Bad Behavior is a WordPress plugin which effectively stops spam by analyzing not just the content of the spam, but also the way it is delivered (for example, by blacklisting requests made directly to wp-comments-post.php). I installed it a couple of months ago in response to my spam comment numbers (which exceeded 10,000 per month), and it has been massively effective at killing spam.
Installing and configuring Bad Behavior
Once you install the plugin, you can pull up the settings page from the Settings menu. The overall settings are fairly simple and really, they can be left at default and work very effectively.
You have options to decide whether to display your statistics in the footer, how to log HTTP requests and what kind of requests to block. I have enabled strict checking, which applies tighter rules and may block some legitimate requests – I’m OK with that, given how much spam I have to deal with.
You can then activate the http:BL service as an extra measure, which checks each request against a centrally maintained blacklist (similar to how Akismet works). You’ll need an Access Key for this, but it’s free and signing up is easy. You can set two values for how strict you want http:BL to block requests, but I’ve left them at the default values and they seem to be working well for me.
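To make the two mechanisms described above concrete, here is an added illustration in Python. It is not Bad Behavior's own code and it does not touch WordPress; it screens constructed sample requests the way the post describes, judging a comment POST by how it was delivered (a direct request to wp-comments-post.php that did not come through the site's own pages) and consulting an http:BL answer. The DNS name format and the 127.days.threat.type answer encoding follow Project Honey Pot's published description of http:BL; the threshold defaults, the `strict` rule, the `Request` class and the sample data are assumptions made for this example.

```python
"""
Added illustration (not the Bad Behavior plugin's code): a minimal request screener
that applies the post's two ideas, delivery-based checks plus an http:BL lookup verdict.
Every request and every blacklist answer below is constructed sample data.
"""
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# http:BL answers are IPv4 addresses of the form 127.<days>.<threat>.<type>.
# The type octet is a bitmask (values per Project Honey Pot's public docs).
TYPE_SEARCH_ENGINE = 0
TYPE_SUSPICIOUS = 1
TYPE_HARVESTER = 2
TYPE_COMMENT_SPAMMER = 4


@dataclass
class Request:            # assumed minimal request model for this example
    method: str
    path: str
    client_ip: str
    headers: Dict[str, str] = field(default_factory=dict)


def httpbl_query_name(client_ip: str, access_key: str) -> str:
    """DNS name queried for http:BL: <access key>.<reversed IPv4>.dnsbl.httpbl.org."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return f"{access_key}.{'.'.join(reversed(octets))}.dnsbl.httpbl.org"


def decode_httpbl(answer: Optional[str]) -> Optional[dict]:
    """Decode an http:BL A-record answer; None (NXDOMAIN) means the IP is not listed."""
    if answer is None:
        return None
    octets = [int(x) for x in answer.split(".")]
    if len(octets) != 4 or octets[0] != 127:
        raise ValueError(f"not an http:BL answer: {answer}")
    return {"days": octets[1], "threat": octets[2], "type": octets[3]}


def httpbl_blocks(answer: Optional[str], max_threat: int = 25, max_age_days: int = 30) -> bool:
    """The two strictness knobs the post mentions: threat threshold and maximum age.
    The default numbers are assumptions, not the plugin's. Search engines (type 0) never block."""
    info = decode_httpbl(answer)
    if info is None or info["type"] == TYPE_SEARCH_ENGINE:
        return False
    return info["threat"] >= max_threat and info["days"] <= max_age_days


def delivery_checks(req: Request, site_host: str, strict: bool = False) -> List[str]:
    """Delivery-based heuristics: a comment POST that did not arrive via one of the site's
    own pages is treated as a direct submission. The strict rule is an assumed extra check."""
    reasons = []
    h = {k.lower(): v for k, v in req.headers.items()}
    if req.method == "POST" and req.path.endswith("/wp-comments-post.php"):
        referer = h.get("referer", "")
        if not referer.startswith((f"http://{site_host}/", f"https://{site_host}/")):
            reasons.append("direct POST to wp-comments-post.php (no on-site Referer)")
        if strict and not h.get("user-agent"):
            reasons.append("strict: comment POST without a User-Agent")
    return reasons


def screen(req: Request, site_host: str, httpbl_answer: Optional[str], strict: bool = False) -> dict:
    """Return 200 (allow) or 403 with the reasons and a reference key for the error page."""
    reasons = delivery_checks(req, site_host, strict)
    if httpbl_blocks(httpbl_answer):
        reasons.append("client IP listed in http:BL")
    if not reasons:
        return {"status": 200, "reasons": []}
    return {"status": 403, "reasons": reasons, "key": secrets.token_hex(8)}


def run_samples() -> List[int]:
    """Constructed sample traffic: a browser comment, a direct bot POST, a listed spammer IP."""
    site = "blog.example"
    samples = [
        (Request("POST", "/wp-comments-post.php", "198.51.100.7",
                 {"Referer": f"https://{site}/2013/bad-behavior/", "User-Agent": "Mozilla/5.0"}), None),
        (Request("POST", "/wp-comments-post.php", "203.0.113.9", {}), None),
        (Request("GET", "/2013/bad-behavior/", "192.0.2.10", {"User-Agent": "curl/7.x"}), "127.3.60.4"),
    ]
    return [screen(r, site, ans, strict=True)["status"] for r, ans in samples]


if __name__ == "__main__":
    for status in run_samples():
        print(status)
```

The unique key on the 403 is what lets a blocked visitor quote one specific access attempt back to the site owner, which is how a false positive can be traced in the log. A real deployment would issue the DNS query for `httpbl_query_name(...)` and feed the A-record answer (or None on NXDOMAIN) into `screen`.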
There are also options for EU Cookie Handling and Reverse Proxy/Load Balancers, but these won’t apply to most setups.
Bad Behavior in action
Once Bad Behavior is set up and deployed, malicious server requests immediately receive a 403 error. This will save you a lot of bandwidth and precious server resources. Furthermore, if a legitimate request is blocked inadvertently, the error page gives a unique key that lets you refer to that individual access attempt; it also tells the user why their request was blocked and offers recommendations on how to resolve it, such as removing malware from their machine.
The error log
Bad Behavior can keep a log of blocked access attempts if you so wish. It makes for quite interesting reading, to see where people are trying to get access to your site.
From my original position of more than 10,000 spam comments per month, I am now down to less than 200, most of which Akismet catches. So between the two, I’ve got a great system which produces very few false positives and doesn’t leave much bloat in my database. I love it and I don’t think that Bad Behavior gets enough good press.
How about you? Have you ever heard of it? Have you given it a go? How did it work for you?