Zero Comment Spam

After my quest to ease the bandwidth load on my site the other day with Spam Fighting, I've also managed to cut the comment spam on this site to zero for the past 12 hours, which, considering there are usually 200+ a day, is not bad going. I'm still working on the bandwidth consumption issues, but I definitely think I've helped; the bandwidth usage at the end of this month will tell the full story.

Before I go any further: I do use Akismet. However, Akismet doesn't reduce your bandwidth consumption; it merely stops the spam from displaying and stops you getting loads of notifications about it. Every spam comment is still posted to the server, run through PHP and written to the database. I'm trying to take this one step further: prevent the comments piling up in the first place and, ideally, stop the spammers from hitting the server altogether.

So what have I done? Just a few little tweaks really:

Renamed the comment script.

A simple change which I'd seen in the past but thought was too complicated to do. It actually isn't. Go into your Comments template file and look for the form action for submitting a new comment. You'll see the action points to wp-comments-post.php; change this to any filename you like (providing it ends with .php, and preferably something that can't be guessed). Then go into the root of your blog, find the wp-comments-post.php file and rename it to match the filename you just entered as the action of the comment form. That's all there is to it. Remember that on upgrading WordPress you'll need to rename the new wp-comments-post.php again, but that's a two-second job. Bear in mind this is obscurity rather than a real control: any bot that fetches your page and reads the form action will find the new name, so expect to change it again once the spam starts up.

What does this mean? Most spam scripts/bots have been programmed to post straight to your wp-comments-post.php file, so when it isn't there they can't submit anything. I've gone one step further and set up a 410 on the old path in my .htaccess, i.e.

RedirectMatch 410 ^/wp-comments-post\.php

(The dot is escaped so the pattern matches only that filename; leaving off the trailing $ means anything appended to the path gets the 410 as well.) This way it won't even show as a 404 in your stats. I wasn't sure whether a 410 is a good choice or whether to boot the script to another server using a 301. On reflection the 410 is the better option: Apache answers it itself with a few hundred bytes and never starts PHP or touches the database, whereas a 301 only makes sense if you want someone else's server to eat the traffic, and a bot that doesn't follow redirects has still hit yours.

Renamed a comment input box

Just in case changing the script name didn't fully work, I went one step further and changed one of the input box names in my comment form too. Again, a very simple trick which fools any bot that assumes the stock form layout. Open up your comments template file, choose one of the required fields in the form and change the following (I've used author/name as an example):

<p><input type="text" name="author" id="author" value="<?php echo $comment_author; ?>" size="22" />
<label for="author"><small>Name <?php if ($req) _e('(required)'); ?></small></label></p>

and change the input name, input id and the label for attribute values (originally 'author' in this example) to your chosen new name. Of course your comments file won't be exactly like mine, but if you're not sure, let me know your site in the comments below and I can take a look and tell you what to change 🙂

After you’ve changed this you need to update your comment script file, originally called wp-comments-post.php. Open the file up in a text editor and look for line 21 (approximately). You should find the following code:

$comment_author = trim($_POST['author']);
$comment_author_email = trim($_POST['email']);
$comment_author_url = trim($_POST['url']);
$comment_content = trim($_POST['comment']);

Which line you edit depends on which input name you changed. Taking my example, change the first line to

$comment_author = trim($_POST['newauthorname']);

Save the file and upload it to overwrite the original. Again, on upgrading you'll need to alter this line in the new version of the file.

What does this do? It kills assumption. Bot scripts post a fixed set of variable names and values, so if you've changed a name the bot's value never lands in that variable and WordPress sees it as empty. That is why the renamed field needs to be a required one: changing the url field won't make much impact beyond the bot not being able to submit its link, because an empty url is still accepted.
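To show the whole thing in one place, here is a stand-alone sketch of what the handler ends up doing once the field is renamed. This is an added example, not the page's own code and not WordPress core, and it goes one step beyond the text: as well as reading the new field name, it refuses any submission that still carries the old 'author' name, since the real form never sends that. The field name newauthorname is the hypothetical one from the example above, and the two sample requests are constructed, not real traffic.

```php
<?php
// Added example: a minimal stand-in for the field-reading part of a renamed
// wp-comments-post.php. Not WordPress code; names below are assumptions.

define('AUTHOR_FIELD', 'newauthorname');   // what the renamed form actually sends
define('OLD_AUTHOR_FIELD', 'author');      // the stock name bots assume

/**
 * Decide whether a POST body looks like it came from the real comment form.
 * Returns an array of trimmed comment fields on success, or a string
 * describing why the submission was refused.
 */
function read_comment_fields(array $post)
{
    // A request that still carries the old field name never came from our
    // form; it came from a script assuming the stock WordPress layout.
    if (isset($post[OLD_AUTHOR_FIELD])) {
        return 'refused: old field name present (assumed bot)';
    }

    $author  = isset($post[AUTHOR_FIELD]) ? trim($post[AUTHOR_FIELD]) : '';
    $email   = isset($post['email'])      ? trim($post['email'])      : '';
    $url     = isset($post['url'])        ? trim($post['url'])        : '';
    $content = isset($post['comment'])    ? trim($post['comment'])    : '';

    // The renamed field must be a required one; otherwise a bot that simply
    // omits it still gets through (which is why renaming url alone does little).
    if ($author === '' || $content === '') {
        return 'refused: required field missing';
    }

    return array(
        'comment_author'       => $author,
        'comment_author_email' => $email,
        'comment_author_url'   => $url,
        'comment_content'      => $content,
    );
}

// Constructed sample requests (not captured traffic).
$from_real_form = array(
    AUTHOR_FIELD => 'Rutty',
    'email'      => 'rutty@example.com',
    'url'        => '',
    'comment'    => 'Hope it holds them off for a while',
);
$from_bot = array(
    'author'  => 'cheap pills',
    'email'   => 'spam@example.net',
    'url'     => 'http://example.net/',
    'comment' => 'buy now',
);

var_dump(read_comment_fields($from_real_form));  // accepted: array of four fields
var_dump(read_comment_fields($from_bot));        // refused: old field name present
```

Run from the command line, the first var_dump prints the four accepted fields and the second prints the refusal string. In a real wp-comments-post.php you would replace the `$comment_author = trim($_POST['author']);` line with the lookup of the new name, and for refused requests send a 403 and exit before anything is written to the database.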

Prevent Trackback Spam

After doing the above I had one spammer left, and it took me a while to realise they weren't submitting to the comment form at all but posting to the trackback link, i.e. postname/trackback/. Not much bandwidth is used this way, but it still meant my comment spam was building up, and every one is another record in the database. Now, I don't publicise my trackback links: if you link to a post of mine from a legitimate post of your own, WordPress notifies me automatically without the trackback link being needed (strictly, that automatic notification is a pingback rather than a trackback, which is why the link itself is so rarely used; to be honest I don't fully understand the point of trackbacks!). With this in mind I did a few searches on the web and came across WP Hardened Trackback, a plugin that changes the trackback address of the post on every request, so a trackback sent to the wrong URL is simply ignored.

Whether this will affect people who simply post and link to a post of mine, I don't know. Automatic pingbacks don't use the trackback URL, so in principle they should be unaffected; a legitimate trackback sent to an address copied earlier might be. I hope it doesn't break anything, but until it happens I won't know.

My Reading Material

There should be a shout-out to whoever blogged about changing the input name, but unfortunately I haven't a clue where I read that!

4 Responses

  1. Rutty says:

    I’ve been meaning to change my comment script too, but the recommendations for my platform (Movable Type) suggest that any change might only provide a temporary respite. The spammers will quickly learn your new script name and start using that, as their software is quite resilient and better written than the dumb bots they had in the past.

    Still, got to be worth a go. Hope it holds them off for a while 😉

    Like the new template by the way – very classy

  2. Sarah says:

    Oh I realise it’s a temp measure, but when it seems to start up again, I’ll just change it again! I think these bots rely on certain assumptions such as the comment form structure, the general urls etc. I think if you used a completely random set of numbers and letters then I think if anyone recodes a bot to work with that then clearly they have too much time on their hands! Especially when it doesn’t show on the site anyhow and is merely an annoyance!

    Cheers for the mention on the template, am very happy with it 😀

  3. Sarah says:

    Just an update. I had 3 spam emails in 48 hours. A major decrease from what it was before. Now to make these changes across all WordPress sites I administer!!

  4. Sarah says:

    I wrote about a revisit to spam issues at Spam Fighting Revisited