Improving WordPress Commenting with Postmatic
We've set out to create a fantastic commenting plugin for WordPress. It's called Postmatic, and it does something no blogging system has offered before: synchronous, 100% email and web-based commenting. The web folks can engage via the web. The email folks can stick to email. And everyone can remain focused, engaged, and most important: at their own pace.
But WordPress has a spam problem. Which means that sooner or later, if we aren't paying attention, we're going to have one as well. Or even worse we could dramatically compound the existing ugliness. We've put a lot of time into thinking about this, proactively dealing with it, and planning for the future. Parts of our strategy build on the ideas brought forth in David's post about preventing comment spam. Others are our own. By bundling together some proven strategies and trying a few ideas of our own we're having pretty good success.
The spam challenge we face
People are funny about their email. Perhaps it is because email is so deeply a part of many people's identities and daily life. For many, an email address or domain is an online marker used to convey an impression, a sense of belonging, professionalism, or even just a peek into a special and private part of their online world. It can even signal a hierarchy among the movers and shakers of the cultural world, especially if you have an address like @well.com, also known as the "Park Place of email addresses." Email connects us to each other, but unlike social media it does so in a quiet and personal way.
As email lovers we are keenly aware of all this. I've been using email for... ahem... 23 years. Chances are if you are a geek in your mid-30s you have as well. Email has become kind of sacred to people like me, and the space is filled with innovation to help keep it that way. Common complaints about too-full inboxes and too much noise are quickly becoming a thing of the past as, once again, the very people that depend on email work harder to keep this open, un-owned platform performing as the dependable workhorse it always has been.
If there is one thing email users hate more than clutter, it is spam. But spam in email is also pretty well under control if you take the right steps. My current email setup is a collection of 10 or so addresses I have acquired in the last 23 years (jobs, schools, businesses), all of which funnel into the same Gmail box. That's 10 different addresses that spammers could target. Out of that, I have to deal with 2 or 3 spam messages per week. Not a big deal.
But now let's talk about spam and WordPress
This is a whole different thing. While spam in email has largely been conquered, WordPress suffers terribly.
You're probably aware of the problems with native WordPress commenting when it comes to spam.
What spambots do
There is a whole ecosystem of spambots out there hoping to publish their spewage on your website. We'll probably never know all the flavors and colors they come in, but we can make some gross generalizations. They want to hit your WordPress site with a submission that looks just like a new comment from a real human commenter, but with a payload of rotten spammy content. They crawl the web looking for things that look like WordPress comment forms, and pump out submissions whenever they find one. They have some techniques for defeating well-known defenses. Maybe they can only get past a very old version of Akismet, for example, but they'll try no matter what, and it will work often enough to be worth it. Here's a tiny sample of real submissions from spambots. Most WordPress sites get bombarded with these all day long.
And here we are, rolling out a nice highway for all of that WordPress comment spam to find its way into inboxes.
But it's not getting there.
Just imagine this scenario. You run a WordPress blog with 3,000 subscribers. Postmatic emails your post to 3,000 inboxes, and in the footer of each email is an invitation to leave a comment just by hitting reply (thereby subscribing to future comments as well), or at least to subscribe to comments by replying 'subscribe'. And let's say this is a particularly interesting post. Five hundred people subscribe to the comments from either web or email. Ninety-nine people send a reply. And then one spambot sends in a reply and blasts a viagra ad to them all. Directly into their inboxes. And you can't take it back. Email is forever. Ouch. This makes you look bad. It makes us look bad. It makes WordPress look bad. And it makes your subscribers run for the hills.
Let's make sure that never happens
The way we see it there are three things we have to keep a close eye on to make sure something like the above never happens. And here is a little bit about what we are doing to address each. Maybe it'll give you some additional spam fighting ideas of your own.
1. Protect the subscribe widget
But even if a bot did defeat the widget the next line of defense is...
2. Make joining difficult for bots with a tricky double opt-in confirmation email
If a bot manages to trick the JavaScript in the widget or comment form, the next step is to confirm the subscription via email. We made a decision here which was unorthodox and has raised complaints from some users, but ultimately it's the right thing to do. And it's proving itself quite nicely.
Instead of sending an email with a link that says "to confirm your subscription click here" (lame and easily tricked, IMHO: any bot that fetches URLs found in mail confirms itself), we force the user to actually reply to the email with the word agree. This is a lot harder for a bot to do, and by training users to the behavior now we can do something even cooler (and much harder to automate) in the future: let the site admin define a question which the subscriber has to answer correctly. For example, the subscription confirmation email on a Vermont-based blog might say: in order to confirm your subscription please answer the following question: what is Vermont's sweetest export? The answer, of course, would be maple or maple syrup. One caveat worth keeping in mind: a fixed answer is shared by every subscriber of the site, so it stops generic bots that reply to anything rather than a bot written for that one site; rotating the question over time keeps it useful.
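What the reply-to-confirm check looks like in practice, as an added example for this post (not Postmatic's own code). The design it assumes is hypothetical: each pending subscription is keyed by a random token embedded in the reply address (confirm+TOKEN@...), the words that count as a yes are "agree" plus whatever challenge answers the site admin has configured, and only text the subscriber actually typed is checked. The sample replies are constructed, not real mail traffic.

```python
"""Reply-to-confirm check for a pending subscription.

Added example, not Postmatic's code. Hypothetical design assumed here: each
pending subscription gets a random token that is embedded in the reply address
(confirm+TOKEN@...), the accepted answers are "agree" plus admin-defined
challenge answers, and only lines the subscriber typed (not quoted text or a
signature) are considered.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample data: one pending subscription keyed by its token.
PENDING = {"k7f3q9": {"email": "reader@example.net", "post_id": 42}}

# "agree" always confirms; the challenge answers are a hypothetical admin setting.
ACCEPTED_ANSWERS = {"agree", "maple", "maple syrup"}

TOKEN_RE = re.compile(r"^confirm\+([a-z0-9]+)@", re.IGNORECASE)
QUOTE_HEADER_RE = re.compile(r"^On .+ wrote:$")


def extract_token(msg):
    """Read the per-subscription token from the reply's To: address."""
    _, addr = parseaddr(msg.get("To", ""))
    m = TOKEN_RE.match(addr)
    return m.group(1).lower() if m else None


def plain_body(msg):
    """Return the text/plain body, falling back to HTML with tags stripped."""
    part = msg.get_body(preferencelist=("plain", "html"))
    if part is None:
        return ""
    text = part.get_content()
    if part.get_content_type() == "text/html":
        text = re.sub(r"<[^>]+>", " ", text)
    return text


def typed_lines(body):
    """Keep only lines the replier typed: stop at the signature delimiter or the
    'On ... wrote:' header and skip '>'-quoted lines. Without this, a bot that
    quotes our own instruction 'reply with the word agree' back at us passes."""
    lines = []
    for line in body.splitlines():
        s = line.strip()
        if s == "--" or QUOTE_HEADER_RE.match(s):
            break
        if s.startswith(">") or not s:
            continue
        lines.append(s)
    return lines


def normalize(answer):
    """Case-fold, drop punctuation and collapse spaces: 'Maple  Syrup!' -> 'maple syrup'."""
    return " ".join(re.sub(r"[^a-z0-9 ]+", "", answer.lower()).split())


def confirm_subscription(raw_email, pending=PENDING, accepted=ACCEPTED_ANSWERS):
    """Return (status, token). Only 'confirmed' should activate the subscription;
    the first typed line of the reply must be one of the accepted answers."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    token = extract_token(msg)
    if token is None:
        return ("no-token", None)
    if token not in pending:
        return ("unknown-token", token)
    lines = typed_lines(plain_body(msg))
    if not lines or normalize(lines[0]) not in accepted:
        return ("no-answer", token)
    return ("confirmed", token)


# Constructed sample replies.
GOOD_REPLY = """\
From: Reader <reader@example.net>
To: confirm+k7f3q9@comments.example.com
Subject: Re: Please confirm your subscription
Content-Type: text/plain; charset=utf-8

Agree!

On Tue, 3 Mar 2015, Example Blog wrote:
> Reply to this email with the word agree to confirm your subscription.
"""

CHALLENGE_REPLY = GOOD_REPLY.replace("Agree!", "Maple syrup.")

QUOTE_ONLY_REPLY = """\
From: Bot <bot@example.org>
To: confirm+k7f3q9@comments.example.com
Subject: Re: Please confirm your subscription
Content-Type: text/plain; charset=utf-8

> Reply to this email with the word agree to confirm your subscription.
--
Sent from my phone
"""

if __name__ == "__main__":
    for name, raw in [("good", GOOD_REPLY), ("challenge", CHALLENGE_REPLY),
                      ("quote-only", QUOTE_ONLY_REPLY)]:
        print(name, confirm_subscription(raw))
```

The token in the reply address is what ties an "agree" to one specific pending subscription; without it, anyone who learns the confirmation address can confirm arbitrary pending requests. Ignoring quoted text matters because the confirmation email itself contains the magic word, and a lazy bot's "reply" is often nothing but the original message quoted back.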
These first two measures put us in a good place to keep bots from ever becoming email-based subscribers to our customers' sites. The remaining, and biggest, risk in our system is web-based spam comments being relayed to inboxes.
3. Helping our users protect themselves
This part is going to be a little bit touchy. But I'm going to say it: WordPress sites which are proactive about stopping spam don't have a spam problem. There are dozens if not hundreds of plugins, techniques, and tricks to keep spammers out. We have a how-to guide on our support site which lets our users know how to stop spam immediately and permanently. We run dozens of WordPress sites with these very techniques in place and spam is completely obliterated.
We go out of our way to educate our users as to the current best practices and plugins for fighting WordPress spam. We do this through our support site, the WordPress dashboard, and in our installation guides.
This week Postmatic leaves beta and brings 100% email-based commenting to all WordPress sites. Throughout our testing period we've served hundreds of thousands of emails (still waiting for the millionth!) on behalf of WordPress sites both high and low profile. And so far? Not a single spam message. We think that says a lot about the ingenuity and generosity of people like David and the larger WordPress community. Check us out at gopostmatic.com.
About Jason Lemieux
Jason Lemieux is a seasoned WordPress developer and the founder of Postmatic. He lives in Vermont and blogs about farm life at http://vernalvermont.com.