How to Stop WordPress Comment Spam in Its Tracks


I’m about to say one of the very few things I have ever posted here which probably every one of my (legitimate human) readers will be able to agree with:

Spam sucks!

And to be quite honest, I’m getting sick of it. I think a lot of people simply get sick of dealing with the spam, but it’s getting to the point that having to look at comment spam here and on the other blogs I maintain is sickening.

I log in to my spam filter knowing that there’s going to be at least some comments that need purging, but I do so hoping that they are of the variety, “Great blog post. Check my link. Happy Thursday,” and so on. At least those I can scan over and not feel as though my eyes need bleaching. Rarely are those the only bits of garbage in the can. It’s the large chunks of fetid, festering filth that have motivated me to think about better spam protection here on the blog.

And I wanted to do this with as little fuss as possible:

  • Plugins which simply send spam to the moderation queue are pointless here — I don’t want to have to deal with it at all; a moderation queue requires, well, some moderation in order to prevent spam (read: legitimate comments) from being blocked.
  • WordPress offers built in moderation and blacklist lists within which common spam words can be added. Comments which match something in the moderation list will be held for moderation, while comments which match anything in the blacklist will be deleted on the spot. I like this idea, but maintaining such a list has got to be a pain in the butt, and I can imagine all sorts of discussions — such as comments concerning anti-spam solutions — which may make use of any number of spam words. I don’t want to hurt legitimate users!

So what to do?

I’ve heard it mentioned many times before, and it suddenly started sounding like a good idea: simply rename the /wp-comments-post.php file to something else, and spam bots will no longer be able to post.

So that’s what I did. There was only one line of code which I had to change as well. In the /comments.php of my theme, I had to adjust the address for the commenting form. The bit of code that needed changed looked like this:


So I edited that to match the new filename I had chosen, saved it, and uploaded. After a test comment to make sure everything was kosher, I breathed a sigh of relief, thinking everything would be smooth sailing — though I’d still receive trackback spam, I’m sure, but that’s another subject for another time.

Still the spam comes in. Evidently, spam bots are being more intelligently written; I checked my host’s access logs and noticed that the spammers are loading posts first and submitting the spam in a very legitimate looking way. That sucks.

Perhaps my change will slow the influx of spam. I can hope, right?

I’m curious if anyone else has any ingenious little antispam tweaks in place on their sites? It doesn’t have to be specific to WordPress; I don’t have access to my Apache httpd.conf, but I certainly can tweak around in .htaccess.

8 thoughts on “How to Stop WordPress Comment Spam in Its Tracks”

  1. I’ve been using Spam Karma 2 for about a year and haven’t had any problems with spam. Every now and then, I’ll have a comment that needs moderation, but that’s rare. It hasn’t had any false positives that I’m aware of either.

    My concern is that the database and server are still getting hit by the spam bots. The spam comments aren’t appearing on my blog, but they’re still taking up space in the database and when the spam bots decide to all hit the site at once, they slow it down.

    I tried that hack of renaming wp-comments-post.php a while back and had similar results – it temporarily slowed down the bots, but ultimately they got around it. That was a while back, though, when they weren’t as intelligent.

    It you find any anti-spam measures that stop spam from getting to the database, I’d definitely be interested in trying it out.

  2. Chris — I used to be a huge fan of Raven’s Antispam, and it worked fantastically.

    The unfortunate part of it was that for some reason, spam comments still make it into the database — when Raven’s Antispam detects spam, it makes three additional database queries — deleting the spam post, recounting the number of legitimate comments on the spammed blog entry, and resetting the number of comments on that entry to the proper number.

    Seems all a bit much, and I would imagine there’s a way to catch the post before it gets saved to the database.

    I ported Raven’s Antispam to phpBB 2 and had great success with it without ever having to touch its database.

    Revisiting Raven’s Antispam might be something into which I need to look.*

    * Yeah, that reads funny; I’ve been randomly experimenting with rearranging sentences so that prepositions aren’t at the end. As Winston Churchill supposedly said, “Ending sentences with prepositions is something up with I will not put!”

  3. Chris — I’ve poked around Raven’s Antispam as well as the /comment.php file in WordPress’ include folder, and I’ve come to these realizations:

    1) I can very easily modify Raven’s Antispam in such a way as to be just as effective but without the need for any added database queries.

    2) Doing #1 would require blocking all trackbacks & pingbacks completely.

    Unfortunately, WordPress doesn’t have a hook which fires after a comment has been processed but before it has been saved. The closest I could find was the wp_blacklist_check() action, but it doesn’t have access to the variable which reveals the type of feedback (comment, trackback, pingback), which is a requirement for this type of solution.

  4. Rick,

    The plugin combo of Askismet and Spam Karma 2 eliminates 100% of my comment and trackback spam and even does a good job of handling pingback spam after some tweaking to eliminate splogs. I also added the SK2-specific plugin for talking with Akismet and that pumped up my blog’s ability to reject splog content. Now it catches about 95% of splog pingbacks.

    With those two in concert, why use anything else?

    Asfor the issue of the database getting jammed with logs and stuff from SK2, regularly clear out and reset SK2 by clicking on its reset button every couple months. Could not be simpler.

  5. Dan — I’ve thought about using Spam Karma again, but if I can get away with a more lightweight solution, it’d be so much more preferable.

    I have taken the leap and reinstalled Bad Behavior, after having been burned by it a few minor versions ago when one of its checks caused me to be banned from my own admin panel.

    I’m also using a fairly comprehensive block on known malicious bot user agents, thanks to the magic of .htaccess.

  6. I’m curious about your Raven’s modifications. I really love the idea, but I use k2 for the theme/framework and I couldn’t get it to work with or without AJAX (which I thought was a culprit at first). Even when I turned off AJAX, I’ve found that for a month no one could post a comment, cause it would just throw blank page at visitors.

    P. S. By the way, why would Raven’s Antispam delete the post, if it should prevent the spam from being posted? IF I am not mistaken, all it does it shows the text captcha for users with JS off.

  7. theUg — I haven’t figured out how to modify Raven’s Antispam to be what I want it to be; it worked fine on K2 when I was using both here and on

    If you read the source of Raven’s Antispam, you’ll see that it does in fact have to delete the post if the antispam conditions are not met; the reason is that Raven’s Antispam does not have access to checking the data until after the post has already been saved in the database. This is a limitation in WordPress itself, which does not seem to have a plugin hook which fires after the plugin is submitted yet before it is saved.

  8. I think the database was preventing me from using Raven’s plug-in before. I have my original WP installation on the MySQL 4.0.27 (at the time, GoDaddy didn’t even offer 4.1). Now I installed English version using WP 2.3.3 and K2 RC4 on top of MySQL 5.0, and it seems to work with AJAX and everything.

    * * *

    the reason is that Raven’s Antispam does not have access to checking the data until after the post has already been saved in the database. This is a limitation in WordPress itself, which does not seem to have a plugin hook which fires after the plugin is submitted yet before it is saved.

    Didn’t they redesigned plug-in system with the latest versions? I think I’ve heard something to that effect, but I’m not sure.

Leave a Comment

Your email address will not be published. Required fields are marked *

Use your Gravatar-enabled email address while commenting to automatically enhance your comment with some of Gravatar's open profile data.

Comments must be made in accordance with the comment policy. This site uses Akismet to reduce spam; learn how your comment data is processed.

You may use Markdown to format your comments; additionally, these HTML tags and attributes may be used: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.

the Rick Beckman archive
Scroll to Top