Get it while it’s hot: User Spam Remover for WordPress

I’m releasing a WordPress plugin that I wrote to tackle the scourge of user registration spam — those annoying bots that linkspam the WordPress registration form.

If you need a way to silently and automatically delete these spam accounts, and block the new user notification e-mail that WordPress normally sends, check out User Spam Remover.

If you’re thinking, “But, I already know about [Plugin X] that uses Captchas, RBLs and double opt-in activation e-mail to keep spammers away!” then well, that’s great. But I wrote User Spam Remover with a different goal in mind: It doesn’t interfere with the user registration process at all. It just deletes spam and other unused user accounts after it’s clear they’re abandoned.

I could totally go off on this topic, but my logic is that Captchas, RBLs and activation are (a) easily and routinely exploited and (b) annoying to configure and deal with, both from an admin and user perspective. They’re a pain in the butt, and they don’t work 100% — you’ve still got spam getting through, and now you’ve got false positives as well, impacting your “real” users.

The problem is that, unlike comment spam, which can be reliably (thanks, Akismet) detected using pattern matching, there’s simply too little data in a user account to accurately identify spam based on just a username, password, URL and IP address. (The same goes for, say, a human attacker.)

So, User Spam Remover is designed based on the assumption that these users can and will register, but won’t be allowed to do anything other than comment. Then, if they do comment (99% of the time they won’t — they’re just linkspamming the registration URL), their comments will be caught by Akismet or otherwise modded into oblivion.

So, in the end, these accounts can be identified and deleted based on the fact that they’re totally unused (have added no posts, links or comments).

User Spam Remover takes care of identifying and removing these user accounts in the background. It’s fully configurable, and includes full logging and backup of every database record it deletes, for seamless restoration if need be (it is deleting from your users table, after all).

I’ve tested the released version on data dumps from several live blogs including thousands of users, and have been running it for several weeks without incident. That doesn’t mean it’s bug-free — this is an initial public release — but it’s ready for wider use.

I suggest testing it on a development copy of your site first. For instance, use it to delete some user spam, and then reload the deleted accounts from the SQL backup file:

mysql your_wp_database < userspamremover.restore.sql

Once you're confident that the plugin works, and that you know how to restore user accounts if something goes wrong, then you can feel a lot more secure about trying it out on your blog.
