- How to Stop WordPress Comment Spam Permanently (for FREE)
- Table of Contents
- Background Info
- How WordPress Processes Comments
- How Bots Post Spam
- Why Bots Post Spam
- Why Most Solutions Fail
- Method 1: Restrict wp-comments-post.php unless a query string is appended
- How it Works
- Getting Started
- Restrict wp-comments-post.php with Cloudflare
- Important
- Step 1. Create a Cloudflare Firewall Rule
- 2. Configure Your Firewall Rule Expressions
- 3. Set the Action
- 4. Deploy Your Rule
- Restrict wp-comments-post.php on Nginx
- 1. Create a Custom Nginx Config
- 2. Add your Block Spam Configuration
- 3. Check and Reload Nginx
- Restrict wp-comments-post.php on OpenLiteSpeed
- Step 1. Edit your rewrites.conf
- Step 2. Add the rewrite rule
- Step 3. Rebuild your vhconf
- Method 2: Restrict wp-comments-post.php with a Cloudflare JS Challenge
- Important
- Step 1. Create a Cloudflare Firewall Rule
- 2. Configure Your Firewall Rule Expressions
- 3. Set the Action
- 4. Deploy Your Rule
- Method 3: Restrict wp-comments-post.php if referrer doesn’t equal your website’s URL using Cloudflare
How to Stop WordPress Comment Spam Permanently (for FREE)
GridPane comes with a handy security measure that can easily be activated for any sites where you don’t use WordPress comments. Chances are, this is the majority of your websites and you can easily block posting comments from being possible, automatically eliminating any potential spam.
However, for those sites that do use comments, the constant barrage of spam can be a continual nuisance. Sure, it’s easy to make sure that never get’s published on the frontend (this article assumes you know how to disable trackbacks, set moderation rules, etc inside the WordPress Dashboard > Settings > Discussion), but it’s still there and needs to be dealt with. Fortunately, there are a few easy ways to solve your comment spam problem once and for all – and they’re all 100% FREE. In this article, we’ll take a look at these options and how to implement them on your websites.
Table of Contents
You may also be interested in this article on dramatically reducing contact form spam:
How to Reduce Eric Jones Spam (and all the other Contact Form Spam)
Background Info
To create an effective strategy for dealing with comment spam, it’s important to know the basics of how the WordPress comment system works, and how spammers use bots to mass post spam comments on autopilot.
How WordPress Processes Comments
WordPress processes comments using the wp-comments-post.php file, and comments are submitted to this file using the POST method. WordPress then parses this POST data and hands it off to the wp_handle_comment_submission function.
How Bots Post Spam
Bots post spam in a completely automated way. This goes for all types of spam submissions – comments, contact forms, fake Woo orders, etc.
This doesn’t require a visit to a specific blog post, it can all be sent directly to the site using automated CURL/WGET commands. All this requires is a post ID, name, email address, and the spam to be sent.
Why Bots Post Spam
Almost all WordPress comment spam has one direct goal: Post a link to somewhere. That’s it.
Why Most Solutions Fail
Most solutions such as firewalls, honey pots, blacklists, data analysis, email validation, removing the URL field, etc, don’t prevent the root cause, i.e. they don’t deny ALL bot traffic access to the wp-comments-post.php file.
If a bot can’t access this file, it can’t post spam. This is what most solutions fail to address, and why they fail.
Method 1: Restrict wp-comments-post.php unless a query string is appended
This method was created by Gulshan Kumar, and can be implemented in 2 different ways. The first is using his free, lightweight Forget Spam Comment WordPress plugin which is a simple set-and-forget solution.
The other is a 2 part process that requires adding a little PHP and JS to your site and then using either a Cloudflare rule, Nginx config, or OLS config to deny access to the wp-comments-post.php file unless the set query string is appended.
I highly recommend you check out his blog post and YouTube video here:
Now Forget about Spam Comment in WordPress by Gulshan Kumar
How it Works
First, direct access to the wp-comments-post.php is denied unless it’s accessed via a query string.
Next, when a real visitor views a post/page that has comments enabled, a tiny JS script adds a query string to /wp-comments-post.php when the user first scrolls. Now with the query string appended, real users can post comments.
Almost all comment spam comes from automated bot traffic that is specifically looking for the wp-comments-post.php file. This method completely denies access to this file unless it’s accessed with a specific query string appended, which no bot can do.
Getting Started
Option 1: If you’re using Gulshan’s free plugin, none of the steps below are necessary. Simply install and activate it, and then clear your website’s cache and you’re all set.
Option 2: If implementing code directly and then blocking on Nginx or OpenLiteSpeed you will need to connect to your server.
Please see Gulshan’s blog post linked above for the PHP/JS code for WordPress. You have a few options (including one that’s specific to the GeneratePress theme), and you can add the PHP/JS directly to your theme functions.php , or add the JS directly to the appropriate page template/s.
