Zero Comment Spam
After my quest the other day to ease the bandwidth load on my site with Spam Fighting, I’ve also managed to cut the comment spam on this site to zero for the past 12 hours, which, considering there are usually 200+ a day, is not bad going. I’m still working on the bandwidth consumption issues, but I definitely think I’ve helped; of course, the bandwidth usage at the end of this month will tell the full story.
Just before I go any further: I do use Akismet. However, Akismet doesn’t reduce your bandwidth consumption; it merely blocks the spam from displaying and stops you getting loads of notifications about it. I’m trying to take this one step further: prevent the comments piling up in the first place and, ideally, stop the spammers from hitting the server altogether.
So what have I done? Just a few little tweaks really:
Renamed the comment script.
A simple change which I’d seen in the past but thought was too complicated to do. It actually isn’t! Simply go into your Comments template file and look for the form action for submitting a new comment. You’ll see the action points to wp-comments-post.php; change this to any filename you like (providing it ends with .php). Then go into the root of your blog, find the wp-comments-post.php file and rename it to match the filename you just entered as the action of the comment form. And that’s all there is to it. Of course, remember that on upgrading WordPress you’ll need to rename the wp-comments-post.php file again, but that’s a two-second job.
What does this mean? Most spam scripts/bots have been programmed to go straight to your wp-comments-post.php file, so when it isn’t there they can’t submit anything. I’ve gone one step further and set up a 410 (Gone) for this file in my .htaccess, i.e.
RedirectMatch 410 ^/wp-comments-post.php
This way it won’t even show as a 404 in your stats. I’m not sure whether a 410 is a good choice or whether to boot the script to another server using a 301. If bots follow the path they’re sent on, then the 301 would be the better choice. I’m still looking into this.
Renamed a comment input box
Just in case changing the script name didn’t fully work, I went one step further and changed one of the input box names in my comment form too. Again, a very simple trick which fools any bot that assumes the default field names. Open up your comments template file, choose one of the required fields in the form and change the following (I’ve used author/name as an example):
<p><input type="text" name="author" id="author" value="<?php echo $comment_author; ?>" size="22" />
<label for="author"><small>Name <?php if ($req) _e('(required)'); ?></small></label></p>
and change the input name, input id and the label’s for attribute values (originally ‘author’ in this example) to your chosen new name. Of course your comments file won’t be exactly like mine, but if you’re not sure, let me know your site in the comments below and I can take a look and tell you what to change 🙂
After you’ve changed this you need to update your comment script file, originally called wp-comments-post.php. Open the file in a text editor and look around line 21. You should find the following code:
$comment_author = trim($_POST['author']);
$comment_author_email = trim($_POST['email']);
$comment_author_url = trim($_POST['url']);
$comment_content = trim($_POST['comment']);
Now, which line you edit depends on which input name you changed. Taking my example into account, change the first line to
$comment_author = trim($_POST['newauthorname']);
Save the file and upload it to overwrite the original. Again, on upgrading you’ll need to alter this line in the new version.
What does this do? It kills assumption. Bot scripts are programmed to post fixed variable names and values, so if you’ve changed the variable name they won’t successfully post to that variable. Of course, the variable you rename needs to be a required field; changing the url field won’t make much impact beyond the bot not being able to submit its link.
Prevent Trackback Spam
After doing the above I had one spammer left, and it took me a while to realise they weren’t actually posting to my comment script but using the trackback link, i.e. postname/trackback/. I don’t think much bandwidth is used with this method, but of course it still meant my comment spam was building up, which means another record in the database. Now, I don’t publicise my trackback links. If you link to a post of mine from a legitimate post of your own, the trackback is created automatically without the need for the trackback link (to be honest I don’t fully understand the point of trackbacks!). So with this in mind I did a few searches on the web and came across WP Hardened Trackback, a plugin that dynamically changes the trackback address of the post on every request, so if someone tries to send a trackback to the wrong URL it’ll just be ignored.
Whether this will affect people simply posting and linking to a post of mine, I don’t know. I hope it doesn’t, but until it happens I won’t know.
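To check whether the renamed script, the 410 rule and the trackback plugin are actually turning bots away, and what the leftovers still cost in bytes, here is a small access-log summary. This is an added example, not code from the original post or from WordPress: it reads Apache/Nginx combined-format log lines and buckets POSTs to the retired wp-comments-post.php and to postname/trackback/ URLs by status code, bytes sent and source IP. The log lines, IP addresses and the renamed handler filename my-renamed-handler.php are constructed sample data.

```python
"""Summarise comment-spam bot traffic in a combined-format access log.

Added example (not from the original post). It classifies requests aimed at the
retired WordPress comment endpoint (wp-comments-post.php) and at trackback URLs,
so you can see whether the 410 rule and the renamed script are turning bots away
and how many bytes the misses still cost. SAMPLE_LOG is constructed data.
"""
import re
from collections import Counter

# Combined log format: host ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

OLD_COMMENT_SCRIPT = "/wp-comments-post.php"   # the retired handler from the post
TRACKBACK_SUFFIX = "/trackback/"               # postname/trackback/ endpoints

# Constructed sample lines; /my-renamed-handler.php stands in for the renamed script.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2007:13:55:36 +0000] "POST /wp-comments-post.php HTTP/1.1" 410 0 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Oct/2007:13:55:37 +0000] "POST /wp-comments-post.php HTTP/1.1" 410 0 "-" "Mozilla/4.0"
198.51.100.22 - - [10/Oct/2007:13:56:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 404 512 "-" "-"
198.51.100.22 - - [10/Oct/2007:13:56:02 +0000] "POST /2007/10/spam-fighting/trackback/ HTTP/1.1" 200 0 "-" "-"
192.0.2.9 - - [10/Oct/2007:13:57:10 +0000] "GET /2007/10/spam-fighting/ HTTP/1.1" 200 14321 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2007:13:58:40 +0000] "POST /my-renamed-handler.php HTTP/1.1" 302 0 "https://example.test/" "Mozilla/5.0"
"""


def classify(path):
    """Bucket a request path: 'old_script', 'trackback', or None for ordinary traffic."""
    path = path.split("?", 1)[0]          # ignore any query string
    if path == OLD_COMMENT_SCRIPT:
        return "old_script"
    if path.endswith(TRACKBACK_SUFFIX):
        return "trackback"
    return None


def summarise(log_text):
    """Per category: POST counts by status, bytes sent, and a Counter of source IPs.

    Only POSTs are counted: comment submissions and trackback pings are both POSTs,
    so a GET to these paths is not an automated submission attempt.
    """
    stats = {
        cat: {"by_status": Counter(), "bytes": 0, "ips": Counter()}
        for cat in ("old_script", "trackback")
    }
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a combined-format line; skip it
        cat = classify(m.group("path"))
        if cat is None or m.group("method") != "POST":
            continue
        s = stats[cat]
        s["by_status"][int(m.group("status"))] += 1
        size = m.group("bytes")
        s["bytes"] += 0 if size == "-" else int(size)
        s["ips"][m.group("ip")] += 1
    return stats


def report(stats):
    """Render the summary as plain text, with the three busiest IPs per category."""
    lines = []
    for cat, s in stats.items():
        total = sum(s["by_status"].values())
        statuses = ", ".join(f"{code}: {n}" for code, n in sorted(s["by_status"].items()))
        lines.append(f"{cat}: {total} POSTs ({statuses}), {s['bytes']} bytes sent")
        for ip, n in s["ips"].most_common(3):
            lines.append(f"  {ip}: {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarise(SAMPLE_LOG)))
```

Run it over a real log with `summarise(open("access.log").read())`. The bytes column is the part worth watching: in the sample, the 410 responses cost nothing, while the 404 still sends a body, which is the bandwidth the post is trying to save.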
My Reading Material
There should be a shout-out to whoever blogged about changing the input name, but unfortunately I haven’t a clue where I read that!