I tried a few plugins, with varying levels of success. There’s an interesting one that attempts to limit registrations to a specific country, but it falsely reported some valid users as not being in Canada. Captchas work, but also block some valid users (and the signup captcha plugin I’d been using is possibly abandoned).

So, I did some quick googling, and came across the page on the WordPress Codex about using .htaccess files to stop comment spam. I made some modifications to the technique, and am now running it on UCalgaryBlogs.ca with apparent success. The apache logs show the bot attacks are still in full force, but not a single one has gotten through in order to register. And valid users have been able to get through. That’s pretty promising.

Here’s the technique – just drop a modified version of this into your .htaccess file for your WPMU server:

# BEGIN ANTISPAMBLOG REGISTRATION
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-signup\.php*
RewriteCond %{HTTP_REFERER} !.*ucalgaryblogs.ca.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://die-spammers.com/ [R=301,L]
# END ANTISPAMBLOG REGISTRATION

I put that block above the WPSuperCache block in my .htaccess file.

Modify the part that says “ucalgaryblogs.ca” to be whatever your WPMU server is (you may need to do more if you run multiple domains…), and modify the die-spammers.com part to point to wherever you want to send suspected evil spammers. I send them here.

What it does is detect any POST requests (submitting a form) for wp-signup.php, that haven’t been sent from a web page on the WPMU site or have an empty user agent string (identifying the software making the request), and sends them to a page that apologizes for any false positives (and provides a contact to get around it for valid users that somehow got sent there) and scolds evil spammers for being evil spammers.

The beauty of it is that it doesn’t require anything from WordPress. No plugins. No mu-plugins. No hacking core files. Nothing. Apache steps in and kicks spammers out before they get in at all.

Now, WP-SpamFree seems to offer an intelligent antispam system without relying on external servers or blacklists. I’m giving it a shot. So far, it’s been pretty successful.

Let’s see how well it does. Bring it.

But, I’ve found the combination of Akismet and TanTan’s Simple Spam Filter plugin to be extremely effective. Here’s my Akismet spam history graph. See if you can tell when I activated Simple Spam Filter…

November 13, 2008.

The graph doesn’t show spam that got published, only spam that Akismet had to nuke. The number of spamments that were successful is quite minimal.

With the two working together, the amount of spam that actually gets through to be (temporarily) published on my blog is almost zero. Maybe one or two per day (sometimes slightly higher, sometimes none at all).

The current version of the Akismet plugin for WordPress installs just fine in the mu-plugins directory, meaning each blog automatically gets protected, without any configuration or setup. The Akismet key can be hardcoded into the plugin file, and when that is done, all configuration interface magically disappears from the wp-admin interface. Easy peasy.

All that was required by Akismet was that I provide a link from each blog to Akismet.com to give credit for the spam protection. I wrote up a VERY simple mu-plugin to automatically insert the text and link in the footer of each blog on UCalgaryBlogs.ca.

I’m curious to see how well Akismet functions on some of the topics of conversation – some post colonial courses commonly use language that trips up word filters pretty readily…

I can’t wait to be invited to attend the Nigerian Dead Relatives Blog Directory Awards…

The problem showed up when a student tried to write a comment on a blog post, and used the word “rape” in the text of the comment. Simple Spam Filter threw a flag on the play, and the comment evaporated. Not cool. The student is now suspicious of the blog service, and is wondering if we’re censoring or filtering their conversations. Totally the WRONG feeling for a productive and engaging blog community. I’ve deleted the plugin, and hopefully assured the student that there was no intention of censoring their conversation.

Fun with antispam. Thanks again, Google, for making this such a wonderful problem to have to keep dealing with. It’s so thoroughly rewarding, having to battle spammers and work to make sure valid content gets around the filters that have to be constructed to prevent spammers from gaming Googlejuice.