Joomla! extensions frequently publish links submitted by users. Spammers leverage on these features to take advantage of the extensions to generate spam, and commenting extensions are mainly a target. 

We have been recently contacted by Giacomo Gnecchi from Google to share the following best practices with the community. The following techniques help to reduce the interest of spammers in attacking the extensions.

Understanding comment spam

Webmasters provide comment sections on their web pages to build community and foster discussion. Malicious third parties often target these sections to insert links that point back to their sites, hoping this will improve their sites’ ranking in search engines. For example, please see the screenshot below. These two commenters don’t care about adding to the conversation. Instead, they’ve left generic text, likely autogenerated, that only serves the purpose of including a link back to their site.

Best practices: Deter spammers from targeting your extension

How it can hurt your clients

Links are an important signal that most search engines use to determine the quality and relevancy of a page. Comment spam has been around for a while but we still occasionally see this method being used by popular CMS providers, including Joomla! As you might know, spammers go as far as creating automated bots that can post thousands of spam comments on these popular CMS providers, taking advantage of the fact the comment sections are open to be spammed.

Our algorithms aim to devalue spam links, but that hasn’t deterred persistent spammers that experiment and target sites that lack proper safeguards against this type of abuse. These sections are the target of an automated page and link creation software.

This type of spam can be harmful to a site in several ways including:

  1. Low-quality content on some parts of a website can impact the whole site’s rankings
  2. Spam can distract and annoy users and lower the reputation of your client’s site. It affects the experience of users that want to engage in meaningful discussions that website owners want to foster.
  3. Google might remove or demote pages overrun with user-generated spam to protect the quality of our search results
  4. Content posted by spammers can lead to malicious sites that can negatively affect users

How can you help as an extension developers

There are several ways website owners can protect their website against spam comments, see this blog post we published a year ago that offers a good list of preventive tips:

One of the easiest ways is to use the default rel=”no-follow” attribute for links in comment sections throughout the site. So the suggestion to you, extension developers, is to set this option as a default for users. This won't prevent spam, but it will deter spammers from targeting your site. By default, many blogging sites (such as Blogger and Wordpress) automatically add this attribute to any posted comments.

So for example, if a spammer included a link in a comments section that looked like this:

<a href="">This is a nice site!</a>

it should get converted to:

<a href="" rel="nofollow" >This is a nice site!</a>


As detailed in the previous technique, it is relatively simple to change how links are generated in an extension to reduce the surface of attack of spammers. From the JED team, we recommend taking into account this tweak and apply it to your extensions to improve the quality of the source code.