Neil Turner's Blog

Blogging about technology and randomness since 2002

Bad Behavior for WordPress configuration guide

Screenshot of Bad Behavior in WordPress

One of the WordPress plugins that I recommend most emphatically is Bad Behavior, which, in my experience, is the single most powerful spam protection plugin available for WordPress. It has cut my comment spam down to practically zero, and can stop automated attacks against WordPress, such as brute-forcing the login screen or known exploiting security vulnerabilities in old versions. Unlike spam plugins like Akismet, which quarantine possible spam comments after they’ve been submitted, Bad Behavior stops bots from submitting these comments in the first place, which means you can spend less time tidying up your spam queue.

When installed with the default settings, Bad Behavior is quite effective, but you can fine-tune it to suit your needs. There’s a brief official guide on the Bad Behavior web site, but here is my guide:

Logging mode

You have three options here, and the default is ‘Normal’. This should be fine for just about everyone. I would not recommend disabling logging, and enabling ‘verbose’ logging will log every visit to your site, whether it’s suspicious or not. This could rapidly fill up your database and so I wouldn’t recommend it.

Strict checking

Enabling ‘strict checking’ will block more suspicious traffic to your blog, but potentially at the expense of also blocking some legitimate users with old or badly-configured software. However, having checked my logs after enabling strict mode, I haven’t seen many cases of legitimate traffic being blocked, so I’ve enabled it on this blog. If you’d rather err on the side of caution, then leave it turned off, but my recommendation is to enable it.

Allow form postings from other web sites

By default Bad Behavior blocks form submissions from other web sites, such as cached copies of your site in Google or the Web Archive. However, allowing off-site form submission is also needed for some WordPress plugins – OpenID login is one but I also believe that Jetpack’s enhanced comments feature needs this too. I have it enabled (i.e. allowing form postings from other sites) to no ill effect, so you may want to tick this option – especially if you’re a Jetpack user and use its enhanced comments form.


http:bl is a service run by Project Honey Pot, which maintains a list of IP addresses being used by bots to gather email addresses for spam, and submit spam comments. Bad Behavior can optionally query the http:bl blacklist, and block access to IP addresses hosting bots. To do so, you’ll need to register with Project Honey Pot to get an access key. Although this means that Bad Behavior will be checking each visit from a new IP address with a third-party, it’s done quite quickly and shouldn’t have a big impact on your page loading times.

You can leave the rest of the http:bl settings as they are, as these seem to work well in my experience.

Reverse Proxy

If you’re using a load balancer such as CloudFlare, then you will need to full out this section. I’m not.


The whitelist is a separate Settings page, and lets you define certain IP addresses or user agents to always let through. This is especially useful when running Bad Behavior in Strict mode, which may result in some legitimate bots from being blocked. Under user agents, I have the following entries:

Mozilla/5.0 (compatible; AMZNKAssocBot/4.0)
InAGist URL Resolver (
Protopage/3.0 (

The first is Amazon’s crawler that needs access to my site to show relevant advertising. The other two sometimes fall foul of Bad Behavior’s checks despite them not being malicious. Hopefully their developers will make them more compatible in future – in the past, I’ve had problems with the crawler for Zite, but after contacting its developers, they fixed it so that Bad Behavior allowed it through.

Monitoring the Bad Behavior Log

Under your ‘Tools’ section in WordPress, Bad Behavior will log all potentially suspicious access attempts to your blog. Some are ‘permitted’ – suspicious, but probably benign, but the rest were blocked. Bad Behavior will tell you why they were blocked – missing an ‘Accept:’ header, trying to submit a Trackback ping despite identifying as a web browser, or the IP address is on Project Honey Pot’s http:bl blacklist. It’s worth keeping an eye on the logs for a few days just to make sure that you’re keeping the right balance between good and bad bots.

If you spot something that should have been allowed, then you can add its IP address or user agent to Bad Behavior’s whitelist. Conversely, if you notice a lot of abusive hits from a particular IP address over a long period of time, then you could consider blocking them completely from your site, by modifying your .htaccess settings in Apache, or your firewall settings. This is beyond the scope of this article though.

Hopefully this blog post will have helped you get Bad Behavior set up in a way that effectively keeps spam off your blog. I’ve used it for a long time and I’m really impressed with it.

Comments are closed.