Don’t get me wrong, Drupal has its good side. It is easy to install, easy to configure and customize, fun to play around with and generally well built. The problem is that it suffers tremendously from its success. The default Drupal installation is woefully and hilariously poorly equiped to handle any kind of spam.
You see, these spammers are targeting a wide range of Drupal versions and just crawling the net finding Drupal sites to exploit. If you let a module get out of date for as little as a week, an exploit will hit your site and it will be in ruins when you get back. They attack the forums, they create semi plausible conversation chains then weave in dubious viagra links once they believe they’ve earned your site’s trust. They even find ways to post as the ‘0’th user, so its harder to remove. They hide articles throughout the site with spam for crappy Louise Vuiton knockoff bags. They post in crazy languages that probably no one can read.
Recently, I came back from a few weeks of not visiting my site to see a huge fleshy mound of spam. I deleted over 15k comments and forum posts, 10k fake users. However, some legitimate comments got hit by the purge and for that I feel sorry. I apologize if you spent the time to post on my site only to have it spam terminated later on.
I took measures to stop the spam, I installed some anti-spam modules, for example, TypePad AntiSpam. I also installed captcha modules, including ReCaptcha. Which helped a TON… at first. However, spammers keep finding ways around them. And security vulnerabilities in Drupal keep hosing me. It turns into a frustrating cat-and-mouse whack-a-mole carnival game that you simply can not win.
Therefore, I have decided that the only winning move is not to play. I’m turning off the forums and comments for now, I’m putting Drupal in a kind of a read-only mode until I figure out what to do next. I believe static content is a bit underrated these days so I might go with something like that.