How to Stop WordPress Spam: The Ultimate Guide

No matter how big or small your WordPress site, unwanted WordPress spam in comments sections, site registrations and contact form messages are issues that you’ll need to address.

Left unchecked, WordPress spam comments and spam user registration issues can quickly take over your site with intrusive content that detracts from the message your site is intended to portray.

In this guide, we’ll take you step-by-step through the process of stopping WordPress comment spam. You’ll also learn the best ways to prevent spam user registrations, stop WordPress contact form spam, and a lot more. Let’s take a closer look.

What Is WordPress Spam?

Spam has been an annoying, and often serious issue since the Internet became a staple in our lives. In the early days of being online, we became familiar with spam when unsolicited messages started to overtake our email inboxes, promoting everything from car insurance to cheap vacations. In fact, you probably continue to deal with this kind of unwanted spam every time you log into your email.

When discussing the spam that bombards a WordPress website, it’s a more multi-faceted subject than traditional email spam.

In a nutshell, WordPress spam attacks happen in many forms. As a WordPress site owner, chances are that you’ve dealt with these three types of WordPress spam:

  • Comment spam
  • User registration spam
  • Contact form spam

While these WordPress spam attempts are, of course, highly annoying to both you and your site visitors, it’s important to understand that there are also some major security components that are tied to the spam you’re experiencing.


While attacking and defeating WordPress spam head-on might seem like an overwhelming task, protecting your site actually isn’t that difficult. All you need is the right approach and the best tools.

With the many different types of spam attacks happening on WordPress, it’s important to understand the different approaches that spammers take. Then we’ll look at the specific tools and tips that will allow you to take full control of the problem.

WordPress Contact Form Spam Explained

For most websites, a contact form is an absolute necessity. Contact forms help facilitate communication between you and your site visitors in a way that’s streamlined and user-friendly.

However, spammers see your contact form as a way to further promote their agenda.

WordPress contact form spam is different than other types of spam that attack your site. This is because your contact form requires the use of a plugin, unlike site registrations and comments that are natively built-in to your WordPress core installation.

When employing a contact form, you can choose from popular WordPress forms plugins such as Gravity Forms, Ninja Forms, or Contact Form 7. Just as each of these contact form plugins has its own unique set of features, they also employ different ways of eliminating WordPress contact form spam.

The specific features to protect your site from spam will be found in the settings of the plugin you choose. In some cases, you may need to download and install a companion plugin for full spam protection.

More on that later.

How To Stop WordPress Contact Form Spam

While the annoyance factor of receiving contact form spam emails is high, the solution for stopping them dead in their tracks is quite simple.

The first thing you’ll want to do is install a WordPress spam blocker plugin like Akismet.

If you’re using WPBruiser or Akismet, it’s good to know that either one is ready to work in unison with a wide variety of WordPress contact form plugins. In fact, Akismet will work directly out-of-the-box with Jetpack, Ninja Forms, Gravity Forms and Contact Form 7.

Conversely, WPBruiser is a little different in the way it combats WordPress contact form spam. WPBruiser requires a commercial extension in order to work with your WordPress contact form plugin.

With that said, WPBruiser has a much wider range than Akismet for spam protection options on plugins such as Formidable Forms, Fast Secure Contact Form, and the other popular contact form plugins detailed above.

Additionally, you’ll get a free Jetpack contact form extension in the core WPBruiser plugin installation.

No matter the contact form plugin you’re using, Akismet and WPBruiser will use robust spam blocking tools to help keep your contact forms safe from unwanted spam messages.

WordPress User Registration Spam Explained

The WordPress user registration feature is built directly into WordPress core.

The user registration feature is extremely useful for:

  • Membership sites
  • Online communities
  • eCommerce site customer accounts

Unfortunately, user registration is an area where spammers can easily point their bots. To prevent spam registrations on WordPress, it’s important to look at the root of the problem, because that is where stopping them begins.

A spam user registration consists of a phony site registration by spam bots that intend on spreading their message throughout your site. These spam user registrations will often lead to spam comments in your blog. They can even lead to more malicious attacks involving site security or a cluttered site with an unwanted front-facing membership directory.

What’s more, many WordPress plugins and themes have security vulnerabilities that allow low-level site users, such as subscribers, to gain access to the administrative settings on your site. A spam registration therefore hands an attacker an authenticated account: exactly the foothold such “subscriber-level” vulnerabilities require. This is an important reason to prevent the spam registrations WordPress is infamous for.

While the security flaws in themes and plugins typically require a spammer to work in a roundabout way to exploit them, it’s important to understand that even the most dormant-looking spam user account could be waiting, ready to exploit your site at any time.

Understanding why spam registrations need to be prevented is the first step to solving the issue. Then it’s time to employ a robust spam user registration blocker to put the issue to rest.

The aforementioned WPBruiser plugin will go a long way toward preventing WordPress user registration spam. It’s your first layer of defense against spam registrations.

However, there are a few other simple steps you should take to stop spam registrations. Make sure to read this guide until the end for full details.

WordPress Comment Spam Explained

When you use the built-in WordPress comment section on your website, you’re automatically inviting conversation from users and readers.

Unfortunately, you’re also inviting a bunch of unwanted spam comments. These spam comments distract users from meaningful conversations about your content and severely muddy the overall experience for the user.

As discussed, spambots are constantly looking to exploit vulnerabilities in your WordPress security, which is a major reason to download and install the best WordPress security plugin.

But these same bots also seek out and exploit your comments section in a very malicious way. If you leave your site unprotected, the spambots will litter your entire site with more nonsense comments than you can keep up with. And they can do it in an extremely short timeframe.

WordPress Comment Spam Examples

WordPress comment spam, aside from the obvious blatant advertisements or garbled characters that don’t make sense, should quickly stand out to you because it is highly complimentary but doesn’t contain any specific information or questions.

For example, you may see WordPress spam comments that read something like:

“Great blog you’ve got here! Beyond that, your website loads quickly and is easy to use. What site host do you use? Would it be possible to get your affiliate link to the host you use? I really wish my site would load as fast as yours. This is great $4/month hosting with a free domain and SSL, if you’re interested.”

“It looks like you’ve really thought through all of what you’ve presented in this post. Your words are very convincing and I think they’ll work. Even still, the posts you write are perfect for newbies. I do think that you should lengthen your future posts a bit. But thank you for this one.”

“I’m a frequent blogger and sincerely appreciate the information you’ve presented. The article really piqued my interest from the very first word. I just bookmarked your site and will check back for new content once every week. I also subscribed to your RSS feed.”

As you can see, these types of comments are very general and don’t address anything specific about your content. Once you understand this very obvious WordPress comment spam technique, they become quite easy to spot.


You may also see lots of question marks in a spam comment. Lots of question marks are a good indicator of spam.

Is Having a Comment Section On WordPress Worth the Trouble?

The easiest and most effective way to immediately put a stop to WordPress comment spam is to simply turn off the commenting function. If you’re not committed to keeping up with user comments, this is the best way to be free from spam comments cluttering up your site.

To turn off comments on individual posts and pages, you can do so from Post or Page settings. Scroll down to the Discussion section.

There are also several comment disabling options from the WordPress dashboard > Settings > Discussion page. From this screen, you can enable additional settings that can help curb comment spam, like requiring users to register to comment.

The WordPress comment moderation field on this page also allows you to set certain words or even IP addresses that will flag a comment to be held in the comment moderation queue, meaning the comment won’t automatically go live on your site.

That said, there are many different types of WordPress sites that have a need for a live and active comments section. This is especially true for blog sites that are content-based and thrive with heavy user interaction.

If your website falls under that category, the first thing you need to do is stop the spam comments from overtaking your little slice of the online world.

Stopping spam comments is going to take a healthy combination of plugins, along with some common sense spam administrative practices.

To start out, the default WordPress settings for the comment section (Settings > Discussion) can easily be adjusted to limit the harm that comment spammers do. When you look under the “Other Comment Settings” heading, it’s important to check the box next to “Automatically close comments on posts older than ___ days,” and “Users must be registered and logged in to comment.”

These are fast resolutions that’ll cut down on your WordPress comment spam immediately.

How to Stop WordPress Spam Comments

If you’ve chosen to make your comments active, the next best thing to do is install a WordPress spam blocker plugin. The plugins you can use for this purpose typically require very little in terms of ongoing maintenance and are quite simple to use.

After the initial setup process, these tools will do their job to keep you from dealing first-hand with the spam that continually bombards your comments.

1. Use a Spam Blocker Plugin like Akismet

Akismet is the first spam blocker to look at for preventing spam comments. It’s one of the few default plugins that come in every installation of WordPress core. Because of this, many WordPress users find Akismet to be one of the best WordPress spam blockers for comment section spam.

The Akismet plugin works 24 hours per day to filter out potential spam comments and set questionable ones aside for your moderation. Beyond that, Akismet has a discard feature that automatically blocks all known spam, which saves you the time and hassle of ever seeing it.

While Akismet does offer a free spam comment blocking feature, it’s important to note that your protection is normally only as good as what you’re willing to pay for. If you’re running a personal site or blog with relatively low traffic, you should be able to get away with running on the free plan.

If, however, your site is for business and pulls in a lot of traffic and comments, it’s best to upgrade to one of the paid commercial protection plans. The paid plans for commercial and business sites begin at only $5 per month. That small fee is more than worth it when you consider the amount of spam that you’ll never need to deal with.

WPBruiser is another option for fully ridding your comments section of unwanted spam posts.

With the WPBruiser application, you’ll get a customizable and free WordPress comment spam blocker plugin that doesn’t rely on any other third-party services. In other words, you won’t need to fumble around with API keys or open your site up to additional privacy or security concerns.

This plugin creates a comment blacklist, which prevents spam bots from even submitting comments at all. You can also set the plugin to clear out your logs after a specified period of time, and it won’t slow down your site like some other spam plugins.

More Powerful WordPress Spam Protection Techniques

WordPress gives us several more options for preventing spam. User registration spam, comment spam and contact form spam are all enemies of running a successful WordPress website.

1. WordPress CAPTCHA or reCAPTCHA

While we’ve already covered techniques for stopping the spam registrations WordPress is infamous for, putting a complete end to spam requires implementing a CAPTCHA.

One way to do this is with the iThemes Security Pro plugin, which adds a Google reCAPTCHA to comments, user registrations, password resets and logins. It is an effective tool for telling bots apart from your real users.

To get started using Google reCAPTCHA, enable the option on the main page of the security settings.


The next step is to select which version of reCAPTCHA you want to use and generate your keys from your Google reCAPTCHA admin console. (Note: We recommend using reCAPTCHA v3. We cover each of the three versions in more detail in the Understanding Different reCAPTCHA Versions section.)


Now enable reCAPTCHA on your WordPress user registration, reset password, login, and comments.

Finally, set the number of failed reCAPTCHAs needed to trigger a lockout with the Lockout Error Threshold.

Selecting different versions of reCAPTCHA will display different settings.

2. Honeypots

Another helpful way to throw bots off your tail is a “honeypot field”: an extra form field that is hidden in your page’s code and invisible to the real people who browse your WordPress site.

However, it attracts spambots.

They view it as another contact form or field to clutter up with spam messages.

The idea behind this technique is that bots fill out the honeypot field, unaware that doing so immediately exposes them as spam. The entry is rejected on the spot and the message never lands in your inbox or causes any other mayhem on your site.

The honeypot technique, in theory, is a simple way to filter spam out of your life. But the reality is that it can sometimes be hit-and-miss. Some of today’s more sophisticated bots may be capable of getting around your honeypot trap.

While a lot of WordPress security plugins and contact form plugins include built-in honeypot features, make sure it isn’t the only solution you use. When you combine it with CAPTCHA and a spam filter plugin, you’ll have robust, multi-layered protection from spam attacks.
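The following is an added example of the honeypot technique for the native WordPress comment form; it is not code from the original guide or from iThemes. It assumes a standard theme that calls comment_form(), and the field and constant names (website_url_hp, ch_ts, ch_sig, CH_MIN_SECONDS) are the example’s own choices. It combines the hidden field with a second, cheap check the paragraph above hints at: a signed timestamp, so a bot that posts within a couple of seconds of fetching the page, or replays an old form, is also rejected.

```php
<?php
/**
 * Plugin Name: Comment Honeypot (example, not part of the original article)
 * Description: Adds a hidden honeypot field plus a signed submit timestamp to the
 *              native WordPress comment form and rejects submissions that trip either.
 */

// Field names are arbitrary; "website_url_hp" is chosen to look attractive to bots.
const CH_FIELD       = 'website_url_hp';
const CH_TS          = 'ch_ts';
const CH_SIG         = 'ch_sig';
const CH_MIN_SECONDS = 3;       // humans rarely submit within 3 seconds of page load
const CH_MAX_SECONDS = 7200;    // and a form older than two hours is treated as stale

// Sign the timestamp with the site's auth salt so a bot cannot simply post an old value.
function ch_sign(string $ts): string {
    return hash_hmac('sha256', $ts, wp_salt('auth'));
}

// Render the trap fields inside the comment form. The 'comment_form' action fires just
// before the closing </form> tag for both anonymous and logged-in commenters.
add_action('comment_form', function () {
    $ts = (string) time();
    // Hidden via off-screen positioning rather than type="hidden": many bots fill every
    // text input but skip hidden ones. aria-hidden and tabindex keep it away from
    // screen readers and the tab order so real users never see or reach it.
    echo '<p style="position:absolute;left:-9999px;" aria-hidden="true">'
       . '<label for="' . CH_FIELD . '">Leave this field empty</label>'
       . '<input type="text" name="' . CH_FIELD . '" id="' . CH_FIELD . '" value="" tabindex="-1" autocomplete="off">'
       . '</p>';
    echo '<input type="hidden" name="' . CH_TS . '" value="' . esc_attr($ts) . '">';
    echo '<input type="hidden" name="' . CH_SIG . '" value="' . esc_attr(ch_sign($ts)) . '">';
});

// Pure decision function, kept free of WordPress calls so the rule is easy to unit test:
// returns null when the submission looks human, otherwise a short reason string.
function ch_reject_reason(array $post, int $now, callable $sign): ?string {
    if (!empty($post[CH_FIELD])) {
        return 'honeypot filled';
    }
    $ts  = isset($post[CH_TS])  ? (string) $post[CH_TS]  : '';
    $sig = isset($post[CH_SIG]) ? (string) $post[CH_SIG] : '';
    // hash_equals() is constant-time; a plain === would leak timing on the signature.
    if ($ts === '' || !ctype_digit($ts) || !hash_equals($sign($ts), $sig)) {
        return 'missing or forged timestamp';
    }
    $age = $now - (int) $ts;
    if ($age < CH_MIN_SECONDS) {
        return 'submitted too fast';
    }
    if ($age > CH_MAX_SECONDS) {
        return 'form expired';
    }
    return null;
}

// Enforce on submission; 'preprocess_comment' runs before the comment reaches the database.
add_filter('preprocess_comment', function (array $commentdata): array {
    $reason = ch_reject_reason($_POST, time(), 'ch_sign');
    if ($reason !== null) {
        // Log the reason for tuning, but never echo it to the client: a specific error
        // message tells the bot author exactly which check to work around.
        error_log('comment honeypot rejected submission: ' . $reason);
        wp_die(
            esc_html__('Your comment could not be submitted.', 'ch'),
            esc_html__('Comment rejected', 'ch'),
            ['response' => 403, 'back_link' => true]
        );
    }
    return $commentdata;
});
```

Drop the file into wp-content/plugins/ and activate it. The caveat from the paragraph above still applies: a bot that renders the page with a real browser engine, or that has been written against this specific form, will leave the off-screen field empty and can wait out the minimum delay, so the honeypot is a cheap first filter in front of a CAPTCHA and a content-based spam service, not a replacement for them.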

It’s also critical to employ a powerful WordPress backup plugin such as BackupBuddy. With the sophistication of today’s spambots, they can wreak all kinds of havoc on your site without warning. If and when that happens, the BackupBuddy plugin will automatically have a fully-functioning backup copy of your WordPress site ready to go, that you can get online immediately.

Make Spam on WordPress a Problem of the Past

Stopping spam registrations is a chore none of us want to deal with. Fortunately, WordPress and its ecosystem give us powerful tools for preventing them.

As we’ve covered in this guide, spam on WordPress comes in many different forms, including contact form submissions, comments, and spam registrations. Fortunately, the techniques and tools discussed in this article will give you a strong upper hand in reducing spam on WordPress to an absolute minimum.

Remember, spam is a constant nuisance and, unfortunately, part of our everyday lives. It’s safe to say that none of us, or our websites, are immune to the problem. As such, we have to limit its impact.

Source :
https://ithemes.com/blog/how-to-stop-wordpress-spam/

Bulk add and remove Office 365 Licences

I recently had to move around a few thousand EMS licences to enable MFA for Office 365 and Azure, so I decided to write two quick scripts to remove and add back the licences for the required users. I thought I would do a quick post on how I moved the licences.

As always any scripts should be tested on a subset of users before running on larger groups to test that they work as expected.

For this script we need the MSOnline (Office 365) PowerShell module installed.

To check if the module is installed run

Get-Module -ListAvailable MSOnline

The first step is to get the AccountSkuId. To do this, run Import-Module MSOnline and then Connect-MsolService, followed by

Get-MsolAccountSku | Select-Object AccountSkuId

To make things easier and more repeatable in case I need to remove or add other licences, I am using Out-GridView -PassThru to select both the CSV file and the licence SKU.

The first Out-GridView is for the CSV file, which has a single column headed UserPrincipalName (UPN).

The second is to select the SKU to be removed.

Once the two items are selected the script will then run. The full remove licence script is below. The only part that needs to be updated is the $csv variable, to point to the folder where the CSV files will be kept.

## Bulk Remove licences ##
## Requires the MSOnline module and an open session: Import-Module MSOnline; Connect-MsolService

## Select Csv file (single column, header UserPrincipalName)
$csv = Get-ChildItem -Path C:\temp\Office365Licence\Remove\ -File -Filter *.csv | Out-GridView -PassThru -Title 'Select the CSV of users'

## Import Csv
$users = Import-Csv $csv.FullName

## Select Account SKU to be removed
$accountSKU = Get-MsolAccountSku | Select-Object AccountSkuId | Out-GridView -PassThru -Title 'Select the licence SKU to remove'

## Loop through each user in the Csv
foreach ($user in $users) {
    Write-Host "Removing $($accountSKU.AccountSkuId) licence from $($user.UserPrincipalName)" -ForegroundColor Yellow

    ## Remove licence
    Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -RemoveLicenses $accountSKU.AccountSkuId
}

The add script is the same, except that I added a check to confirm whether the user still needs the licence. Again, the only part that needs to be updated is the $csv variable, to point to the folder where the CSV files will be kept.

Just a note on this: I was applying the licence to existing users who were already set up with a usage location. Set-MsolUserLicense will error for any user that has no UsageLocation set, so make sure it is populated first.

## Bulk Add licences ##
## Requires the MSOnline module and an open session: Import-Module MSOnline; Connect-MsolService

## Select Csv file (single column, header UserPrincipalName)
$csv = Get-ChildItem -Path C:\temp\Office365Licence\Add\ -File -Filter *.csv | Out-GridView -PassThru -Title 'Select the CSV of users'

## Import Csv
$users = Import-Csv $csv.FullName

## Select Account SKU to be added
$accountSKU = Get-MsolAccountSku | Select-Object AccountSkuId | Out-GridView -PassThru -Title 'Select the licence SKU to add'

## Loop through each user in the Csv
foreach ($user in $users) {

    ## Check the user's current licences and usage location
    $check = Get-MsolUser -UserPrincipalName $user.UserPrincipalName | Select-Object UserPrincipalName, UsageLocation, Licenses
    Write-Warning "Checking for $($accountSKU.AccountSkuId) on $($user.UserPrincipalName)"

    ## Set-MsolUserLicense fails when no UsageLocation is set, so skip those users instead of erroring out
    if (-not $check.UsageLocation) {
        Write-Warning "$($user.UserPrincipalName) has no UsageLocation set, skipping"
        continue
    }

    ## Check if Licence is already applied
    if ($check.Licenses.AccountSkuId -notcontains $accountSKU.AccountSkuId) {

        ## Add licence
        Write-Warning "Adding $($accountSKU.AccountSkuId) licence to $($user.UserPrincipalName)"
        Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -AddLicenses $accountSKU.AccountSkuId
    }
    else {
        ## Licence already applied
        Write-Host "$($user.UserPrincipalName) has $($accountSKU.AccountSkuId) licence assigned" -ForegroundColor Green
    }
}

Source :
https://thesleepyadmins.com/2019/10/12/bulk-add-and-remove-office-365-licences/

The Next Evolution of Authentication

Bringing identity proofing to Symantec SiteMinder

Readers of this blog won’t need much convincing that today’s digital threat landscape is complex and formidable. Where I expect to find more skepticism is around the prospect of a quick, simple, yet powerful security upgrade to your existing infrastructure.

You’re not wrong to be skeptical.

It’s exceedingly rare when two security technologies, from two different vendors, actually strengthen one another. Much more often the opposite is true, when a lack of identity continuity allows security vulnerabilities and usability barriers to take root in the small gaps between disparate identity systems.

But that’s what makes Daon’s new partnership with Broadcom Software, and our native integration with Symantec SiteMinder, so noteworthy. It really is a fast, simple, affordable way to make SiteMinder even better at what it already does so well—protecting the applications that your business relies on.

Authentication is nice, but is it enough?

SiteMinder has always been highly effective at ensuring that only users with the right identity credentials can gain access to your applications. It manages multiple types of authentication credentials and flow, applying the appropriate mechanism to balance security and convenience.

But in today’s world of ubiquitous password breaches, intercepted OTPs, and stolen devices, there is a quite reasonable and growing level of concern around the inviolability of those very credentials.

At any point along the user journey, how are we to be sure that the identity credentials meant for “Jane” are still, and solely, in her possession?

The Strengths & Weaknesses of Multifactor Authentication

Two-factor authentication solutions like Symantec VIP that utilize multifactor credentials and contextual risk analysis are a critical step in strengthening the authentication process and providing greater confidence that users are who they claim to be.

But this classic model of authentication—including even the strongest, most secure biometric authentication factors like fingerprint authentication—has a limitation. Authenticating that a user’s fingerprint matches the fingerprint on file does not, in itself, prove that the fingerprint belongs to a legitimate user (e.g., Jane). What if the person who submitted the original reference fingerprint was not actually Jane? Or what if someone other than Jane gains access to her account through other means and then changes the reference fingerprint to match their own?


Consumer biometric authentication tools like TouchID and FaceID are plagued by this vulnerability. On an iPhone or Android phone, you can circumvent the biometric security with a simple password, then proceed in seconds to replace all the biometric reference data on that device. What seemed at first glance like robust biometric security is in fact nothing more than an elaborate password proxy.

And there’s a second problem, too.

As Katie Deighton recently wrote in The Wall Street Journal, “Consumers who use two-factor authentication are finding that changing a phone number or neglecting to write down recovery codes can leave them inadvertently locked out of online accounts.”

When authentication becomes too dependent on a trusted device, genuine SiteMinder users who lose a device, have a device stolen, or change to a new device may find themselves suddenly unable to access their SiteMinder-protected applications.

Introducing Daon Identity Proofing

Real-time identity proofing is the next step in the evolution of authentication. It requires a biometric factor (your face) that can be easily verified against a trusted source document (your government-issued photo ID)—something that’s readily available to users but that cannot be altered without detection. 

With ID in hand, a user can quickly snap some photos of the document’s front and back, and then a selfie. In seconds, machine learning algorithms will verify the document, match the selfie to the document image, and use “liveness detection” to prevent spoofing with a photo or video recording. Voilà—the user is authenticated as if they’d presented their credentials to you in person, but with the convenience that digital users have come to expect from all their online interactions. What’s more, this capability can be easily implemented into your Symantec SiteMinder environment through a simple, standards-based OIDC interface.

Your Path Forward

We couldn’t be more delighted that Broadcom Software chose to partner with Daon to bring this powerful capability to SiteMinder users everywhere. Broadcom Software selected us because we’ve been the global leader in biometric identity assurance for over two decades—chosen to secure over a billion identities around the world, performing more than 250 million authentications each day, and trusted by iconic international brands like American Airlines, Hyatt, PNC, Experian, Carnival, and hundreds more.

When you’re ready, we invite you to come learn just how easy and affordable biometric identity proofing can be by visiting us.

Source :
https://symantec-enterprise-blogs.security.com/blogs/feature-stories/next-evolution-authentication

Hackers Breach Mailchimp Email Marketing Firm to Launch Crypto Phishing Scams

Email marketing service Mailchimp on Monday revealed a data breach that resulted in the compromise of an internal tool to gain unauthorized access to customer accounts and stage phishing attacks.

The development was first reported by Bleeping Computer.

The company, which was acquired by financial software firm Intuit in September 2021, told the publication that it became aware of the incident on March 26, when it detected a malicious party accessing the customer support tool.

“The incident was propagated by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised,” Siobhan Smyth, Mailchimp’s chief information security officer, was quoted as saying.

Although Mailchimp stated it acted quickly to terminate access to the breached employee account, the siphoned credentials were used to access 319 MailChimp accounts and further export the mailing lists pertaining to 102 accounts.

The unidentified actor is also believed to have gained access to API keys for an unspecified number of customers, which the company said have been disabled, preventing the attackers from abusing the API keys to mount email-based phishing campaigns.

In the wake of the break-in, the company is also recommending that customers enable two-factor authentication to secure their accounts from takeover attacks.

The acknowledgment comes as cryptocurrency wallet company Trezor on Sunday said it’s investigating a potential security incident stemming from an opt-in newsletter hosted on Mailchimp after the actor repurposed the stolen data to send rogue emails claiming that the company had experienced a security incident.

The fraudulent email, which came with a supposed link to download an updated version of the Trezor Suite hosted on what’s actually a phishing site, prompted unsuspecting recipients to connect their wallets and enter the seed phrase on the trojanized lookalike application, allowing the adversary to transfer the funds to a wallet under their control.

“This attack is exceptional in its sophistication and was clearly planned to a high level of detail,” Trezor explained. “The phishing application is a cloned version of Trezor Suite with very realistic functionality, and also included a web version of the app.”

“Mailchimp have confirmed that their service has been compromised by an insider targeting crypto companies,” Trezor later tweeted. “We have managed to take the phishing domain [trezor.us] offline,” warning its users to refrain from opening any emails from the company until further notice.

The American company hasn’t so far clarified on whether the attack was carried out by an “insider.” It’s also unclear at this stage how many other cryptocurrency platforms and financial institutions are impacted by the incident.

A second confirmed casualty of the breach is Decentraland, a 3D virtual world browser-based platform, which on Monday disclosed that its “newsletter subscribers’ email addresses were leaked in a Mailchimp data breach.”

Source :
https://thehackernews.com/2022/04/hackers-breach-mailchimp-email.html
