Reducing comment spam on WordPress sites by editing wp-comments-post.php


Despite various measures such as removing the website (link) field from the WordPress comment form and adding Google reCAPTCHA, thousands of spam comments continue to hit my blog daily, and every one of them still carries links to questionable websites, as if the restrictions I implemented did not exist. Disabling comments or allowing them only for registered users is not an option for me, as I have always wanted to give readers an easy way to leave feedback without the hassle of registering for an account.

A quick Google search revealed why: automated WordPress spammers do not use the comment form at all. They send an HTTP POST directly to wp-comments-post.php, the endpoint the form submits to, so measures that only alter the rendered form, such as a removed field or a CAPTCHA widget, never come into play for them; the endpoint still accepts the url parameter whether or not the form offers it, which is why my so-called security measures were meaningless. One option is to rename wp-comments-post.php, which stops the automated spammers but requires updating the form action in the various WordPress template files. An easier way is to edit wp-comments-post.php and add the following check:

// Added check: reject any submission that fills in the author URL field.
if (strlen($comment_author_url) > 0)
{
	wp_die( __( '404 Not Found' ), 404);
}

around line 95 of the file, immediately after the block that reads the POST variables:

$comment_author       = ( isset($_POST['author']) )  ? trim(strip_tags($_POST['author'])) : null;
$comment_author_email = ( isset($_POST['email']) )   ? trim($_POST['email']) : null;
$comment_author_url   = ( isset($_POST['url']) )     ? trim($_POST['url']) : null;
$comment_content      = ( isset($_POST['comment']) ) ? trim($_POST['comment']) : null;

With this check in place, a comment submitted through the site's comment form, which no longer has a URL field and so arrives with an empty author URL, is accepted exactly as before. An automated submission that fills the url parameter is rejected with an HTTP 404. Since most spammers put their links in precisely this field, the change rejects the majority of spam comments, and since the real form no longer offers the field, no legitimate visitor loses anything. Ever since this modification, my spam list has been empty most of the time:

[Screenshot: the blog's spam comment list, empty]

Obviously this does not stop an attacker from changing his script to omit the author URL field and continue hitting the site, but as the main motivation behind comment spam is to plant links, the modification should be enough to deter most of them. Two caveats apply: wp-comments-post.php is a WordPress core file, so the next update will overwrite it and the check must be reapplied (the same goes for renaming the file), and if you keep the URL field on your comment form, legitimate visitors who fill it in will get the same 404 as the bots.
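The same rule can be enforced without editing a core file. WordPress passes every submitted comment, whether it came from the rendered form or from a script posting straight to wp-comments-post.php, through the preprocess_comment filter, so a small must-use plugin can apply the rejection there and survive updates. The following is an added example, not the original post's code: the file name, the toughdev_ function names and the exemption for logged-in users are my own choices. The exemption is needed because, by the time the filter runs, WordPress has already replaced the URL field of a logged-in user with the website from their profile, a substitution the original edit never sees because it sits before it in the file.

```php
<?php
/**
 * Plugin Name: Reject comments that carry an author URL
 * Description: Added example, not the original post's code. Applies the same
 *              "author URL present => 404" rule as the wp-comments-post.php
 *              edit, but through the preprocess_comment filter so it survives
 *              core updates. Save as wp-content/mu-plugins/reject-url-comments.php
 *              (the file name is an assumption; any .php file in that directory
 *              is loaded automatically).
 */

// Do nothing if the file is requested directly instead of loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * True when the submitted comment data carries a non-empty author URL.
 *
 * Kept separate from the filter callback so the rule itself can be tested
 * without bootstrapping WordPress. $commentdata is the array WordPress builds
 * from the POST body; 'comment_author_url' holds the trimmed 'url' field.
 */
function toughdev_comment_has_author_url( array $commentdata ) {
    $url = isset( $commentdata['comment_author_url'] )
        ? trim( (string) $commentdata['comment_author_url'] )
        : '';
    return $url !== '';
}

/**
 * preprocess_comment callback. Runs for every submission, including those a
 * script posts straight to wp-comments-post.php, which is the path spammers
 * take around the rendered form.
 */
function toughdev_reject_comments_with_url( $commentdata ) {
    // By this point WordPress has replaced a logged-in user's URL field with
    // the website from their profile, so exempt them (assumption: you trust
    // your own registered users; remove this block if you do not).
    if ( is_user_logged_in() ) {
        return $commentdata;
    }

    if ( toughdev_comment_has_author_url( $commentdata ) ) {
        // Same response as the post's edit: a bare 404 rather than a
        // descriptive error message.
        wp_die( __( '404 Not Found' ), 404 );
    }

    return $commentdata;
}
add_filter( 'preprocess_comment', 'toughdev_reject_comments_with_url' );
```

To check it after dropping the file in place, POST to wp-comments-post.php with curl (comment_post_ID set to a real post, plus author, email and comment) once with a url field and once without while logged out: the first request should get a 404, the second the usual redirect back to the post, with the comment landing in moderation as before.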

ToughDev
