Anything that can be used can also be abused. That's especially true online, where anonymity forms a shield against responsibility. Sadly, that means you have to plan your site knowing that it'll be attacked by anonymous vandals and profiteers, but you do have tools to stop them. This video discusses some of them. The best way to solve a problem is to ensure it doesn't pop up in the first place. So let's start by checking our permissions. To do that, go up to People and Permissions. By the way, I installed this site just a few hours ago and I haven't changed anything about the People or Permissions yet.
As you know, there are three default roles: Anonymous User is someone who's not logged in, Authenticated User is someone who is logged in, and there's a special Administrator role. The thing that you mostly want to watch out for is Anonymous User. So let's just quickly scroll down here. They can view comments; that can't cause a problem. They can use this text format; that's okay. They can view content. So this is pretty well locked down actually. Now let's take a look at the Authenticated User by scrolling all the way back up and then scrolling down again, looking at that middle column.
They can view comments. Oh, Post comments -- this is where a problem could come in. The biggest problem is Skip comment approval. If you leave this checked, it means that people will be able to create an account and then post all the comments that they want. So that leads us to the second part: how do people create accounts on your system? To see that, go up to Configuration and Account Settings, and scroll down a little bit to Registration and Cancellation. By default, anyone can register an account, but they won't be able to post comments until you approve that account.
So effectively that does stop spam, as long as you watch who's actually registering those accounts. And that can be kind of difficult, because when all you have is a name and e-mail address, you can't really tell one person from another. So another possibility is to only allow the administrators to make accounts. The thing that you want to be especially aware of is if you have Visitors selected; that means that anyone can create an account without getting an administrator to approve it. If that's so and you have Skip comment approval on authenticated roles, then you have just opened yourself up to a world of spam.
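The risky combinations described above (Post comments plus Skip comment approval, together with open registration) can be checked in code. This is an added example, not part of the original video or of Drupal itself; the function name `audit_comment_exposure` and the sample data are assumptions, while the permission strings, role names and `user_register` values are Drupal 7's.

```php
<?php
// Added example. Values mirror Drupal 7's user_register variable (user.module).
const REG_ADMIN_ONLY = 0;        // USER_REGISTER_ADMINISTRATORS_ONLY
const REG_VISITORS = 1;          // USER_REGISTER_VISITORS
const REG_VISITORS_APPROVAL = 2; // USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL

/**
 * $role_perms maps role name => list of permission strings.
 * Returns a list of findings; an empty list means no exposure was found
 * for the two default roles (custom roles are not evaluated here).
 */
function audit_comment_exposure(array $role_perms, $user_register) {
  $findings = array();
  foreach ($role_perms as $role => $perms) {
    $can_post = in_array('post comments', $perms, TRUE);
    $skips = in_array('skip comment approval', $perms, TRUE);
    if (!$can_post || !$skips) {
      continue; // Comments from this role go to the approval queue.
    }
    if ($role === 'anonymous user') {
      $findings[] = "$role: comments publish with no login and no moderation";
    }
    elseif ($role === 'authenticated user' && $user_register === REG_VISITORS) {
      $findings[] = "$role: self-registered accounts publish unmoderated comments";
    }
  }
  return $findings;
}

if (function_exists('user_role_permissions')) {
  // Inside a bootstrapped Drupal 7 site, e.g. run through `drush php-script`.
  $names = user_roles();
  $role_perms = array();
  foreach (user_role_permissions($names) as $rid => $perms) {
    $role_perms[$names[$rid]] = array_keys($perms);
  }
  $user_register = (int) variable_get('user_register', REG_VISITORS_APPROVAL);
}
else {
  // Constructed sample input: open registration plus Skip comment approval.
  $role_perms = array(
    'anonymous user' => array('access comments', 'access content'),
    'authenticated user' => array('access comments', 'post comments', 'skip comment approval'),
  );
  $user_register = REG_VISITORS;
}
foreach (audit_comment_exposure($role_perms, $user_register) as $line) {
  print $line . "\n";
}
```

Run stand-alone with the PHP CLI, it reports the authenticated-user finding for the constructed input; inside a Drupal 7 site it reads the live roles and registration setting instead.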
So those settings take care of a big part of the problem. But what if you need to keep your commenting system open to anonymous visitors for some reason? First, I would consider again requiring some kind of login from them, even if it's not for your own site specifically. Core Drupal comes with a module called OpenID that lets people log in with their credentials from Facebook, Google, and other membership sites. You can see that by going up to Modules, then scrolling down within this core module group, and there it is, OpenID.
It's there, but it is turned off by default. I talk more about it in the video on logging in using Facebook, Twitter, and other sites. You can also learn about it by going to drupal.org/documentation/modules/OpenId. But let's say they've logged in. You still have ways to throw up barriers to spam, and in fact there's a whole category of Drupal modules dedicated to this very matter. To see it, go to drupal.org/project/modules. As usual, filter by 7.x, and then look under the category Spam Prevention.
As usual, these are ordered by popularity, and these top two I found have been of great help in all the sites that I have run. The first one throws up what's called a CAPTCHA. That is a test that is easy for a human to figure out, but hard for a machine. It's usually something visual like this, but there are a lot of plug-ins as well, so that you could have it, for example, pick the cat out of this group of pictures; again, something a machine won't be able to do. The second one is Mollom, which was created by the person who created Drupal in the first place, Dries Buytaert.
It adds a little bit of intelligence to the whole process about whether to show a CAPTCHA or not, and it has some other features. I talk about it in the video Slowing Spam in my course Drupal Gardens Essential Training, which is also on lynda.com. That leads us to our next line of defense, checking unapproved comments. If you remember back when you looked at the Permissions, there are two having to do with comments: one is Post comments and the other is Skip comment approval. People who can post comments, but not skip approval, get their comments put into an approval queue.
I will go back to my site so you can see where that is. Go up to Content, then to Comments, and you find it in this Unapproved comments group. We don't have any, since of course this is not a live site. But if you do have anything here, you would look at the comment and then you could choose whether to publish or delete it. The problem with this system is that there may be comments there that you just don't know about because you haven't been notified. On my own site, tomgeller.com, I have it set up so that I get a notification using only core Drupal's modules Trigger and Action.
I'll show how that works. I'll go to my site, where I am already logged in as the administrator. I click Structure, scroll to the bottom, and look at Triggers. Now the Triggers module is not turned on by default when you install Drupal, although it is part of core. So of course you will have to go to Modules and turn it on before you can do this. But let's take a look, and then I'll look at what the triggers are for Comments, and as you can see I have set one up to e-mail me whenever a comment is posted. Now this is the way to do it using core Drupal's modules, but you can also do it using the much more flexible Rules module, which I discussed elsewhere in the course.
So there are the basics of spam comment moderation. Remember that you will have to make similar efforts if you allow people to create full nodes as well as comments, and you can see whether they have that permission once again by going up to People and Permissions, and then scrolling down until you see the Node group. Once there, for each content type there is a group of permissions, such as here for Blog entry. You might also have to watch content that you have coming in automatically from outside sources, such as through RSS feeds.
One strategy I try to keep in mind is to continually ask myself: Just how much access to my site do visitors need? Is the value of their comments outweighing the bother of moderating them? A conflict arises because Drupal encourages openness and sharing, which society itself too often mishandles.