Archive for the ‘DrakNet Tips’ Category

It’s Still YOUR website! Or Is It?

Wednesday, September 1st, 2010

Today’s blog post is guest authored by Janice Schwarz of GeekArtist Web Solutions, DrakNet’s affiliated Web Design Company.

In the 10 years I’ve been designing websites, I’ve seen good, bad, and ugly situations when it comes to website ownership. Today, we’re going to talk about the ugly.

When I take on a new web design client, one of the first pieces of information I ask for is the logins to the client’s web host. The responses I frequently get range from “OK, here they are” to “I don’t have those, my last web designer/employee/my cousin has them and I don’t know what they are or how to reach them” to “what’s a web host?”.

Many of my clients do not have the basic information they need as a website owner. It does not matter who you hire to handle your website affairs, if you signed up for and pay for the hosting and domain, then it is still your hosting and domain. All account logins are yours and you should have a copy of them stored somewhere. If you have a website made for you, you should have your own copy of the website too. A copy stored on YOUR computer and/or a CD, DVD, or portable hard drive. You don’t want your only copy of your website to live on the web server. This is a handy backup in case there is a problem that causes you to lose your entire website. And that can and does happen on occasion.

One thing to bear in mind though is if you need a domain (your own .com), be mindful of whose name it is in when purchased. For example, if you hire someone else to get it for you, did they pay for it and put their name on it, or your name? Because if they put their name on it as account owner, they own it. Did you have them sign up for your web hosting? If so, when they signed up, did they put your name on the account or theirs? If theirs, then they own it.

It does not matter if you are paying for it regularly. The domain registrar and web host MUST assign the account to whoever’s name is on the account. If your name is not on there and your web designer disappears, it is possible you may not be able to regain access to that information.

So remember: any time you have anyone handle your website needs for you, make sure that
1. Everything is in your name
2. You have all logins for those accounts
3. You have backups of your website.

Even if you host with my business, GeekArtist Web Solutions, LLC, and have us handle everything for you, we’re still going to make sure you have this information. If you tell me you’ll never need it and don’t want it, I’m going to tell you, “I have to send this to you anyway.”

It is YOUR website. So you are entitled to all the account information and should always keep that data somewhere you can easily retrieve it.


Using WordPress as a Content Management System

Monday, August 30th, 2010

A number of folks have asked for alternatives to Soholaunch since we announced that we would cease offering licenses. For non-ecommerce sites, one of the best simple CMS’s out there is WordPress.

Yes, WordPress is the most popular blog software out there – but in reality, it does a whole lot more.

Setting WordPress to Serve a Static Page

Once you’ve installed WordPress from Fantastico or Softaculous, you log in to your dashboard (wp-admin) and scroll down to the menu on the left that says “Settings”. Within settings, you’ll want to click the link that brings you to the settings for “reading”.

After you get into the settings on reading, you’ll see a setting called “Front page displays”. Since WordPress defaults to showing posts because it assumes that it is going to be a blog, you simply need to change the settings to a static page that you have created.

If you are not going to have a blog at all, you can entirely ignore the Posts submenu – you can use WordPress and choose not to have a blog at all. If you want to have a site and a blog on a sub-page, you would create a main page, and then go into reading and set that page as the Static Page you wish to serve first.


If you want to have a blog as well, create a blank page under “Pages” with the Title “Blog” or “Company Blog” or something similar, and set that as the posts page so that it’s a sub-menu part of your site.

Why Use WordPress as a CMS?

WordPress does not tend to have the steep learning curve of most CMS’s like Joomla, and a site can usually be created, installed with a template, and launched by cutting and pasting content in very little time.

Because of the sheer obsessive popularity of WordPress, you can find a significant amount of very high quality templates, plugins, and pages on wordpress.org explaining how to do this or that with WordPress, and if you don’t want to get too crazy/fancy, tweaks can often be implemented very, very easily. There are also a number of themes coming out now that are specifically designed to be used as CMS’s, and not strictly as blogs.

And another nifty feature – all those tweaks like caching and keyword plugins and so on that you would use on a blog can be used on the pages (your main site) as well.

Because so many people are using WordPress, the sheer amount of information being written about it, and how to use it, is enormous bordering on staggering. There are many bloggers that just blog about WordPress use on WordPress installations, and solely focus their blogging endeavors to explaining in simple terms how to get the most out of WordPress.

If you’re looking for a simple CMS to use that will produce a slick, XHTML/CSS site in little time with a huge amount of plugins and templates available for you to use at no charge, don’t count out WordPress.


What the heck is an iNode and do I have an inode limit?

Monday, August 9th, 2010

In computing, an iNode is a data structure on a file system that stores basic information about a regular file, directory, or other file system object. Each iNode has a number to identify it, and whenever you create a file or a folder you’re creating an iNode. Even if the file is really, really, really small.

For example, a fresh install of Joomla uses around 5683 iNodes – and that’s before you do anything else to it.

To set limits on “unlimited” hosting (don’t get me started), many hosts created iNode limits, and when you hit them, your host can take various actions like not doing backups for you all the way to kicking you off or forcing you to a VPS.

Disk limits didn’t really ever go away – they simply shifted from easily understood disk space to not so easily understood iNode limitations.
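To see how close a site is to an iNode limit, you can count the iNodes it uses yourself. The script below is an added example, not DrakNet's or any host's own tooling; it counts every file and folder once per iNode (hard links share one), grouped by top-level folder, and the sample site tree it builds is constructed for illustration.

```python
import os
import stat
import tempfile


def count_inodes(root):
    """Count inodes under root, grouped by top-level entry ("." is root itself)."""
    seen = set()      # (device, inode) pairs already counted
    counts = {}
    stack = [(root, ".")]
    while stack:
        path, bucket = stack.pop()
        st = os.lstat(path)               # lstat: a symlink is its own inode
        key = (st.st_dev, st.st_ino)
        if key in seen:                   # hard link to an inode already counted
            continue
        seen.add(key)
        counts[bucket] = counts.get(bucket, 0) + 1
        if stat.S_ISDIR(st.st_mode):
            for name in sorted(os.listdir(path)):
                # Children of root start their own bucket; deeper entries inherit it.
                child_bucket = name if bucket == "." else bucket
                stack.append((os.path.join(path, name), child_bucket))
    return counts


def build_sample_site(root):
    """Constructed sample: a tiny site tree of empty files plus one hard link."""
    open(os.path.join(root, "index.php"), "w").close()
    os.mkdir(os.path.join(root, "images"))
    for name in ("a.png", "b.png"):
        open(os.path.join(root, "images", name), "w").close()
    # A hard link is a second name for the same inode, so it adds nothing.
    os.link(os.path.join(root, "images", "a.png"),
            os.path.join(root, "images", "a-copy.png"))
    os.mkdir(os.path.join(root, "cache"))
    for i in range(5):
        # Zero-byte files use no disk space to speak of, but one inode each.
        open(os.path.join(root, "cache", "%d.tmp" % i), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        usage = count_inodes(site)
    for entry, n in sorted(usage.items(), key=lambda kv: -kv[1]):
        print("%6d  %s" % (n, entry))
    print("%6d  total" % sum(usage.values()))
```

Point `count_inodes` at your own document root instead of the sample tree to find which folder (often a cache or session directory) is using the most iNodes.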

Like almost anything else in shared hosting, 98% of you don’t hit this, and it’s not a concern. For those that do, though, it’s a big concern, especially on sites that tend to create a lot of files. Since people are starting to discover this hidden little clause in the “unlimited” offerings that abound, we’re starting to get questions about it, like:

With the higher disk space allotments, are you still going to do backups?

Are there new inode restrictions?

My other host limits inodes instead of disk space, and after a certain number they won’t do backups.

We do not, and do not plan to have, iNode restrictions as we don’t actually offer unlimited hosting and don’t have to put other restrictions on your site to keep you from actually using the “unlimited” space.

iNode numbers are also not a concern with regard to backups here at the moment.

Most cPanel hosts tend to do compressed backups – this means the entire site is packaged every single time it’s backed up (along with your email, your system files, and everything else), and that backup is stored somewhere.

Compressing huge web sites is incredibly resource intensive and can take hours for a full server, so shared hosts with clients that have huge and enormous sites taking up huge and enormous amounts of space run into an issue compressing those sites not just because they are huge, but because they have thousands upon thousands upon thousands of files.

DrakNet made a choice several years ago to cease doing compressed backups because of just how resource intensive they were, and we switched to incremental backups. What that means is that we compare the backup with your site and bring over only what’s changed – this is far more efficient from a resource perspective, though obviously it takes up far more disk space.

And so there you have it – no hidden inode restrictions, and due to the way we take backups, we do not plan to have inode restrictions on our accounts.


Joomla: Sometimes, even software feels vulnerable.

Monday, July 26th, 2010

Joomla is an awesome CMS and lots of people use it. It’s also one of the most commonly exploited pieces of software we see.

Securing Joomla can be a chore, and telling you how to do it completely is beyond the scope of one single blog post – but like WordPress, one of the most common Joomla issues that we see is people downloading and installing plugins that are vulnerable.

As with WordPress Plugins, Joomla plugins can open up holes on your software and your site that exploiters can drive a truck through.

Check Before You Download

Joomla does its best to let you know about these plugins that can decimate your site – but you’ll only find that information if you go look for it. Just like folks who don’t read the blog likely have no idea we were at HostingCon, got new stuff, and are making major changes, folks that don’t bother to ever look at Joomla’s documentation but who actively use Joomla have no idea that there are plugins being offered that can cause real havoc with their site.

http://docs.joomla.org/Vulnerable_Extensions_List

Joomla lists extensions that are being offered which are (1) Vulnerable and obviously (2) you should not use if they are on that list. One of the extensions we’re seeing being exploited repeatedly is:

RSMonials

http://www.rswebsols.com/downloads/category/14-download-rsmonials-all?download=23%3Adownload-rsmonials-component

XSS Exploit
190610
Believed to be 1.5.1 version

It’s on that list, and it’s highlighted in a really nasty red so you comprehend this is a real problem, there is no patch, and you shouldn’t use it. Ok, so what if you do use it?

What is an XSS Exploit?

http://www.cgisecurity.com/xss-faq.html

Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious looking to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner to make it appear as valid content from the website.

Remember that anything you install is your responsibility to secure. Finding the holes and patching them are considered your responsibility and can usually be dealt with by simply making upgrades a part of your site maintenance. In Joomla’s case, they provide a current list of those plugins considered dangerous and exploitable for you. If what you want to use is not on there or if you want wider information, searching for your software or plugin and the word “vulnerability” will give you an idea what the issues are.

For example, the search RSMonials vulnerability brings up an enormous amount of information on the problems with this plugin:

http://www.google.com/search?q=RSMonials+vulnerability

and this “security technique” (i.e. the simple Google Search on what you are using with the word vulnerability) is, again, a cross-platform technique that can be used on and is applicable to any software or plugin, not just Joomla.

This technique can also be used by web site novices who can’t install anything that doesn’t come with a button. :)

If you are a programmer, you can always sanitize and plug the hole after reading about the vulnerability. If you’re of the button-click software user variety, this technique will tell you what you should absolutely not use. Vulnerable software is not something anyone should gamble on.
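What "sanitize and plug the hole" looks like for the reflected XSS described above, as an added example that is not RSMonials or Joomla code: a hypothetical page that echoes a `q` parameter, shown unescaped and escaped, plus a check that flags request URLs whose parameters decode to markup. The URLs, the `q` parameter, `com_example` and the page template are all constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Hypothetical page template that echoes the visitor's search term.
PAGE = "<p>Testimonials matching: {term}</p>"

# Constructed sample requests: plain, hex (percent) encoded, and double encoded.
BENIGN = "http://example.test/index.php?option=com_example&q=nice+service"
ENCODED = ("http://example.test/index.php?option=com_example"
           "&q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E")
DOUBLE = ("http://example.test/index.php?option=com_example"
          "&q=%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E")


def query_value(url, name="q"):
    """Return the decoded value of one query parameter, as a web app would see it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(url):
    """The hole: user input is pasted into the page as-is."""
    return PAGE.format(term=query_value(url))


def render_escaped(url):
    """The fix: HTML-escape user input at the point where it is output."""
    return PAGE.format(term=html.escape(query_value(url), quote=True))


# Markup that has no business in a search term: tags, event handlers, javascript: URLs.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.I)


def decoded_forms(text, rounds=3):
    """Return text plus each further percent-decoding of it, up to `rounds` times."""
    forms = [text]
    for _ in range(rounds):
        nxt = unquote(forms[-1])
        if nxt == forms[-1]:
            break
        forms.append(nxt)
    return forms


def suspicious_params(url):
    """Names of query parameters whose value contains markup in any decoded form."""
    flagged = []
    for pair in urlsplit(url).query.split("&"):
        name, _, raw = pair.partition("=")
        if any(MARKUP.search(f) for f in decoded_forms(raw.replace("+", " "))):
            flagged.append(unquote(name))
    return flagged


if __name__ == "__main__":
    for url in (BENIGN, ENCODED, DOUBLE):
        print(suspicious_params(url), render_escaped(url))
```

Escaping on output is the fix; the URL check is only useful for spotting attempts in access logs, not as a replacement for escaping.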

What does this all mean for my DrakNet Site?

While we let you know after your site has been compromised, that’s truly not the way you want to find out because the moment we find the exploit, your clock starts ticking.

Repeated exploits will cause your site to be suspended and/or terminated, and if it’s an active exploit returning daily reports and re-infections, you’ll have only four days to get up to speed before it becomes a risk of you losing your site – as a host, we cannot knowingly let a site continue to serve things we know put people at risk. The fourth exploit in a week, and we will take the site offline, and potentially not allow it back on again.

Any site running dynamically (forums, wordpress) on software is susceptible to attacks, but Joomla particularly so – especially in the realm of released plugins by independent people not associated with the Joomla project.

If you’re going to offer dynamic sites, always be aware of the things that can go dynamically wrong, and take some extra steps before you install your own welcome mat for site exploiters. Security experts put a lot of effort into getting the word out, so make sure you take advantage of the work they put in to try and keep your sites and your visitors safe.


Load Impact: Stress Test Your Site for Free

Friday, July 16th, 2010

Most web hosting companies won’t tell you about this little tool, and we are – which likely makes us either totally confident, or totally crazy.

http://loadimpact.com/ is a site that offers stress testing for sites with a graphical output so that you can see how your site handles simultaneous connections from a number of visitors.

While a large part of a site under stress has to do with the server, site stress isn’t only based on server resources available – it also has to do with scripting, coding, whether a CDN is used, caching, and a whole host of factors. Poor coding can double or triple the stress on the server of a massive rush of visitors vs. the same number of visitors on a well coded and streamlined site.

http://loadimpact.com/ has serious testing of up to 50,000 users for $9.00 a day (yes, we said per day), but they have a taster stress testing offering called “Load Test Light” that will graph the load of 50 simultaneous users at no charge to you. (50,000 simultaneous users, by the way, will likely crash the server – if you’re getting that many simultaneous users on a shared hosting account, you shouldn’t be on a shared hosting account. Seriously.)

Since drak.net has its own server all to itself, we’ll stress test my personal site, jenlepp.com, which is actually housed on one of our shared servers Espeon (the box that we are currently doing new installs on). It’s a WordPress site with caching, though it’s fairly static without a blog.

And this is what we come up with:

[Image: Load Impact stress test graph for jenlepp.com]

Which is a nice, even line with barely any fluctuation between 10 clients (1.5 second load time) and 50 clients (1.6 second load time), and for us, this is what we want to see. From “How to interpret graphs?”

What if my graph is completely flat?
This usually means you are nowhere near being able to stress the target system. If you try to run a load test on google.com you will get a flat curve. Their site is powerful enough that any change in response times as a result of the load we generate is all but impossible to measure. If your site runs on powerful servers, with lots of Internet bandwidth, or if your system is very efficient you can also get a fairly flat curve.

So, we want to see a nice fairly flat curve when testing a shared hosting site – it means with 50 people slamming our site at the same time, everyone loads relatively quickly, the system isn’t stressed and our code isn’t causing any kind of bottlenecks, though we could likely shave a few fractional seconds off that response time with a CDN.

We’ll try one more time on an older box that’s been around – Espeon’s a pretty behemoth server, and it’s our newest, while Blastoid is a bit older. We’ll test my husband’s site, mrlepp.com, which lives over on Blastoid.

This is also a great way to demonstrate the difference caching can make on a WordPress blog, because while my nearly identical single-page WordPress site is running W3 Total Cache, my husband’s site is being generated from the PHP and database calls with no caching in use whatsoever so each visitor launches a number of requests and processes.

and as I suspected:

[Image: Load Impact stress test graph for mrlepp.com]

at 20 visitors it starts to go up a smidge, and at 40 to 50 you start to see a bit of a slow down of a full half a second and it’s creeping up at a fairly steady rate. Initially, the response is relatively the same as on the larger server and with caching, but as more people pile on, the site starts to work a little harder and slow down by almost a full second, though this is still somewhat of a good result as an extra second is not going to tend to be that noticeable. I’ve seen shared test results where sites slowed down to 20 seconds at 20 visitors, so there’s a yikes for you.

Generally, most shared sites don’t see 50 people at once, but it’s always good to get an idea of what your site could tolerate, and to make changes that are in your control (like caching) to help prepare for unexpected sudden popularity. This is also a great way to get a gauge of the server you’re on, and how much it can handle – if that line rockets up, there’s a problem somewhere (whether with the server, or the code) and it’s a good idea to address it before it takes you by surprise.


How Stuff Gets on Your WordPress Site

Thursday, July 15th, 2010

I have a personal blog that I don’t blog on much, but I randomly thought today I might decide to change that. I don’t have much time to devote to it so I wasn’t very interested in creating my own theme but I knew wanted something techy, dark, and simple, and I really liked this one:

[Image: screenshot of the WordPress theme]

So even though I didn’t get it from the WordPress site, I downloaded it out of curiosity. Things almost immediately started to look suspicious – all the PHP files were password protected, so I couldn’t extract the files from the zip file.

[Image: password prompt when extracting the theme’s zip file]

Well, that’s ok – I can just upload the zip file to WordPress. Maybe they just don’t want people messing with their design. It uploads fine, and it loads…wait, what’s that in the footer?

[Image: pharmacy link in the theme’s footer]

Oh my gosh – I don’t want to advertise an overseas pharmacy! People get arrested for that stuff in the U.S.! Crimeny! I’ll just take that link off…

[Image: the encrypted footer code]

Hmm. I guess not.

And of course, if you delete the entire encrypted footer code, the entire design breaks – and on top of that you really have no idea what code these folks have put on your site, or what else it may be capable of doing besides selling Viagra because it’s encrypted.

Just another reminder of precisely how you, sometimes, can thwart your own site’s security.

I really liked that theme, too. :)
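Both warning signs in this story (password-protected PHP files in the zip, and footer code you cannot read) can be checked before a theme is ever uploaded. The scanner below is an added example, not part of WordPress or of the theme described; the patterns are a small starting set, and the sample theme it builds in memory is constructed and harmless.

```python
import base64
import io
import re
import zipfile

PHP_EXT = (".php", ".phtml", ".inc")

# Signs that PHP source is hidden from the reader rather than merely minified.
OBFUSCATION = [
    ("eval of decoded data",
     re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
                re.I)),
    ("long base64-like string literal",
     re.compile(rb"[\"'][A-Za-z0-9+/=]{200,}[\"']")),
]


def scan_theme_zip(data):
    """Return (filename, finding) pairs for a theme zip given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Bit 0 of the zip general-purpose flags marks an encrypted entry:
            # source you are expected to run but are not allowed to read.
            if info.flag_bits & 0x1:
                findings.append((info.filename, "entry is password protected"))
                continue
            if not info.filename.lower().endswith(PHP_EXT):
                continue
            body = zf.read(info)
            for label, pattern in OBFUSCATION:
                if pattern.search(body):
                    findings.append((info.filename, label))
    return findings


def build_sample_theme():
    """Constructed sample: a three-file theme whose footer hides a harmless echo."""
    payload = base64.b64encode(b'echo "constructed sample footer"; ' * 8).decode()
    footer = '<?php eval(base64_decode("%s")); ?>' % payload
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("theme/style.css", "/* Theme Name: Sample */")
        zf.writestr("theme/index.php", "<?php get_header(); get_footer(); ?>")
        zf.writestr("theme/footer.php", footer)
    return buf.getvalue()


if __name__ == "__main__":
    for filename, finding in scan_theme_zip(build_sample_theme()):
        print("%s: %s" % (filename, finding))
```

Any finding is a reason not to install the theme; a clean result only means these particular patterns were not present.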


Where to find free images for your blog: MorgueFile

Friday, July 9th, 2010

And no, we don’t mean Google Image Search. Janice told ya’ll about that.

http://morguefile.com is a site on the web that has hundreds of free images available for you to use at absolutely no cost whatsoever.

Why is it called MorgueFile?

A morgue file is a place to keep post production materials for use of reference, an inactive job file. This morgue file contains free high resolution digital stock photography for either corporate or public use.

The term “morgue file” is popular in the newspaper business to describe the file that holds past issues flats. Although the term has been used by illustrators, comic book artist, designers and teachers as well. The purpose of this site is to provide free image reference material for use in all creative pursuits. This is the world wide web’s morguefile.

MorgueFile’s license is extremely open with regards to what you can do with the photos without payment or even attribution:

You are free:

  • Remix — to adapt the work.
  • Commercial — to use this work for commercial purposes.
  • Without Attribution — to use without attributing the original author.

Under the following conditions:

  • Stand alone basis: You can not sell, license, sublicense, rent, transfer or distribute this image exactly as it is without alteration.

  • Ownership: You may not claim ownership of this image in its original state.

  • Any of the above conditions can be waived if you get permission from the contributor.
  • Nothing in this license impairs or restricts the author’s moral rights.

Which helps with bloggers’ often limited space on a post for credit, as well as aiding frequent bloggers with finding accent images to go with a blog post at no cost whatsoever – something that’s often fairly hard to do. While some of the photos can be a bit amateurish, some are surprisingly well done for a “free site”.

So if you’re running out of time to create your own accent graphics or are just looking for new accent images on your blog, try out http://morguefile.com – it’s free, and there’s no requirement to sign up to download.


Web Hosting and Software Forums

Monday, July 5th, 2010


Hope everyone had an awesome July 4th! Back to the grindstone…

Forums.

Most people don’t realize when they install software in Fantastico that even though the operation of the software isn’t generally directly supported by us (or most hosting companies, if you’re not with us), you’re not completely out in the cold without any place to learn.

Most software developing companies, groups and individuals have forums that allow you to jump in and talk to others that are using the software, ask questions, and search for common problems and solutions.

There are also web hosting forums not tied to any particular company where you can compare notes on your host, look for a new one, or get an overview on hosting specific issues as well as software issues.

General Web Hosting Forums

Web Hosting Talk

Probably the grand-daddy of all web hosting forums, Web Hosting Talk has thousands of members, is always busy, and is the web hosting industry in full display (both good and bad). Skip a day of reading web hosting talk, click “new posts”, and you’ll find dozens of subjects you missed.

Web Hosting Talk tends to be brash and a little sassy – in addition to being a place where both hosting owners and web hosting buyers come together in one place to chat, it acts quite a bit like the hosting industry’s BBB as unhappy hosters come in to vent about their issues and those in the industry on both sides take sides as the discussion goes on.

Likewise, when hosters are pleased with their hosting company they often write an in depth review letting everyone know precisely why they are happy with their hosting and it may be the best place to get a true understanding of a hosting company. Due to the nature of Web Hosting Talk, these reviews are generally much more in depth than “Hey, Company A is awesome cool!” and give you a very good overview of the hosting company’s service.

In addition to the reviews and occasional flames, you can purchase inexpensive web designs, get advice on almost anything with regard to a website, get security opinions, and much more. Anyone who is a host, or hosts, should definitely give it a look over.

Hosting Discussion

Similar to Web Hosting Talk in its scope, Hosting Discussion is a less trafficked and a bit calmer hosting discussion forum, and seems to be focused a little more towards hosts than host-ees, but it’s still a worthwhile forum for anyone with a web site, especially resellers.

Software Specific Forums

Software Specific Forums are designed to provide people using a particular software a place to compare notes, get opinions, get help, or post fixes that may be of use to other people.  If you ever uttered:

“How do I do ____________ in ___________?”

you likely should have been searching that question in a software forum, but someone probably asked it before you and if they didn’t, you should post it because someone probably has the answer.

Some of the most popular software (and likewise the most popular forums) are listed below. (And they are in no particular order as I am just sticking them on here as they flit into my head).

http://wordpress.org/support/

http://www.simplemachines.org/community/index.php

http://www.vbulletin.com/forum/

http://forum.soholaunch.com/

http://forums.cpanel.net/

http://forum.joomla.org/

http://drupal.org/forum

http://forum.coppermine-gallery.net/

If we didn’t list yours, just put your software name and “forum” in a search engine, and you’ll most likely find one for the software you are using.


Preventing and Stopping Spam: Social Media Spam

Friday, July 2nd, 2010


This one’s a little trickier, and there have practically been dissertations written on what a “good social media citizen” is, what you should do, and what you shouldn’t do. For small businesses, this can be even more confusing.

Facebook

Facebook really boils down far more to privacy concerns than spam because Facebook tends to do really good on the emailed spam to message inboxes. “Spammy” things that you come into contact with usually have to do with advertisements and enticements that are attached to quizzes, games, and the like.

Your friends are usually the spammers on Facebook – Farmville, MafiaWars and all these games post a torrent of things to Facebook streams. While the posts are usually beneficial to other players of the same game, those uninterested in adopting the 17th lost cow of the day are usually ready to tie their friends up and throw them in their Farmville Hay Wagon.

While un-friending your friends may be tempting, you can clean up your News Feed in a few days by hiding applications (or people, if they’re really getting on your nerves). This post from the SocialPMChick.com Blog tells you how.

While this is about spam and not privacy, keep in mind not every link or every application on Facebook is “clean” – there are Facebook viruses, so be careful.

Youtube

Ah, YouTube…

The comments section in YouTube is a little slice of the world on display, and sometimes, that little slice of the world is downright scary. Whether it’s spam in the form of what we traditionally think as spam or the famous YouTube trolls, a YouTube comments area can be an interesting place and has become notorious.

YouTube Comments sections are pretty much like blog sections – what you can control is what people can do. You have a multitude of choices when you upload a video regarding whether to make it private or public, allow or disable comments, and for YouTube your choices are really just how much access to give the public and whether or not you want to moderate comments.

While everyone wants their 15 minutes of fame these days, think very carefully about the possible reactions your video can get, any other people in the video that may be unhappy with it being posted, and especially consider how any children in the video would react to negative commentary before blowing an embarrassing video wide open to the world.

Twitter

Twitter is an interesting social media tool with its own inherent spam issues that are somewhat unique to the service. Twitter is home to a number of different types of spammers. Spammers on Twitter is also a bit of a misnomer because Twitter is a service that is designed to blow open engagement – some may see what I outline as spam, some may see it as good marketing.

They tend to drive me nuts, personally, so I outlined ‘em. Feel free to argue with me.

  1. 24-7 Spam Account – these are accounts that may have hardly any followers and follow hardly anyone, but they exist to repeatedly spew a marketing message into the Twitterverse so that when people search, it’ll be picked up. They don’t engage, they don’t talk, they just spew. If they start following you, they’re pretty easy to avoid – just don’t follow them back.
  2. Ambulance Chasing Spammers – these accounts pop out of nowhere when you are complaining about their competitors and offer to solve all your problems. It may be a follow and a reply, or just a reply, but they hang out on Twitter looking to jump into potential sales and drop you/stop following the moment they can’t sell you something.
  3. Broadcasters – they talk to only a few people (if any at all), but they constantly follow new people using automated software not to meet new people, but to get more people to listen to them and pump those follower numbers so they look like a Big Deal(tm) and hopefully sell you stuff. These people almost always have a Page Rank of 2 on their site, but offer to tweet pearls of wisdom that will get you a PR 7 if you just follow them. These folks often tweet quotes from other people just to fill their stream.
  4. Follow Back DMs – Automated DMs drive me crazy – I have yet to get one that wasn’t selling me something and didn’t have a spammy feel.

For the most part on Twitter, you follow and unfollow and block as you go.

If you are trying to pump your follower count (hopefully not by being one of the above) and don’t want to drop even the spammy, ambulance chasing, broadcasting auto-DMers, we recommend you use a Twitter client that has the ability to hide Tweeters, like Yoono.

And if you have another social media spam example I overlooked (or haven’t been the victim of yet), chime in and let us know what makes you crazy on social media.


Preventing and Stopping Spam: Forums

Wednesday, June 30th, 2010

Three of the most popular forums are PHPBB, SMF, and VBulletin. VBulletin comes with a hefty fee, so generally people running hobby forums will be using SMF and PHPBB since they’re open source and come at no cost to use.

So, what we learned about dofollow and nofollow links back in the blog spam post begins to actually come into play here – SMF allows dofollow by default, as does PHPBB, as does VBulletin (at least as far as I could check when digging a bit), though all appear to have plugins and hacks that can make links in forums and signatures “nofollow”.

Obviously, since the most popular blogging software defaults to “nofollow” and the most popular forums appear to default to “do follow”, you would probably guess that the forums are going to be targeted heavily for spamming to get SEO juice and that they are going to see an enormous amount of spam.

Your guess would be correct.

What We Do

Again, going back to the blog spam post, we can filter some signatures that are prevalent.

But again pointing out the resource issue, we have to hit a balance because while we probably could filter out a lot more, it will cost both in resources, and in inconvenience for you all.

Wanna do a blog post on Viagra! Ha! Can’t, because you can’t post the word Viagra through your browser! Not only does it become a resource issue, it becomes a censorship issue, so we try and walk a very fine line.

What You Can Do

This again falls on you – how you configure your software, what plugins you use, how you manage your forum.

Running anything out of the box, even Fantastico software, is generally never the greatest idea, and you should always spend some time checking out your options. Since we’re dealing with forums in general and not specific software, we’ll give you a general idea of options usually available that you should look for and utilize.

  1. Don’t Rely on Captcha – Captcha, the generated image of random letters and numbers that has to be input, has long since been cracked. While you should still use it, don’t rely on it because it won’t stop everything by a long shot.
  2. Humans are still smarter than machines, most of the time – use human validation. Many forums and plugins for forums can set up a question that has to be answered using actual thought like “What doesn’t belong: a car, a boat, a bus, a leaf?” These types of human validation questions are still very difficult for automated spammers to crack, so you should use them whenever there is an option to do so.
  3. Email Validation – A lot of spammers do still use fake or throwaway addresses, so you should still make them validate before you let them post anything, even a profile.
  4. “No follow” links – personally, I’d do no follow links with a plugin or hack – if you get popular, and get a good page rank, someone will find you and list you on a list of “do follow” forums and you will be pummeled with spammers. Do a search for “do follow” forums on a search engine and you’ll see what I mean.
  5. Limit Post Edit Time – Those spammy spammers know all the tricks – you may let someone in, see a perfectly legitimate post, and come back a day or a week later to see that they edited it into the spam.
  6. Watch Your Member List – memberlist spamming is a technique where the spammers don’t even bother to spam a post, they simply sign up for a large number of profiles and put the spamvertised URL in their profile. Look especially at those user names with punctuation, numbers, or the letter a as the first character as they often sign up for these to rank higher on the member listing page. To help reduce memberlist spamming you can tell your forum to not display the memberlist at all to guests or only to guests with a certain number of posts.
  7. Block, block, block – block words, IP addresses, and members that behave badly. If someone puts a spammy post on your forum, don’t just delete it – delete it, then ban them, then ban the IP that signed up for the account.
  8. Get a good group of moderators – Nothing replaces a team of vigilant, eagle-eyed human beings. Spam is much like porn – you may not be able to define the difference between an ad and spam in the same way it may be hard to actually define the difference between Michelangelo’s David and some naked guy, but human beings know the difference when they see it.
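
To make items 3, 5 and 6 concrete, here is an added example (not part of any forum package, and not code from the original post) that triages a member list export and checks whether an edit slipped new links into an old post. The field names (`name`, `posts`, `website`, `email_validated`), the scoring weights and the sample rows are all assumptions made up for illustration; map them to whatever your forum software actually stores.

```python
import re

URL_RE = re.compile(r"https?://[^\s\"'<>\]]+", re.IGNORECASE)

# Constructed sample rows; the field names are hypothetical, not a real forum schema.
MEMBERS = [
    {"name": "!!cheap-meds", "posts": 0, "website": "http://pills.example", "email_validated": False},
    {"name": "aaa_seo_links", "posts": 0, "website": "http://seo.example", "email_validated": True},
    {"name": "marge", "posts": 42, "website": "http://marge.example", "email_validated": True},
    {"name": "7casino7", "posts": 0, "website": "", "email_validated": True},
    {"name": "alice", "posts": 0, "website": "", "email_validated": True},
]

def score_member(m):
    """Return (score, reasons) for one member row. Weights are illustrative."""
    score, reasons = 0, []
    if m["website"] and m["posts"] == 0:
        score += 2
        reasons.append("profile URL but no posts")
    # Punctuation, a digit or the letter 'a' first: sorts high on the member list.
    if re.match(r"[\W\d_aA]", m["name"]):
        score += 1
        reasons.append("name sorts to top of member list")
    if not m["email_validated"]:
        score += 1
        reasons.append("email never validated")
    return score, reasons

def review_queue(members, threshold=3):
    """Names a moderator should look at first, highest score first."""
    scored = [(score_member(m)[0], m["name"]) for m in members]
    return [name for s, name in sorted(scored, key=lambda t: -t[0]) if s >= threshold]

def links_added_by_edit(original, edited):
    """URLs present after an edit that were not in the post as first written."""
    return sorted(set(URL_RE.findall(edited)) - set(URL_RE.findall(original)))

if __name__ == "__main__":
    for name in review_queue(MEMBERS):
        print("review:", name)
    print(links_added_by_edit("Great thread, thanks for the tips!",
                              "Great thread! Buy here http://pills.example/buy now"))
```

A single signal is deliberately not enough to flag anyone (a real member named “alice” scores 1), and the output is a review queue for your moderators, not an automatic ban list.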

There are more suggestions, but this is a good group to get you started. Check your specific software’s site and their forums for plugins, tips and tricks, and hacks that can help you keep the spammers off your forum and your visitors happily chatting away.

    All brands, products, trademarks, and service names mentioned are property of their respective owners.
    Copyright ©1997-2010 DrakNet. All Rights Reserved. DrakNet® is a registered trademark of Jennifer Lepp