One-click WordPress Install

Hey, which one of you DH wise guys decided to add support for a one-click install of WordPress?

You’re going to put my WordPress installation notes out of business. Poor little WordPress install tutorial. Now, no one will stop by to read it. Sad, lonely web page. Its only visitor will be Mr. (or maybe Ms.) Googlebot. I’ll probably need to send it off for counseling.

Seriously, though, it’s great that you added this feature. The support for upgrades is a nice bonus.

One minor note about MovableType - with 3.x you have the option of doing on-the-fly page builds. But, dealing with their license restrictions and license fee would be problematic, and as the newsletter states, WordPress is lots easier to install.


Instead of sending it off to the museum, I think this one-click installation of WordPress actually pushes you to add a new chapter to your original guide (which has been very useful), esp. when the default template looks so terrible esp. with IE. At least you can show us poor little lost souls how to easily get rid of the grey/green coloring. :slight_smile: - Register your own domain with DreamHost for just $14.95 now

Hey Robert!

And actually, I should thank you for that installation page you made… it’s what I used when setting up this new one-click install thing actually! :slight_smile:

So in that way, a part of your installation notes will live forever!


Ka-ching! Do I hear some DH merchandize in the mail for Robert?! Clearly this is a bulletproof case of a customer earning his laurels! :slight_smile: Go Robert!


WooHoo! This is just another reason why Dreamhost rawkz d000dz! :wink:

Robert, your instructions will remain valuable. Sometimes it’s better to do things yourself if you really want to learn something. But DH, y’all should be commended for thinking through, and choosing, a great solution for easy customer blogs.

I think they are going to have to upgrade all their servers if people start to install this :slight_smile:

I just did a quick install, not really going to use it. But thought I would have a look while it was a one-click install.

And the comment spammers were on me within minutes; in its default setup state it’s a nice and juicy steak for those firms who help others to improve their google rank.

It may be a one click install, but stopping those comment spammers ain’t. :slight_smile:

Thanks for the kind replies!

Josh, I’ll be happy to send you some notes on how to spam-proof a WordPress install. I was getting nearly 100 spam comments a day on my blog before I made the changes. Since then, I have received zaroo comments of the spammer persuasion.

I think it would be very easy to automate these changes with a shell script and sed or with perl. I’m off to work, now, but I’ll post something tonight or tomorrow. I mentioned a couple of the anti-spam changes in my install notes, but intentionally didn’t provide all the details.

I kept thinking, what if spammers learn how to read and launch counter-attacks? Then I thought, should I be this paranoid? And then I got distracted by a shiny metal object.


I’d be interested in your spam-control hints. I will probably move my MT blog to WordPress and would want to be ahead of the spammers if I did. I use MT-Blacklist currently. I’ve actually got my blog behind a password protected directory right now because I’m not updating it and want to rethink it, but the spammers get in anyway and post their rubbish. Right now my blog’s sort of a honeypot because every time they post new links and they get added to the blacklist they (or their masters) have to pay for new domains. So, at least it’s costing them something.

Spammers ruined my wiki though, cleaning it up was easy enough, but they still get listed in the previous versions of the pages, so more incentive to keep coming in and making a nuisance.

How to rid WordPress of SPAM:

Uhm, it’s great, but when I click ‘View Site’ it says ‘No input file specified’. In options I wanted the home page in the root (ie. directory but it only works if I leave it in directory. Apparently it’s not that straightforward. Anyone know what the problem is?

In any case, thanks Dreamhost, I couldn’t even get this far on my own. :slight_smile:

Edit: Yeh, never mind. Figured out what I was doing wrong. You Dreamhost guys made my weekend is all I can say :slight_smile:


Yeah, that was the first thing I noticed… my totally new test domain had 3 spam comments on the first post within a few hours… and nobody on earth knew about that domain but me!

It turns out I had the “update service” on so as soon as I did a test post, 13 different “weblog aggregators” knew about it, and so did all the spammers.

I’m going to change the setup email and the kbase articles to mention you might want to turn that service off.

I also already added today some tweaks to wp-comments-post.php and -popup.php that another customer recommended to try and stop some automated spamming. I’m going to see how that does, and if it doesn’t do so well, in the worst case I may install one of those “captcha” plugins for people by default.

We’ve already had a fight with comment spammers with DreamBook, which I believe we’ve more or less won at this point… so hopefully we can do the same thing with WordPress spam!


WP Anti-Spam Trick #1 - Rename the File That Posts Comments

The Comment Spammers have tools that can automatically post comments to blogs. It’s trivial to find out the default filenames for the scripts used by the main blogging tools for posting comments. Once the spammer’s tool finds a blog, it can blindly try each common filename variant, so the spammer doesn’t even have to know which blogging tool you are using.

This trick works with any blogging tool that uses a script to post a comment. All you have to do is rename the file that posts the comments, and then update any other file that links to that file.

With WordPress, the script is in the wordpress directory and is named wp-comments-post.php. Rename it to something else, e.g.,
$ mv wp-comments-post.php wp-comments-alt-post.php

Then, edit wp-comments.php, wp-comments-popup.php, and wp-comments-reply.php to use the new filename. Be sure to rename (i.e., use the mv command) instead of copying the wp-comments-post.php file. If you leave the file on your server with the original filename, the spammers can obviously still access it.

I also did the rename file trick on my Movable Type blog. It worked for a while, but the spammers eventually figured out the new name. All someone had to do was write a script that parsed the returned HTML and looked for the new filename.

But, you have to deal with spammers with a layered defense, just like how you deal with black hat hackers. This trick will knock out the first horde of dumb spam comment robots.

Bonus Credit - Spam Comment Honeypot
While I recommended above that you not copy the file, copying is okay if you’ve got something sneaky up your sleeve. After making the copy, modify the original so that it doesn’t actually post a comment. Modify the script to send back an HTTP response that makes the spammer think the post succeeded. Also, log the IP address of the spammer.

Extra Bonus Credit - Spam Comment Tarpit
Figure out a way to punish the spammer for accessing your site. Causing a long timeout for the spammer would be nice, as it would tie up their resources. However, you want to make sure you don’t tie up DreamHost’s resources. Another variant would be to do an HTTP Redirect to another website, perhaps to another spammer’s website. Just make sure Google doesn’t mistake it for an onbound link to the spammer. Perhaps you could point them to a website for enhancing their anatomy.
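The rename-and-update steps of Trick #1, scripted with sed as an added example (not code from the post above). The function name `rename_comment_script` and the new filename passed to it are hypothetical choices; the three template filenames are the ones the post lists.

```shell
#!/bin/sh
# Added example: rename WordPress's comment-posting script and update the
# templates that link to it, then verify nothing still points at the old name.

rename_comment_script() {   # usage: rename_comment_script WP_DIR NEW_NAME.php
    wp_dir=$1
    new_name=$2
    old_name=wp-comments-post.php

    # Refuse names that would break the sed expression or escape the directory.
    case $new_name in
        ''|*[!A-Za-z0-9._-]*) echo "bad new name: $new_name" >&2; return 1 ;;
    esac
    [ -f "$wp_dir/$old_name" ] || { echo "no $old_name in $wp_dir" >&2; return 1; }
    [ ! -e "$wp_dir/$new_name" ] || { echo "$new_name already exists" >&2; return 1; }

    # mv, not cp: the default filename must stop existing on the server.
    mv "$wp_dir/$old_name" "$wp_dir/$new_name" || return 1

    for f in wp-comments.php wp-comments-popup.php wp-comments-reply.php; do
        [ -f "$wp_dir/$f" ] || continue
        sed -i.bak "s/wp-comments-post\.php/$new_name/g" "$wp_dir/$f" || return 1
        # Do not leave .bak copies in the web root: they are served as plain text.
        rm -f "$wp_dir/$f.bak"
    done

    # Any PHP file that still mentions the old name would send commenters to a 404.
    if grep -rl --include='*.php' -F "$old_name" "$wp_dir" >/dev/null; then
        echo "stale references to $old_name remain in:" >&2
        grep -rl --include='*.php' -F "$old_name" "$wp_dir" >&2
        return 2
    fi
    return 0
}

# Run as: sh rename.sh /path/to/wordpress my-new-name.php
if [ "$#" -eq 2 ]; then
    rename_comment_script "$1" "$2"
fi
```

As the post notes, the new name is still visible in the page's HTML, so this only filters bots that try default filenames blindly.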


The site that MacManX linked to above is a fantastic resource. I got most of the ideas for my anti-spammer warfare from the links on that page.


WP Anti-Spam Trick #2 - Comment Preview

You can cut out quite a few spam comments by forcing all commenters to go through a preview stage.

The basic info is here:

Spammers want to post comments as quickly as possible. Forcing them to go through two pages slows them down.

Also, they can’t parse the first page for the name of the file that posts comments. They have to get to the preview page before they can do that. This trick obviously works well with Trick #1.

Finally, I didn’t like the fact that WordPress didn’t provide a built-in preview step for comments. I often want to preview my comments, especially if the text edit box is really small. Having a preview stage is especially nice if you allow limited HTML in comments.

So, this anti-spam technique had the nice side effect of adding a feature I had wanted.


Oh, by the way … I don’t see any 1-click (or even few-click) uninstall at the Goodies/WordPress Blog tab of our CP; do you need to delete WordPress manually? Thanks. - Gung-ho Web Hosting :: $7.95/mo for 800 MB Disk and 120 GB Transfer

To delete it manually, just delete the MySQL database that you used with WordPress and then remove all of the WordPress files from the directory that you installed them in.

WP Anti-Spam Trick #3 - Allow Comments to Be Posted Only from Your Website

This trick limits your comment-posting script to being called only with a HTTP referer URL from your website. This means that, with a few caveats I will describe below, someone can post a comment to your blog only by actually visiting your blog through a web browser and clicking on the button to post a comment.

Caveat #1 - This means that someone else using a legitimate application (other than WordPress, of course) that posts comments by directly calling the PHP file on your site will no longer be able to do so. I don’t know of any such applications, though, so this may be one of those restrictions that actually affects no one. Of course, it can be worked around by forging the referer URL.

Caveat #2 - Which leads to caveat #2, which is, referer URLs can be forged. If the spam commenter is really savvy, he or she could forge the referer to make it look like the request came from a link on your site, as opposed to from their spam-comment-generator application. So far, I haven’t run into any spam commenters who are that savvy, but I wouldn’t put it past them.

So, here’s how you do it. You need to edit the .htaccess file at the root of your blog, or in any directory above it. For example, if the index.php file for your blog is in, then you can make the changes to either or

Here are the lines to add:

RewriteCond %{HTTP_REFERER} "!^http://(www\.)?example\.com/.*$" [NC]
RewriteCond %{REQUEST_URI} ".*wp-comments-posting-script.php$"
RewriteRule .* - [F]
# example.com is a placeholder: substitute your blog's domain.

Line 1 says that the referer URL must begin with or The NC at the end makes the condition case-insensitive, i.e., lower case or upper case in the domain name is ignored.

Line 2 indicates the name of the PHP file that actually posts the comment. Edit this to reflect whatever you decided to name your script. The . and the * and the $ are regular expression symbols. The .* represents any character preceding the w in the file name. This allows the condition to work regardless of how many directories you might have buried your blog in. The $ represents the end of the line, or string. This tells the regular expression parser when to stop looking for a matching file name. If none of this makes sense, don’t worry. Just make sure you change wp-comments-posting-script.php to exactly match the file name for your comment-posting script.

Line 3 says that if the above conditions aren’t satisfied (that is, someone tried to access your comment-posting script with a referer URL that didn’t begin with the domain name of your website), then send back a 403 error (Forbidden).

If you implement tricks 1, 2, and 3, I think you will find you have a layered defense that works pretty well. Since I implemented these tricks, I went from approximately 100 spam comments a day to 0 spam comments for the entire 5 weeks or so since I made the changes.
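A way to check a Trick #3 referer pattern against sample Referer values before it goes into .htaccess, as an added example (not code from the post above). It assumes `example.com` as a placeholder domain and uses `grep -E -i` as a stand-in for Apache's regex matching with `[NC]`; the sample referers are constructed. It compares an optional `www.` written as a bracket expression with one written as a group.

```shell
#!/bin/sh
# Added example: which Referer values would be allowed to reach the
# comment-posting script under a given pattern?

BRACKET='^http://[www.]?example\.com/'    # bracket expression: ONE char, "w" or "."
GROUPED='^http://(www\.)?example\.com/'   # optional literal "www."

# referer_allowed PATTERN REFERER -> exit status 0 if the POST would be let through
referer_allowed() {
    printf '%s\n' "$2" | grep -E -i -q -e "$1"
}

# verdicts PATTERN -> one "allow|deny <referer>" line per constructed sample
verdicts() {
    for ref in \
        'http://example.com/?p=12' \
        'http://www.example.com/?p=12' \
        'HTTP://WWW.EXAMPLE.COM/index.php' \
        'http://example.com.spam.test/' \
        'http://spam.test/?u=http://example.com/' \
        ''
    do
        if referer_allowed "$1" "$ref"; then
            echo "allow ${ref:-<empty>}"
        else
            echo "deny  ${ref:-<empty>}"
        fi
    done
}

echo "bracket form:"; verdicts "$BRACKET"
echo "grouped form:"; verdicts "$GROUPED"
```

The bracket form rejects real visitors arriving from the `www.` host, and a pattern without the trailing `/` would accept `example.com.spam.test`. The empty sample shows that browsers or proxies that strip the Referer header are refused as well.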


No no no, your little webpage is not going to die a lonely little death with no feeding tube! Silly girls (and boys, I’m sure) like me will always be looking for the quickest way to get things done. Your website is great and terrific! Thank you so much for taking the time to put that all in writing.

WP Anti-Spam Trick #4:
I don’t work here. I’m just your typical support forum volunteer.