Kill Website Comment Spam – From 1,400 to Zero Spam in One Day

If you want to kill comment spam on your WordPress website, you will need to do more than simply change your discussion settings. Comment spammers have software that is constantly updated to find every loophole possible in order to get a comment on a website. They are desperate and do not care that they are wasting your precious time with all this extra work.

Sure, there are offsite commenting systems that might help, but not for me. These comments and content belong to my site and will be stored alongside them.

Kill Website Comment Spam in WordPress

Stopping comment spam on a WordPress website is hard work! You cannot possibly do it by yourself as you would be left with no time to build a successful website when you are spending all of your time moderating comments. So, really you have no choice but to take action.

Now, taking action against WordPress spam comments can be done the hard way (which may not work) or the easy way. Let’s go through a few different ways to combat spam.

Where is The Comment Being Made?

A person who wants to comment on your posts obviously has to be on your website, but that is not true of automated software. You can add some code to your .htaccess file that restricts submissions to the comment-post script (wp-comments-post.php) when the comment is not made on your website. Replace YOURDOMAIN with your site’s domain.

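RewriteEngine On

 # Requests for the comment handler (or setup.php) that carry no User-Agent
 # are redirected to the client's own address.
 RewriteCond %{REQUEST_URI} /(wp-comments-post|setup)\.php$
 RewriteCond %{HTTP_USER_AGENT} ^$
 RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]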

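Another way:

RewriteEngine On

 # POST to wp-comments-post.php AND (referrer not on YOURDOMAIN OR empty User-Agent)
 RewriteCond %{REQUEST_METHOD} POST
 RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
 RewriteCond %{HTTP_REFERER} !.*YOURDOMAIN.* [OR]
 RewriteCond %{HTTP_USER_AGENT} ^$
 RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]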

This will:

  1. Detect when a POST is being made
  2. Check to see if the post is on wp-comments-post.php
  3. Check whether the referrer is missing or is not in your domain (or the user agent is empty)
  4. Send the spam-bot BACK to its originating server’s IP address.
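The same check can be made in PHP with an exact host comparison, which is stricter than a substring pattern such as `.*YOURDOMAIN.*` (that pattern also accepts any referrer that merely contains the domain text). This is an added example for a theme's functions.php, not code from the original article; the function name `example_block_offsite_comments` is hypothetical.

```php
<?php
// Added example (hypothetical function name). Rejects comment submissions whose
// Referer host is not this site's host, or that arrive without a User-Agent.
function example_block_offsite_comments( $comment_post_id ) {
    // Host name WordPress is configured to serve, e.g. "YOURDOMAIN".
    $site_host = strtolower( (string) wp_parse_url( home_url(), PHP_URL_HOST ) );

    $referer  = isset( $_SERVER['HTTP_REFERER'] ) ? wp_unslash( $_SERVER['HTTP_REFERER'] ) : '';
    $ref_host = strtolower( (string) wp_parse_url( $referer, PHP_URL_HOST ) );

    $agent = isset( $_SERVER['HTTP_USER_AGENT'] ) ? trim( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) ) : '';

    // Exact comparison: a host that only contains the site's name does not pass.
    if ( '' === $agent || '' === $ref_host || $ref_host !== $site_host ) {
        wp_die(
            'Comments must be submitted from the comment form on this site.',
            'Comment blocked',
            array( 'response' => 403 )
        );
    }
}
// Runs before WordPress processes a submitted comment.
add_action( 'pre_comment_on_post', 'example_block_offsite_comments' );
```

Referer and User-Agent are supplied by the client, so this only filters software that does not set them, and it also turns away real visitors whose browser withholds the Referer header.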

Comment Form Nonce

A nonce is a “number used once” to protect URLs and forms from being misused. If automated software tries to alter the unique number that is added to a URL, the nonce is invalid and the attempt fails.

Adding this code to your functions.php file will add the nonce field to your comments form and will check the value when the form is submitted. You can see more about WordPress Nonces as it is out of my league to explain this.

function add_comment_form_nonce_field() {
 // Print a hidden _wpnonce field inside the comment form.
 wp_nonce_field( 'anti_spam_nonce_field' );
}
add_action( 'comment_form', 'add_comment_form_nonce_field' );

function check_comment_form_nonce_field() {
 // Reject the comment if the nonce is missing or does not verify.
 if ( ! isset( $_REQUEST['_wpnonce'] ) || ! wp_verify_nonce( $_REQUEST['_wpnonce'], 'anti_spam_nonce_field' ) ) {
  die( 'Security check failed' );
 }
}
add_action( 'pre_comment_on_post', 'check_comment_form_nonce_field' );
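To show what the check above does and does not stop, here is a simplified stand-alone model of how a WordPress nonce is derived and verified. It is an added example, not WordPress's or the original article's code; `SECRET`, the `model_*` function names and the timestamp are constructed. A WordPress nonce is a time-limited keyed hash rather than a single-use number, and for logged-out visitors the user id is 0 and the session token is empty, so the value is shared by all anonymous visitors within a tick.

```php
<?php
// Added example: simplified model of the WordPress nonce scheme.
// SECRET stands in for the site's nonce key and salt (constructed value).
const SECRET   = 'constructed-nonce-key-and-salt';
const LIFETIME = 86400; // default nonce lifetime: one day, split into two ticks

// Tick counter that advances every half lifetime (12 hours by default).
function model_tick( int $now ): int {
    return (int) ceil( $now / ( LIFETIME / 2 ) );
}

// Keyed hash over tick, action, user id and session token, cut to 10 characters.
function model_nonce( int $tick, string $action, int $uid, string $session ): string {
    $data = $tick . '|' . $action . '|' . $uid . '|' . $session;
    return substr( hash_hmac( 'md5', $data, SECRET ), -12, 10 );
}

// Returns 1 (current tick), 2 (previous tick) or false, like wp_verify_nonce().
function model_verify( string $nonce, string $action, int $uid, string $session, int $now ) {
    foreach ( array( 0, 1 ) as $age ) {
        $expected = model_nonce( model_tick( $now ) - $age, $action, $uid, $session );
        if ( hash_equals( $expected, $nonce ) ) {
            return $age + 1;
        }
    }
    return false;
}

$t0     = 1700000000; // constructed timestamp
$action = 'anti_spam_nonce_field';

// Nonces issued a minute apart to two logged-out visitors (uid 0, no session token).
$visitor_a = model_nonce( model_tick( $t0 ), $action, 0, '' );
$visitor_b = model_nonce( model_tick( $t0 + 60 ), $action, 0, '' );
var_dump( $visitor_a === $visitor_b );

// A value that was never issued, a value used an hour later, and one used two days later.
var_dump( model_verify( 'deadbeef00', $action, 0, '', $t0 ) );
var_dump( model_verify( $visitor_a, $action, 0, '', $t0 + 3600 ) );
var_dump( model_verify( $visitor_a, $action, 0, '', $t0 + 2 * LIFETIME ) );
```

The nonce check therefore rejects submissions posted straight to wp-comments-post.php without a current form value, but it cannot tell two anonymous visitors apart, so it works best combined with the other measures on this page.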

Add a Checkbox

This method “was” great at first, but I think this sneaky trick to stop spam comments in WordPress has been exposed and is no longer useful.

Of course some genius might turn this code into something great one day.

First, you need to add a checkbox to your theme’s comment form (which is most likely in the comments.php file), like this:

Check this box to enable the send button

It’s a good idea to add it right above the submit button. By the way, note the value of the “name” attribute of the submit button and the form element. If you don’t have a “name” attribute for the form element, add it with the value “commentform”.

Next, add this code to your header.php file, inside the element:

If your comment form is called something other than “commentform” then you will have to change the code to suit your theme. Same with the “submit” value.


Deny Access Referrer Spammers

Many bloggers show referrers to their site, or links from which people came to visit their site. Spammers exploit this and indiscriminately spam blogs (even bloggers who do not have this feature enabled) with referral links pointing to their spammy sites. They end up wasting your resources, polluting your legitimate referrers list and slowing down access for your readers.

In an effort to economize their resources, spammers often send out comment spam bots with their spam referrers for that two-in-one-shot effect. Consequently, you can block quite a few comment spam bots by blocking the referrer spam.

Once you know which referrer URL you’d like to block, and believe me you’ll know, you can keep them out by adding the following into your .htaccess file:

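 # SPAM-DOMAIN-1 and SPAM-DOMAIN-2 are placeholders: put the referrer
 # pattern you want to block in their place.
 SetEnvIfNoCase Via evil-spam-proxy spammer=yes
 SetEnvIfNoCase Referer SPAM-DOMAIN-1 spammer=yes
 SetEnvIfNoCase Referer evil-spam-keyword spammer=yes
 SetEnvIfNoCase Via pinappleproxy spammer=yes
 SetEnvIfNoCase Referer SPAM-DOMAIN-2 spammer=yes
 SetEnvIfNoCase Referer poker spammer=yes

 # Apache 2.2 access-control syntax; Apache 2.4 needs mod_access_compat for it.
 Order allow,deny
 Allow from all
 Deny from env=spammer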

Using PHP Code to Block

You can add this to the top of any PHP page, putting the actual IP address where the xxx or yyy is.
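One way to write such a block is shown here as an added example; it is not the original article's code. The addresses are placeholders from the documentation ranges standing in for the xxx and yyy values, the function name `example_ip_is_blocked` is hypothetical, and the code assumes IPv4 on 64-bit PHP.

```php
<?php
// Added example: placeholder addresses from the documentation ranges; replace
// them with the addresses you actually want to block.
$blocked = array(
    '203.0.113.7',     // single address
    '198.51.100.0/24', // whole range in CIDR notation
);

// True when $ip equals a listed address or falls inside a listed CIDR range.
function example_ip_is_blocked( string $ip, array $blocked ): bool {
    $ip_long = ip2long( $ip );
    if ( false === $ip_long ) {
        return false; // not an IPv4 address (e.g. IPv6): not handled here
    }
    foreach ( $blocked as $entry ) {
        // An entry without "/bits" is treated as a /32 (single host).
        list( $net, $bits ) = array_pad( explode( '/', $entry, 2 ), 2, '32' );
        $net_long = ip2long( $net );
        $bits     = (int) $bits;
        if ( false === $net_long || $bits < 0 || $bits > 32 ) {
            continue; // skip malformed entries
        }
        $mask = 0 === $bits ? 0 : ( ~0 << ( 32 - $bits ) ) & 0xFFFFFFFF;
        if ( ( $ip_long & $mask ) === ( $net_long & $mask ) ) {
            return true;
        }
    }
    return false;
}

$remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
if ( example_ip_is_blocked( $remote, $blocked ) ) {
    http_response_code( 403 );
    exit( 'Forbidden' );
}
```

Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address rather than the visitor's, so the block has to be applied where the real client address is visible.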


Get A Plugin To Do ALL and More!

This is how I actually put a stop to website comment spam and went from 1,400 spam comments to Zero in one day.

Andy Bailey, the creator of the CommentLuv plug-in, is one-of-a-kind when it comes to fighting spam. He developed his awesome WordPress plug-in that helps you share the love with other website owners when they comment on your blog or website.

CommentLuv (the paid version) came with GASP, which essentially implemented all of the above code for you and then some. But recently many sites started to get hit by a new wave of comment spam that was penetrating even the best GASP protection.

So what did Andy do? He added another
