Spam Protection For WordPress


Fine Tuning Your WordPress Install

We offer WordPress as a one-click install, and there is a reason for that. Right out of the box, WordPress is a highly efficient, easy-to-use blogging platform. However, just like any other piece of web software, things happen and it can run wild on a server. To help prevent issues, we have a few plugins we suggest that customers try out. We have listed these below, along with a few other hints to boot.

Keep in mind that following these suggestions is great if you're running into issues — but actually implementing some of these suggestions is the best way to prevent problems to begin with.

Upgrades

Staying on top of both plugins and core WordPress upgrades is the single best thing you can do. Not only will it keep your site less prone to hack attempts, but almost every new version of the software has tweaks that offer speed increases. Granted, some of these performance tweaks may be tiny and barely noticeable to most folks — but they are there.

If you use our one-click installer, you can request upgrade notifications by clicking on "Email me when upgrade available" next to at least one of your WordPress installs under the advanced upgrade section. That way, whenever we update the packages in the installer, you're among the first to know.

In WordPress 3.0, they've been nice enough to include a section in the admin Dashboard called "Updates". From there, you can update your core WordPress install, plugins and themes. Check it regularly and stay on top of the updates and you should keep your install nice and happy.

Spam

The first thing to check on an overloaded blog is whether it is being spammed; this is one of the top reasons why blogs go crazy on CPU usage. Check the "Comments" link on your WordPress install. If you're seeing the same sort of comments as the spam that lands in your email Inbox, you'll need to install a plugin to help deal with the incoming flow of spam.

Anti-Spam Plugins

There are a lot of anti-spam plugins that are available for WordPress, but we're just going to list a few of the ones that work the best on the servers here:

Akismet
Pros: Spam checking happens off server, low impact on server overhead, works with most feedback forms.
Cons: Needs an API Key in order to run.
Cookies for Comments
Pros: Easy to install via WordPress, blocks users who don't have 'cookies' (which should only be bots), works with Akismet.
Cons: Requires editing your .htaccess
Defensio
Pros: Checking of comments is run on a remote server, so the server impact is quite low. It's basically a solid Akismet alternative.
Cons: Usage is allegedly not as widespread as Akismet. Plugins like this benefit from a larger user base.
WP-Hashcash Extended
Pros: Blocks all comments/trackback/pingback spam, compatible with Akismet.
Cons: In order to validate a comment, the browser needs to have JavaScript enabled.
reCAPTCHA
Pros: CAPTCHAs keep bots from submitting comments.
Cons: Spam isn't always done by bots, meaning manual spam will still get through. Not always readable/accessible.
SpamKarma
Pros: Solid plugin, works with Akismet via an extra plugin.
Cons: Checks spam comments on the server. Large comment storms can still cause decent overhead. Discontinued and open sourced by its developer.

You can use just one of these plugins to help curb spammers, but a combination of them (e.g. Akismet + WP-Hashcash or Defensio + reCAPTCHA) works best. Also keep in mind that CAPTCHAs are not always user friendly.

Notes

While forcing users to log in can cut down on spam, it is best not to use the OpenID plugin on a shared server. As described in a blog post, this plugin can be misused and you may become the target of an interesting breed of spam: your server is made to open numerous (and continuous) outbound PHP connections to adult/third-party websites in order to fetch the fake OpenID user's name and email information, which needlessly consumes CPU minutes and slows your site down considerably.

Caching

If spam isn't your problem, then the server is probably hitting your MySQL database more than it should. Since WordPress depends a lot on the database, it can make quite a few requests while trying to get the information needed to render your pages. This can be really inefficient and cause astronomical loads when sites like Digg, Slashdot and BoingBoing link to you.

Web Caching Plugins

There are several caching plugins available which promise to improve your loading times and decrease server load, allowing your site to handle large spikes in traffic like the Digg effect. Note that most of them will make it so that changes to your site aren't seen by anonymous users for a period of time, maybe five minutes to an hour.

There are plenty of plugins that cache MySQL requests by building static content to load instead of hitting the database for every request. These are just the ones that work the best on our servers:

WP Super Cache

Picking up where WP-Cache left off, this plugin has included advanced features as well as a plugin and hooks system. It should be included with all new one-click installs of WordPress.

Hyper Cache
This is probably one of the most user-friendly caching plugins out there. If you take one look at WP Super Cache and can't make heads or tails of it, Hyper Cache is an outstanding alternative for most end users.

W3 Total Cache
This plugin is also excellent, and gaining a lot of traction in the community, in part due to its inclusion of CDN features.

Other Caching Plugins

These plugins work well hand-in-hand with the ones above, to make your site faster.

DB Cache Reloaded
For WordPress 2.8-3.0.9
Instead of saving your final HTML output, DB Cache Reloaded caches your database queries. This means that it can help with bots and crawlers as well as normal users. DB Cache Reloaded and one of the plugins above can be used together to great effect.

DB Cache Reloaded Fix
For WordPress 2.8-3.1.1

http://wordpress.org/extend/plugins/db-cache-reloaded-fix/

At least until the above plugin is updated, this will do the same, but also works with newer versions of WordPress.

WP Widget Cache
Works together with Web Caching plugins above to further speed up your site -- in particular if you're using many widgets.

Beware: some sites with lots of spam/bot/spider traffic could see huge increases in memory saturation when switching to FastCGI. If memory spikes are a problem, try switching to CGI and using a good caching plugin (see above).

Plugins

Firstly, it's extremely important to make sure your plugins are compatible with the version of WordPress you're using.

This is something you can verify at WordPress' Plugin Directory.

If you are experiencing slowness and want to see if it's related to resource usage (and not something on HostingInIndia's end), simply disable all your plugins and switch to the default theme.

If your WordPress installation is suddenly much faster, go through your plugins and enable them one by one to see if one of them uses more resources than the rest.

For a more scientific approach, you can see how many queries and CPU time a page took. Enter the following into your footer.php:

<?php echo get_num_queries(); ?>
queries in <?php timer_stop(1); ?> seconds

By reloading this page each time you activate one plugin, you can check which of them increases your queries and CPU time considerably. You will need to have any caching plugins disabled for this to work.

The Jetpack plugin is a bit special. You might try disabling individual modules in the plugin to improve performance. For each module, click "Learn More" and then "Deactivate".

Media

The size of your images can also contribute to a slow loading site. The larger your images, the longer they take to download on the user's end, so you will want to make sure that your images are as small as possible. Please read over these instructions on how to optimize your images.

Widgets

Be suspicious of any widgets (or sidebar content) that force the visitor's browser to contact other hosts, each of which needs its own DNS lookup and connection. del.icio.us, for example, links to various sites, which can delay loading until that information has been passed back to the user.

Also, check whether your theme uses custom widgets to draw recent comments or posts. If this is not handled correctly, it will poll the database every time, considerably increasing your load.

If you're using a lot of widgets, a good idea would be to use the WP Widget Cache plugin (in addition to standard caching) to reduce the processing time for their output.

Database

You should take care to optimize your MySQL database to avoid a "fragmentation" effect. The easiest way to do this is to use WP-DBManager, which includes a function to optimize your database as well as the ability to schedule this optimization to run at an appropriate time (recommended at least once per month).

If you want to do this separate from WordPress, you can also do it manually (or through a cronjob) per these instructions:

Database Performance

Sleeping MySQL connections can also cause delayed page loads. While WordPress officially isn't supposed to keep persistent MySQL connections open and sleeping, it appears to happen to some people anyway.

Adding the following code to the .htaccess file can help alleviate this issue:

<IfModule mod_php4.c>
php_flag mysql.allow_persistent off
</IfModule>
<IfModule mod_php5.c>
php_flag mysql.allow_persistent off
</IfModule>

Revisions

WordPress 2.6 introduced a new feature that has proven rather handy for some folks: post revisions. While these are totally sweet to have, some databases can balloon a bit if you're prone to making a lot of changes or spending a lot of time cooking up a post. To help keep your database size down — which keeps your install speedy — you might want to fine tune the amount of revisions your site saves.

Revision Plugins

So far, we've only been able to find one plugin that's flexible enough and worth mentioning:

Revision Control

MySQL Query

If you don't want to add another plugin to your WordPress installation, you can run a simple SQL query to remove revisions.

First of all, log in to phpMyAdmin and select your WordPress database. Once done, click on the SQL button to open the SQL command window.

Paste the following SQL command in the SQL window:

DELETE FROM wp_posts WHERE post_type = 'revision';

This will remove all revisions currently stored in the database. The query assumes the default wp_ table prefix; if your install uses a different prefix, adjust the table name to match, and take a database backup before running it.

Disabling Revisions

To prevent revisions from being created and stored in the first place, add this line to your wp-config.php file after the database info:

define('WP_POST_REVISIONS', false);

If you still want to save some revisions, you can use the following code in place of the one above:

define('AUTOSAVE_INTERVAL', 120); // Default value is 60 seconds.
define('WP_POST_REVISIONS', 3);   // Number of revisions to save.

That will limit the number of revisions that WordPress holds onto to 3 and changes the auto-save value to every 2 minutes. You can change those values to something a bit higher (or lower), but be aware that this article (and the person writing it) encourages you to keep your database as lean and mean as possible.

Stats Plugins

The leaner a WordPress database is, the happier the WordPress install is. While having a plugin that handles your stats (and displays them in your admin interface) is nice, they can actually inflate the database almost as quickly as unchecked spam can. This means you should be cautious of using them, and pay special attention to your database if you do so.

Optimally, you'd use something that doesn't depend on your server environment like Google Analytics — but if you prefer a server side solution, Piwik is available in our one-click installer and works rather nicely.

XML-RPC

If you received a notice about spam being sent from your account, there is a definite possibility that one of WordPress' default files was used by a hacker to send spam from your website. By default, WordPress installs a file called xmlrpc.php, which is used by remote publishing clients and for pingbacks. If you do not know how to use it, or do not use it at all, you can safely remove the file; note that a core upgrade will put it back, so check again after each upgrade. If you do use the file, make sure you have the latest version for each WordPress blog running under your account. The most recent version should always be available from here.
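Abuse of that file shows up in the web server's access log as a burst of POST requests to xmlrpc.php from one client. As an added example (not part of the original article, and assuming your host exposes a combined-format access log), this shell function counts those POSTs per client IP, run here over a constructed sample log:

```shell
#!/bin/sh
# Added example (not from the original article): flag clients hammering
# xmlrpc.php in an Apache/Nginx combined-format access log. Log path and
# threshold are whatever you pass in.

# xmlrpc_post_counts LOGFILE MIN: print "count ip" for every client that sent
# at least MIN POST requests to xmlrpc.php, busiest client first.
xmlrpc_post_counts() {
    awk -v min="$2" '
        # combined log format:
        #   ip - user [date zone] "METHOD path HTTP/x" status bytes "referer" "ua"
        # the date has an embedded space, so $6 is the quoted method, $7 the path
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$1" | sort -rn
}

# Constructed sample log using RFC 5737 documentation addresses, not real traffic.
write_sample_log() {
    cat > "$1" <<'EOF'
198.51.100.7 - - [10/May/2012:03:14:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2012:03:14:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2012:03:14:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2012:03:14:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2012:03:15:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/3.0"
203.0.113.9 - - [10/May/2012:03:15:01 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2012:03:15:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Stand-alone run: report anyone with three or more POSTs to xmlrpc.php.
if [ "${1:-}" = "--demo" ]; then
    log=$(mktemp)
    write_sample_log "$log"
    xmlrpc_post_counts "$log" 3
    rm -f "$log"
fi
```

A legitimate remote publishing client will also appear here, so treat the output as a starting point for comparison against the user agents and times you expect.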

Missing Files

Sometimes, due to upgrades or some poorly coded pre-packaged themes, your WordPress install might have some missing files. Missing files make the server expend a little extra effort and can drive up load considerably on a popular site. One of the most common missing files is the favicon (favicon.ico). If you've recently used the one-click installer, a favicon should be generated for you — but it never hurts to make sure one exists in the main directory for your site.

Adding a favicon if one doesn't already exist is easy. It does require SSH access however. In the root directory of your site (i.e. /home/username/example.com/), type:

touch favicon.ico

That will mean that your favicon will be blank — but a blank icon is far better than one that is missing.

To check for any other missing files, it's suggested you run your site through Pingdom Tools. A single pass through their site will point out any missing files that could be causing your site to come up slow. Just look for filenames in red and either replace them or remove references to them in your themes or posts.

JavaScript

JavaScript can add a lot of interactivity and interesting remote content to a site — but when it is used liberally, it can also cause pages to load slower. There are a few things you can do to your JavaScript in order to speed up page load time however.

Remote JavaScript

Instead of inserting remote JavaScript towards the top of your page — as plenty of instructions for insertion suggest — it is totally acceptable to add it right before the </body> tag in your theme. Due to the way page load order is handled in the browser, this will allow your content to start rendering and display before having to wait for remote files (which would load first were they in the header) on possibly problematic servers.

If you'd like to save yourself from tweaking your themes manually, the JavaScript to Footer plugin should help quite a bit.

Local JavaScript

Pushing local JavaScript to the bottom of the page will also give the appearance of speeding up load time, so you might want to throw a little edit on your theme to migrate any local JavaScript from header.php to footer.php.

Also, while mod_deflate should compress JavaScript, you can cut a little bit of overhead off by pre-caching the compression. All you need to do is save gzipped copies of your theme's JavaScript in the same directory as your current files. Again, you'll need to SSH in to do this — but don't let that scare you.

The location of JavaScript varies from theme to theme, but the theme itself can always be found under the "wp-content/themes/" directory. Once you have found the JavaScript for your site, simply run:

gzip -c javascript.js > javascript.js.gz

So long as you replace "javascript.js" with the actual filename you wish to compress and repeat the process for all of your files, a compressed .js.gz copy of each file will be created alongside the original (the -c flag writes to standard output, so the original stays in place; a plain "gzip javascript.js" would delete it and break the pages that reference it). The benefit is that once it's done, you don't have to do anything else. Well, so long as the JavaScript libraries don't get updated in a future revision of your theme. Still, that's pretty straightforward, right?
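To do this for every script and stylesheet in a theme at once, here is an added shell example (not from the original article) that keeps the originals, skips files whose .gz copy is already current, and can verify each copy decompresses back to its source; the theme directory is whatever path you pass in:

```shell
#!/bin/sh
# Added example (not from the original article): pre-compress a theme's
# JavaScript and CSS without touching the originals. A bare "gzip file.js"
# deletes file.js and leaves only file.js.gz; writing the compressed copy
# with "gzip -c" keeps both files side by side.

# precompress_js DIR: for every .js and .css file under DIR, write a .gz copy
# beside it when none exists or the source is newer. Prints each path written.
precompress_js() {
    find "$1" -type f \( -name '*.js' -o -name '*.css' \) -exec sh -c '
        for f in "$@"; do
            gz="$f.gz"
            # skip files whose compressed copy is already up to date
            if [ -f "$gz" ] && [ ! "$f" -nt "$gz" ]; then
                continue
            fi
            # -9 smallest output, -n no embedded name/timestamp (reproducible),
            # -c write to stdout so the original stays in place
            if gzip -9 -n -c "$f" > "$gz"; then
                printf "%s\n" "$gz"
            else
                rm -f "$gz"
            fi
        done' _ {} +
}

# verify_gz FILE: succeed only if FILE.gz decompresses to exactly FILE
verify_gz() {
    gzip -dc "$1.gz" | cmp -s - "$1"
}

# Stand-alone run against a theme directory given as the first argument.
if [ -d "${1:-}" ]; then
    precompress_js "$1"
fi
```

Re-run it after a theme update; only files that changed are compressed again.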

It should be noted that some themes attempt to compress JavaScript and CSS by adding ".php" to the end of the file name. This actually processes the file through PHP unnecessarily and can cause a significant amount of overhead. So if you notice your theme doing that, please modify your theme and use the gzip method above.

And if all of that sounds like a lot of work to trim a second or two of load time off of your page, several customers have had success with the Scripts Gzip plugin.

Upgrading to A Private Server

If you've tried the plug-ins and suggestions but are still seeing a high load on the server, then it could be that you have launched an awesome blog that has outgrown shared hosting. At this point you may wish to consider adding a Private Server to your hosting package, which starts at only $15 per month. Should you have any questions about adding the Private Server to your account, please contact HostingInIndia support for more info.

Tools

Some tools to help you troubleshoot performance issues:

Firebug: A very handy tool that will display what is loading and how long it takes.
YSlow: A companion to Firebug that might give you some pointers on what to fix and how.
Web Inspector: Built into Chrome and Safari, it gives you much of the same information as Firebug.

For Sites on a Virtual Private Server or Dedicated Only - Do Not Run if you're using Shared Hosting:

Load Impact: a load testing service that hits your server with many simultaneous users. A free version does a 50 user test.

Be sure that you have caching enabled before running -- during this, you can watch the CPU load with 'top', and RAM levels with 'free -m' - or both with 'vmstat 1' (Ctrl-c to stop).

Handy Links

WordPress.org
WordPress Plugins Directory
WordPress Support Forums

Further Reading

WordPress Configuration Tricks
Why my wordpress site is so much faster than yours
How to hunt for Wordpress Performance Hogs
