Over the last week I’ve been helping out a couple of bloggers on WordPress issues.

Both have similar problems, despite having captchas enabled on registration. Both have ridiculous numbers of fake subscribers (one, 5000+ a week), an equally high number of spam, although Akismet catches the vast majority and both these popular blogs that have been around for well over 5 years, being on fairly good hosting plans, with no exotic plugins enabled, are seeing frequent and random outages.

Off course this is distressing for them; the hosts in one of the cases where it’s a managed service deny any liability and offer no advice.  Both blogs have any number of competitors that would happily see them offline and knowing how easy and cheap it is for anyone with a PayPal account to launch a denial of service attack, but that wouldn’t make sense due to randomness.

So having installed a simple Event Viewer, I quickly see a second problem, huge numbers of attempts at guessing the password for “admin” the default account for wordpress, which in both these blogs cases has been removed which is simple best practice, strangely enough I also see attempts at the “administrator” which is strange as that’s only really used on windows operating systems.

While I wouldn’t normally worry too much about password guessing on the “admin” account if none exists, the frequency could be to blame here. The fact so many large numbers of spammer accounts are being so quickly being created is resolved by increasing the captcha complexity and finding the pain threshold of potential sites commentators, and in one case deleting an immense number of obviously fake accounts, upon agreement with the client, we were aware that quite a large number of valid accounts were also deleted.

When I logged back in to one of them, the spam has died back quite a bit, and in the last 24 hours I can’t see one new spammer account created, but I notice a number valid accounts have been recreated, so deem that a success. But on both of them I’ve found the password guessing to have ramped up quite a bit, one of them quite a concerted effort employed, multiple IP addresses a second or less between each attempt. Now I have not had a great experience on WordPress with the firewall widgets available, finding they can put a greater load on the installations than the actual abuse, but I installed what appears to be a reasonably lightweight one (won’t name till it’s proved itself), with the pleasant addition of a username blacklist which I quickly added “admin” and “administrator” to.

Again I am asked if Disqus could be an option, well I’ve tested it myself on demo installations with default templates and no other plugins, and it’s worked without an issue. But when I’ve backed up, and restored a live site with a few years (50,000+) of comments, it failed miserably and due to client not wanting to potentially pour more money down the drain, we gave up. I think it I best quantify my objection to Disqus, firstly reviews are not as great as I would like to see on a widget that can’t simply be switched off and reversing a larger installation could potentially take days of work and disruption. Secondly they seem to have full control over what really is your content which might be ok today (I really don’t know), but what if they suddenly stop providing the service either generally or for a reason related to your site specifically, what happens to your content, or they start adding inappropriate advertising.

All seems well with these blogs now, time will tell, the spammers will no doubt find another way to sell their fake designer goods and Viagra. It’s not malice, it’s just their job.