I'm a big fan of WordPress. I know a lot of people disagree but it works very well for me. It allows me to maintain a nicely laid out blog without spending a lot of time with administration. I do almost everything from Emacs and seldom have to go to the administration panel of the blog. Except to deal with spam.
After I reluctantly installed nucaptcha, comment spam ceased to be a problem until the spammers started injecting their links via trackbacks. Once again, I reluctantly reduced the user experience by turning off trackbacks but I noticed that I was still getting occasional trackback spam. Lately, the number of trackback spams have increased so I spent a little time tracking down the problem.
It turns out that when you turn off trackbacks it affects only future posts but leaves it enabled for existing posts. The spammers, of course, don't care because the point is to get the links into the posts for Google to see not for anyone to read. Thus they were simply adding trackbacks to my older posts.
There are a couple of problems here. First, to my way of thinking, the principle of least surprise dictates that when you turn off trackbacks, WordPress should, you know, turn off trackbacks. There's no indication that only new posts will be affected, just a check box to enable or disable them. I understand why it works the way it does (WordPress can simply set each post to allow or disallow trackbacks as they're posted) but it isn't really that more difficult to spin through the database and turn it off for all posts.
Instead, it has to be done by hand1. First of all, it isn't easy to figure out how to do that because the option is hidden by default (I know, I know, RTFM but again I use WordPress so I don't have to spend a lot of time reading manuals or doing administrative things). Then for each old post you have to disable trackbacks and then update the post. No big thing for a single post but a significant amount of work for 300 posts.
I'm working my way through the old posts so in a few days the blog should be spam-free again—at least until the spammers introduce their next trick. I just wish it were easier.
1 Yes, I know about plugins to do this sort of thing but every plugin is another potential security vulnerability and it's more administrative effort ongoing.