If using this method, you can implement a block in one of the following 3 ways:
See the following guides on connecting to your server to get started with the Nginx and OpenLiteSpeed sections below:
Restrict wp-comments-post.php with Cloudflare
Cloudflare firewall rules are an easy way to block any requests that break the rule we create at the DNS layer, before it ever gets the chance to even reach your server.
Important
The Cloudflare proxy must be active on your website for the firewall rules you set to take place. Please ensure that you set orange clouds for your A and CNAME records.
Step 1. Create a Cloudflare Firewall Rule
Inside your Cloudflare account choose your website and then click through to the Security > WAF page. Here click the Create a Firewall Rule button.
2. Configure Your Firewall Rule Expressions
First, give your rule a name that’s easy to identify. Here is what the rule looks like (note that you can change “45jpfAY9RcNeFP” to something different): This states that if:
- the URI contains /wp-comments-post.php
- but the query string isn’t appended
- then perform ACTION (in this case Block)
3. Set the Action
Cloudflare can block all requests that break the rule outright.
4. Deploy Your Rule
When ready, click the Deploy button to set your new firewall rule live.
Also, ensure that you have orange clouds active on your A and CNAME records so that traffic to your site is passing through Cloudflare’s system.
Cloudflare will now block a ton of comment spam for you, and you can also include this in the block contact form rule in this article if you’ve already created it.
Restrict wp-comments-post.php on Nginx
On Nginx we can make use of the *-main-context.conf include.
1. Create a Custom Nginx Config
On Nginx you can create a server-wide config that will apply to all sites or a site-specific config.
To create a server-wide config, run the following command:
/etc/nginx/extra.d/blockspam-main-context.conf
To create a site-specific config, run this command (replace site.url with your site’s domain name):
nano /var/www/site.url/nginx/blockspam-main-context.conf
2. Add your Block Spam Configuration
Paste the following, and edit as necessary to target the correct URI for your website:
# You may change 45jpfAY9RcNeFP to something else
location = /wp-comments-post\.php if ($query_string !~ "45jpfAY9RcNeFP") return 404;
>
>
Save the file with CTRL+O followed by Enter, and then CTRL+X to exit nano.
- the URI matches /wp-comments-post.php
- but does not include this specific query string
- then return a 404 response.
3. Check and Reload Nginx
Check the Nginx configuration file with:
If no errors are returned, reload Nginx with:
Nginx will now comment form spam, and you can also use this alongside the block contact form rule in this article if you’ve already created it.
Restrict wp-comments-post.php on OpenLiteSpeed
When adding your rewrites, we recommend that you use the rewrites.conf instead of your .htaccess file.
Step 1. Edit your rewrites.conf
To edit the config file, use the following command (switching out site.url with your site URL):
nano /var/www/site.url/ols/rewrites.conf
Step 2. Add the rewrite rule
Add your rewrite as follows:
# If Query string doesn't matches return 404
RewriteCond % .wp-comments-post\.php
# You may change 45jpfAY9RcNeFP to something else
RewriteCond % !^45jpfAY9RcNeFP
RewriteRule (.*) - [R=404,L]
Next, save the file with CTRL+O and then Enter, and exit nano with CTRL+X.
Step 3. Rebuild your vhconf
As the rewrites.conf file has been modified, a specific OpenLiteSpeed command has to be executed in order for the changes to take effect (replace “site.url” with your domain name):
gpols site site.url
Method 2: Restrict wp-comments-post.php with a Cloudflare JS Challenge
Denying bot traffic access to the wp-comments-post.php file can be done at the DNS level with a Cloudflare JS challenge.
Unlike contact form spam, which can be a little more complex to deal with, blocking this traffic for comments is a simple matter. Automated spam submissions can’t process JS and thus fail Cloudflare’s JS challenge, which then blocks this traffic at the DNS layer before the request can even reach your server.
This is the easiest option to implement and Cloudflare’s free firewall rules offer a quick and simple way to accomplish this.
Important
The Cloudflare proxy must be active on your website for the firewall rules you set to take place. Please ensure that you set orange clouds for your A and CNAME records.
Step 1. Create a Cloudflare Firewall Rule
Inside your Cloudflare account choose your website and then click through to the Security > WAF page. Here click the Create a Firewall Rule button.
2. Configure Your Firewall Rule Expressions
First, give your rule a name that’s easy to identify.
Here is what my rule looks like:
3. Set the Action
Cloudflare offers two methods that could be utilized here. One is their “Managed Challenge” and the other is their JS challenge. As the JS challenge only takes place after a visitor has browsed the page and submitted their comment, the very brief Cloudflare challenge page that pops up doesn’t interfere with the users actions beforehand.
4. Deploy Your Rule
When ready, click the Deploy button to set your new firewall rule live.
Also, ensure that you have orange clouds active on your A and CNAME records so that traffic to your site is passing through Cloudflare’s system.
Cloudflare will now block a ton of comment spam for you, and you can also include this in the block contact form rule in this article if you’ve already created it.
Method 3: Restrict wp-comments-post.php if referrer doesn’t equal your website’s URL using Cloudflare
The following can be used as an alternative to the above two rules. It blocks submissions that aren’t made directly from your website.