
If you want to get started with a company or community forum I believe the best offer out there is Vanilla Forums. I say best not as in the one with the most features or the largest community but as in the one that is simple and which, hopefully, can be grasped in a few hours, including software changes.
The installation is rather simple. Much like any other LAMP application you need to create the database, copy the files into a folder (I put mine at http://www.gepsoft.com/forum/) and do some configuration. This may seem complex if you are not acquainted with this type of web application but they provide very good step-by-step instructions.

And then it begins…

Installation is the simple part. It is the forum management that will eat into your time. As soon as your forum hits Google you will be flooded by dozens of bots. These are scripts that create new user accounts and try to post spam in the comments and forum entries or that post links in their Activity page (more on that below).  For me it took a couple of weeks to go from the odd annoying signup to a flood of dozens of new users that needed to be deleted every morning.

It all comes down to the registration facilities. One option – called Basic – is to have the user solve a CAPTCHA and verify their email. That was my first choice because the users can start posting immediately, which is very convenient for my real users. Unfortunately it proved way too open for the nasty ones. As it happens, the bots are able to somehow solve Google’s CAPTCHA, verify the email and post a bunch of spam very quickly. I don’t know how many times they fail but I got several successes a day. But even before that there was another well-hidden attack. They posted spam links to their Activity page, which is a page where you can post comments to your profile (I am not sure what that is for, to be frank).

So I changed to Approval registration, where your users register and get put in an Applicants queue where you manually approve them one by one. Unless you are expecting a flood of users this seems like a reasonable solution. The problem with this solution is that Vanilla does not use the CAPTCHA for this type of registration, so you are flooded with dozens of fake approvals a day and it is very easy to miss a real user in the middle of all the garbage. On top of that there is no way to bulk delete users, so it gets old very fast.

The Solution So Far

The good news is that Vanilla supports plugins and there are a number of those dedicated to this problem. But before we install anything there is a small change that stops the Activity spam I mentioned before. When a user signs up in basic mode (the CAPTCHA one) he is put in the Confirm Email role. While he is in this role he cannot post to the forum but, for some reason, he can add comments to his Activity page. To avoid this, go to the Admin Dashboard, select the Roles & Permissions tab, edit the Confirm Email role and uncheck all the boxes except the Allow Signin role. This way they will not be able to post anything until they confirm their email.
Finally, and I think this should be in the base installation, add the BotStop plugin. This is a very simple plugin that adds a custom question to the signup form, such as "how much is 2 plus 1", and it is a life saver. Surprisingly, and I say this in fear, even the default values stop all the bots from signing up. The only problem I found is that this plugin is not compatible with OpenID, so I had to drop OpenID for the moment, but the bots are eerily silent. I am even contemplating dropping the email confirmation step if this state of affairs does not change.
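
The kind of server-side check a custom signup question implies, as an added example that is not BotStop's or Vanilla's own code. The field name `signup_answer`, the function names and the sample submissions are hypothetical and constructed for illustration; it does not use Vanilla's plugin API.

```php
<?php
// Added example: framework-independent, all names are hypothetical.

// The question is the one quoted in the post; the accepted answers are
// constructed values a site owner would choose.
const SIGNUP_QUESTION  = 'How much is 2 plus 1?';
const ACCEPTED_ANSWERS = ['3', 'three'];

/** Reduce an answer to a canonical form so "  Three. " and "three" compare equal. */
function normalize_answer(string $raw): string
{
    $s = strtolower(trim($raw));
    $s = rtrim($s, ".!? \t");              // drop trailing punctuation
    return preg_replace('/\s+/', ' ', $s); // collapse inner whitespace
}

/**
 * Decide on the server whether a signup may move on to the next step
 * (email confirmation or the Applicants queue). The form only carries the
 * question text, never the expected answer, so a script cannot read it back.
 */
function signup_answer_ok(array $post): bool
{
    $raw = $post['signup_answer'] ?? null;
    // A missing field, an array (signup_answer[]=3) or oversized input fails.
    if (!is_string($raw) || strlen($raw) > 32) {
        return false;
    }
    return in_array(normalize_answer($raw), ACCEPTED_ANSWERS, true);
}

// Constructed sample submissions, not real traffic.
$samples = [
    'real user'        => ['name' => 'ana',  'signup_answer' => ' Three '],
    'numeric answer'   => ['name' => 'joe',  'signup_answer' => '3'],
    'field omitted'    => ['name' => 'bot1'],
    'form-filler junk' => ['name' => 'bot2', 'signup_answer' => 'http://example.invalid/'],
    'array parameter'  => ['name' => 'bot3', 'signup_answer' => ['3']],
];

foreach ($samples as $label => $post) {
    printf("%-17s %s\n", $label, signup_answer_ok($post) ? 'accept' : 'reject');
}
```

Running the check before the account row is created keeps rejected signups out of the Applicants queue entirely, so there is nothing to delete afterwards.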