How to Stop WordPress Comment Spam in Its Tracks


I’m about to say one of the very few things I have ever posted here which probably every one of my (legitimate human) readers will be able to agree with:

Spam sucks!

And to be quite honest, I’m getting sick of it. I think a lot of people simply get sick of dealing with the spam, but it’s getting to the point that having to look at comment spam here and on the other blogs I maintain is sickening.

I log in to my spam filter knowing that there’s going to be at least some comments that need purging, but I do so hoping that they are of the variety, “Great blog post. Check my link. Happy Thursday,” and so on. At least those I can scan over and not feel as though my eyes need bleaching. Rarely are those the only bits of garbage in the can. It’s the large chunks of fetid, festering filth that have motivated me to think about better spam protection here on the blog.

And I wanted to do this with as little fuss as possible:

  • Plugins which simply send spam to the moderation queue are pointless here — I don’t want to have to deal with it at all; a moderation queue requires, well, some moderation in order to prevent spam (read: legitimate comments) from being blocked.
  • WordPress offers built in moderation and blacklist lists within which common spam words can be added. Comments which match something in the moderation list will be held for moderation, while comments which match anything in the blacklist will be deleted on the spot. I like this idea, but maintaining such a list has got to be a pain in the butt, and I can imagine all sorts of discussions — such as comments concerning anti-spam solutions — which may make use of any number of spam words. I don’t want to hurt legitimate users!

So what to do?

I’ve heard it mentioned many times before, and it suddenly started sounding like a good idea: simply rename the /wp-comments-post.php file to something else, and spam bots will no longer be able to post.

So that’s what I did. There was only one line of code which I had to change as well. In the /comments.php of my theme, I had to adjust the address for the commenting form. The bit of code that needed to be changed looked like this:


So I edited that to match the new filename I had chosen, saved it, and uploaded. After a test comment to make sure everything was kosher, I breathed a sigh of relief, thinking everything would be smooth sailing — though I’d still receive trackback spam, I’m sure, but that’s another subject for another time.

Still the spam comes in. Evidently, spam bots are being more intelligently written; I checked my host’s access logs and noticed that the spammers are loading posts first and submitting the spam in a very legitimate looking way. That sucks.
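An added example (not code from the original post): a Python function that sorts the comment POSTs in an access log into the cases described above, so you can see which ones the rename stops and which ones follow the form to the new address. The replacement filename `/wp-comments-renamed.php`, the 30-minute window and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

OLD_ENDPOINT = "/wp-comments-post.php"     # WordPress default, renamed away
NEW_ENDPOINT = "/wp-comments-renamed.php"  # hypothetical replacement filename
MAX_GAP_SECONDS = 1800                     # assumed window for "loaded a page first"

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2008:10:00:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 404 512 "-" "bot/1.0"
203.0.113.9 - - [12/Mar/2008:10:01:10 +0000] "GET /2008/03/some-post/ HTTP/1.1" 200 20480 "-" "Mozilla/4.0"
203.0.113.9 - - [12/Mar/2008:10:01:12 +0000] "POST /wp-comments-renamed.php HTTP/1.1" 302 0 "http://example.org/2008/03/some-post/" "Mozilla/4.0"
192.0.2.44 - - [12/Mar/2008:10:05:00 +0000] "POST /wp-comments-renamed.php HTTP/1.1" 302 0 "-" "bot/2.0"
"""

def classify_comment_posts(log_text):
    """Return {category: [(ip, seconds_since_last_GET or None), ...]}."""
    last_get = {}  # ip -> timestamp of that client's most recent GET
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method = m["ip"], m["method"]
        path = m["path"].split("?", 1)[0]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if method == "GET":
            last_get[ip] = ts
        elif method == "POST" and path == OLD_ENDPOINT:
            # Client hard-coded the default path: the rename stops these.
            groups["old_endpoint"].append((ip, None))
        elif method == "POST" and path == NEW_ENDPOINT:
            gap = (ts - last_get[ip]).total_seconds() if ip in last_get else None
            if gap is not None and gap <= MAX_GAP_SECONDS:
                # Loaded a page first, then followed the form's action URL.
                groups["after_page_load"].append((ip, gap))
            else:
                # Knows the new path without having fetched a page recently.
                groups["direct_new_endpoint"].append((ip, gap))
    return dict(groups)
```

Calling `classify_comment_posts(SAMPLE_LOG)` puts the first client under `old_endpoint`, the second under `after_page_load` with a two-second gap, and the third under `direct_new_endpoint`; a gap of a few seconds between page load and submission is itself worth a look.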

Perhaps my change will slow the influx of spam. I can hope, right?

I’m curious if anyone else has any ingenious little antispam tweaks in place on their sites? It doesn’t have to be specific to WordPress; I don’t have access to my Apache httpd.conf, but I certainly can tweak around in .htaccess.

8 thoughts on “How to Stop WordPress Comment Spam in Its Tracks”

  1. I’ve been using Spam Karma 2 for about a year and haven’t had any problems with spam. Every now and then, I’ll have a comment that needs moderation, but that’s rare. It hasn’t had any false positives that I’m aware of either.

    My concern is that the database and server are still getting hit by the spam bots. The spam comments aren’t appearing on my blog, but they’re still taking up space in the database and when the spam bots decide to all hit the site at once, they slow it down.

    I tried that hack of renaming wp-comments-post.php a while back and had similar results — it temporarily slowed down the bots, but ultimately they got around it. That was a while back, though, when they weren’t as intelligent.

    If you find any anti-spam measures that stop spam from getting to the database, I’d definitely be interested in trying it out.

  2. Chris — I used to be a huge fan of Raven’s Antispam, and it worked fantastically.

    The unfortunate part of it was that for some reason, spam comments still make it into the database — when Raven’s Antispam detects spam, it makes three additional database queries — deleting the spam post, recounting the number of legitimate comments on the spammed blog entry, and resetting the number of comments on that entry to the proper number.

    Seems all a bit much, and I would imagine there’s a way to catch the post before it gets saved to the database.

    I ported Raven’s Antispam to phpBB 2 and had great success with it without ever having to touch its database.

    Revisiting Raven’s Antispam might be something into which I need to look.*

    * Yeah, that reads funny; I’ve been randomly experimenting with rearranging sentences so that prepositions aren’t at the end. As Winston Churchill supposedly said, “Ending sentences with prepositions is something up with I will not put!”

  3. Chris — I’ve poked around Raven’s Antispam as well as the /comment.php file in WordPress’ include folder, and I’ve come to these realizations:

    1) I can very easily modify Raven’s Antispam in such a way as to be just as effective but without the need for any added database queries.

    2) Doing #1 would require blocking all trackbacks & pingbacks completely.

    Unfortunately, WordPress doesn’t have a hook which fires after a comment has been processed but before it has been saved. The closest I could find was the wp_blacklist_check() action, but it doesn’t have access to the variable which reveals the type of feedback (comment, trackback, pingback), which is a requirement for this type of solution.

  4. Rick,

    The plugin combo of Akismet and Spam Karma 2 eliminates 100% of my comment and trackback spam and even does a good job of handling pingback spam after some tweaking to eliminate splogs. I also added the SK2-specific plugin for talking with Akismet and that pumped up my blog’s ability to reject splog content. Now it catches about 95% of splog pingbacks.

    With those two in concert, why use anything else?

    As for the issue of the database getting jammed with logs and stuff from SK2, regularly clear out and reset SK2 by clicking on its reset button every couple months. Could not be simpler.

  5. Dan — I’ve thought about using Spam Karma again, but if I can get away with a more lightweight solution, it’d be so much more preferable.

    I have taken the leap and reinstalled Bad Behavior, after having been burned by it a few minor versions ago when one of its checks caused me to be banned from my own admin panel.

    I’m also using a fairly comprehensive block on known malicious bot user agents, thanks to the magic of .htaccess.

  6. I’m curious about your Raven’s modifications. I really love the idea, but I use k2 for the theme/framework and I couldn’t get it to work with or without AJAX (which I thought was a culprit at first). Even when I turned off AJAX, I’ve found that for a month no one could post a comment, cause it would just throw a blank page at visitors.

    P. S. By the way, why would Raven’s Antispam delete the post, if it should prevent the spam from being posted? If I am not mistaken, all it does is show the text captcha for users with JS off.

  7. theUg — I haven’t figured out how to modify Raven’s Antispam to be what I want it to be; it worked fine on K2 when I was using both here and on

    If you read the source of Raven’s Antispam, you’ll see that it does in fact have to delete the post if the antispam conditions are not met; the reason is that Raven’s Antispam does not have access to checking the data until after the post has already been saved in the database. This is a limitation in WordPress itself, which does not seem to have a plugin hook which fires after the plugin is submitted yet before it is saved.

  8. I think the database was preventing me from using Raven’s plug-in before. I have my original WP installation on the MySQL 4.0.27 (at the time, GoDaddy didn’t even offer 4.1). Now I installed English version using WP 2.3.3 and K2 RC4 on top of MySQL 5.0, and it seems to work with AJAX and everything.

    * * *

    the reason is that Raven’s Antispam does not have access to checking the data until after the post has already been saved in the database. This is a limitation in WordPress itself, which does not seem to have a plugin hook which fires after the plugin is submitted yet before it is saved.

    Didn’t they redesign the plug-in system with the latest versions? I think I’ve heard something to that effect, but I’m not sure.


Rick Beckman