Last month I started getting regular email notifications telling me I had new followers, but the followers’ email addresses were all outlook.com and quite spammy-looking. Even more suspicious was the fact that the follows started after I had stopped posting regularly, and there were new follows every day but no new page views on my site, meaning they were following without having been to my site.
I already felt iffy about sharing anything on the Internet, so needless to say daily reminders that there were bots out there aware of my online existence looking to… do something nefarious only compounded my nervousness. Since I had hit a lull in posting anyway, I started thinking about ending this little blogging experiment.
Anyway, today I finally googled the issue and found this Support Forum. I skimmed through all 23 pages of posts (as of today) and gleaned a few helpful points from the Staff responses (links included).
Are they armed and dangerous? And whyyyyy is this happening?
I know this is incredibly annoying, but I also want to reassure you that that’s all it is – annoying. There is no way these spam followers can put your site, your content, or your private account data in any danger. It just increases the number of email notifications WordPress.com needs to send out for each new post, so if anything it’s an attempted attack on us trying to overload our email servers, not on your sites or accounts.
You can remove the spam followers under My Site -> People, but that won’t prevent new follows from coming in. You might also consider temporarily disabling email notifications of new followers in your account settings until we manage to get these blocked. You’ll still see a notification each time in the WordPress.com admin bar, but at least you won’t have your inbox flooded with emails from fake subscriptions.
Please don’t email these addresses back – another potential reason for this is that someone is fishing for emails which they can then use to try and spam directly, and emailing them back will only provide them with your personal email address – something they cannot get hold of by merely following your site.
How come I get the email notification of new spam followers, but they don’t show up on my site’s followers list?
WordPress is automatically removing them as they find them. And they seem to be pretty thorough. I’ve gotten about 25 of these spam followers over the past month, and when I checked today only one was listed in my Email Followers.
What can I do?
For the notifications, you can uncheck your email notifications for site follows or set a filter in your email so they’re archived away from your inbox to prevent the daily aggravation.
As for the followers, there is no way to prevent email followers.
There isn’t a way to prevent email followers without removing the option altogether.
If you wanted to go that route I’d suggest maybe using a contact form in place of the follow by email widget.
I did remove the Follow by Email widget from my sidebar to see if that would make a difference. (I doubt it will since somehow they are following without actually having visited my site.)
What about stricter verification/privacy measures?
We use a verification link – if someone enters their email on the form they need to verify the subscription by clicking on a link we send them. Only after that link is clicked does the site owner get a notification of a new follower. That process blocks most, possibly all bots, so there’s likely a human element involved here which won’t be stopped by a Captcha.
Besides that, Captcha has many accessibility problems and can make it very hard for people with poor or no eyesight to use any service. We don’t use Captcha anywhere on WordPress.com or Jetpack, relying on a two-step opt-in process instead.
Or in general limit my site’s exposure to the bots of the world?
While I understand why you feel that way, it’s not really practical. If your site is public it means anyone on the internet is able to view it, and via the site’s public RSS feed people can also follow it in any RSS reader (including Google Flipboard), via blog aggregation services like Bloglovin’, or they can even build their own app and follow your site via our API if they wanted to.
You likely have many followers you don’t even know about as they subscribe directly to your site’s RSS feed rather than via WordPress.com, and adding the ability to approve followers would only add a false sense of security.
For now the only options on WordPress.com are to have your site completely public, or completely private (invitation only and completely undiscoverable otherwise). What you want is essentially something like a private Instagram, where your account is discoverable, but your posts can only be seen by people you approve. We don’t have such an option on WordPress.com at this time.
I guess it will always be a trade-off. Sharing online opens up possibilities for more connection and exchange, but also opens you up to more risk. Reading through the forum did assuage some of my fears about the shadowy spam followers, so I won’t be deleting this little space just yet. It was nice to see I am not alone, and for some reason it made me smile to see how others described the spammy addresses of our common enemy: bogus, dodgy, gibberish and even disturbing.