ExpressionEngine

2.5.5 User Guide

Spam Protection

Comment spamming and other types of spamming have become common problems for systems that permit user-submitted information. If you are not familiar with comment spamming, it is when someone repeatedly submits unwanted comments into your system. This can be done manually, or, if the spammer is more sophisticated, with scripts designed to insert hundreds or even thousands of comments automatically. The purpose of spam is to increase traffic at the spammer’s web site: by leaving comments that link to their site, they improve its position in Search Engine listings.

ExpressionEngine has several security features aimed at preventing spamming. There is no “silver bullet”, as spammers adapt their tactics to new deterrents, but the combination of security features in ExpressionEngine provides a high degree of protection, particularly against automated spamming methods.

Blacklists

The ExpressionEngine Blacklist/Whitelist Module is an integral part of EE’s spam prevention capability. This Module allows you to specify URLs, IP addresses, and user agents that you want to deny (blacklist) or explicitly allow (whitelist) on your site.

The blacklist is checked against all content that is submitted to your site. ExpressionEngine compares the submitted content, along with the submitter’s IP address and user agent, against your blacklist and whitelist, and then accepts or rejects the submission accordingly.
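The check described above, written out as an added example in Python. This is not ExpressionEngine’s own code; it is an independent illustration of matching a submission’s URLs, IP address and user agent against a blacklist and a whitelist. The sample lists, the documentation-reserved addresses and host names, and the rule that a whitelist hit takes precedence over a blacklist hit are assumptions of the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Matches absolute http(s) URLs inside submitted text.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Submission:
    """One piece of user-submitted data plus the request metadata the lists inspect."""
    ip: str
    user_agent: str
    content: str


@dataclass
class ListRules:
    """One list (black or white): URL fragments, IP addresses or CIDR ranges, user-agent fragments."""
    urls: list = field(default_factory=list)
    ips: list = field(default_factory=list)
    agents: list = field(default_factory=list)

    def matches(self, sub: Submission) -> list:
        """Return the rules that match, e.g. ['ip:203.0.113.0/24', 'url:cheap-pills.example']."""
        hits = []
        addr = ipaddress.ip_address(sub.ip)
        for net in self.ips:
            # A bare address parses as a single-host network (/32 or /128).
            if addr in ipaddress.ip_network(net, strict=False):
                hits.append(f"ip:{net}")
        ua = sub.user_agent.lower()
        for frag in self.agents:
            if frag.lower() in ua:
                hits.append(f"agent:{frag}")
        for url in URL_RE.findall(sub.content):
            for frag in self.urls:
                if frag.lower() in url.lower():
                    hits.append(f"url:{frag}")
        return hits


def check_submission(sub: Submission, blacklist: ListRules, whitelist: ListRules):
    """Return (accepted, reasons). A whitelist hit wins over a blacklist hit (assumed precedence)."""
    white = whitelist.matches(sub)
    if white:
        return True, white
    black = blacklist.matches(sub)
    if black:
        return False, black
    return True, []


# Constructed sample lists; 203.0.113.0/24, 192.0.2.0/24 and the .example hosts are reserved for documentation.
BLACKLIST = ListRules(
    urls=["cheap-pills.example", "casino-win.example"],
    ips=["203.0.113.0/24", "198.51.100.7"],
    agents=["python-requests", "curl/"],
)
WHITELIST = ListRules(ips=["203.0.113.42"])


if __name__ == "__main__":
    samples = [
        Submission("203.0.113.5", "Mozilla/5.0", "Great post, see http://cheap-pills.example/buy"),
        Submission("203.0.113.42", "Mozilla/5.0", "Comment from a whitelisted address"),
        Submission("192.0.2.9", "python-requests/2.31", "hello"),
        Submission("192.0.2.10", "Mozilla/5.0", "A normal comment with http://blog.example/post"),
    ]
    for s in samples:
        print(s.ip, check_submission(s, BLACKLIST, WHITELIST))
```

The whitelisted address 203.0.113.42 sits inside the blacklisted 203.0.113.0/24 range, which is the usual reason for keeping a whitelist alongside a blacklist: a broad deny rule with narrow exceptions.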

CAPTCHAs

A CAPTCHA is a computer-generated test designed so that humans can pass it but automated programs cannot, or can do so only with difficulty. Since a great deal of spam is generated by automated scripts or “bots”, a CAPTCHA can be effective at deterring them.

When the CAPTCHA is enabled, an image containing a random word appears next to the comment and member registration forms. In order to submit the form, the word must be typed into a form field.

ExpressionEngine can use CAPTCHAs for comment submission and member registration.

Comment Time Interval

This setting defines the amount of time that must elapse between comment postings by the same user. A malicious user will have to wait until that time has elapsed before being able to post again.

The setting is located at: Admin ‣ Channel Administration ‣ Channels ‣ Edit Preferences

Rank Denial

The primary goal of spammers is to have their sites ranked highly in Search Engines in order to generate more traffic for themselves. They achieve this by posting comments at your site which contain links to their own site. The more links to their site scattered across sites on the internet, the higher Search Engines will rank them.

The Rank Denial feature denies a spammer this “ranking” benefit by rewriting all links submitted by users so that they point first to an intermediary “redirect page” at your site, which then forwards the visitor to the target destination. Because the link a search engine sees points at your own site rather than the spammer’s, the comment passes no ranking benefit to the spammer.
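The link rewriting described above, as an added example in Python; it is not ExpressionEngine’s implementation of Rank Denial. The redirect path /go, the per-site secret, and the HMAC signature on the destination are assumptions of this example: the signature is the check a practitioner would want, since an intermediary page that forwards to any URL given in its query string would otherwise be an open redirect usable by the very spammers it is meant to deter.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlsplit

# Assumptions for this example: a per-site secret and a hypothetical redirect page path.
SITE_SECRET = b"constructed-example-secret-change-me"
REDIRECT_PATH = "/go"

# Captures the href value of anchor tags in submitted HTML.
HREF_RE = re.compile(r'(<a\b[^>]*\bhref=")([^"]+)(")', re.IGNORECASE)


def _sign(url: str) -> str:
    """Short HMAC over the destination, so the redirect page only forwards to links it issued."""
    return hmac.new(SITE_SECRET, url.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def redirect_link(url: str) -> str:
    """Build the intermediary link that points at our own site instead of the spammer's."""
    return f"{REDIRECT_PATH}?url={quote(url, safe='')}&sig={_sign(url)}"


def rewrite_links(html: str, site_host: str) -> str:
    """Rewrite every external absolute link; relative links and links to site_host are kept."""
    def repl(m):
        url = m.group(2)
        parts = urlsplit(url)
        if not parts.scheme or parts.netloc.lower() == site_host.lower():
            return m.group(0)
        return f"{m.group(1)}{redirect_link(url)}{m.group(3)}"
    return HREF_RE.sub(repl, html)


def resolve_redirect(query_string: str):
    """Redirect-page side: return the destination if the signature checks out, else None.
    Without this check the page would be an open redirect that forwards anywhere."""
    q = parse_qs(query_string)
    url = q.get("url", [None])[0]
    sig = q.get("sig", [None])[0]
    if url is None or sig is None:
        return None
    if not hmac.compare_digest(_sign(url).encode("utf-8"), sig.encode("utf-8")):
        return None
    return url


if __name__ == "__main__":
    # Constructed sample comment: one external link, one internal link.
    comment = ('Nice post! <a href="http://spam.example/buy">cheap stuff</a> '
               'and <a href="/about">about</a>')
    rewritten = rewrite_links(comment, "blog.example")
    print(rewritten)
    qs = rewritten.split('href="/go?')[1].split('"')[0]
    print(resolve_redirect(qs))  # http://spam.example/buy
    print(resolve_redirect("url=http%3A%2F%2Fevil.example&sig=0000000000000000"))  # None
```

The rewrite runs once, when the comment is stored or rendered, and the redirect page does the verification on every click; a forged or tampered url parameter fails the signature check and is refused rather than forwarded.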

The setting is located at: Admin ‣ Security and Privacy ‣ Security and Sessions

Secure Form Mode

Secure Form Mode prevents automated scripts (the most common source of spam) from repeatedly submitting comments or other form data. A submission is only accepted when a user has loaded a page on your site and submits the form from it, and once the form data has been received, the user has to reload the page before they can submit again.
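One way to get the behaviour described above, as an added example in Python rather than ExpressionEngine’s own code: the server issues a fresh random token each time a form is rendered, stores it against the visitor’s session, and accepts a submission carrying that token exactly once. A script replaying a captured form body, or posting without loading the page, fails the check. The field name form_token, the session identifier and the one-hour lifetime are assumptions of this example.

```python
import secrets
import time


class FormTokens:
    """Issue a fresh single-use token each time a form is rendered; accept a submission once."""

    def __init__(self, ttl_seconds: int = 3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so tests can control time
        self._issued = {}             # token -> (session_id, expiry); kept server-side only

    def issue(self, session_id: str) -> str:
        token = secrets.token_hex(16)  # 128 bits of randomness: not guessable by a script
        self._issued[token] = (session_id, self.clock() + self.ttl)
        return token

    def hidden_field(self, session_id: str) -> str:
        """What the form template embeds when the page is loaded (field name is an assumption)."""
        return f'<input type="hidden" name="form_token" value="{self.issue(session_id)}">'

    def consume(self, session_id: str, token: str) -> bool:
        """True exactly once per issued token, and only from the session it was issued to."""
        record = self._issued.pop(token, None)   # remove first: a token is spent even if the check fails
        if record is None:
            return False                          # never issued, already used, or fabricated
        owner, expiry = record
        if owner != session_id or self.clock() > expiry:
            return False
        return True


if __name__ == "__main__":
    tokens = FormTokens(ttl_seconds=60)
    sid = "session-abc"                  # constructed session identifier
    tok = tokens.issue(sid)
    print(tokens.consume(sid, tok))      # True: first submission from the rendered form
    print(tokens.consume(sid, tok))      # False: a script replaying the same token
    print(tokens.consume(sid, "0" * 32)) # False: never issued
```

Binding the token to the session is what stops one visitor’s rendered form from being submitted by another; removing the token before any other check is what guarantees it cannot be reused after a failed attempt.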

The setting is located at: Admin ‣ Security and Privacy ‣ Security and Sessions

Deny Duplicate Data

The “Deny Duplicate Data” feature prevents a comment from being accepted if an identical one already exists in your database, so a malicious person can’t submit the same information more than once.
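The Comment Time Interval and Deny Duplicate Data checks above, combined in one added example in Python; this is an independent illustration, not ExpressionEngine’s code. The poster key (a member id or IP address), the 60-second default, and the whitespace-and-case normalization before fingerprinting are assumptions of the example: the page describes an exact-match check, and the normalization goes slightly beyond it so that trivially re-spaced copies of a comment are also caught.

```python
import hashlib
import re
import time


class CommentGate:
    """Apply the comment time interval and the duplicate-data check to incoming comments."""

    def __init__(self, interval_seconds: int = 60, clock=time.time):
        self.interval = interval_seconds
        self.clock = clock              # injectable so tests can control time
        self._last_post = {}            # poster key -> time of that poster's last accepted comment
        self._seen = set()              # fingerprints of every accepted comment

    @staticmethod
    def fingerprint(text: str) -> str:
        # Collapse whitespace and case so re-spaced copies still count as duplicates
        # (an addition to the identical-content check the page describes).
        normalized = re.sub(r"\s+", " ", text).strip().lower()
        return hashlib.sha256(normalized.encode("utf-8")).hexdigest()

    def submit(self, poster: str, text: str) -> str:
        """poster identifies the submitter (member id or IP address, an assumption here)."""
        now = self.clock()
        last = self._last_post.get(poster)
        if last is not None and now - last < self.interval:
            return "rejected: interval"      # too soon after this poster's last comment
        fp = self.fingerprint(text)
        if fp in self._seen:
            return "rejected: duplicate"     # same content already in the database
        self._seen.add(fp)                   # only accepted comments count for either check
        self._last_post[poster] = now
        return "accepted"


if __name__ == "__main__":
    gate = CommentGate(interval_seconds=30)
    # Constructed sample traffic from two posters.
    print(gate.submit("192.0.2.1", "Nice article, thanks."))   # accepted
    print(gate.submit("192.0.2.1", "Another thought."))        # rejected: interval
    print(gate.submit("192.0.2.2", "nice   ARTICLE, thanks.")) # rejected: duplicate
```

A rejected comment updates neither the interval timestamp nor the duplicate set, so a flood of rejected posts cannot itself extend the wait or poison the duplicate table with content that was never stored.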

The setting is located at: Admin ‣ Security and Privacy ‣ Security and Sessions

Site Membership

Although this isn’t technically a security feature, requiring your users to be members of your site provides additional protection against spamming, since you have better control over who is able to post on your site.