Eliminate Wordpress Comment Spam Without A Plugin!

Everton | Jan 01, 2007 | Comments


Prior to identifying that the reason why my site was so slow, I contacted a couple of Wordpress experts to try and find out what was causing the problem.

Once I told Viper007Bond what was causing the problem, he gave me what is probably the simplest and best way to stop comment spam before it even hits your chosen spam filter (I’m using SK2, rather than Akismet at the moment as it gives me more control).

Viper007Bond’s tip was to change the name of the comment submission page:

You can actually rename wp-comments-post.php or whatever it’s called to something else and then edit your theme’s comments.php to point at the new file. I don’t believe it’ll cause any problems and it’ll result in bots that are hard coded to POST being blocked

I decided to give it a go and it worked perfectly and my 350 spam messages a minute has gone down to nearly 0 per hour!

Here’s what I did:

  1. I made a copy of my wp-comments-post.php file, which is in the the root of all Wordpress installations
  2. I renamed this file wp-nospamcomments-post.php and uploaded it to the Wordpress root directory
  3. I then removed all the content from wp-comments-post.php and left a message for spammers
  4. I then opened comments.php in my theme folder (wp-content/THEME FOLDER) and changed the following line:

< form id=”commentform” method=”post” action=”/wp-comments-post.php”>

to:

< form id=”commentform” method=”post” action=”/wp-nospamcomments-post.php”>

Now, robots, which are responsible to about 95% of spam, that are setup to automatically post spam messages to ‘wp-comments-post.php’ are failing!

This has allowed me to dispense with using Bad Behaviour, which is good news, as I’m not a big fan of spam solutions that don’t allow mistakes to be rectified in real-time. Bad Behaviour may have been blocking a lot of spam, but it was also blocking genuine commentators (I’d already had two people contact me with problems). My spam solution now consists of:

  • Firewall rules on my server: – Blocks IP addresses of known spammers
  • Math Protection Spam Plugin: – Checks to see if commentators are human (and whether they can add up!)
  • Changed The name of Comment Submission Form: – Stops robots coded to use wp-comments-post.php
  • SK2: – Great spam protection plugin
  • Me: – Last line of defence correcting any errors

I recommend that all Wordpress users give this method a go. If you do, don’t forget to come back and let me know how you get on. Also, please choose a random name for your new post file, otherwise if everyone uses the same name, then all the spammers will have to do is point their robots at the new name.

Update: I want to do the same for wp-trackback.php to change the link for my trackbacks but I can’t find all references to wp-trackback.php. So far I’ve found the following, but I must still be missing one:

  1. One reference to wp-trackback.php in comment-functions.php
  2. Two references in wp-include/template-loader.php

Read Related Posts

  1. Guide To Reducing WordPress Trackback Spam And Comment Spam Guide To Reducing WordPress Trackback Spam And Comment Spam
  2. WordPress 2.2 - Problems With Comment Preview? WordPress 2.2 – Problems With Comment Preview?
  3. Testing New Beta Comment Guard Plugin - Please Help Testing New Beta Comment Guard Plugin – Please Help
  4. Reduce Trackback Spam Reduce Trackback Spam
  5. Is Akismet The Best Tool To Block WordPress Comment Spam? Is Akismet The Best Tool To Block WordPress Comment Spam?



««
»»

Latest Posts

Filed Under: Tools & Tips

Tags:

About the Author: Everton is based in London and has worked in the internet and mobile space for over ten years now, and before that worked in corporate strategy and consulting. He has a degree in Economics from Cambridge University.He also writes for Windows 7 News, Windows 8 News and One Tip A Day.

  • Terrific article, Everton. But you don't need to rename the form processing script periodically if you're willing to rely on JavaScript to do it.

    I've written an explanation of how to hide the URL of the script in an external JavaScript file, and then write the URL only when a human visitor wants to submit a comment. The bots never see the URL.

    Defeating WordPress comment spam

    Thanks, and good luck.
  • Joe Dill
    I got it, where can I se a working plugin?

    Joe
  • LoL It's a nice trick.But renaming to sadas87.php will be better i think :)
  • Here's WP 2.1's instances of wp-trackback.php:

    Searching for: wp-trackback.php
    wp-includes\comment-template.php(226): $tb_url = get_option('siteurl') . '/wp-trackback.php?p=' . $id;
    wp-includes\template-loader.php(11): include(ABSPATH . '/wp-trackback.php');
    wp-includes\template-loader.php(68): include(ABSPATH . '/wp-trackback.php');
  • This sounds great. I will try it.
  • its
    tesing
  • #Andy - have you tried it yet?

    After a couple of weeks some spammers might catch on - just change the name again. I've changed mine once so far.
  • You star! This is amazing - simple, effective, absolutely brilliant! x
  • I'll just change it again when they catch on - takes 2 mins.
  • billg
    Whatever name you give it, that name will be in your files. Spammers will scan the code, find it, and have at it.
blog comments powered by Disqus