Stop comment spam on a WordPress blog
I originally posted this in the comments on a recent TechCrunch article, “TechCrunch has 15,000 Spam Comments Per Day”. I thought it was worth archiving here also.
This is a method I’ve used successfully to bring comment spam to a screeching halt on some of my clients’ blogs. It works because nearly all comment-spam bots find the target URL by reading the HTML of the page rather than by running it in a browser.
First, rename wp-comments-post.php to something else.
Second, create a blank wp-comments-post.php file in its place. An empty PHP file still answers with a 200 HTTP status and an empty body, so a bot posting to the old URL believes the comment was accepted and has no reason to look for another endpoint.
Third, edit the “comments” template in your theme. Leave the form’s “action” attribute pointing to the default wp-comments-post.php (the blank decoy). Add an inline handler to the FORM tag’s “onsubmit” attribute that swaps in the real URL at the moment the visitor submits. Something like:
onsubmit="this.action='location-of-new-wp-comments-post.php'; return true;"
Anyone with JavaScript enabled (nearly 100% of visitors) will be able to post comments, but spam bots, which do not execute JavaScript, will post to the decoy and never reach the real handler. Two caveats: a visitor with JavaScript disabled will also post to the blank file and their comment silently disappears, and a bot that does drive a real browser (and therefore runs the handler) is not stopped by this.
You can obfuscate the JavaScript further by splitting the URL with some random concatenation, which defeats bots that do not run JavaScript but do grep the HTML for a quoted string ending in “.php”…
onsubmit="this.action='location' + '-of-new-wp-comments-post.' + 'php'; return true;"
… or setting the URL in a variable and referencing the variable instead.
Using this technique brings comment spam to near zero. I’ve left Akismet in place to catch the small number of manual spam comments but I only see those maybe once every week, even on highly trafficked sites.
Note: I’ve not implemented this method on this site. This blog gets no comment spam since it gets very low traffic. Someday I’ll eat my own dog food.
Update 7/11/2007: The above process works beautifully to stop spam, but it’s a little more complicated than an easier solution that gets 95% of the benefit. The easiest way to stop comment spam is to simply rename wp-comments-post.php to something else and edit the <form> tag in your theme to reference the new name. I find it easiest to just throw some random characters at the end of the name. For example, on this site, I’ve renamed it to “wp-comments-post-3m0dw12×35.php”. One thing to watch with either variant: a WordPress core update rewrites the core files, so the stock wp-comments-post.php comes back as a working handler (overwriting the blank decoy if you made one) and the old URL accepts comments again until you rename or blank it once more.
The above method using the JavaScript just takes it a step further, to combat those bots which actually read the form’s action attribute out of the HTML to find the URL the form is posting to.
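To make the difference between the two variants concrete, here is an added example (not code from the original post) that renders the comment form the way a theme would emit it and then asks three simulated clients where they would post: a bot that reads only the form’s action attribute, a bot that additionally greps the page for a quoted string ending in “.php”, and a browser that runs the inline onsubmit handler with `this` bound to the form. The endpoint names, the random suffix and the form markup are all constructed for the example; no network requests are made.

```javascript
// Added example: simulate how different clients discover the URL a
// WordPress comment form posts to. All endpoint names are placeholders and
// the random suffix is made up for this example.

const DEFAULT_ENDPOINT = 'wp-comments-post.php';          // stock name; the blank decoy in the JS variant
const REAL_ENDPOINT = 'wp-comments-post-3m0dw12x35.php';  // hypothetical renamed handler

// Render the <form> tag as a theme's comments template would emit it.
function formHtml(action, onsubmit) {
  const attrs = ['method="post"', `action="${action}"`];
  if (onsubmit) attrs.push(`onsubmit="${onsubmit}"`);
  return `<form ${attrs.join(' ')}>\n` +
         '  <textarea name="comment"></textarea>\n' +
         '  <input type="submit" value="Submit Comment">\n' +
         '</form>';
}

// Constructed sample input: the theme configurations discussed in the post.
const VARIANTS = {
  stock:        formHtml(DEFAULT_ENDPOINT, null),
  renameOnly:   formHtml(REAL_ENDPOINT, null),
  jsRedirect:   formHtml(DEFAULT_ENDPOINT, `this.action='${REAL_ENDPOINT}'; return true;`),
  jsObfuscated: formHtml(DEFAULT_ENDPOINT,
                  "this.action='wp-comments-post-' + '3m0dw12x35.' + 'php'; return true;"),
};

// Read one double-quoted attribute off the first <form> tag.
function formAttr(html, name) {
  const tag = html.match(/<form\b[^>]*>/i);
  if (!tag) return null;
  const m = tag[0].match(new RegExp(`\\b${name}="([^"]*)"`, 'i'));
  return m ? m[1] : null;
}

// Bot 1: reads only the action attribute and never looks at JavaScript.
function naiveBotTarget(html) {
  return formAttr(html, 'action');
}

// Bot 2: still does not execute JavaScript, but greps the whole page for a
// single-quoted string ending in ".php" and prefers that over the action attribute.
function greppingBotTarget(html) {
  const m = html.match(/'([^']*\.php)'/);
  return m ? m[1] : naiveBotTarget(html);
}

// Browser: builds a form object and runs the inline onsubmit handler with
// `this` bound to the form, as a browser does for inline handlers. A handler
// that returns false cancels the submission, so the target is null.
function browserTarget(html) {
  const form = { action: formAttr(html, 'action') };
  const handler = formAttr(html, 'onsubmit');
  if (handler) {
    const proceed = new Function(handler).call(form);
    if (proceed === false) return null;
  }
  return form.action;
}

// Where each client ends up posting, per variant.
function compare() {
  const out = {};
  for (const [name, html] of Object.entries(VARIANTS)) {
    out[name] = {
      naiveBot: naiveBotTarget(html),
      greppingBot: greppingBotTarget(html),
      browser: browserTarget(html),
    };
  }
  return out;
}

console.table(compare());
```

The table shows the trade-off the post describes: with rename only, every client, bots included, lands on the real handler, so the protection is purely that the bot has not refreshed its list of URLs. With the onsubmit redirect, bots that read the HTML post to the decoy while browsers post to the real handler, and the concatenated form additionally hides the URL from a bot that greps for a literal “.php” string. Nothing here stops a bot that actually executes the page in a browser.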