Eliminate WordPress Comment Spam Without A Plugin!

Before I worked out why my site was so slow, I contacted a couple of WordPress experts to try to find out what was causing the problem.

Once I told Viper007Bond what was causing the problem, he gave me what is probably the simplest and best way to stop comment spam before it even hits your chosen spam filter (I’m using SK2, rather than Akismet at the moment as it gives me more control).

Viper007Bond’s tip was to change the name of the comment submission page:

You can actually rename wp-comments-post.php or whatever it’s called to something else and then edit your theme’s comments.php to point at the new file. I don’t believe it’ll cause any problems and it’ll result in bots that are hard coded to POST being blocked.

I decided to give it a go and it worked perfectly: my 350 spam messages a minute have gone down to nearly 0 per hour!

Here’s what I did:

  1. I made a copy of my wp-comments-post.php file, which is in the root of all WordPress installations
  2. I renamed this file wp-nospamcomments-post.php and uploaded it to the WordPress root directory
  3. I then removed all the content from wp-comments-post.php and left a message for spammers
  4. I then opened comments.php in my theme folder (wp-content/THEME FOLDER) and changed the following line:

<form id="commentform" method="post" action="/wp-comments-post.php">

to:

<form id="commentform" method="post" action="/wp-nospamcomments-post.php">

Now the robots, which are responsible for about 95% of spam and are set up to post their messages automatically to ‘wp-comments-post.php’, are failing!

This has allowed me to dispense with using Bad Behaviour, which is good news, as I’m not a big fan of spam solutions that don’t allow mistakes to be rectified in real-time. Bad Behaviour may have been blocking a lot of spam, but it was also blocking genuine commentators (I’d already had two people contact me with problems). My spam solution now consists of:

  • Firewall rules on my server: blocks IP addresses of known spammers
  • Math Protection Spam Plugin: checks whether commentators are human (and whether they can add up!)
  • Changed name of the comment submission script: stops robots coded to use wp-comments-post.php
  • SK2: great spam protection plugin
  • Me: last line of defence, correcting any errors

I recommend that all WordPress users give this method a go. If you do, don’t forget to come back and let me know how you get on. Also, please choose a random name for your new post file: if everyone uses the same name, all the spammers have to do is point their robots at it.

Update: I want to do the same for wp-trackback.php to change the link for my trackbacks but I can’t find all references to wp-trackback.php. So far I’ve found the following, but I must still be missing one:

  1. One reference to wp-trackback.php in comment-functions.php
  2. Two references in wp-includes/template-loader.php
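As an added example (not code from the original post), the whole procedure above, plus the reference search the Update asks for, in one shell script: it copies the real handler to a random name, as the post recommends, rewrites any `/wp-comments-post.php` path in the theme’s comments.php, replaces the old file with a decoy that logs whoever still posts there and answers 410 Gone, and then lists every remaining mention of a script name under the WordPress root. The install paths, the decoy’s log location (one directory above the WordPress root) and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Paths and names are assumptions.
set -eu

# A random handler name such as wp-3f9ac1d2-post.php, so every site ends up different.
random_handler_name() {
    suffix=$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')
    echo "wp-${suffix}-post.php"
}

# Every line in any .php file below $1 that mentions $2, as path:line:content.
# This is the check from the Update: run it with wp-trackback.php or
# wp-comments-post.php and nothing should be left over once you are done.
find_references() {
    find "$1" -name '*.php' -exec grep -nF -- "$2" /dev/null {} + || true
}

# Decoy written to the old address. Requests that still arrive here are almost
# all bots, so record them (useful for firewall rules) and refuse the post.
install_decoy() {
    cat > "$1" <<'EOF'
<?php
// Decoy at the old comment address: the real handler has been renamed.
$ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-';
$ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '-';
$ua = str_replace(array("\r", "\n"), ' ', $ua);           // one log line per request
$log = dirname(__FILE__) . '/../old-comment-endpoint.log';  // assumed: above the web root
@file_put_contents($log, gmdate('c') . " $ip $ua\n", FILE_APPEND | LOCK_EX);
header('HTTP/1.1 410 Gone');
header('Content-Type: text/plain');
echo "This address no longer accepts comments.\n";
EOF
}

# Steps 1-4 of the post: copy the handler to its new name, point the theme's
# form at it, and leave the decoy behind at wp-comments-post.php.
rename_comment_handler() {
    root=$1; theme=$2; new=$3
    cp "$root/wp-comments-post.php" "$root/$new"
    # Matches both action="/wp-comments-post.php" and the siteurl . '/wp-comments-post.php' form.
    sed -i.bak "s#/wp-comments-post\.php#/$new#g" "$theme/comments.php"
    rm -f "$theme/comments.php.bak"
    install_decoy "$root/wp-comments-post.php"
}

# Usage (assumed paths): sh rename-handler.sh /var/www/wordpress /var/www/wordpress/wp-content/themes/mytheme
if [ "${1:-}" ] && [ "${2:-}" ]; then
    NEW=$(random_handler_name)
    rename_comment_handler "$1" "$2" "$NEW"
    echo "Comment handler is now $NEW"
    echo "Remaining references to the old script names:"
    find_references "$1" wp-comments-post.php
    find_references "$1" wp-trackback.php
fi
```

Run it again whenever the spammers catch up; each run picks a fresh name. The decoy’s log is the interesting by-product: every line in it is a client that posted to the old address without reading the page, which is exactly the traffic the firewall rules in the list above are meant to catch.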


18 Responses to Eliminate WordPress Comment Spam Without A Plugin!

  1. Matt January 1, 2007 at 1:06 am #

    People thought of this years ago, it only works for a little while.

  2. Thilak January 1, 2007 at 5:02 am #

    That’s a great tip, I never really tried it, but I’ll give it a shot later today

  3. Thilak January 1, 2007 at 5:04 am #

    Hurray!! Finally I can post my comments here. When I tried to leave my comments last night I got a mysterious error message from Bad Behavior (I guess)

  4. Everton January 1, 2007 at 11:11 am #

    Yeah I had a few people complain.

    Matt – as soon as the spammers catch on, then I’ll just re-name the file again. Will take me one minute to do, even if I have to do it once per week it’s better than having to clean spams out every couple of hours

  5. Angsuman Chakraborty January 1, 2007 at 3:37 pm #

    That may work initially but spammers very soon catch up. I had my files renamed a long time back. Most of my spam is from robots that read the original page to find out the name of the comment file.

  6. billg January 3, 2007 at 8:01 pm #

    Whatever name you give it, that name will be in your files. Spammers will scan the code, find it, and have at it.

  7. Everton January 3, 2007 at 8:06 pm #

    I’ll just change it again when they catch on – takes 2 mins.

  8. Andy January 16, 2007 at 1:21 pm #

    You star! This is amazing – simple, effective, absolutely brilliant! x

  9. Everton January 16, 2007 at 2:20 pm #

    #Andy – have you tried it yet?

    After a couple of weeks some spammers might catch on – just change the name again. I’ve changed mine once so far.

  10. its February 16, 2007 at 9:12 am #

    testing

  11. agnesw.com March 18, 2007 at 7:38 am #

    This sounds great. I will try it.

  12. Simon April 4, 2007 at 11:13 pm #

    Here’s WP 2.1's instances of wp-trackback.php:

    Searching for: wp-trackback.php
    wp-includes\comment-template.php(226): $tb_url = get_option('siteurl') . '/wp-trackback.php?p=' . $id;
    wp-includes\template-loader.php(11): include(ABSPATH . '/wp-trackback.php');
    wp-includes\template-loader.php(68): include(ABSPATH . '/wp-trackback.php');

  13. John Black August 1, 2007 at 12:07 am #

    LoL It’s a nice trick. But renaming to sadas87.php will be better I think :)

  15. Joe Dill August 5, 2007 at 3:14 am #

    I got it, where can I see a working plugin?

    Joe

  17. ardamis September 17, 2007 at 5:04 am #

    Terrific article, Everton. But you don’t need to rename the form processing script periodically if you’re willing to rely on JavaScript to do it.

    I’ve written an explanation of how to hide the URL of the script in an external JavaScript file, and then write the URL only when a human visitor wants to submit a comment. The bots never see the URL.

    Defeating WordPress comment spam

    Thanks, and good luck.
