solve a half-dozen puzzles or more, or that insist on presenting in a human language I cannot read. Google is very bad at both of these issues (producing puzzles for humans, and providing better language support). In both cases the problem could very easily be made much, much less horrible if simple human factors were taken into account, such as the size of text and providing a consistent language menu item that is labeled so it can be identified by non-readers of the currently selected language. Both are huge failures for a company that should have worked this out a decade ago. There is one captcha system that actually works well, both for humans (to provide access to them) and for bots (to deny access to them), and that is Really Simple Captcha. Originally designed to work with Contact Form 7, which it still does, it also works well with other forms, and has a basic library that can be used by WordPress developers. One caveat: it is a plain image captcha, and its own description says it is not meant for sites needing high security, so treat it as one layer among the others above rather than a standalone defense.

Summary of Anti-Spam Solutions

For contact forms, use:
- Contact Form 7
- Contact Form 7 Honeypot
- Really Simple Captcha
- Add keywords to the Settings > Discussion > Blacklist section

For comments in general:
- WP-SpamShield
- Add keywords to the Settings > Discussion > Blacklist section

For bot registration denial:
- Registration Honeypot

Telegram + Trello, Github, WP

Telegram is my favorite go-to chat. Unfortunately people are invested in their use of Facebook messenger, Line, Hangouts, etc., and you have to be where they are to chat with them. I have one guy who is only chatting on the apps I don't use: Facebook and WeChat. Sure, I might see a Facebook chat when I log in, but I don't use the apps and so it just doesn't work out well. I'm forced to use LINE but the same thing holds, I'm not logged in so semi-real-time just doesn't happen. I'll get a text message and also a Facetime message, and a Telegram message, and that is where I leave it. Even Twitter I use when I use it, not real-time, even for direct messages. I've also abandoned Gitter, possibly because of their support channel and its tone, but also because it is limited and can't really do what a full-blown chat/IM client is meant to.

Advantages of Telegram

Telegram is free and encrypted (note that only its Secret Chats are end-to-end encrypted; regular chats and groups are encrypted between client and server and stored on Telegram's servers), and also has the nice distinction of a free sticker ecosystem, Telegram native apps, Telegram bots, and messages can now be edited after being sent. There are three more pretty great integrations: Trello, GitHub, and WordPress.

Integram = Telegram + Trello + Github

Integram is a Telegram bot that can be added to groups; it then provides a unique link through which it is granted access to Trello boards and GitHub repositories, so that their events are posted into the chat.

Telegram + WordPress

There are many Telegram WordPress plugins (about 20 currently). I've not yet (as of 28 May 2016) evaluated which look useful, but several potential features immediately stand out as interesting:
- Notify a Telegram channel (or supergroup) of a new post on the site
- Integrate with CF7 to send a message via Telegram instead of, or in addition to, email
- Emulate comments on a page (but that would be overhead)

The WordPress Plugin for Telegram (see also this discussion for installation) uses the Telegram Bot system (bots are created through Telegram's BotFather), as well as Notificaster, an already existing Telegram bot, for discussion in terms of a group, as well as a channel for public notifications (e.g., a new post). This is great for announcements/posts and things like a general chat channel for a particular website. However, what about initiating private chats? That is easy in terms of 1-to-1 chatting: just add an address. While a supergroup (or regular group) might be used, it is probably best to keep a broadcast channel, a small group, and individual Telegram accounts. What to configure really depends on the use cases. There could be a channel per site, or perhaps one for each of the main category pages.

Signal, an Alternative/Competitor

Signal is free and open-source software designed primarily for mobile chat and voice calls. There is a Signal Chrome app that allows for computer-based use by linking it with a mobile device's account (the linked device shares the account's identity keys). Chat is basic, but includes images and other attachments, and of course voice is a great option. What Signal doesn't have (yet) are stickers and bots. What Telegram doesn't have (yet) is voice calls.

Widespread Hacking

> This is as true today as it was more than five years ago when first posted.

Due to the ongoing hacking of accounts and passwords on popular web services, it is a good time to consider the following suggested security practices. If you feel you do not have the time to deal with this, think again...

Suggested Security Practices

- Have one unique password per site/account, so that a breach of one service does not expose the others.
- Have a special account, not normally used, which is for administration of accounts (again, per site/account).
- Generate and manage passwords with an encrypted password management tool, e.g., KeePass and others of its ilk.
- Keep a backup of the encrypted password database in the cloud (some kind of cloud-based backup). There are many options for cloud storage, and we ourselves are on our third cloud provider, with likely a fourth on the horizon. First it was Dropbox, then Google Drive, and now the highly functional Yandex Disk, with an eventual migration to Amazon WorkMail and WorkDocs, once there is functional parity, later in 2017 or 2018.
- Encrypt files/drives which contain confidential information, using strong encryption, e.g., VeraCrypt, so that if a device is lost, stolen, or otherwise taken while powered off, the files/drives will not be accessible. (Disk encryption does not protect data on a machine that is running and unlocked when it is compromised.)
- Get in the habit of deleting email that has confidential information, such as passwords.
- Force the use of SSL/TLS (HTTPS) for all website browsing when possible, especially for email and other sites with sensitive information.