WordPress: prevent comment spam on wordpress


On WordPress-based websites, comment spam is all around.

If you are hosting WordPress on an Apache web server, there is a simple but effective way to refuse automatically created comment spam from bots:
Redirect all HTTP POST requests directed at the WordPress comment form (wp-comments-post.php) that do not carry a Referer from your site, or that have an empty User-Agent string, away from your site. For example to the bot's own localhost 🙂

The only requirements are the Apache module mod_rewrite and a .htaccess file in the root folder of your blog.

If it does not exist yet, create a .htaccess file in the root directory of your blog, or add the following directives to an already existing .htaccess file. Replace "www.yourdomain.com" with the address of your website.

<IfModule mod_rewrite.c>
RewriteEngine On
# Only act on POST requests to the comment handler ...
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
# ... that send no User-Agent at all, or whose Referer is not one of our own pages
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_REFERER} !www\.yourdomain\.com
# Send the bot to its own localhost
RewriteRule ^.*$ http://localhost [R=301,L]
</IfModule>

Check it: open wp-comments-post.php with an HTTP POST request. I use wget, a command-line web client that is available for UNIX (Linux, Solaris, BSD) and Windows.
michl@dev:~# wget --post-data=TEST http://www.yourdomain.com/wp-comments-post.php
--2013-09-10 21:55:52-- http://www.yourdomain.com/wp-comments-post.php

Resolving www.yourdomain.com...
Connecting to www.yourdomain.com||:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://localhost [following]

--2013-09-10 21:55:52-- http://localhost/
Resolving localhost...
Connecting to localhost||:80... failed: Connection refused.

09/12/2013 Update

It seems the current bots use a web-crawler-like script for their spam wave, meaning they do not call the wp-comments-post.php script directly. Like a valid user session, they open a post and then fill out the comment form, hence there is a valid Referer and a valid User-Agent string. OK. Analysis of the spam comments shows that there is always an HTML <a> tag inside the comment, and this can be filtered out :-)

Modify wp-comments-post.php and insert the lines marked as inserted below after the parameter check (search for $comment_content, see below). This rejects all attempts to insert a link in a comment if the user is not logged in.

# Line 103 in WordPress 3.9
			kses_init_filters(); // set up the filters
		}
	}
} else {
	// Not logged on, check for links -- inserted lines start here
	if ( preg_match( '/<\s*a\s*href\s*=|http\:\/\//i', $_POST['comment'] ) ) {
		wp_die( __('<strong>ERROR</strong> No links allowed in comment.') );
	}
	// -- inserted lines end here; the existing registration check follows

	if ( get_option('comment_registration') || 'private' == $status )

Additionally, I also hide the URL field in comments by using the "Guest Comments" plugin and add a check to wp-comments-post.php that the URL is really empty. A human reader cannot fill in a field that is not rendered, so a non-empty URL can only come from a bot posting the form fields blindly.

	// Not logged on: the URL field is hidden by the Guest Comments plugin,
	// so anything in it was posted by a bot (same else branch as the link check)
	if ( ! empty( $_POST['url'] ) ) {
		wp_die( __('<strong>ERROR</strong> No URL allowed.') );
	}
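To see both layers together, here is an added Python model of the decision logic (my example, not the page's Apache or WordPress code) run over constructed sample requests. SITE_HOST reuses the www.yourdomain.com placeholder from the .htaccess above, and the Referer is compared by host rather than by substring, which goes slightly beyond the RewriteCond shown.

```python
import re
from urllib.parse import urlparse

SITE_HOST = "www.yourdomain.com"  # placeholder from the .htaccess above; use your own host
# Same pattern as the preg_match() added to wp-comments-post.php
LINK_RE = re.compile(r'<\s*a\s*href\s*=|http://', re.IGNORECASE)

def rewrite_rule_rejects(method, path, user_agent, referer):
    """Mirror the .htaccess rule: a POST to wp-comments-post.php with an empty
    User-Agent or a Referer not from our own site gets redirected to localhost."""
    if method != "POST" or not path.endswith("/wp-comments-post.php"):
        return False
    if not user_agent:
        return True
    # Compare the Referer host exactly instead of the RewriteCond's substring
    # match, so a foreign URL that merely contains our host name does not pass.
    return urlparse(referer or "").hostname != SITE_HOST

def comment_check_rejects(comment, url_field, logged_in):
    """Mirror the two wp-comments-post.php additions for anonymous commenters:
    no links in the comment body, and the hidden URL field must stay empty."""
    if logged_in:
        return None
    if LINK_RE.search(comment):
        return "No links allowed in comment."
    if url_field.strip():
        return "No URL allowed."
    return None

def classify(req):
    """Outcome for one request dict: 'redirected', 'rejected: <reason>' or 'accepted'."""
    if rewrite_rule_rejects(req["method"], req["path"], req.get("user_agent", ""), req.get("referer")):
        return "redirected"
    reason = comment_check_rejects(req.get("comment", ""), req.get("url", ""), req.get("logged_in", False))
    return "rejected: " + reason if reason else "accepted"

def classify_all(requests):
    return [classify(r) for r in requests]

# Constructed sample requests, one per case described in the post
OK = {"method": "POST", "path": "/wp-comments-post.php", "user_agent": "Mozilla/5.0",
      "referer": "http://www.yourdomain.com/2013/09/some-post/"}
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/wp-comments-post.php", "user_agent": "", "comment": "TEST"},  # first wave: no UA
    {**OK, "comment": 'Nice <a href="http://spam.example">site</a>', "url": ""},  # crawler-like bot
    {**OK, "comment": "Great post", "url": "http://spam.example"},  # bot filling the hidden URL field
    {**OK, "comment": "Thanks, this fixed it for me.", "url": ""},  # human reader
    {**OK, "comment": "See http://www.yourdomain.com/other-post/", "logged_in": True},  # logged-in author
]
```

classify_all(SAMPLE_REQUESTS) returns one outcome string per request, in the order above.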