Hi,
On WordPress-based websites comment spam is everywhere.
If you are hosting WordPress on an Apache web server, there is a simple but effective way to refuse automatically generated comment spam from bots:
Redirect every HTTP POST request to the WordPress comment handler (wp-comments-post.php) that either carries no Referer pointing at your own site or has an empty User-Agent string away from your site. For example to the bot's own localhost 🙂 Both headers are supplied by the client, so a bot that fakes them gets through; the rule only stops the ones that do not bother.
The only requirements are the Apache module mod_rewrite and a .htaccess file in the root folder of your blog (the server configuration must allow .htaccess overrides for that directory, i.e. AllowOverride has to include FileInfo).
If it does not exist yet, create a .htaccess file in the root directory of your blog, otherwise add the following directives to the existing file. Replace “www.yourdomain.com” with the address of your website (if your blog also answers without the “www.”, allow that host name in the Referer condition as well).
<IfModule mod_rewrite.c>
RewriteEngine On
# Only POST requests to the comment handler ...
RewriteCond %{REQUEST_METHOD} ^POST$
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
# ... that either send an empty User-Agent ...
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
# ... or whose Referer is not a page of this site (an empty Referer fails this test too)
RewriteCond %{HTTP_REFERER} !^https?://www\.yourdomain\.com/ [NC]
# are redirected to the bot's own machine
RewriteRule ^.*$ http://localhost [R=301,L]
</IfModule>
Check it: send an HTTP POST request to wp-comments-post.php. I use wget, a command line web client that is available for UNIX (Linux, Solaris, BSD) and Windows. wget sends its own User-Agent but no Referer, so it is the Referer condition that fires. The 301 to http://localhost followed by “Connection refused” is the expected result, since the redirect lands on the client's own machine.
michl@dev:~# wget --post-data=TEST http://www.yourdomain.com/wp-comments-post.php
--2013-09-10 21:55:52-- http://www.yourdomain.com/wp-comments-post.php
Resolving www.yourdomain.com... 192.168.187.21
Connecting to www.yourdomain.com|192.168.187.21|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://localhost [following]
--2013-09-10 21:55:52-- http://localhost/
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... failed: Connection refused.
09/12/2013 Update
It seems the current bots use a web-crawler-like script for their spam wave, meaning they do not call wp-comments-post.php directly. Like a valid user session, they open a post and then fill out the comment form, hence there is a valid Referer and a valid User-Agent string and the rewrite rule above no longer catches them. Analysing the spam comments shows that there is always an HTML <a> tag inside the comment, and this can be filtered out :-)
Modify wp-comments-post.php and insert the lines marked “Not logged on, check for links” after the parameter check (search for $comment_content, see below). This rejects every attempt to put a link in a comment if the user is not logged in. Keep in mind that wp-comments-post.php is a core file, so the change is lost on the next WordPress update and has to be re-applied.
# Line 103 in WordPress 3.9
			kses_init_filters(); // set up the filters
		}
	}
} else {
	// Not logged on, check for links: <a ...> tags and http:// or https:// URLs
	// ($comment_content was filled from $_POST['comment'] by the parameter check above)
	if ( preg_match( '/<\s*a\b|https?:\/\//i', (string) $comment_content ) ) {
		wp_die( __( '<strong>ERROR</strong> No links allowed in comment.' ), 403 );
	}
	if ( get_option('comment_registration') || 'private' == $status )
Additionally, I also hide the URL field of the comment form by using the “Guest Comments” plugin and add a check to wp-comments-post.php (in the same not-logged-on block) that rejects the request if the URL is not really empty:
	// The URL field is no longer in the form, so a filled-in url can only come from a bot
	if ( isset( $_POST['url'] ) && '' !== trim( $_POST['url'] ) ) {
		wp_die( __( '<strong>ERROR</strong> No URL allowed.' ), 403 );
	}
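The same two checks can be done without touching a core file. The following is an added example, not the code from this post: a small must-use plugin that hooks the preprocess_comment filter (which wp_new_comment() runs on every submitted comment before it is saved) and removes the URL field from the comment form, so nothing is lost when WordPress updates. The plugin name, the ngl_ prefix and the link regex are my own choices.

```php
<?php
/*
Plugin Name: No Guest Links (added example)
Description: Rejects guest comments that contain a link or a filled-in URL field.
*/

// What counts as a link: <a ...> tags, http:// or https:// URLs and bare www. host names.
// (Assumed pattern; extend it if your spam looks different.)
define( 'NGL_LINK_REGEX', '/<\s*a\b|https?:\/\/|\bwww\./i' );

// Returns true when the text contains something that looks like a link.
function ngl_contains_link( $text ) {
	return 1 === preg_match( NGL_LINK_REGEX, (string) $text );
}

// Runs on every submitted comment before it is saved.
// Logged-in users are left alone, as in the wp-comments-post.php patch above.
function ngl_reject_guest_links( $commentdata ) {
	if ( is_user_logged_in() ) {
		return $commentdata;
	}
	if ( ngl_contains_link( $commentdata['comment_content'] ) ) {
		wp_die( __( '<strong>ERROR</strong> No links allowed in comment.' ), 403 );
	}
	// The URL field is removed from the form below, so a filled-in URL can only come from a bot.
	if ( ! empty( $commentdata['comment_author_url'] ) ) {
		wp_die( __( '<strong>ERROR</strong> No URL allowed.' ), 403 );
	}
	return $commentdata;
}
add_filter( 'preprocess_comment', 'ngl_reject_guest_links' );

// Remove the URL field from the comment form for everybody (replaces the "Guest Comments" plugin step).
function ngl_remove_url_field( $fields ) {
	unset( $fields['url'] );
	return $fields;
}
add_filter( 'comment_form_default_fields', 'ngl_remove_url_field' );
```

Save the file as wp-content/mu-plugins/no-guest-links.php; plugins in that directory are loaded automatically, need no activation and are not touched by core updates. Themes that render their own comment form instead of calling comment_form() may still show a URL field, but the server-side check rejects any value sent in it regardless.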
Enjoy
Michael