Comments: Letting Your Readers Talk Back - Building a WordPress Blog - WordPress: The Missing Manual (2014)

WordPress: The Missing Manual (2014)

Part II. Building a WordPress Blog

Chapter 8. Comments: Letting Your Readers Talk Back

In the chapters you’ve read up to this point, you learned to create the two most essential ingredients of any WordPress site, posts and pages. They’re the vehicles for your content—the way you’ll reach friends, potential customers, or hordes of devoted readers.

Still left to explore is the WordPress commenting system, which is a keenly important part of almost every WordPress site, whether it’s a chatty blog or a buttoned-up business website. Used properly, comments can change your site from a one-way lecture to a back-and-forth conversation with your readers or customers. Commenting isn’t just a fun way to make friends—it’s also a serious tool for promoting your work, getting more traffic, turning casual browsers into repeat visitors, and even making money.

In this chapter, you’ll learn how to manage comments on your site. You can banish offensive ones, insert yourself into the discussion, and even tweak the way WordPress displays comments by formatting them to make them more readable and adding author pictures. Once you understand the basics of comment management, you’ll be ready to confront one of the single biggest hassles that every WordPress site faces: comment spam—the messages that dubious marketers and scammers slap across every site they can find. You’ll learn strategies for preventing spam without aggravating your readers, and you’ll take a side trip to explore the spam-crushing Akismet plug-in.

NOTE

This chapter points out a few optional plug-ins that self-hosting WordPressers can use to fill in the gaps in WordPress’s commenting features. However, you’ll probably want to wait until you read Chapter 9, which explains how to manage plug-ins, before you try any of them out on your site.

UP TO SPEED: WHY YOUR WORDPRESS SITE NEEDS A COMMUNITY

Once upon a time, people thought comments belonged only in personal blogs and discussion forums. Serious-minded web publishers ignored them. Small businesses avoided them—after all, if people really needed to get help or make their opinions known—well, that’s what email was for, right?

Today, the website landscape has changed dramatically. Web commenting is an essential ingredient for sites small and large, fun and serious, casual and moneymaking. Here’s what a comments section can do for you:

§ Attract new visitors. New visitors immediately notice whether a website has a thriving conversation going on or just a single lonely comment. They use that to evaluate how popular a website is. It’s crowd mentality, working for you—if new visitors see that other people find a topic interesting, they’re more likely to dive in to check out your content for themselves.

§ Build buzz. If you’ve taken to the Web to promote something—whether it’s a new restaurant, a book, a community service, or whatever—you can only do so much to persuade people. But if you get your fans talking to other people, the effect is exponential. Comments help you spread the word, getting your readers to talk up your products or services. And once they’re talking on your blog, it’s just a short hop away for other bloggers to post about you on their blogs.

§ Build loyalty. A good discussion helps make a site sticky—in other words, it encourages people to return. Put another way, people may come to your site for the content, but they stay for the comments.

§ Encourage readers to help other readers. Often, readers will want to respond to your content with their own comments or questions. If you ask them to do that by email and your site is popular, your readers will easily overwhelm you. But with comments, your audience can discuss among themselves, with you tossing in the occasional follow-up comment for all to see. The end result is that your site still has that personal touch, even when it’s big and massively popular.

Allowing or Forbidding Comments

If you haven’t changed WordPress’s factory settings, all your posts and pages already support comments. You’ve probably already noticed that when you view an individual post or page, there’s a large “Leave a Reply” section just below your content.

But it doesn’t always make sense to allow comments on everything you publish. Many static pages don’t lend themselves to discussion. You probably won’t get a great conversation going on an About Us or Our Location page, for example, so it makes sense to disable comments for these pages and let people have their say somewhere else.

Posts usually allow comments, but you might want to disable them if you write on a contentious subject that’s likely to attract an avalanche of inflammatory, insulting, aggressive, or racially charged feedback. News sites sometimes disable comments to avoid legal liability (for libelous comments someone posts, for example, or for trade secrets someone reveals). Allowing comments on posts or pages isn’t an all-or-nothing decision—you can pick and choose what content allows comments.

NOTE

Comments apply equally to posts and pages. For convenience, most of the discussion in this chapter refers to posts, but everything you’ll learn applies equally to pages.

Changing Comment Settings for a Post

You can turn off comments for an individual post or page by changing the comment settings when you create or edit that post or page. However, WordPress usually hides the settings. To see them, you need to click the Screen Options button in the top-right corner of the Add New Post or Edit Post page, and then turn on the checkmark next to Discussion. This adds a Discussion box to your post-in-progress, which offers just two settings (Figure 8-1).

Figure 8-1. You can opt out of comments for a single post or page by turning off the “Allow comments” checkbox. You can also disable trackbacks and pingbacks, which you’ll consider on page 260.

If you have a pile of posts that allow comments and you want to remove the comment feature from all of them, WordPress makes it easy by letting you edit posts in bulk. Here’s how to do that:

1. Choose Posts→All Posts.

WordPress lists all your posts.

2. Turn on the checkbox next to each post you want to change.

3. Choose Edit from the Bulk Actions drop-down list, and then click Apply.

The edit panel appears at the top of the post list, with a number of settings you can change (see Performing Bulk Actions).

4. In the Comments drop-down list, pick “Do not allow,” and then click Update.

You can use the same trick to turn commenting back on and to change the comment settings on your pages.

Changing the Default Comment Settings Site-Wide

To create a site that’s mostly or entirely comment-free, you probably don’t want to fiddle with the Discussion settings for every post. Instead, you should create a universal setting that applies to all new posts and pages. Choose Settings→Discussion on the dashboard, and then turn off the checkmarks next to “Allow link notifications from other blogs (pingbacks and trackbacks)” and “Allow people to post comments on new articles.” Then scroll down to the bottom of the page and click Save Changes.

Now all new posts and pages will be comment-free. You can add the comment feature back to specific posts or pages by turning on “Allow comments” in the Discussion box, as shown back in Figure 8-1.

There are many more options in the Settings→Discussion page that change the way comments work. You’ll learn to use them in the rest of this chapter.

The Life Cycle of a Comment

The easiest way to understand how WordPress comments work is to follow one from its creation to the moment it appears on your site and starts a conversation.

Depending on how you configure your site, comments travel one of two routes:

§ The slow lane. In this scenario, anyone can leave a comment, but you need to approve it before it appears on the post. You can grant an exemption for repeat commenters, but most people will find that the conversation slows down significantly, no matter how quickly you review new comments.

§ The fast lane. Here, each comment appears on your site as soon as someone leaves it. However, unless you want your website drowned in thousands of spam messages, you need to use some sort of spam-fighting tool with this option—usually, it’s an automated program that detects and quarantines suspicious-looking messages.

For most sites, the second choice is the best approach, because it allows discussions to unfold quickly, spontaneously, and with the least possible extra work on your part. But this solution introduces more risk, because even the best spam-catcher will miss some junk, or allow messages that aren’t spam but are just plain offensive. For that reason, WordPress starts your site out on the safer slow lane instead.

In this chapter, you’ll consider both routes. First, you’ll learn the slow-lane approach. Then, when you’re ready to step up your game with more powerful spam-fighting tools, you’ll consider the fast-lane approach.

Leaving a Comment

Leaving a comment is easy, which is the point—the more convenient it is to join the conversation, the more likely your visitors are to weigh in.

Assuming you haven’t tweaked any of WordPress’s comment settings, visitors need to supply two pieces of information before they can make their thoughts known: their name and their email address. They can optionally include a website address, too (Figure 8-2).

NOTE

If you’re logged into your website as the administrator, you won’t see the commenting layout shown in Figure 8-2. Instead, you’ll see just the box for comment text, because WordPress already knows who you are. This won’t help you understand what life is like for ordinary readers, however, so before you go any further, log out (click “Log out” above the comment box) or go to the page from another computer or browser. Then your site will treat you like a stranger, and you’ll see the same commenting boxes your visitors see.

Here’s what WordPress does with the information it gets from commenters:

§ Name. It displays the commenter’s name prominently above her comment, thereby identifying her to other readers.

§ Email address. WordPress doesn’t display this publicly, so commenters don’t need to worry about spam. In fact, WordPress won’t stop visitors from inventing imaginary email addresses (although it will prevent them from typing in gibberish that obviously doesn’t make sense). WordPress won’t even send would-be commenters one of those pesky “Confirm this is your address” email messages. However, email addresses are important if you want to display a tiny picture of each commenter next to each comment (see The Gravatar Service for details).

§ Comment text. This is the meat of the comment (Figure 8-2).

§ Website. If your commenter includes this detail, WordPress turns the commenter’s name, which appears above posts, into a link. Other readers can click it to travel to the commenter’s site.

To see how comments work, try typing in one of your own. First, make sure you aren’t logged in as the administrator (if you are, you’ll bypass the moderation process described below, because WordPress figures you’ll always allow your own comments). Assuming you’re logged out and you see the text boxes shown in Figure 8-2, type in a comment and then click Post Comment.

Figure 8-2. Ordinarily, a commenter needs to include his name and email address (although WordPress doesn’t verify either). Optionally, commenters can include a website address or leave this box blank.

Now, WordPress plays a slight trick on you. When you submit a comment, WordPress immediately adds it below your post (Figure 8-3), making it look as though your comment has been published. But in reality, when you use the slow-lane commenting route, no one can see the comment until the site owner (that’s you) reviews it and formally approves it. This process is called moderation.

Figure 8-3. Here’s what your upcoming comment will look like when it’s published. Right now, no one can see it but you.

GEM IN THE ROUGH: COMMENTS THAT USE HTML

Most people who comment on a post or page will type in one or more paragraphs of ordinary text. However, craftier commenters may include a few HTML tags to format their comments.

For example, you can use the <b> and <i> elements to bold and italicize text. Type this:

I’m <i>really</i> annoyed.

and your comment will look like this:

I’m really annoyed.

You can also add headlines, line breaks, bulleted and numbered lists, and even tables. You could use the <a> element to create a link, but that’s not necessary—if you type in text that starts with www. or http://, WordPress automatically converts it to a clickable link.

Now that you know you can use HTML in a comment, the next question is, should you? Most site owners don’t mind the odd bit of bold or italic formatting, but they may trash messages that include shamelessly self-promotional links or ones that attempt to steal focus from the conversation with wild formatting—it’s like an attention-starved kid throwing a grocery-store tantrum.

You can edit comments that use HTML inappropriately, but that takes time and effort. As a safeguard, some site owners don’t allow HTML elements at all. If you run a self-hosted site, you can ban HTML by creating a custom theme, an advanced task detailed in Chapter 13. Once you do, you need to edit its functions.php file (Extending WordPress with Functions.php) and add these instructions anywhere after the first line (which holds the <?php marker that starts the code block):

// Strip HTML tags from comment text when it is displayed, in RSS feeds, and in excerpts.
add_filter( 'comment_text', 'wp_filter_nohtml_kses' );
add_filter( 'comment_text_rss', 'wp_filter_nohtml_kses' );
add_filter( 'comment_excerpt', 'wp_filter_nohtml_kses' );

Now WordPress strips out any HTML tags from comments and disables the linking capability of web addresses.

Moderating Comments Through Email

When a comment awaits moderation, the discussion on your site stalls. WordPress takes two steps to notify you of waiting comments:

§ It sends you an email message, with information about the new comment (and the links you need to manage it).

§ It adds an eye-catching number-in-a-circle icon to the Comments button on your dashboard menu, where you can manage all your comments.

These two actions underlie the two ways you moderate WordPress comments: either by email or through your site’s dashboard. First, you’ll consider the email approach.

Email moderation is, for practical purposes, an option only for a small site that receives a relatively small number of comments. If you’re the sort of person who carries around a web-connected device (like a smartphone) everywhere you go, email moderation gives you a convenient way to approve or discard comments mere minutes after they’re made (Figure 8-4).

Figure 8-4. The email message WordPress sends notifying you of a comment includes all the information the commenter supplied. It ends with several links. Depending on which you choose, you can approve the comment (which publishes it), trash it (which simply deletes it), or report it as spam (which deletes it and notifies WordPress, so the same user can’t put his spam message all over everyone else’s blog).

Email moderation is a great idea, but it’s increasingly impractical for the websites of today. The problem is comment spam—advertisements for Viagra and Cialis, porn, shady discount deals, and so on. If you use email moderation, you’ll receive an ever-increasing load of notifications as a host of black-hat characters try to insert their junk onto your pages. Not only is it difficult to manage the sheer number of messages you get, it’s often difficult to quickly verify that a message is legitimate, because spammers try to make their comments sound real. Often, the only way to confirm that a comment is bogus is to visit the commenter’s site, where you usually find ads unrelated to anything in the comment. If you plan to review comments on a mobile device, this extra step is neither quick nor convenient.

For these reasons, few people use email moderation to manage comments. You can try it, and it may work wonderfully at first, but you’ll probably need to abandon it as more and more spammers discover your site, or you’ll need to supplement it with one of the antispam plug-ins you’ll learn about in Understanding Akismet. That way, your plug-in can take care of the massive amounts of obvious spam, while you concentrate on moderating the comments that make it past the spam filter.

NOTE

Don’t fall into the trap of thinking that you’re safe because your audience is small. Most spammers don’t target WordPress sites by popularity. Instead, they try to spread their junk everywhere they can. And their site-discovering techniques are surprisingly sophisticated. Even if you haven’t told anyone about your site and you’ve configured it so it’s hidden from search engines, you’ll still get spam comments, usually within days of the site’s creation. But here’s the happy news: Any plug-in that blocks automated spam should reduce comment moderation to a manageable task.

WordPress comes with email moderation turned on. If you decide you don’t want to be notified because you’re receiving too many spam messages, you can easily switch it off. Choose Settings→Discussion, find the “Email me whenever” section, and clear the checkmarks next to “Anyone posts a comment” and “A comment is held for moderation.”

FREQUENTLY ASKED QUESTION: WHERE ARE MY EMAILS?

I have the comment notification settings switched on, but I’m not getting any emails.

Ironically, email programs often misinterpret the notifications that WordPress sends as junk mail. The problem is that the messages contain quite a few links, which is a red flag suggesting spam. To find your missing messages, check your junk mail folder.

To avoid having your comment notifications identified as junk mail, tell your email program to always trust the address that sends them. The sending address is wordpress followed by your website domain, as in wordpress@magicteahouse.net.

Moderating Comments from the Dashboard

The other way to moderate comments is through the dashboard. The disadvantage here is that you need to open a browser, visit your site, and log in. The advantage is that you’ll see all your site’s comments in one place, and you can accept or discard them en masse.

If you have comments awaiting moderation, you’ll see a black circle-with-a-number icon in the dashboard menu. This circle looks like the one that notifies you of WordPress and plug-in updates (Major Updates), except that it appears over the Comments menu and indicates the number of unreviewed comments you have (Figure 8-5). If you go to the dashboard’s home page (Dashboard→Home), you’ll also see the most recent comments in the Recent Comments box.

Figure 8-5. WordPress wants you to know that five comments await your attention.

To review comments, click Comments in the dashboard menu. Initially, you see a list of all the comments left on all the posts and pages of your site, ordered from newest to oldest. Click the Pending link above the comment list to focus on just the comments you need to review (Figure 8-6).

Here’s what to do once you examine a comment:

§ If it’s spam, click the Spam link. Do not click Trash. Yes, both links remove the comment from your list, but only Spam reports the spammer to WordPress, which can help intercept the spam before it hits other sites.

§ If it’s a valid comment, click Approve to publish it. If the same person returns and posts another comment using the same email address, WordPress lets it through automatically, no moderation required. (This works because WordPress automatically turns on the “Comment author must have a previously approved comment” setting.)

§ If it’s a valid comment that you don’t want to allow, click Trash. For example, if someone read your post and replied in an abusive manner, you don’t need to publish her comment—it’s up to you.

Figure 8-6. The comment list is packed with information. On the left are two useful links to help you evaluate whether a comment is legit. Underneath the comment are the links that let you approve or delete it.

You don’t need to deal with comments one at a time. You can use a handy bulk action to deal with multiple comments at once. This is particularly useful if you need to clear out a batch of suspicious-looking junk.

To deal with a group of comments, start by adding a checkmark to each one you want to process. Then pick a comment-handling action from the Bulk Actions drop-down list. Your options include Approve, Unapprove, Move to Trash, and Mark as Spam. Finally, click Apply to carry out your action.

UP TO SPEED: EVALUATING COMMENTS

When you review comments, your goal is to separate the well-meaning ones from the offensive ones (which you may not want to allow) and to delete spam (which you definitely don’t want). Be careful, because spammers are often crafty enough to add a seemingly appropriate comment that actually links to a spam site. They may identify keywords in your posts and cobble them together in their comments. They may report imaginary errors in your blog, claiming links don’t work or pictures don’t load. Often, they’ll throw in some flattery in a desperate attempt to get approved.

For example, in Figure 8-6, the last three comments are real spam comments, received on the actual Magic Tea House sample site. The second and third comments were posted together, and they appear to strike up a fictitious conversation. But the clues abound that something isn’t right. The comments discuss a product that hasn’t existed in years (Microsoft’s Zune player) and has nothing to do with the post topic (teas from Kuala Lumpur). The fourth comment is a more typical example of spam: vague but effusive praise for the site that always manages to avoid stating anything specific.

The acid test for spam is to view the commenter’s website. To do that, click the corresponding link (to the left of the comment in the comment list). Sometimes just looking at the URL is enough. In Figure 8-6, a careful examination exposes at least two of the spam comments as come-ons for X-rated websites.

Once you identify one spam message, you may be able to detect others sent from the same spammer by using the message’s IP address (a numeric code that uniquely identifies web-connected computers). For example, in Figure 8-6 two spam messages come from the same IP address (204.45.103.70). WordPress even gives you a shortcut—click the IP address, and it shows you only the comments that originated from that address. You can then flag them all as spam in a single bulk action (see Performing Bulk Actions).

TIP

Remember, if you accidentally put a comment you want in the Spam or Trash bin, you can get it out if you act fast. Click the Spam or Trash link above the comments list to see a list of removed comments, which you can then restore.

Moderating Comments for a Specific Post

The Comments page is the only place where you can see all the comments on your site in one list. But the Comments page isn’t always the most convenient place to review comments, particularly if you have hundreds to look through.

WordPress gives you another option: You can review just the comments that relate to a specific post. To do that, edit the post and scroll down to the Comments box at the bottom of the Edit Post page. There, WordPress displays a list of the post’s comments, along with links that let you approve, trash, or edit each one.

Lastly, if you’re logged in to your site, you can deal with comments without even skipping back to the dashboard. When you read the comments section after a post, you’ll see an edit link next to each comment (Figure 8-7). Click that, and you’ll get the chance to modify or remove that comment. This approach takes a few more clicks, and it works only on comments you’ve already approved. (Comments you haven’t approved don’t show up on the post page.) However, if you use automatic post approval with a spam plug-in, as you’ll learn to do in Understanding Akismet, this is a quick way to deal with the errant bit of spam you find slipping through your filters.

Figure 8-7. If you spot spam on a post, you can deal with it in situ, no dashboard required.

Sanitizing Comments

By now, you’re well acquainted with your role as supreme comment commander. Only you can decide which comments live to see the light of day, and which ones are banished to the trash or spam folders.

WordPress gives you one more power over comments that may surprise you. You can crack open any comment and edit it, exactly as though it were your own content. That means you can delete text, insert new bits, change the formatting, and even add HTML tags. You can do this by clicking the Edit link under the comment, which switches to a new page named Edit Comment, or you can edit it more efficiently by clicking the Quick Edit link, which opens a comment-editing text box right inside the list of comments.

You might use this ability to remove something objectionable from a comment before you allow it, such as profanity or off-site links. However, few site administrators have the time to personally review their readers’ comments. Instead, they get WordPress to do the dirty work.

One way to do that is to use the Comment Moderation box. Choose Settings→Discussion and fill the box with words you don’t want to allow (one per line). If a comment uses a restricted word, WordPress adds it to the list of comments that need your review, even if you approved an earlier comment from the same person, and even if you disabled moderation (Understanding Akismet). However, mind the fact that WordPress checks not only whole words, but within words as well, so if you disallow ass, WordPress won’t allow jackass or Assyria. If you want to be even stricter, you can use the Comment Blacklist box instead of the Comment Moderation box. You again provide a list of offensive words, but this time WordPress sends offending comments straight to your spam folder.

If you run a self-hosted site, you can use a gentler approach, one that replaces objectionable words but still allows the comment. For example, the WP Content Filter plug-in (http://tinyurl.com/wpcontentfilter) replaces words you don’t want (like jackass) with an appropriately blanked-out substitution (like j******, j*****s or *******). Of course, crafty commenters will get around these limitations by adding spaces and dashes (jack a s s), replacing letters with similar-looking numbers or special characters (jacka55), or just using creative misspellings (jackahss). So if you have a real problem with inappropriate comments and you can’t tolerate them even temporarily (in other words, before you have the chance to find and remove them), then you need to keep using strict moderation on your site so you get the chance to review every comment before it’s published.
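The trade-off described in the last two paragraphs, as an added example (not code from the book, from WordPress, or from the WP Content Filter plug-in): a stand-alone PHP script that compares the within-word matching the chapter describes with a whole-word matcher and a normalizing matcher. The function names, word lists and sample comments are constructed for illustration; the only WordPress API assumed is the pre_comment_approved filter, which is used only when the file is loaded from a theme's functions.php.

```php
<?php
// Added example: a stand-alone model of word-list comment screening.
// Function names, word lists and sample comments are constructed for
// illustration; none of this is WordPress core code.

/** Within-word (substring) test, the behaviour the chapter describes. */
function matches_substring( string $text, array $words ): bool {
    foreach ( $words as $word ) {
        $word = trim( $word );
        if ( '' !== $word && false !== stripos( $text, $word ) ) {
            return true;
        }
    }
    return false;
}

/** Whole-word test: "ass" no longer flags "Assyria", but disguised spellings get through. */
function matches_whole_word( string $text, array $words ): bool {
    foreach ( $words as $word ) {
        $word = trim( $word );
        if ( '' !== $word && 1 === preg_match( '/\b' . preg_quote( $word, '/' ) . '\b/i', $text ) ) {
            return true;
        }
    }
    return false;
}

/** Fold case, map look-alike digits and symbols to letters, then drop everything that is not a-z. */
function normalize_text( string $text ): string {
    $text = strtr( strtolower( $text ), '013457@$', 'oieastas' );
    return (string) preg_replace( '/[^a-z]+/', '', $text );
}

/**
 * Substring test on normalized text. Normalizing joins neighbouring words
 * ("has seen" becomes "hasseen"), so use it only with long, distinctive entries.
 */
function matches_normalized( string $text, array $words ): bool {
    $flat = normalize_text( $text );
    foreach ( $words as $word ) {
        $needle = normalize_text( $word );
        if ( '' !== $needle && false !== strpos( $flat, $needle ) ) {
            return true;
        }
    }
    return false;
}

/** Downgrade a comment that would be published to "held for moderation" (0). */
function screen_comment( $approved, array $commentdata, array $watch_words ) {
    if ( 1 !== $approved && '1' !== $approved ) {
        return $approved; // already held, spam, or rejected: leave the decision alone
    }
    $content = isset( $commentdata['comment_content'] ) ? (string) $commentdata['comment_content'] : '';
    return matches_normalized( $content, $watch_words ) ? 0 : $approved;
}

// Inside WordPress: hold matching comments for review instead of publishing them.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'pre_comment_approved', function ( $approved, $commentdata ) {
        return screen_comment( $approved, $commentdata, array( 'jackass' ) ); // constructed list
    }, 10, 2 );
}

// Outside WordPress (php example.php): compare the three matchers on constructed samples.
if ( 'cli' === PHP_SAPI && ! function_exists( 'add_filter' ) ) {
    $samples = array(
        "Don't be such a jackass.",
        'Tea reached Assyria by caravan.',
        'What a jack a s s.',
        'Total jacka55 move.',
        'You jackahss.',
    );
    $flag = function ( bool $hit ): string {
        return $hit ? 'FLAG' : 'ok';
    };
    foreach ( $samples as $sample ) {
        printf(
            "%-34s within-word(ass)=%-5s whole-word(jackass)=%-5s normalized(jackass)=%s\n",
            $sample,
            $flag( matches_substring( $sample, array( 'ass' ) ) ),
            $flag( matches_whole_word( $sample, array( 'jackass' ) ) ),
            $flag( matches_normalized( $sample, array( 'jackass' ) ) )
        );
    }
}
```

Normalizing recovers the spaced-out and digit-swapped spellings, but the creative misspelling still passes every matcher, which is why a word list supplements moderation rather than replacing it.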

The Ongoing Conversation

You’ve now seen how a single, lonely comment finds its way onto a WordPress post or page. On a healthy site, this small step is just the start of a long conversation. As readers stop by, more and more will add their own thoughts. And before long, some people will stop replying to your content and start replying to each other.

WordPress keeps track of all this in its comment stream, which is similar to the stream of posts that occupies your site’s home page. WordPress sandwiches the comment stream between your content (the text of your post or page), which sits at the top, and the “Leave a Reply” box, which sits at the bottom. Unlike the post stream, the comment stream starts with older comments, followed by newer ones. This arrangement makes it easy to follow an unfolding conversation, where new comments refer to earlier ones.

TIP

If you have lots of comments and want to emphasize the newest ones, you can flip the order, so that the newest comments appear first. Choose Settings→Discussion, find the setting that says “Comments should be displayed with the older comments at the top of each page,” and pick “newer” instead of “older.”

Threaded Comments

The most interesting part of the comment stream is the way it threads comments—it orders the comments that visitors post in reply to other comments. When new visitors read your post and join the conversation, they have two options: They can reply directly to your post by scrolling to the “Leave a Reply” section at the bottom of the page, or they can reply to one of the existing comments by clicking the Reply button (or link) next to the comment.

When a guest comments on another comment, WordPress puts the reply underneath the original note, indented slightly to show the relationship. Figure 8-8 shows how one of the standard WordPress themes (in this case, Twenty Thirteen) handles threaded comments.

TIP

WordPress has a handy shortcut that lets you, the site owner, join a conversation straight from the dashboard. When reviewing a comment on the Dashboard→Comments page, click the Reply link, fill in some text, and then click the Reply button (or “Reply and Approve” if you’re responding to a comment you haven’t approved yet).

If several people reply to the same comment, WordPress arranges the replies underneath the comment and indents them, either from oldest to newest (the standard) or newest to oldest (if you changed the discussion settings as described in the earlier Tip about comment order).

Figure 8-8. The Twenty Thirteen theme highlights a comment reply by indenting it under the original comment. Some themes go further and corral related comments using a box or shaded background.

Comment replies can go several layers deep. For example, if Sarah replies to your post, Jacob can reply to Sarah’s comment, Sergio can reply to Jacob’s comment, and then Sarah can reply to Sergio’s reply, creating four layers of stacked comments (Figure 8-9).

Figure 8-9. If you expect to get piles of comments, the WordPress year themes might not be the best choice for you. They tend to spread comments out with plenty of whitespace in between, which makes for more visitor scrolling. Many other themes pack comments tightly together, like the Greyzed theme shown here.

WordPress allows this replying-to-replies madness to continue only so far; once you get five levels of comments, it no longer displays the Reply button. This prevents the conversation from becoming dizzyingly self-referential, and it stops the ever-increasing indenting from messing with your site’s layout. However, you can reduce or increase this cap (the maximum is 10 levels) by choosing Settings→Discussion, finding the setting “Enable threaded (nested) comments 5 levels deep,” and then picking a different number. Or turn off the checkmark for this setting to switch threaded comments off altogether, which keeps your conversations super-simple but looks more than a bit old-fashioned.

WORD TO THE WISE: AUTHOR COMMENTS

Don’t forget to add your voice to the discussion. Authors who never take the time to directly engage their readers lose their readers’ interest—quickly.

Of course, it’s also possible to have too much of a good thing, and authors who reply to every comment will seem desperate (at best) or intrusive (at worst). They’ll suffocate a conversation like a micro-managing boss. The best guideline is to step in periodically, answering obvious questions and giving credit to good feedback (while ignoring or deleting the obvious junk). Do that, and your readers will see that your comments section is well cared for. They’ll know that you read your feedback, and they’ll be more likely to join in.

WordPress makes site owners’ comments stick out from those of the riffraff so your readers can easily spot your contributions. The way it does so depends on the theme, but most change the background color behind your comment. If you run a self-hosted blog, or if you bought the Custom Design upgrade for your WordPress.com site, you can make your replies even more obvious. The trick is to tweak the formatting that the bypostauthor style applies. Puzzling Out the Styles in a Theme explains how.

Paged Comments

WordPress provides a comment-organizing feature called paging that divides masses of comments into separate pages. The advantage is that you split awkwardly long discussions into more manageable (and readable) chunks. The disadvantage is that readers need to click more links to follow a long discussion.

To use pages, choose Settings→Discussion and then turn on the checkbox next to “Break comments into pages.” You can type in the number of comments you want included on each page (the factory setting is 50).

You can also choose the page that readers begin on—the standard setting is “last,” which means that new readers will start on the last page of comments first, seeing the most recent chunk of the conversation before they see older exchanges. But the overall effect is a bit weird, because the very latest comment appears at the bottom of the first page. What you probably want is the latest comment to appear at the top of that page. To get this effect—paged comments, with the most recent comment at the top of the list on the first page—change “last” to “first” (so the setting says “and the first page displayed by default”) and change “older” to “newer” (so the setting says “Comments should be displayed with the newer comments at the top of each page”).

Advertising a Post’s Comments

As you’ve seen, comments appear right underneath the post they refer to. They don’t appear at all in the reverse-chronological list of posts that acts as the home page for most WordPress sites. You can think of it this way: Each post is like a separate room at a party, with its own conversation. The same guests can wander between rooms and join different conversations, but the conversation from one room doesn’t intrude on the conversation in the next.

However, WordPress does attempt to alert readers to the presence of comments in the post list, if not their content. If a post has at least one comment, WordPress shows the comment count next to that post. If a post doesn’t have any comments, WordPress displays a “Leave a comment” link. Technically, your site theme controls this detail, but most are fairly consistent in this practice (Figure 8-10).

Figure 8-10. Most themes show you how many comments a post has. If a post doesn’t have any, readers are invited to add the first one, although the exact wording of this link differs from one theme to another.

Here’s another way to highlight comments on your home page: Use the Recent Comments widget, which highlights the most recent comments made on any post or page (Figure 8-11). When you add this widget (in the Appearance→Widgets section of the dashboard), you can choose the number of recent comments it lists. The standard setting is 5.

TIP

If you want a better Recent Comments widget, there are plenty of plug-ins that fill the gap. Most excerpt the first part of the comment and display it right inside the widget to give readers a taste of the conversation (and to encourage them to join in). See, for example, the Better WordPress Recent Comments plug-in (http://tinyurl.com/wprecentcomments).

Figure 8-11. The Recent Comments widget tells you who’s commenting on what post. However, it doesn’t show you any of the comment content, which is a shame. Readers can click a comment link to see both the comment and the corresponding post.

Comment Ratings

You’ve no doubt seen sites that let readers rate each other’s comments, often by clicking a tiny thumbs-up or thumbs-down icon (Figure 8-12). It’s one more form of audience participation.

Figure 8-12. Here, Lisa Chang’s comment gets three thumbs-up votes and one thumbs-down vote. Keep in mind, however, that comment votes are a quick-and-dirty feedback tool. There are several ways for people to cheat the system and trick their browsers into letting them vote more than once.

Bloggers and other web authors are divided over the value of comment ratings. On the upside, they encourage readers to get involved, and let people feel like they’re taking part in a discussion even if they don’t write a comment. On the downside, comment ratings have a nasty habit of turning discussions into arguments. If you’re dealing with a contentious subject, readers may simply scan the list of comments to vote up the ones they agree with and vote down the ones they don’t. (Some sites try to reduce the negativity by replacing comment voting with a Like button that allows readers to vote for comments but not against them. But even this type of rating encourages readers to gang up with the people who share their opinions.)

Philosophical questions aside, it’s fairly easy to add comment ratings to your site if it’s running on WordPress.com. In the dashboard, choose Settings→Ratings, click the Comments tab, and then turn on the “Enable for comments” checkbox. You can position the voting icons above the comments (as in Figure 8-12) or below them. When you finish, click Save Changes.

Unfortunately, self-hosted WordPress sites don’t get the comment rating feature. The solution is to install a comment voting plug-in, like Polldaddy (http://tinyurl.com/wp-polls). But first you need to learn a bit more about plug-ins, as detailed in Chapter 9.

Linkbacks

There’s one type of comment you haven’t seen yet: the linkback, a short, automatically generated comment that lets you know when somebody is talking about your post. Figure 8-13 shows what a linkback looks like—but be warned, it’s not particularly pretty.

NOTE

Linkbacks are comments. They appear in the comment list and need your approval before WordPress publishes them, just as any other comment does.

The neat thing about linkback comments is that WordPress creates them automatically. Here’s how the linkback in Figure 8-13 came to be:

1. First, you published the “Community Outreach Fridays” post on the Canton School site.

2. Then, the Time for Diane site created the “Fun at Glenacres Retirement” post. Although it isn’t shown in Figure 8-13, that post included a link to your “Community Outreach Fridays” post.

3. When the Time for Diane site published the “Fun at Glenacres Retirement” post, the site sent a notification to the Canton School site, saying “Hey, I linked to you” in computer language. (The person who wrote the “Fun at Glenacres Retirement” post doesn’t need to take any action, and probably doesn’t even know that a notification is being sent.)

4. On the Canton School site, WordPress springs into action, adding the linkback comment shown in Figure 8-13.
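The four steps above, seen from the receiving site, as an added example that is not code from the book or from WordPress. It assumes the notification is a pingback (an XML-RPC pingback.ping call carrying the source and target URLs) and shows the check that keeps a fake notification from becoming a comment; the URLs, the FAKE_WEB table and the function names are constructed for illustration.

```python
import xmlrpc.client
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Fault codes from the Pingback 1.0 specification.
SOURCE_NOT_FOUND = 16    # source URI does not exist
NO_LINK_TO_TARGET = 17   # source page does not link to the target
TARGET_NOT_FOUND = 32    # target URI does not exist
TARGET_NOT_OURS = 33     # target cannot be used as a target

# Constructed sample data (hypothetical URLs, not from the book).
OWN_HOST = "cantonschool.example"
TARGET = "http://cantonschool.example/community-outreach-fridays"
OWN_POSTS = {TARGET}
SOURCE = "http://timefordiane.example/fun-at-glenacres-retirement"
SPAM_SOURCE = "http://cheap-pills.example/buy-now"
FAKE_WEB = {  # stands in for fetching the source page over HTTP
    SOURCE: '<p>See <a href="%s">Community Outreach Fridays</a>.</p>' % TARGET,
    SPAM_SOURCE: '<p><a href="http://cheap-pills.example/">Buy now</a></p>',
}


class LinkCollector(HTMLParser):
    """Collects the href of every <a> element on a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.update(v for k, v in attrs if k == "href" and v)


def build_ping(source, target):
    """Step 3: the notification the linking site sends."""
    return xmlrpc.client.dumps((source, target), "pingback.ping")


def verify_pingback(source, target, fetch, own_host, own_posts):
    """Return None if the ping is genuine, otherwise a Pingback fault code."""
    if urlsplit(target).hostname != own_host:
        return TARGET_NOT_OURS
    if target not in own_posts:
        return TARGET_NOT_FOUND
    if urlsplit(source).scheme not in ("http", "https"):
        return SOURCE_NOT_FOUND
    html = fetch(source)
    if html is None:
        return SOURCE_NOT_FOUND
    collector = LinkCollector()
    collector.feed(html)
    # Exact string match keeps the example short; a real receiver would
    # normalise both URLs before comparing them.
    if target not in collector.hrefs:
        return NO_LINK_TO_TARGET
    return None


def handle_pingback(request_body, fetch, own_host, own_posts):
    """Step 4: parse the call, verify it, and build the XML-RPC response.

    xmlrpc.client is used for brevity; its parser is not hardened against
    hostile XML, so a public endpoint needs a safer parser and size limits.
    """
    try:
        params, method = xmlrpc.client.loads(request_body)
    except Exception:
        return xmlrpc.client.dumps(xmlrpc.client.Fault(0, "malformed request"))
    if (method != "pingback.ping" or len(params) != 2
            or not all(isinstance(p, str) for p in params)):
        return xmlrpc.client.dumps(xmlrpc.client.Fault(0, "unsupported call"))
    source, target = params
    code = verify_pingback(source, target, fetch, own_host, own_posts)
    if code is not None:
        return xmlrpc.client.dumps(xmlrpc.client.Fault(code, "pingback rejected"))
    # A genuine ping becomes a comment that still waits for approval.
    message = "Pingback from %s to %s held for moderation" % (source, target)
    return xmlrpc.client.dumps((message,), methodresponse=True)


if __name__ == "__main__":
    for src in (SOURCE, SPAM_SOURCE):
        print(handle_pingback(build_ping(src, TARGET), FAKE_WEB.get,
                              OWN_HOST, OWN_POSTS))
```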

Figure 8-13. If you allow linkbacks on your site, this is the potential result. You write a post (in this example, that’s “Community Outreach Fridays”). Someone else writes a post that links to your post (that’s “Some Fun at Glenacres Retirement”), and WordPress adds the comment shown here as a way of letting the whole world know that someone is talking about you.

NOTE

Linkbacks aren’t a WordPress-only feature. Many web publishing platforms support them, and virtually all blogs can send linkback notifications and add linkback comments.

The purpose of linkbacks is twofold. First, they show your readers that people are seeing and discussing your content, which makes it seem more popular and more relevant. Second, they provide your readers with a link to the post that mentioned your post. That means readers on your site (say, Canton School) can click a linkback comment to head to the referring post on the other site (Time for Diane). In an ideal world, this is a great way to network with like-minded sites.

In the not-so-distant past, a certain faction of bloggers cared dearly about linkbacks and saw them as an important community-building tool. Nowadays, popular opinion has shifted. Here are some reasons why you might not want to allow linkbacks:

§ Clutter. Extra comments, no matter how brief, can end up crowding out real conversation. Some themes (like Bueno) separate linkbacks from the main comment stream, but most mix them together. If you have a popular topic that gets plenty of mention on other sites, your linkbacks can split up the more interesting human feedback and push it out of sight.

§ Why risk spam? More comments equals more spam, and shady advertisers can send linkbacks to your site just as often as they send other types of comment spam.

§ Links are a good way to reward your commenters. If someone writes a good comment, they can include a link in their comment text (“I was frustrated with the stains my kids left on everything, so I wrote a post with my favorite stain tips in it. Check it out at http://helpfatheroftwelve.com.”). And if the commenter included his website address in the Leave a Reply form (Leaving a Comment), WordPress automatically turns his user name at the top of the comment into a clickable link. With all this intra-post linking going on, why reward someone who hasn’t even bothered to comment on your site with a linkback?

NOTE

In short, most people find that linkbacks aren’t worth the trouble. To disable them, choose Settings→Discussion and remove the checkmark next to the setting “Allow link notifications from other blogs (pingbacks and trackbacks).” Technically, WordPress supports two linkback mechanisms: pingbacks and trackbacks. The technical details about how pingbacks and trackbacks send their messages aren’t terribly interesting. The important thing is that if you allow linkbacks (and, unless you change the factory settings, your site does), you may start getting comments like the one in Figure 8-13.

Optionally, you can clear the checkmark next to the setting “Attempt to notify any blogs linked to from the article.” When this setting is on and you write a post that links to another post on someone else’s site, WordPress automatically sends a notification to that site, and its administrator can choose whether to display the linkback.

NOTE

Oddly enough, if you have the “Attempt to notify any blogs linked to from the article” setting switched on, WordPress notifies even your own site if you create a post that includes a link to one of your other posts. It creates a linkback comment in the initial post that points to the referring post, just as though the posts were on two different sites. (Of course, you’re free to delete this comment if it bothers you.)

Making Comments More Personal

On a really good website, you won’t feel like you’re debating current affairs with anonymous_guy_65. Instead, you’ll have the sense that you’re talking to an actual person, someone who exists in the real world, beyond the pixels on your computer screen.

Often, all you need to do to personalize comments is include a few small details in the right places. One key enhancement is including a user-supplied profile picture with that person’s comment. WordPress gives you two ways to do that—you can get pictures from its excellent Gravatar service, or you can take them from a person’s Facebook or Twitter account. The following sections show you how to do both.

The Gravatar Service

To give comments a personal touch, you can display a tiny picture next to each person’s thoughts. This picture, called an avatar, could be an actual photograph of the person or something quirkier, like a mythical creature or cartoon character the person has chosen to represent her. The idea is that the avatar helps your guests see, at a glance, which comments belong to the same person, and it just might give them a taste of the author’s personality (Figure 8-14). Avatars also add a visual complement to web discussions, making a page of comments seem just a bit more like a real conversation.

Figure 8-14. Each of these users has an avatar—a thumbnail-sized picture—next to her comment.

WordPress uses an avatar service called Gravatar, which is short for “globally recognized avatar.” The idea is that ordinary people can use Gravatar to set up an avatar and include some basic personal information. They can then use that image and profile info on sites throughout the Web. Originally, Gravatar was a small service cooked up by a single person, but these days Automattic runs the service, making it freely available to virtually any blogging platform or website-building framework. (A Gravatar-supplied avatar goes by the name gravatar.)

You don’t need to take any special steps to enable avatars; WordPress uses them automatically. As you already know, every would-be commenter has to enter an email address. When he does, WordPress contacts the Gravatar service and asks if it has a picture affiliated with that address. If it does, WordPress displays the picture next to the comment. If it doesn’t, WordPress shows a featureless gray silhouette instead.

UP TO SPEED: WHY GRAVATARS MAKE GOOD SENSE

The obvious limitation to gravatars is that you won’t see personalized images unless your readers sign up with the Gravatar service. And unless your visitors are web nerds, they probably haven’t signed up yet—in fact, they probably haven’t even heard of Gravatar.

However, this dilemma isn’t as bad as it seems, for the following reasons:

§ Gravatars are optional. Some people use them, others don’t. There’s no downside to allowing gravatars on your site. And if someone notices that another commenter gets a personalized picture, that person just might ask about how to get the same feature.

§ Gravatars can be auto-generated. As Changing the “Mystery Man” Gravatar explains, you can replace the boring gray silhouettes for non-Gravatar users with an auto-generated gravatar. The neat thing about auto-generated gravatars is that they’re unique and consistent, which means they can help people identify comments left by the same person.

§ Gravatar can coexist with Facebook and Twitter pictures. As you’ll learn in Facebook and Twitter Comments, you can get comment pictures from Facebook and Twitter accounts. In this case, Gravatar is just one more picture-gathering option that works in harmony with the others.

§ Gravatars have WordPress.com support. WordPress.com users are more likely to have gravatars than other people, because the Gravatar service is integrated with the WordPress.com profile feature. If you’re a WordPress.com fan, choose Users→My Profile from the dashboard to set your gravatar quickly and painlessly.

§ You can remind your readers to get a gravatar. If you run a self-hosted site, you can edit the comments.php file in your theme (Introducing the Template Files) to add a reminder, like a link that says “Sign up for a Gravatar and get a personalized picture next to your comment.” Just don’t expect that many people will follow your recommendation.

Signing Up with Gravatar

If you aren’t a Gravatar fan yet, here’s how you sign up:

1. Go to http://gravatar.com and click the Create Your Own Gravatar button.

The sign-up page appears.

2. If you already have a WordPress.com account, you can use that with Gravatar. Click “I already have a WordPress.com account.”

You’ll need to fill in your email address and password, and click Authorize to link everything up. Then skip to step 4.

3. If you don’t have a WordPress.com account, you can sign up now. Fill in your email address, pick a user name and a password, and then click the “Sign up” button.

When you get the confirmation email, click the activation link inside to complete the signup.

4. If you haven’t already done so, sign in to Gravatar with your email address and password.

You arrive at the Manage Gravatars page, which informs you that you don’t yet have any images associated with your account.

5. Click the “Add one” link.

Gravatar gives you a number of ways to find an image. You can upload it from your computer’s hard drive (the first, and most common, option), snag it from a website, or snap a new one with a webcam (assuming you have one).

6. Click the appropriate button for your image (for example, “My computer’s hard drive”) and follow the instructions to find and crop your picture.

Gravatars are square. You can use an image as big as 512 x 512 pixels, and Gravatar will shrink it down to a thumbnail-size tile and display it next to each comment you leave.

7. Choose a rating for your Gravatar (see Figure 8-15).

Ordinarily, WordPress sites show only gravatars that have a G rating. If you want to tolerate more friskiness on your site, go to Settings→Discussion. Scroll to the Avatars section and ratchet up the Maximum Rating setting to PG, R, or X.

TIP

Are you concerned about inappropriate gravatars? You can disable gravatars altogether from the Settings→Discussion page. In the Avatars section, turn on the “Don’t show Avatars” radio button.

Figure 8-15. Some sites may not display gravatars that are mildly naughty (PG), violent or sexually explicit (R), or over-the-top disturbing (X). It’s up to you to pick the rating that represents your image best, but if you use an ordinary headshot, G is the right choice.

8. Now Gravatar associates your avatar with your email address.

All new comments you leave will include your new picture, and comments you already left will get it, too (assuming you haven’t changed your email address since you posted the comment). If, in the future, you decide you want a different picture, log back into Gravatar and upload a new one.

Changing the “Mystery Man” Gravatar

Ordinarily, if a commenter doesn’t have a gravatar, WordPress displays the infamous gray silhouette that it calls Mystery Man. You can replace Mystery Man with one of several other pictures from the Settings→Discussion page. Scroll down to the Avatars section and change the Default Avatar option.

The alternate possibilities include no image at all (select Blank from the Default Avatar list) or a stock Gravatar logo (select Gravatar Logo). More interestingly, you can give mystery commenters a tailor-made, unique gravatar (for your site only). WordPress creates it by taking your guest’s email address, using it to generate some semi-random computer gibberish, and then translating that into a specific type of picture. You can choose from four auto-generated gravatar types: Identicon (geometric patterns), Wavatar (cartoon-like faces), MonsterID (whimsical monster drawings), and Retro (video-game-style pixelated icons). Figure 8-16 shows two examples.

Figure 8-16. Algorithmically generated gravatars add some fun to your site, even if your readers don’t have real profile pictures. Here are two examples: Wavatar (left) and Retro (right). Notice that Sarah Crawford’s gravatar remains consistent for both her comments.
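What the email-to-picture lookup and the “semi-random computer gibberish” look like in practice, as an added example that is not code from the book or from WordPress. It assumes Gravatar's public image URL scheme (the MD5 hex digest of the trimmed, lowercased address, with the s, d and r query parameters); the commenter addresses and function names are constructed. Because the digest sits in the image URL that every visitor's browser loads and is the same on every site, it works as a stable identifier for the address, which is why Sarah Crawford's avatar stays consistent.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlencode

# Fallback styles named in the text, as Gravatar's "d" parameter spells them.
DEFAULT_STYLES = {"identicon", "wavatar", "monsterid", "retro", "blank"}
RATINGS = ("g", "pg", "r", "x")


def gravatar_hash(email):
    """Trim, lowercase, then MD5: the hex digest is the avatar's lookup key."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email, size=64, default="identicon", max_rating="g"):
    """Build the image URL a theme would place next to a comment."""
    if default not in DEFAULT_STYLES:
        raise ValueError("unknown default style: %r" % default)
    if max_rating not in RATINGS:
        raise ValueError("unknown rating: %r" % max_rating)
    if not 1 <= size <= 2048:  # Gravatar's documented request range
        raise ValueError("size must be between 1 and 2048 pixels")
    query = urlencode({"s": size, "d": default, "r": max_rating})
    return "https://www.gravatar.com/avatar/%s?%s" % (gravatar_hash(email), query)


def group_by_avatar(comments):
    """Group comment texts by avatar hash, as a reader's eye does by picture."""
    groups = defaultdict(list)
    for _author, email, text in comments:
        groups[gravatar_hash(email)].append(text)
    return dict(groups)


# Constructed sample comments (addresses are placeholders).
COMMENTS = [
    ("Sarah Crawford", "sarah.crawford@example.com", "Great post!"),
    ("Jacob", "jacob@example.com", "I disagree."),
    ("Sarah Crawford", "  Sarah.Crawford@Example.com ", "One more thought."),
]

if __name__ == "__main__":
    for author, email, _text in COMMENTS:
        print(author, gravatar_url(email, default="retro"))
    print(len(group_by_avatar(COMMENTS)), "distinct avatars")
```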

Gravatar Hovercards

The tiny comment pictures that Gravatar provides add a personal touch to your comments section, but the service can provide more than just pictures. It can also smuggle in a bit of personal information about each commenter. This information shows up as a hovercard—a small box that pops up when someone points to an avatar (Figure 8-17).

Figure 8-17. A hovercard is like a virtual business card. It displays your personal information, no matter what Gravatar-enabled site you visit. (If you’re curious about what happens when you click View Complete Profile, jump ahead to Figure 8-19.)

But there’s a catch: Hovercards appear only if your site runs on WordPress.com, or if you’re a self-hoster using Jetpack (the ridiculously useful free plug-in you’ll learn to install in The Jetpack Plug-In). If you meet one of these requirements, your comments probably display hovercards already. To check, choose Settings→Discussion, scroll down to the Avatars section, and make sure the checkbox next to “View people’s profiles when you mouse over their Gravatars” is turned on. (If you run a self-hosted site but don’t have Jetpack installed, you won’t see this setting and you won’t be able to use hovercards.)

Hovercards are a small but nice feature. They help readers learn a little bit about your commenters. You might assume that the hovercard details are part of your visitor’s WordPress profile, but they’re not. (In fact, hovercards work even if guests don’t have a WordPress account.) Instead, hovercards get their information from the profile that Gravatar users optionally set up.

This design is both good and bad. The advantage is that it makes hovercard information portable—it travels with the avatar, no matter what Gravatar-enabled site you visit (even if the site doesn’t run WordPress). The disadvantage is that if your readers don’t bother to fill out the profile information, hovercards won’t appear at all (Figure 8-18).

To make sure your hovercard looks good, you need to fill in the profile information, too. Visit the Gravatar site (http://gravatar.com), click the My Account button, and then choose Edit My Profile. There’s plenty of information you can fill in, but the details that appear on the hovercard are your full name (Display Name), where you live (Location), and a short blurb that describes yourself (About Me), which the hovercard truncates after the first couple of sentences. When you finish, click Save Profile to store your information with your Gravatar, allowing it to appear on hovercard-supporting sites everywhere.

Figure 8-18. Hovercards are a whole lot less impressive when visitors don’t bother to fill out their Gravatar profiles.

GEM IN THE ROUGH: GRAVATAR VERIFIED SERVICES

As you’ve seen, the Gravatar service is more than just a way to display your picture on different websites. It’s also a way for you to store a mini-profile with a bio, some basic personal details, and links to all the Gravatar-enabled websites you use.

This last part is one of Gravatar’s niftier features. It lets you add links in your Gravatar profile that point to other social websites or blogging services you belong to. For example, you can add links to your Facebook or Twitter accounts. Or you can include a link to your photos on Flickr, your videos on YouTube or Vimeo, your blog on WordPress (or Blogger, or Tumblr), and your accounts on many other social sites.

When you first sign up with Gravatar, it doesn’t include any of these links. You need to add them by editing your Gravatar profile from the Verified Services section. Choose a service from the list (like Facebook), and then click Add. Gravatar asks you to sign in to set up the link. (This is why Gravatar calls them verified services—it doesn’t actually add the link unless you verify that it truly belongs to you.)

In the past, when you added a verified service, Gravatar included a tiny icon for it in your hovercard (which was quite cool and very convenient). Sadly, Gravatar no longer takes this step, possibly to prevent spammers from abusing hovercards. However, verified service links still appear in a clearly visible place on the Gravatar profile page (Figure 8-19). To see them, click the View Complete Profile button that appears in every hovercard (Figure 8-17).

Figure 8-19. Salah Khan has three verified services with Gravatar: a WordPress.com blog, a Facebook account, and a YouTube account.

Facebook and Twitter Comments

Gravatars are a great idea, but they might not be practical for your site because people might not bother to use them (or they might not even realize how to use them). No matter—you can give visitors other comment options. For example, you can let them log into your site using their Facebook or Twitter credentials, and then post a comment. In such a case, WordPress grabs your guest’s Facebook or Twitter profile picture and displays it next to that person’s comments (Figure 8-20).

Figure 8-20. In this example, Charles Pakata is a WordPress.com user who has signed up with the Gravatar service. But Lisa and Rakesh are Facebook users. As long as they log into Facebook, WordPress uses their Facebook profile pictures, without forcing them to sign up with Gravatar or take any extra steps.

If your site runs on WordPress.com, you already have the Facebook and Twitter sign-in feature, and there’s no way to switch it off.

If you run a self-hosted blog, the best way to get Facebook and Twitter comments is with the Jetpack plug-in (The Jetpack Plug-In). However, you won’t be able to see the comments until you explicitly enable them. To do that, click Jetpack in the dashboard menu. Look for the box named “Jetpack Comments,” and then click the Activate button inside (Figure 8-21). Incidentally, this setting isn’t just for Facebook and Twitter users—it also lets anyone with a Google+ or WordPress.com account join in.

TIP

You might find that once you enable Jetpack comments, your comment section gets a new background that doesn’t blend in with the rest of your page. To fix this, choose Settings→Discussion, scroll down to the Jetpack Comments section, and try different options under Color Scheme. You can pick Light, Dark, or Transparent; finding the best fit is a trial-and-error process.

Figure 8-21. A self-hosted site doesn’t get Jetpack comments unless you install the plug-in and specifically opt in by clicking the Activate button shown here. To turn Jetpack comments off, you need to return to this box, click Learn More, and then click Deactivate.

Some people turn on Facebook and Twitter comments and enable the “Users must be registered and logged in to comment” setting (which you can find at Settings→Discussion). This creates a site that requires commenters to provide a social identity. When a site owner takes this step, he’s usually thinking something like this:

“I’ve been flexible, and now I want something in return. I’ve given my readers several good options for establishing their identity (Facebook, Twitter, Google+, and WordPress.com). By making them use one, I can lock out spammers and force people to bring their virtual identities to my site.”

Think carefully before you take this step. First, it only partly protects your site against spam, because many spambots have fake Facebook identities. Second, it guarantees that you’ll scare away at least some potential commenters, including those who don’t have a social media account, those who can’t be bothered to log in, and those who don’t want to reveal their social identities to you.

Stamping Out Comment Spam

So far, you’ve focused on the comments that are supposed to be on your site—the ones your visitors leave in response to your posts. Up to now, this discussion has skirted a disquieting fact: On the average WordPress site, spam comments outweigh legit comments by a factor of 10 to 1. And spammers don’t discriminate—they don’t attempt to chase the most popular blogs or the ones that cover their favorite topics. Instead, they spew their dreck everywhere.

Understanding Spam

You’re no doubt familiar with the idea of email spam—trashy chain letters and hoaxes that try to get you to download malware or send your banking information to a Nigerian gentleman with a cash flow problem. Blog spam is a different creature altogether. While email spam tries to lure you in, blog spam tries to slip right past you. That’s because blog spammers aren’t after you—they’re targeting your readers. The goal is for them to sneak their advertisements onto your site, where they can attract the attention of people who already trust your blog. Every bit of blog spam is trying to lure a reader to travel to the spammer’s site, either by clicking the commenter’s name or a link in the comment text.

In the past, spammers were crude and their messages easy to identify. Today, they’re trickier than ever. They attempt to disguise themselves as actual readers to fool you into allowing their comment (with its link to their site). Or they pretend to sell real products (which they never deliver). And spammers hire low-paid workers to hand-write spam messages and circumvent safeguards against spambots, like Captchas (Using Akismet).

Some WordPressers tell horror stories of receiving hundreds or thousands of spam messages a day. The problem is severe enough that, if you’re not careful, you can wind up spending more time dealing with spam than managing the rest of your site. Fortunately, you can use the tools and strategies discussed below to fight back.

UP TO SPEED: CAUGHT IN THE WILD

Spammers take great care to make their messages look as natural as possible. The spammer’s payload is a link, which is submitted with the comment and hidden behind the commenter’s name.

Here are some of the spam messages that we caught on this book’s example sites. Would any have fooled you?

“Glad to know about something like this.”

“Perhaps this is one of the most interesting blogs that i have ever seen. interesting article, funny comment. keep it up!”

“i was exactly talking about this with a friend yesterday, and now i found about it in your blog. this is awesome.”

“Could you tell me when you’re going to update your posts?”

“I’ve also been thinking the identical thing myself lately. Grateful to see another person on the same wavelength! Nice article.”

“We’re a bunch of volunteers and opening a brand new scheme in our community. Your site offered us with valuable info to paintings on. You have done an impressive job and our whole community can be grateful to you.”

Spam-Fighting Strategies

You can defend against spam in several ways:

§ Forbidding all comments. This is obviously a drastic, ironclad approach. To disable comments, you turn off the “Allow people to post comments on new articles” checkbox on the Settings→Discussion page. But be warned that if you do, you’ll sacrifice the lively conversation your visitors expect.

Verdict: An extreme solution. The cure is worse than the disease.

§ Using moderation. This is the default WordPress approach, and it’s the one you learned about in this chapter. The problem is that you just can’t keep moderating a site that’s growing in size and popularity—it becomes too labor-intensive. It also has a distinct drawback: It forces commenters to wait before their comment appears on your site, by which point they may have lost interest in the conversation.

Verdict: Not practical in the long term, unless you combine it with a spam-catching tool (like Akismet, which you’ll meet in a moment).

§ Forcing commenters to log in (for self-hosted sites only). To use this approach, you need to add each visitor’s ID to your WordPress site, or create some way for them to register on your site themselves. This approach definitely isn’t suitable for the average public blog. However, it may work if you have a small, captive audience—for example, if you’re building a site for family members only, or for a team of coworkers.

Verdict: For special cases only. You’ll learn about multiuser blogs in Chapter 11.

§ Making commenters log in, but allowing third-party log-ins. A third-party login verifies your guests through an authentication service—typically one provided by WordPress.com, Facebook, or Twitter. This requirement may work, because many people already have Facebook or Twitter accounts that they don’t mind using (whereas they definitely won’t bother creating a new account just to leave a single comment). Still, forcing logins may drive away as many as half of your would-be commenters. And it’s still not truly spam-proof, because clever spam-bots can create Facebook accounts, just like real people can.

Verdict: A good idea, but not a complete spam-fighting solution.

§ Using Akismet or another spam-catching plug-in. Many WordPress administrators swear that their lives would not be livable without the automatic spam-detecting feature of Akismet. It isn’t perfect—some site owners complain that legitimate comments get trashed, and they need to spend serious time fishing them out of the spam bucket—but it usually gives the best spam protection with the minimum amount of disruption to the commenting process.

Verdict: The best compromise. It’s also essential if you turn off moderation.

The pros and cons of managing comments by moderation versus spam-fighting are a lot to digest, even for seasoned webheads. But the evidence is clear: Most WordPress pros eventually start using a spam-catching tool. They may use it in addition to moderation, or—more likely—instead of it.

NOTE

If you don’t have a spam filter, you are the spam filter. And given that an ordinary WordPress site can attract dozens of spam messages a day, you don’t want to play that role.

If you’re ready to ditch comment moderation in favor of a livelier, more responsive, and less controlled discussion, choose Settings→Discussion and turn off the checkboxes next to these settings: “An administrator must always approve the comment” and “Comment author must have a previously approved comment.” Then click Save Changes at the bottom of the page.

Now continue to the next section to make sure you have a proper spam-blocker in place.

POWER USERS’ CLINIC: WORDPRESS’S OTHER SPAM-CATCHING OPTIONS

WordPress has a few built-in spam-fighting options on the Settings→Discussion page. In the past, they were a practical line of defense that could intercept and stop a lot of junk comments. Unfortunately, spamming evolved in the intervening years, and now these settings are only occasionally useful. They include:

§ “Hold a comment in the queue if it contains 2 or more links.” Use this setting to catch posts that have a huge number of links. The problem is that spammers are on to this restriction, so they’ve toned down their links to make their spam look more like real comments.

§ The Comment Moderation and Comment Blacklist boxes. Try these boxes, described earlier (Sanitizing Comments), as a way to keep out offensive text. They also double as a way to catch spam. However, don’t rush to put in obvious spammy keywords, because you’ll just end up doing a clumsier version of what Akismet already does. Instead, consider using these boxes if you have a spam problem that’s specific to your site—for example, a certain keyword that keeps coming up when spammers target your posts.

§ “Automatically close comments on articles older than 14 days.” Unless you set it, this option isn’t switched on. However, it’s a potentially useful way to stop spammers from targeting old posts, where the conversation has long since died down. And you don’t need to stick to the suggested 14 days. You can type in any number, even making the lockout period start a year after you publish a post.
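To see what these three settings can and cannot catch, here is a simplified model of them run over constructed comments. It is an added example, not WordPress's own code; the keyword lists, addresses and dates are made up, and matching keywords against the author, URL, email and body fields is an assumption of this model.

```javascript
// Simplified model of three Settings→Discussion checks; not WordPress's own code.
// Every comment, keyword, URL and date below is constructed sample data.
const DAY_MS = 24 * 60 * 60 * 1000;

const defaults = {
  maxLinks: 2,          // hold a comment with this many links or more
  moderationWords: [],  // Comment Moderation box: a match holds the comment
  blacklistWords: [],   // Comment Blacklist box: a match sends it to spam
  closeAfterDays: 14,   // null leaves old posts open for comments
};

// Count HTML anchor tags in the comment body only.
function countLinks(body) {
  const found = body.match(/<a\s[^>]*href/gi);
  return found ? found.length : 0;
}

// True if any word appears in any field (case-insensitive substring match).
function matchesAny(fields, words) {
  const text = fields.map((f) => String(f || '').toLowerCase());
  return words.some((w) => text.some((t) => t.includes(w.toLowerCase())));
}

// Returns 'closed', 'spam', 'hold' or 'publish' for one submitted comment.
function triage(comment, post, now, cfg = defaults) {
  const ageDays = (now - post.published) / DAY_MS;
  if (cfg.closeAfterDays !== null && ageDays > cfg.closeAfterDays) return 'closed';
  const fields = [comment.author, comment.url, comment.email, comment.body];
  if (matchesAny(fields, cfg.blacklistWords)) return 'spam';
  if (matchesAny(fields, cfg.moderationWords)) return 'hold';
  if (countLinks(comment.body) >= cfg.maxLinks) return 'hold';
  return 'publish';
}

const now = Date.UTC(2014, 5, 20);
const freshPost = { published: Date.UTC(2014, 5, 15) };
const oldPost = { published: Date.UTC(2014, 0, 10) };

const linkStuffed = {
  author: 'Deals', url: '', email: 'deals@example.test',
  body: 'Try <a href="http://one.example">this</a> and <a href="http://two.example">that</a>',
};
// Body text quoted from the "Caught in the Wild" box; the link sits in the URL field.
const stealthy = {
  author: 'Friendly Reader', url: 'http://spam-shop.example', email: 'fr@example.test',
  body: 'Glad to know about something like this.',
};
// A site-specific rule of the kind the Comment Moderation box is suggested for.
const tuned = { ...defaults, moderationWords: ['spam-shop.example'] };

function runSamples() {
  return {
    linkStuffed: triage(linkStuffed, freshPost, now),
    stealthy: triage(stealthy, freshPost, now),
    stealthyTuned: triage(stealthy, freshPost, now, tuned),
    stealthyOldPost: triage(stealthy, oldPost, now),
  };
}

console.log(runSamples());
```

The link-count rule holds the link-stuffed comment but publishes the natural-looking one, which is only stopped by a site-specific keyword or by the post being closed.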

Understanding Akismet

Akismet is one of many spam-fighting plug-ins developers created for WordPress. However, it has a special distinction: Automattic, the same folks who built WordPress, makes it. It’s also the only spam-blocking tool with which WordPress.com blogs work.

Akismet works by intercepting each new comment. It sends the details of that comment (including its text and the commenter’s website, email, and IP addresses) to one of Akismet’s web servers. There, the server analyzes it, using some crafty code and a secret spam-fighting database, to attempt to determine whether it’s legitimate. Any one of a number of details can betray a spam message, including links to known spam sites, a known spammer IP address, phrases commonly found in spam messages (“free Viagra” for instance), and so on. Akismet quickly makes its decision and reports back to your website. Your site then either publishes the comment or puts it in the Spam folder, depending on Akismet’s judgment.
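The exchange described above, sketched as an added example (not the Akismet plug-in's code): the request a site would send and how it routes the one-word answer. The endpoint and field names follow Akismet's public comment-check API; the key, site URL and comment are constructed, and holding a comment when the answer is unreadable is this example's own choice.

```javascript
// Added illustration of the comment-check exchange; not the Akismet plug-in's code.
// The key, blog URL and comment below are constructed placeholders.
const AKISMET_ENDPOINT = 'https://rest.akismet.com/1.1/comment-check';

// Build the form-encoded request that carries the comment details to the service.
function buildCommentCheck(apiKey, blogUrl, c) {
  const body = new URLSearchParams({
    api_key: apiKey,
    blog: blogUrl,
    user_ip: c.ip,
    user_agent: c.userAgent,
    comment_type: 'comment',
    comment_author: c.author,
    comment_author_email: c.email,
    comment_author_url: c.url,
    comment_content: c.body,
  });
  return {
    url: AKISMET_ENDPOINT,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// The service answers with the text "true" (spam) or "false" (not spam).
// Anything else (an error, a timeout, a rejected key) is held for a human
// instead of being published or discarded unseen.
function routeVerdict(status, responseText) {
  const answer = String(responseText).trim();
  if (status === 200 && answer === 'true') return 'spam';
  if (status === 200 && answer === 'false') return 'publish';
  return 'hold';
}

// Send the request; fetchImpl can be swapped for a stub when testing offline.
async function checkComment(req, fetchImpl = fetch) {
  try {
    const res = await fetchImpl(req.url, {
      method: req.method, headers: req.headers, body: req.body,
    });
    return routeVerdict(res.status, await res.text());
  } catch (err) {
    return 'hold'; // network failure: keep the comment for manual review
  }
}

const sampleComment = {
  ip: '203.0.113.7',
  userAgent: 'Mozilla/5.0 (constructed sample)',
  author: 'Friendly Reader',
  email: 'fr@example.test',
  url: 'http://spam-shop.example',
  body: 'Glad to know about something like this.',
};

const sampleRequest = buildCommentCheck('YOUR_AKISMET_KEY', 'https://blog.example', sampleComment);
console.log(sampleRequest.body);
```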

WordPress experts report that Akismet’s success rate hovers at around 97 percent. Usually, when Akismet errs, it does so by flagging a safe comment as spam (rather than allowing real spam through). However, Akismet’s success depends on the site and the timing. When spammers adjust their tactics, it may take Akismet a little time to catch up, during which its accuracy will drop.

Akismet is free, mostly. Personal sites pay nothing (unless you volunteer a small donation). However, small businesses and money-making blogs are expected to contribute $5 per month. Large publishers that want to spam-proof multiple sites are asked for $50 a month.

NOTE

Akismet uses an honor system, and there are plenty of sites that earn a bit of money but don’t pay the Akismet fee. If you want a totally free business-friendly solution for a self-hosted site, you need to find a different plug-in. Several good alternatives are described in the box below.

FREQUENTLY ASKED QUESTION: AKISMET ALTERNATIVES

I need a spam-catching tool, but I don’t want Akismet. Are there other options?

If you run a self-hosted WordPress site, there’s no shortage of spam-fighting plug-ins. Unlike Akismet, many are free for almost everyone. (Some plug-in developers collect donations, charge for only the highest-traffic sites, or make extra money charging support fees to big companies. Others do it simply for the prestige.)

Two caveats apply. First, if you plan to use Jetpack’s social commenting feature (Facebook and Twitter Comments), which lets visitors comment using their Facebook and Twitter identities, your options are limited. Currently, Akismet is the only spam fighter that works with these identities.

Second, it’s impossible to know which anti-spam tool is the best for your site—you need to try them out yourself. Anti-spam developers and spammers are locked in an ever-escalating arms race. The spam blocker that works perfectly this week might falter the next week when clever spammers work around its detection rules.

Three good Akismet alternatives include:

§ Anti-spam (http://tinyurl.com/wp-anti-spam)

§ Antispam Bee (http://antispambee.com)

§ AVH First Defense Against Spam (http://tinyurl.com/avhspam)

To try one of these out, install it using WordPress’s plug-in feature. But before you do, skip ahead to the basics of plug-in management described in Chapter 9.

Installing Akismet

If your site is on WordPress.com, you’re already using Akismet, and there’s no way to turn it off. As soon as you turn off comment moderation, you leave the entire process in Akismet’s hands. (Skip ahead to the next section to learn more about that.) If you have a self-hosted site, there’s a little more to Akismet’s setup. The plug-in is so valuable that Automattic bundles a copy with every WordPress site. However, it isn’t activated, which means it’s just an idle file sitting on your web server. To make Akismet spring to life, you need to sign up for an Akismet key and activate the plug-in. Here’s how:

1. First, you need an Akismet key. To get that, head to http://akismet.com/wordpress.

You can think of the Akismet key as a license to use Akismet on your site.

2. Click “Get An Akismet API Key.”

The sign-up page appears.

3. If you already have a WordPress.com account, you can use that login information with Akismet. Click “I already have a WordPress.com account.”

You’ll need to fill in your email address and password, and click Authorize to link everything up. Then skip to step 5.

NOTE

Remember, if you use any of the other services Automattic provides, such as Gravatar for comment pictures (The Gravatar Service) or the Jetpack plug-in (The Jetpack Plug-In), then you already have a WordPress.com account linked to your email address.

4. If you don’t have a WordPress.com account, you can sign up now. Fill in your email address, pick a user name and a password, and then click the “Sign up” button.

When you get the confirmation email, click the activation link inside to complete the signup.

5. If you haven’t already done so, sign in to Akismet with your email address and password.

Before Akismet will give you a key, it checks to see if you’re willing to pay for the privilege.

Akismet shows three sign-up options (Figure 8-22), depending on the type of site you have. It may also offer you the chance to buy Akismet in a bundle with VaultPress, a WordPress backup tool described in Using an Automated Backup Service.


Figure 8-22. If you run a small, not-for-profit site or personal blog, you can click Sign Up in the Personal box without guilt. If you have a more serious site, your conscience compels you to click Sign Up in the Pro box.

6. Click the appropriate Sign Up button.

If you picked the personal plan, Akismet still asks for a donation (Figure 8-23). You choose an amount using a slider below the question “What is Akismet worth to you?” (In fairness to freeloaders everywhere, it’s difficult to answer this question before you actually start using Akismet.)


Figure 8-23. Akismet asks for a donation of $36 a year. Drag the slider either way to change the amount you’re willing to pay. Go all the way to the left and your voluntary contribution declines to nothing, and the credit card options disappear.

7. Fill in your name and click Continue.

If you elected to pay for Akismet, you need to enter your credit card or PayPal information as well.

8. Shortly thereafter, you’ll receive an email message with your Akismet key in it.

It’s a funny-looking code, like 0286f4c389b2. Make note of it, because you’ll need it in a few steps.

9. Return to your site’s dashboard, and then choose Plugins→Installed Plugins.

You’ll see a list of plug-ins, with Akismet at the top.

NOTE

You’ll learn far more about plug-ins, including how to manage them and how to find more, in the next chapter. But for now, these steps walk you through the very simple process of activating the Akismet plug-in you already have.

10. Point (without clicking) to Akismet, and click the Activate link that appears.

At this point, WordPress shows a message at the top of the Plugins page with an activation button.

11. Click the “Activate your Akismet account” button and then click the “I already have a key” link.

This brings you to the page where you enter your Akismet key.

12. Copy the key from your email message and then paste it into the text box (Figure 8-24).


Figure 8-24. Before Akismet can start catching spam, it needs your API key, which looks like the series of letters and numbers shown here.

13. Click Save Changes.

Akismet displays a message that confirms that everything worked out and your setup is complete. It also displays two optional settings that you can tweak:

o “Auto-delete spam submitted on posts more than a month old” tells Akismet to periodically delete old messages in your spam folder, whether you reviewed them or not. This is generally a good idea, because it prevents your site from collecting thousands of spam comments that will swell up your WordPress database to an ungainly size. (The box on What to Do When Your Blog is Buried in Pending Comments has more about the problem.)

o “Show the number of comments you’ve approved beside each comment author” tells Akismet to add an extra piece of information to the comments list in the dashboard. This is a count with the number of comments you previously approved from each would-be commenter. Presumably, if you’ve approved plenty of messages from the same person, you can trust their newest contributions.

To revise these settings later, head to the Plugins→Akismet section of the dashboard.

Using Akismet

Akismet integrates so seamlessly into WordPress’s comment system that you might not even realize it’s there. It takes over the comments list, automatically moving suspicious comments to the spam folder and publishing everything else.

To give Akismet a very simple test, sign out of your site, and then try adding a few comments. If you enter ordinary text, the comment should sail through without a hiccup. But type in something like “Viagra! Cialis!!” and Akismet will quietly dispose of your comment.

Just because you disabled moderation and started using Akismet doesn’t mean your comment-reviewing days are over. Once your site is up and running with Akismet, you should start making regular trips to the Comments section of the dashboard. Only now, instead of reviewing pending comments that haven’t been published, you should click the Spam link and check for any valid comments that were accidentally removed. If you find one, point to it and click the Not Spam link. If you find several, you can restore them all with a bulk action—first, turn on the checkboxes next to the comments, pick Not Spam from the Bulk Actions list, and then click Apply. You’ll soon get a feeling for how often you need to check for stray messages.

Fighting Spam with CAPTCHA

Some WordPress administrators find that a traditional spam-analysis tool like Akismet isn’t enough to stop the inevitable avalanche of spam. Others find that Akismet consistently flags good comments as spam, creating a different sort of comment-moderation headache. If you’re in the first camp, you might want to supplement Akismet with something else. If you’re in the second camp, you might want to try switching Akismet off and plugging the hole with a different tool.

Either way, one good candidate is a Captcha (which computer nerds translate into the phrase “Completely Automated Public Turing test to tell Computers and Humans Apart”). The idea behind Captcha technology is to force commenters to do something that automated spam-bots can’t, at least not easily. If you’ve ever registered with a site that asks you to retype a set of fuzzy letters or distorted words, you’ve seen Captcha in action. Facebook, Hotmail, and Gmail all use it, for example.

The problem with Captchas is twofold. First, there’s no Captcha that’s too hard for some spambot to crack. Second, there’s no Captcha that’s so easy that it won’t annoy your readers, at least a little. But if you use an easy, unobtrusive Captcha, you just might be able to reduce spam to more manageable proportions, without annoying your visitors too much. (Hint: You don’t want to use the fuzzy letter system.)

To add a Captcha, you need to be running a self-hosted WordPress site, and you need to add a plug-in. If you search the WordPress plug-in repository, you’ll find dozens. Here are three worth considering:

§ Growmap Anti-Spambot (http://tinyurl.com/growmapspam). This is almost the simplest Captcha you can use. It simply asks the commenter to check a checkbox. Thus, it annoys almost no one but still trips up the majority of automated spam-bots.

§ CAPTCHA (http://tinyurl.com/wp-captcha). This generically named plug-in lets you use simple math questions, like “seven + 1.” Yes, shockingly enough, some would-be commenters will still manage to get these questions wrong. However, it won’t drive visitors away as quickly as a fuzzy-word-reading test.

§ Anti-CAPTCHA (http://tinyurl.com/wp-anticaptcha). This plug-in performs an invisible test. Essentially, it asks a guest’s web browser to run a snippet of JavaScript. That snippet then sets a hidden value in the web page. Automated spam-bots usually ignore JavaScript code, so they won’t be able to set the hidden value that Anti-CAPTCHA looks for, and thus they’ll fail the test. Overall, this plug-in catches the least amount of spam, but it presents no inconvenience to your readers.

Remember, CAPTCHA isn’t foolproof. It won’t stop human spammers (who typically account for less than 10 percent of all spam), and it won’t stop the sneakiest spambots. However, it can reduce the total amount of spam enough to improve your life.
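A sketch of the server side of the hidden-value test described for Anti-CAPTCHA above. It is an added example, not the plug-in's code; the field names (`ac_ts`, `ac_token`), the HMAC-signed timestamp and the one-hour window are assumptions made for illustration.

```javascript
// Sketch of a JavaScript-set hidden-field check; not the Anti-CAPTCHA plug-in's code.
// Field names, the secret and the time window are assumptions of this example.
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32);  // per-site secret, kept on the server
const MAX_AGE_MS = 60 * 60 * 1000;      // a rendered form is accepted for one hour

function sign(ts) {
  return crypto.createHmac('sha256', SECRET).update(String(ts)).digest('hex');
}

// Called when the post page is rendered.
function issueChallenge(now = Date.now()) {
  return { ts: String(now), token: sign(now) };
}

// The hidden inputs ship empty; only the inline script fills them in.
function renderCommentForm(ch) {
  return [
    '<form id="commentform" method="post">',
    '  <textarea name="comment"></textarea>',
    '  <input type="hidden" name="ac_ts" value="">',
    '  <input type="hidden" name="ac_token" value="">',
    '  <input type="submit" value="Post Comment">',
    '</form>',
    '<script>',
    '  var f = document.getElementById("commentform");',
    `  f.elements["ac_ts"].value = ${JSON.stringify(ch.ts)};`,
    `  f.elements["ac_token"].value = ${JSON.stringify(ch.token)};`,
    '</script>',
  ].join('\n');
}

// Returns { ok, reason } for a submitted form (an object of field name to value).
function verifySubmission(form, now = Date.now()) {
  const ts = String(form.ac_ts || '');
  const token = String(form.ac_token || '');
  if (!ts || !token) return { ok: false, reason: 'hidden value missing' };
  if (!/^\d+$/.test(ts)) return { ok: false, reason: 'malformed timestamp' };

  const expected = Buffer.from(sign(ts), 'hex');
  const given = Buffer.from(token, 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'token does not match' };
  }
  const age = now - Number(ts);
  if (age < 0 || age > MAX_AGE_MS) return { ok: false, reason: 'form expired' };
  return { ok: true, reason: 'passed' };
}

// Constructed submissions: a browser that ran the script, a client that did not,
// the same form sent long after it was rendered, and a made-up token.
function demo() {
  const t0 = Date.UTC(2014, 5, 20, 12, 0, 0);
  const ch = issueChallenge(t0);
  const fromBrowser = { comment: 'Nice post', ac_ts: ch.ts, ac_token: ch.token };
  const noScript = { comment: 'Nice post', ac_ts: '', ac_token: '' };
  const madeUp = { ...fromBrowser, ac_token: 'ab'.repeat(32) };
  return {
    fromBrowser: verifySubmission(fromBrowser, t0 + 30 * 1000),
    noScript: verifySubmission(noScript, t0 + 30 * 1000),
    stale: verifySubmission(fromBrowser, t0 + 2 * MAX_AGE_MS),
    madeUp: verifySubmission(madeUp, t0 + 30 * 1000),
  };
}

console.log(demo());
```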

TROUBLESHOOTING MOMENT: WHAT TO DO WHEN YOUR BLOG IS BURIED IN PENDING COMMENTS

Spammy comments are a danger to any blog. If visitors find your site choked with spam, they’re far less likely to keep reading or make a return visit.

But even if spam comments aren’t approved, they can still pose a problem for your site. First, they clog your Comments page in the dashboard, making it harder for you to find the real comments. And because WordPress stores them in its database, they can bloat it with meaningless content, wasting space on your web host and making it more difficult and time-consuming to back up your site.

The solution seems obvious—just delete all the spam—but it’s not always so easy. If your site has the misfortune to fall victim to an automated spam-spewing tool, you can find yourself with thousands or even hundreds of thousands of spam comments in short order. (It’s happened to us.) So what’s a WordPress administrator to do?

If you use a spam-catching plug-in like Akismet, spam comments end up in the spam folder. The good news is that you can clean out all your spam with just a few clicks. In the dashboard menu, click Comments, and then click the Spam link at the top of the list. Finally, click the Empty Spam button. (Even better, get your spam catcher to automatically clean out old spam, as explained in Using Akismet.)

If you’re not using a spam-catching plug-in, you’ve got a bigger problem on your hands. That’s because the spam comments will be pending comments, and the dashboard doesn’t provide a way to delete a huge number of pending comments at once. Even bulk actions can act on no more than a single page of comments at a time. At that rate, deleting thousands of spam comments is a several-day affair.

There are two solutions. First, you can use a plug-in that removes all pending comments, such as WP-Optimize (http://tinyurl.com/wp-opti). Or, if you’re a tech-savvy person who’s not intimidated by the idea of diving into your WordPress database and fiddling around, you can use a tool like phpMyAdmin to peer into your database and remove the junk. To get started in this endeavor, read the walkthrough at http://tinyurl.com/deletepen2.