Keep the Comment Bots at Bay

Space Invaders - Found at: http://www.sxc.hu/photo/191111

It does not take long after your blog opens before the automated comment spam bots start to invade your beautiful creation. Dealing with comment spam is a daily task for every blogger, and if the automated comment spam bots have you on their list of blogs to attack it can be an overwhelming task. There are many different methods that you can use to keep them from attacking your blog with a barrage of bad and often nonsense comments. You can try to ban the IP addresses using your htaccess file, you can install different types of captcha plugins and add in hidden comment fields to stop the bots. The method I prefer is to use Javascript to separate a real person leaving a comment from an automated comment spam bot leaving a comment.

To understand how this method works you need to know a little bit about how WordPress processes the comment form. If you look at the source code of a WordPress comment form you will see the form tag. It should look something like this:
<form action="http://www.yourblog.com/wp-comments-post.php" method="post" id="commentform">
WordPress uses the wp-comments-post.php file to handle the processing of comments. Automated comment spam bots know this, so all they do is add your blog to their list of sites to target and their software goes to work spamming your blog by posting directly to the wp-comments-post.php file. You can try to simply rename the default WordPress file for handling comments, but that will only work for a little while, until the bot reads the actual HTML form and adds the new URL and file name to its database.

Automated comment spam bots so far have one flaw that we can still use to our advantage. They don’t read external Javascript files very well. What we simply do is hijack the normal comment form action using Javascript and send the real person to the correct comment processing script and let the bot go ahead and post to the default WordPress comment file. Here is how you do it.

Warning: This requires the editing of core WordPress files. You are reminded to make a backup of your blog before doing this just in case or at the very least copies of the files you are going to edit.

Step 1
Create a copy of the wp-comments-post.php file from the root of your WordPress blog. Give the copy of the wp-comments-post.php file another name, one that is hard to guess would be best, but it should be something different from wp-comments-post.php. I often use a randomly generated file name created from a password generator, but something as simple as nospamcomments.php should work. This copy of the wp-comments-post.php is going to become your new comment form processing file, so make a note of the file name; you will need it later.

Step 2
Now that you have a copy of the wp-comments-post.php file you can go ahead and edit the wp-comments-post.php file. What we want to do is keep the wp-comments-post.php

I edited it down to just this:

<?php
// Stub left in place of the original wp-comments-post.php: it stores nothing
// and only sends the submitter back to the post it claims to have come from.
if ( 'POST' != $_SERVER['REQUEST_METHOD'] ) {
header('Allow: POST');
header('HTTP/1.1 405 Method Not Allowed');
header('Content-Type: text/plain');
exit;
}

require( dirname(__FILE__) . '/wp-config.php' );

// The original handler reads the post ID from the form; the stub still needs
// it so that get_permalink() has something to look up.
$comment_post_ID = isset($_POST['comment_post_ID']) ? (int) $_POST['comment_post_ID'] : 0;

$location = empty($_POST['redirect_to']) ? get_permalink($comment_post_ID) : $_POST['redirect_to'];
if ( ! $location ) {
$location = get_option('siteurl'); // unknown post ID: fall back to the front page
}
// No comment was created, so the filter gets no comment object.
$location = apply_filters('comment_post_redirect', $location, null);

// wp_safe_redirect() only follows locations on this blog's own host, so a
// bot-supplied redirect_to cannot turn the stub into an open redirect.
wp_safe_redirect($location);
exit;
?>

Save the file.

Essentially what we want to do is just redirect the submitted form from the bot to the post that the bot says it came from without actually doing anything.

Step 3
We need to create a way to direct real users to the correct comment form processing script. We do this with a little bit of Javascript. In your text editor create a new file and add the following Javascript:

// Called from the comment form's onsubmit handler: swap the action the HTML
// advertises (the stub) for the renamed file that actually stores comments.
function nospamaction(theForm) {
theForm.action="http://www.yourblog.com/nospamcomments.php";
return true; // let the submit continue, now to the new action
}

Save the file as nospamaction.js (it can be named something different if you want, it is up to you).

Step 4
If you have been editing these files on your home computer you will need to upload the new files to your web server. If you have been editing/creating new files on your web server using your web server control panel then you can skip this step.

Step 5
Once you have the files uploaded to your web server you can log in to your WordPress admin panel. You need to make two small edits to your theme files. Go to the Presentation tab and choose Theme Editor. Select your header file first. The Javascript file you created needs to be added to the header. Add the following line between the head tags. If you don’t know where that is, just place the line just before the closing head tag (</head>).

<script language="javascript" type="text/javascript" src="http://www.yourblog.com/nospamaction.js"></script>

Update the header file and then edit the comments file. You need to find the form tag for the comment form. The default one from the Kubrick theme looks like this:
<form action="<?php echo get_option('siteurl'); ?>/wp-comments-post.php" method="post" id="commentform">

To make the form submit to the proper file to process the form we need to add a Javascript event to the form. Add the onsubmit event handler to the form tag and call your Javascript function to redirect the form output to the correct comment handling file.
<form action="<?php echo get_option('siteurl'); ?>/wp-comments-post.php" method="post" id="commentform" onsubmit="return nospamaction(this);">

Update your comments file.

Step 6
Go and test your comment form on your post. Make sure you clear your web browser cache, and if you are using wp-cache or Super Cache turn them off. Try your new form with Javascript turned on first to make sure it redirects properly to your renamed wp-comments-post.php. If you get a new comment posted then you know it worked. Then try your form with Javascript turned off. You should be redirected right back to your post and no comment will appear in your admin.
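Once the form is live, the web server access log tells you whether the split is working: bots should be landing on the stub and people on the renamed file. As an added example that is not part of the original post, a Node.js script that counts POSTs per handler over constructed Combined Log Format lines (the handler names follow the post; the IPs and log lines are made up):

```javascript
// Added example (not from the original post): classify comment POSTs in an
// Apache/nginx Combined Log Format access log by which handler they hit.
// Assumes the handler names used in the post; all log lines below are constructed.

const DECOY_HANDLER = '/wp-comments-post.php'; // the edited-down stub
const REAL_HANDLER = '/nospamcomments.php';    // the renamed copy that stores comments

// host ident user [time] "METHOD path PROTOCOL" status bytes "referer" "user-agent"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null; // malformed lines are skipped, not guessed at
  return {
    ip: m[1], time: m[2], method: m[3],
    path: m[4].split('?')[0], // ignore any query string
    status: Number(m[5]), referer: m[6], userAgent: m[7],
  };
}

function classifyCommentPosts(lines) {
  const summary = { decoy: 0, real: 0, otherPosts: 0, refererlessReal: 0, decoyByIp: {} };
  for (const line of lines) {
    const r = parseLogLine(line);
    if (!r || r.method !== 'POST') continue;
    if (r.path === DECOY_HANDLER) {
      summary.decoy += 1;
      summary.decoyByIp[r.ip] = (summary.decoyByIp[r.ip] || 0) + 1;
    } else if (r.path === REAL_HANDLER) {
      summary.real += 1;
      // A browser submitting the form sends the post URL as referer; a POST to
      // the real handler with no referer is worth a second look.
      if (r.referer === '-' || r.referer === '') summary.refererlessReal += 1;
    } else {
      summary.otherPosts += 1;
    }
  }
  return summary;
}

// IPs that keep hitting the stub, most active first: candidates for the
// .htaccess ban list the post mentions as an alternative.
function topDecoyIps(summary, minHits) {
  return Object.entries(summary.decoyByIp)
    .filter(([, n]) => n >= minHits)
    .sort((a, b) => b[1] - a[1])
    .map(([ip, n]) => ({ ip, hits: n }));
}

// Constructed sample: one bot hammering the stub, one ordinary reader, one
// odd direct POST to the real handler, one unrelated POST and one broken line.
const SAMPLE_LOG = [
  '203.0.113.7 - - [12/Jan/2008:10:01:02 -0600] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible)"',
  '203.0.113.7 - - [12/Jan/2008:10:01:05 -0600] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible)"',
  '203.0.113.7 - - [12/Jan/2008:10:01:09 -0600] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible)"',
  '198.51.100.4 - - [12/Jan/2008:10:02:10 -0600] "GET /sample-post/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (Windows)"',
  '198.51.100.4 - - [12/Jan/2008:10:03:44 -0600] "POST /nospamcomments.php HTTP/1.1" 302 0 "http://www.yourblog.com/sample-post/" "Mozilla/5.0 (Windows)"',
  '203.0.113.9 - - [12/Jan/2008:10:04:00 -0600] "POST /wp-comments-post.php?x=1 HTTP/1.1" 302 0 "-" "-"',
  '198.51.100.8 - - [12/Jan/2008:10:05:31 -0600] "POST /nospamcomments.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '198.51.100.8 - - [12/Jan/2008:10:06:00 -0600] "POST /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
  'this line is not in combined log format',
];

const report = classifyCommentPosts(SAMPLE_LOG);
console.log(report);
console.log('repeat stub hitters:', topDecoyIps(report, 2));
```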

Pros
This method can help prevent automated comment spam from overwhelming your blog.
Lets automated comment bots think they successfully posted.

Cons
Requires Javascript to be turned on in your reader's browser. Most have this turned on.
Edits a core WordPress file. When you upgrade your WordPress install you will need to redo steps one and two again and upload the files.

Conclusion
I have used this simple Javascript hijack to prevent comment spam on several WordPress installations and it has cut down considerably on automated comment spam. The comment spam that does get through will be trackback spam and spam from real people actually visiting your blog and filling in the comment form. I have used this method on other types of comment and contact forms as well and it continues to work on several high profile sites that I have worked on in the past. This is only one solution to comment spam. If you are not comfortable editing WordPress files you might want to have someone that is do it for you, or try some of the other techniques that are available. The sooner you don’t need to worry about dealing with comment spam the sooner you can do what you love, writing great content for your blog!

Top Blogs Failing at Error Pages

404 Dead End - found at: http://www.sxc.hu/photo/507614

Epiblogger is still pretty new and in the rush to open the doors we did not take a lot of time to dust the cobwebs off of all the corners around the place. One of the cobwebs that I wanted to get around to sprucing up is the Epiblogger 404 error page. Many WordPress themes come with a 404 Template included in the theme, but often they are nothing special. As you can see the Epiblogger one does not give you much information.
Epiblogger 404 Page before image

I know what I like in a good 404 error page. I like to let users know that what they were looking for is no longer there and help them to find either what they came looking for in the first place or something even better. That usually means giving them some options to search the site, links to places where they might find what they are looking for and sometimes links to the most popular posts.

I thought I would go looking for some inspiration before I worked on the 404 error page here at Epiblogger so I checked out what the Technorati Most Popular blogs use for 404 error pages. I also checked a few other blogs that I thought might be interesting. I was looking for 404 error pages that helped readers to continue to browse the blog and were friendly. I thought I would find some creative uses of 404 error pages on the top blogs. I started to grade them as I went along. What I discovered surprised me.

Default Web Server 404 Error Page

boingboing 404 error page
These blogs returned nothing but the default web server error page. Not a lot of information is given in the web server default error page. It certainly does not give a user that has lost their way much to go on to find what they were looking for. There is not even a friendly link to the blog's home page. For this reason alone I gave all of these blogs a grade of F.

  • Boing Boing
  • Ars Technica
    Is actually less than a typical web server 404 page. Simply returns “The requested file was not found”.
  • Daily Kos
  • Perez Hilton
  • Seth Godin
    I really enjoy reading Seth Godin’s blog. I am surprised that the 404 error page is the default web server one. Is this not a missed marketing opportunity?
  • ReadWriteWeb
    Returns nothing but a blank page. No error code, no text, nothing. Better not get lost over here. If it was possible to give a lower grade than F they would have gotten it.
  • Kotaku, the Gamer’s Guide
  • Talking Points Memo
  • Drudge Report
  • O’Reilly Radar
    I expected more from O’Reilly. They write some of the best books on web technologies out there (I have several myself) but their 404 page is the default Apache? Sad but true.
  • How to Change the World
    Guy Kawasaki’s blog is one that everyone needs to spend some time reading. Just don’t look at the 404 error page.
  • Wired Blogs
    These aren’t the blogs you’re looking for. You can’t go about your business. Move along to a boring Apache 404 error page.

Prettied Up Web Server 404 Error Page

These blogs returned a custom or modified 404 error page, but they are close to the default web server error page. They also do not offer a lost user much to go on to help them find what they are looking for. Because they offer little to no help to the lost user they also get a grade of F.

Default Blogging Platform 404 Error Page

Techcrunch 404 error page
These pages return pretty much exactly what Epiblogger returns. Just a note saying the page is not there. Some had a search box, but considering most templates have a search box included in them they offer nothing more to help lost readers find something of interest.

  • TechCrunch
    Standard WordPress 404 page. No better than Epiblogger's, except full of ads.
    Grade D-
  • The Official Google Blog
    Default Blogger page not found error page. I suppose you can’t do much when you are on Blogger. You take what they give you.
    Grade D-
  • Crooks and Liars
    Very basic. The blog template and error code.
    Grade D-
  • Mashable.com
    Just offers a search box in the site's template. Their sidebar is really long, and a search box does not take a lot of room on a page, so the sidebar runs over the footer and makes the whole page look like a mess. Time to fix it up Mashable.
    Grade D-
  • uthink
    It looks pretty but does not offer much to help you find anything.
    Grade D
  • Search Engine Land!
    Gives you a search box, but the rest is just your basic 404 page.
    Grade D
  • dooce
    Offers a nice Google ad but the rest is the blog template.
    Grade D-
  • Matt Cutts: Gadgets, Google, and SEO
    Has a search box and that is about it. For some reason I thought the famous Google software engineer would have something more.
    Grade D
  • John Chow
    Other than his template advertising the 404 error page is surprisingly bare. Just a little blurb about the file not being found. I am surprised he does not have a specialized ad rate just for his 404 page.
    Grade D
  • Lorelle on WordPress
    I really thought Lorelle would have more than just a search box. Her WordPress blog usually offers so much. I thought the 404 error page would as well.
    Grade D

Links to Categories/Other Pages

Huffington Post 404 error page
These blogs make it easier for lost readers to find what they are looking for. Most offer not just a search box, but also links to the home page, archives, categories or popular posts. They give readers a place to go instead of a dead end while still letting people know that there has been an error.

  • The Huffington Post
    Offers a nice search box and links to the different sections of the site.
    Grade C
  • icanhascheezburger.com
    I thought they would at least have a funny picture of a cat, but it is pretty boring.
    Grade C
  • Problogger
    Offers a search box, a way to contact him and links to the most popular posts.
    Grade C
  • Smashing Magazine
    Not only offers links to the home page but they include one of their posts talking about 404 error pages. Lots of great information. Probably the most informative 404 error page I have ever seen.
    Grade A
  • TreeHugger
    Offers a search and links to the home page and recent posts. Informative and useful.
    Grade C
  • Dosh Dosh
    Offers a Google search and links to the most popular posts.
    Grade C
  • Copyblogger
    Offers a link to the home page and some hints at how to find what you are looking for. This was close to being placed in the default blogging platform 404 error page section. To be honest I expected more from Copyblogger.
    Grade C-
  • ShoeMoney
    Lets you know something went wrong and offers excerpts of the latest posts. It was surprisingly simple but effective.
    Grade C+
  • GigaOM
    Links to categories and author pages.
    Grade C
  • A List Apart
    I had high expectations for A List Apart. They offer links to the home page articles and the about page. The page is the best written 404 page I think I have seen.
    Grade B+
  • Neatorama
    Offers links to the most popular posts, but uses images. Some are pretty funny. My favorite was the Top 10 Coolest BBQ Grills image. How I wish I could BBQ…but I digress.
    Grade A-
  • Lifehack.org
    Offers you a list of the archives, popular posts and a search box.
    Grade C
  • 43 Folders
    Offers similar options as other blogs. A search box, most searched for pages and popular posts. The popular posts section is divided up between popular now and most popular.
    Grade C+

Redirects to Home Page

These blogs redirected the 404 errors right back to the home page. You would not even know if you had made a mistake or not. I had to watch the headers using Firebug. Often I would not even get a 404 error, but a 301 or 302 redirect. While I can understand why you would want to redirect people to the home page on a 404 error I think the server should at least return a 404 error code to the browser. For this reason I gave these blogs a grade of F.

Conclusion

Overall I looked at just under 50 blogs and their 404 error pages. What did I learn? That the state of 404 error pages on blogs is atrocious! I count 25 top blogs that I consider failing at helping users that find their site by broken links to be able to easily find something useful and interesting on the blog.

I was also surprised at how many of the top blogs listed by Technorati have 404 error pages that are the default. It is so easy in the majority of blogging platforms to create a custom 404 error page that there is no excuse not to do it. If I was not writing this post I would have had the 404 error page here at Epiblogger done in under 30 minutes, and that is if I ran into a problem.

The only blog that I thought made a great use of their 404 error page was Smashing Magazine. They not only gave readers helpful hints on how to find the information they are looking for they also delivered a complete post on 404 error pages. Congratulations you did something creative and useful for people that could have just ended up at a dead end.

I have to give the top blogs a horrible grade of D- for their error pages. Considering how well these blogs produce quality content they certainly did not take the time to look at their error page and how they could use it to help visitors find what they wanted and possibly even become regular readers of their blogs.

Epiblogger 404 error page after

What did I decide to do with the Epiblogger 404 error page? Well I added a link to the home page, a search form and our archives. I also added something fun lower down on the page. Many of the 404 error pages are all just dead serious, but there is no reason why you can’t have a little fun with your 404 error page. If I was to grade our 404 error page, well we went from a D- up to a C+. We offer readers options to find the information that they are looking for, but there are no links to our most popular posts or excerpts from the most recent posts.

A welcoming 404 error page can be helpful to encourage a lost reader to become a regular reader. Take a few moments to take a look at your 404 error page on your blog and see how you can improve it to help readers find the information they are looking for. What unique features would you add to your 404 error page?

Use WordPress to Welcome Visitors

lee-erica-matthew.jpg

Rhett was right, where are our manners? How rude of us to just jump right in and start posting and not give you some background about us. I think we were both just so excited about Epiblogger opening its doors that we just forgot our manners. Let me try this again.

Hello, my name is Lee Robertson and welcome to Epiblogger. The photo is a picture of me and my two year old daughter Erica and four year old son Matthew out having some fun in the snow on Boxing Day. I am 37 and live in a great community called Rosthern in Saskatchewan Canada. I have been involved in some kind of web project since 1994 when I created my first website for a non-profit. I have worked for non-profits, web design companies, large corporations and most recently I have been running my own web development and computer consulting business. I have been blogging for roughly two years with my Video Rambler family friendly YouTube blog and my webmaster blog that I started roughly a year ago.

These two welcome posts have me thinking about how to welcome people to your blog. The thing about a welcome is it makes people feel important that you took extra time to greet them. If you have ever bought anything at eBay or Amazon you have noticed how they greet you by your name or username. One of the great things about WordPress is how extendable it is. By adding in a few simple plugins you can have WordPress create special welcome messages to people depending on how many times they have visited your website or where they are coming from.

  • What Would Seth Godin Do? – This plugin adds a special welcome to new visitors to your blog and encourages them to subscribe to your RSS feed. You can customize the message to say anything you want though, and how many times a user is considered new. It uses cookies to determine if a user is new or not.
  • Hello Stumbler – I like to treat Stumblers special. Perhaps I am biased because it is my favorite social media that I use. Hello Stumbler will place a nice welcome message at the top of the post to welcome Stumblers to the page.
  • Digg This – I am not a big Digg user, but if you are interested in having your blog highlighted on Digg then you should have this plugin. If I recall it can be setup to only show once a post has been Dugg and if people are coming from Digg. It could probably also be modified to show a custom welcome to Diggers.
  • Reddit Button – Similar to the Digg This plugin. Offers Reddit users a button to click and can be setup to only display if people are coming from Reddit.
  • Berri Personalized Care – I have not actually used this plugin, but it looks like you can customize up to four message templates for different referrers. It is based on the rthanks plugin by Alamsyah Rasyid.
  • From RSS? – I have not personally used this plugin and just recently came across it, but it looks promising. You can then welcome your regular RSS subscribers special.
  • I wanted to add another plugin that offers readers that come from search engines a related post to the one they landed on, but I can’t find where I stored the link. If anyone knows what the plugin is called leave a comment and link.

Welcome Entrecard users with a custom message.

If you can’t find a plugin to help you create a special welcome to visitors you are getting from specific websites you can always use some ingenuity to create your own. By using Daiko’s Text Widget and some quick PHP code you can create a special welcome for any visitors you want. The great thing about Daiko’s Text Widget is it accepts PHP code. An example of how you can use this is with Entrecard. I used a Daiko’s Text Widget to add the Entrecard widget to Epiblogger. Before the widget I added a simple referrer check to see if the visitor was coming from Entrecard and if so give them a nice little welcome message. You could do something more complex and automatically link to your latest post, a post you think might interest Entrecard users or whatever you like I suppose. If you are John Cow perhaps you could tell people to piss off, although that would not be very welcoming would it.

<?php
// Hosts that count as "coming from Entrecard"; compared case-insensitively.
$entrecardurls = array('www.entrecard.com', 'entrecard.com');
// The referrer header is optional and sent by the visitor's browser, so
// treat it as untrusted input: it may be missing or not a parseable URL.
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$urlcamefrom = parse_url($referer);
$host = (is_array($urlcamefrom) && isset($urlcamefrom['host'])) ? strtolower($urlcamefrom['host']) : '';
// Exact host match only; a substring check would also match look-alike hosts.
if (in_array($host, $entrecardurls, true)) {
echo 'Hello Entrecard User! Welcome to Epiblogger';
}
?>
Place Entrecard Javascript here

There is one small pitfall to generating custom content to welcome people. It can create more load on your server. If you use WP-Cache 2.0 or WP Super Cache to help relieve the stress of a large Stumble or Digg then what can happen is the page with the special content can be cached and will show to all readers instead of just those readers coming from StumbleUpon or Digg.

What are some other ways that you can create a special welcome message for readers on your blog? Do you have any examples of blogs that offer you unique welcome that you like?

Update: Don’t you hate when you just write a post and then the next day you find more information that you really should have in the post. Today in my travels I came across two other plugins that you should look at if you want to welcome visitors.

  • Welcome Visitor! Reloaded – Appears similar to the Welcome Plugin but appears to use cookies to distinguish from new or previous visitors.
  • The Welcome Plugin – Looks like a very robust plugin to welcome visitors including the ability to welcome them by name and display their MyBlogLog avatar.

I will have to take a closer look at both plugins and try them out.

5 WordPress Security Essentials

Security - photo found at http://www.sxc.hu/photo/907473

Blogging can be a lot of fun and there is nothing more thrilling than having people appreciate your hard work by leaving comments and passing the word around about how great your blog is. Unfortunately along with all of your great fans there are also just as many bad guys out there that would love to deface and hack your beautiful creation. Here are five basic security tips that you can easily implement on your WordPress blog to try and keep the bad guys out.

  1. Use a Strong Password – Choosing a good strong password is one of the first and easiest defenses against being hacked. Choosing your partner's first name is probably not the most secure password. While there are many differing opinions out there on what makes a secure password, here are some things to keep in mind. Passwords that are longer than 8 characters and contain a combination of upper and lowercase letters, numbers, and symbols are stronger. I often don’t use special characters but will make passwords at least 10 characters long. If you need to create a strong password and don’t already use a password manager, check out this great tool from LastPass to generate a strong password.
  2. Protect the WordPress Admin Folder – Stopping the bad guys from getting into the WordPress admin folder in the first place is an excellent place to start to secure your blog. There are many different ways to increase the security of your WordPress admin folder including:
  3. Deny Access to Other Folders – Many web hosts by default allow people to browse a folder if there is no default index.html file. This can be a security concern for folders like your WordPress plugins folder. You can prevent people from snooping in these folders by adding blank index.html files or setting up an htaccess file to prevent browsing of folders without indexes. You can read more on All Tips and Tricks.
  4. Remove the WordPress Version – Many hackers are looking for vulnerable WordPress installs. You can slow them down by removing the WordPress version that is included in most themes by default. If you don’t want to dig around in the code of your theme you can install Blog Security’s bs-wp-noversion plugin: Removes WordPress Version to remove the WordPress version for you.
  5. Update WordPress – Perhaps one of the easiest security essentials for keeping your WordPress blog secure is to keep an eye on your WordPress dashboard for announcements of new releases of WordPress and to update your install as soon as you can. The same also goes for the plugins you run. WordPress 2.3 and up notify you when plugins have been updated. Take the time to update your plugins regularly to keep security concerns down to a minimum.
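For items 2 and 3, here is an added example (not from the original post) of what the htaccess side of this looks like on Apache: one file in the blog root that turns off directory listings, and one in wp-admin that asks for a second password before the WordPress login page is even reachable. The .htpasswd path and realm name are placeholders.

```apache
# --- /.htaccess (blog root): item 3.
# Stop Apache from listing folders that have no index file, such as
# wp-content/plugins, so visitors cannot browse which plugins you run.
Options -Indexes

# --- /wp-admin/.htaccess: item 2.
# Require an HTTP basic auth login in front of the whole admin folder.
# /path/to/.htpasswd is a placeholder; create the file outside the web root
# with: htpasswd -c /path/to/.htpasswd yourname
AuthType Basic
AuthName "Restricted area"
AuthUserFile /path/to/.htpasswd
Require valid-user

# Caveat: some plugins call wp-admin/admin-ajax.php from the public pages,
# so leave that one file reachable without the extra password.
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
```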

A very valuable page to read is the Hardening WordPress over at WordPress.org. By doing some very simple things you can make it more difficult for the bad guys to ruin your day by defacing or hacking your blog. A few minutes spent on these items can save you hours if your blog gets hacked. If the bad guys do happen to get in, restoring your blog is much easier if you have a recent backup of your website.

WordPress 2.5 in March

WordPress 2.4 was scheduled to be released here in January but with the holidays and the new Administration Panel that is coming it was decided to hold off on releasing 2.4 in January and instead release 2.5 in March. It is good to know that they are not rushing the new release out the door with so many major changes.

If you have not seen some of the new enhancements for the Administration Panel check out the demo that is available.

Also check out this great video showing some of the new features.

WordPress 2.3.2 Released

In other WordPress news if you have not noticed, WordPress 2.3.2 has been released. This is mainly a security release to fix a bug that could expose your draft posts, and to suppress error messages that could expose information about your WordPress database. They also added in a bonus that lets you define a custom DB error page. I will have to take a look at that and add it to the list of things to do here. You can read more about the release on the WordPress 2.3.2 blog post. You can also download WordPress 2.3.2 now and update your site.

Logo by 4_EveR_YounG

5 WordPress Search Engine Essentials

One of the things we want to do here at Epiblogger is focus on ideas and tips for bloggers to make blogging easier and more fun. I come to blogging from a very different perspective than Rhett. I consider myself a webmaster, not a blogger; I enjoy sitting and coding websites from scratch and there are things about WordPress that frustrate me. Don’t get me wrong, WordPress is a very good platform to create a blog with, but it is far from perfect on first install. There are a number of things that the default WordPress install overlooks that bloggers should pay attention to to help increase their blog's profile in the search engines.

  1. All in One SEO Pack – This plugin should be built into WordPress. WordPress on its own does not create very nice page titles, creates a lot of duplicate content and does not generate keywords and description meta tags for each post. All in One SEO Pack takes some of the hardest work to tweak a WordPress blog and does it for you in seconds.
  2. Robots.txt – Spending a little time looking at your robots.txt file can also improve how your blog does in the search engines. Much like using the All in One SEO Pack, you can direct the search engines not to index the duplicate content that exists on your WordPress blog. At the bare minimum you will probably want to include the following in your robots.txt file.
    User-agent: *
    Disallow: /cgi-bin
    Disallow: /wp-admin
    Disallow: /wp-includes
    Disallow: /wp-content/plugins
    Disallow: /wp-content/cache
    Disallow: /wp-content/themes

    There are more folders you might want to disallow access to and we will look at those more in depth in a future post.
  3. Permalink Structure – The only reason you should use the default WordPress permalink structure (http://www.yourblog.com/?p=123) is if you have no other choice! It is unfriendly to your readers, and while search engines will still index it, you will most likely rank higher in the search results with a nicer permalink structure. While there is endless debate about what the ultimate permalink structure is, here are the three choices I would choose:
    1. Date and Name based: This structure is a familiar one to people that have used Blogger since it uses a similar permalink structure. It looks something like this: http://www.yourblog.com/2008/01/02/sample-post/. Depending how often you plan on posting I would remove the day and leave it to /year/month/
    2. Category based: Many people are using a category based permalink structure. It is more friendly to people and many people think it helps search engines because the url has more keywords in it. It looks something like this: http://www.yourblog.com/category/post-title/.
    3. Postname based: This is the easiest and the one chosen for Epiblogger. It is simply http://www.yourblog.com/post-title/. It gets right to the point and will probably deliver more search engine benefits than the other structures.
  4. URL Canonization – Before WordPress 2.3, WordPress blogs suffered from a problem with URL canonization, that is, whether or not they had the www in front of the domain name. This created duplicate content for the search engines because www.epiblogger.net and epiblogger.net would be seen as different websites, even though they had the same content. If you are running WordPress 2.3 or higher you no longer have to worry about this because WordPress will use the URL you place in your options. If you are not using WordPress 2.3 or higher you really should upgrade for security reasons.
  5. Statistics – There are three kinds of lies: lies, damned lies, and statistics. (Wikipedia) Statistics might just be a bunch of lies, but there are better lies and worse lies. Install a decent statistics package to help you keep track of what people read, how they find you and to help you improve your blog. Google Analytics is a good package, but there are others. I have used pMetrics Performancing Metrics and it is very good as well.

Next week I will look at 5 WordPress Security Essentials to keep your blog secure.