Download EE 2 Docs Download EE 1 Docs
ExpressionEngine

2.9.0 User Guide

Spam Protection

Comment spamming and other types of spamming have become common problems for systems that permit user-submitted information. If you are not familiar with comment spamming, it is when someone repeatedly submits malicious comments into your system. This can be done by someone manually, or if the person is more sophisticated, it can be done using scripts designed to insert hundreds, or even thousands of comments automatically. The purpose of spam is to increase traffic at the spammer’s web site. By leaving comments linking to their site, they increase their position in Search Engine listings.

ExpressionEngine has several security features aimed at preventing spamming. There is no “silver bullet”, as spammers adapt their tactics to new deterrents, but the combination of security features in ExpressionEngine will provide a high degree of safety, particularly against the automated spamming methods.

Blacklists

The ExpressionEngine Blacklist/Whitelist Module is an integral part of EE’s spam prevention capability. This Module allows you to specify URLs, IP addresses, and user agents that you want to deny (blacklist) or specifically allow (whitelist) from your site.

The blacklist checks all content that is submitted to your site. ExpressionEngine will compare the submitted content against your blacklist/whitelist and then behave accordingly.

CAPTCHAs

A CAPTCHA is a computer-generated test that humans can pass but computer programs cannot. Since a great deal of spam is generated by automated scripts or “bots”, a CAPTCHA can be effective at preventing their use.

When the CAPTCHA is enabled, an image containing a random word appears next to the comment and member registration forms. In order to submit the form, the word must be typed into a form field.

ExpressionEngine can use CAPTCHAs for comment submission and member registration.

Comment Time Interval

This setting defines the amount of time that must lapse between comment postings. A malicious user will have to wait until the time has lapsed before being able to post again.

The setting is located at: Admin ‣ Channel Administration ‣ Channels ‣ Edit Preferences

Rank Denial

The primary goal of spammers is to have their sites ranked highly in Search Engines in order to generating more traffic for themselves. They achieve this by posting comments at your site which contain links to their own site. The more links to their site scattered in channels across the internet, the higher Search Engines will rank them.

The Rank Denial feature denies a spammer this “ranking” benefit by altering all links submitted by users so that they point to an intermediary “redirect page” at your site first, before being sent to the target destination.

The setting is located at: Admin ‣ Security and Privacy ‣ Security and Sessions

Deny Duplicate Data

The “Deny Duplicate Data” feature prevents a comment from being accepted if an identical one already exists in your database. A malicious person can’t submit the same information more than once.

The setting is located at: Admin ‣ Security and Privacy ‣ Security and Sessions

Site Membership

Although this isn’t technically a security feature, requiring your users to be members of your site provides additional safety against spamming since you have better control over the people posting on your site.

User Contributed Notes

You must have an EllisLab product license and have at least 50 posts to the community forums to contribute notes to the User Guide