dealing with crapflooding, part two
As mentioned in the previous entry about crapflooding, in addition to throttling and blacklists, there are three things you can do to secure your blog further:
1) Change the name of your comments script
2) Force users to go through preview mode
3) Require users to enter a CAPTCHA or security code
These three tricks can be effective because crapflooding is done with an automated comment submission script. The crapflooders are not looking at your blog's comment form the way a human user is. Thus, they may be fooled by a comments script named something other than the standard mt-comments.cgi; they don't realize that posting to the form only sends the comment to a preview page and doesn't submit it; and they don't have any way to see and enter the security code.
There are ways around each of these tricks, but each of them alone will deter at least some crapflooders and all of them together may deter more.
To implement a CAPTCHA in MT, use the SCode plugin. If you are using MT-Blacklist, you will need to apply the SCode hack to MTBlPost.pm as well as Comments.pm. If you are using EZ Subscribe, you will need to add the "code" and "scode" form fields to the sub-to-com.cgi script.
If you are using forced preview as well as a security code, you can leave the security code fields off of your comment listing (or individual entry archive) template. MT will not check the comment for submission errors between the posting form and the preview page, so it's pointless to ask for the security code at that stage. Since it doesn't check for the security code there, you can leave it out without problem. This makes it a bit easier for your visitors. However, you must include the security code fields on your comment preview form and comment error form.
This is the way that I have it set up on all my blogs, including this one. I had earlier converted my preview page to do a spell-check; the spell-check stage is now required.
What happens is that the user enters their comment and information and sees only a "Spell-Check" button to submit with. When they click this, it takes them to the comment preview page. They can review their comment and make changes. They must enter the security code, then can click on a "post" button and their comment will be submitted.
I made some modifications to my comment preview form. I removed the user information fields and created hidden fields to pass the data on. Instead, users see only fields relating to the content of their comment. Hopefully this makes the page less cluttered and more user-friendly, inshallah.
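The forced-preview flow described above only holds if the comments script itself refuses to store a comment unless the post step carries a valid security code. A minimal Python model of that server-side check follows, added here as an illustration and not taken from Movable Type or the SCode plugin. The "action" field, the HMAC-derived code, the expiry time and the meaning given to the "code" and "scode" fields are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # per-site key (assumption)
TTL = 600                         # seconds a code stays valid (assumption)
_used = set()                     # challenge ids already attempted

def _code_for(cid):
    # Six-digit code derived from the challenge id; shown to the visitor as an image.
    digest = hmac.new(SECRET, cid.encode(), hashlib.sha256).hexdigest()
    return f"{int(digest[:8], 16) % 1_000_000:06d}"

def new_challenge(now=None):
    """Return (challenge id for the hidden 'scode' field, code to render)."""
    now = int(time.time() if now is None else now)
    cid = f"{now}.{secrets.token_hex(8)}"
    return cid, _code_for(cid)

def handle_comment(form, now=None):
    """Model of the comments script: returns 'preview', 'error' or 'posted'."""
    now = int(time.time() if now is None else now)
    if form.get("action") != "post":
        return "preview"  # entry form: no code asked for, nothing stored
    cid, typed = form.get("scode", ""), form.get("code", "")
    try:
        issued = int(cid.split(".")[0])
    except ValueError:
        return "error"    # missing or malformed challenge id
    if cid in _used or issued > now or now - issued > TTL:
        return "error"    # replayed, future-dated or expired
    _used.add(cid)        # one attempt per challenge; error form issues a new one
    if not hmac.compare_digest(_code_for(cid).encode(), typed.encode()):
        return "error"
    return "posted"
```

Because a wrong guess burns the challenge, the comment error form has to render a fresh code, which matches the requirement that the error form include the security code fields.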