• My site gets an annoying amount of comment spambots. I’ve tried a number of plugins, which haven’t made much difference.

    For a while, I had some luck using WordPress Hashcash, which filters comments with no referrer field — indicating they were made with a script that bypasses the form. However, that’s no longer working well, indicating spammers have figured out some way to spoof it.

    A lot of the spam comments I get have an entry in the URL field, which definitely indicates they were made by a script; my comment form doesn’t include a field to let people enter a website. I was thinking I might be able to cut down the number of spam comments with some kind of function (in functions.php) to move new comments to the trash if the URL field is not a null set. However, I’m not a programmer and the syntax for that is beyond me.

    Has anyone had any luck with this kind of script? Any suggestions?

Viewing 15 replies - 1 through 15 (of 21 total)
  • Moderator James Huff

    (@macmanx)

    The anti-spam plugin industry is rather over-saturated these days. If you haven’t found something to stop spam yet, I’d suspect another problem elsewhere.

    I have been using Akismet since it launched and haven’t seen a single spam comment make it through.

    Also, there’s a very extensive constantly updated blacklist at https://github.com/splorp/wordpress-comment-blacklist which might help.

    Have you tried either of those?

    Moderator James Huff

    (@macmanx)

    Forgot to add in, I have also heard great things about https://www.ads-software.com/plugins/avh-first-defense-against-spam/ from folks who needed more than Akismet.

    Thread Starter Ate Up With Motor

    (@ate-up-with-motor)

    I was wondering if what I was describing could be implemented without adding another plugin. I’m on a shared server box, and I’m already really at the limits of how much RAM I can use, so unless I switch to some minimalist theme, I’m leery of additional add-ons. I also can’t afford commercial plugins.

    Moderator James Huff

    (@macmanx)

    Well, Akismet doesn’t use very much RAM at all, neither does the comment blacklist. I’m not sure about AVH.

    Adding https://perishablepress.com/5g-blacklist-2013/ to your .htaccess file can also protect against several bot attacks before they even reach WordPress. As it’s an Apache process, it’s similarly light on RAM.

    Basically, anything that filters and stops incoming traffic or actions will use CPU and RAM.

    Thread Starter Ate Up With Motor

    (@ate-up-with-motor)

    I implemented the blacklist a while ago and that hasn’t had much impact.

    Moderator James Huff

    (@macmanx)

    The comment blacklist or the .htaccess blacklist?

    Thread Starter Ate Up With Motor

    (@ate-up-with-motor)

    The .htaccess list. I didn’t know there was a separate comment list.

    Moderator James Huff

    (@macmanx)

    Yep, I linked to it in my first reply.

    Grant Hutchinson

    If you decide to give my comment blacklist a try, you might want to use one of the following plugins which automatically update your blacklist settings using the most recent version from the GitHub repository.

    Please let me know if you run into any issues or have any suggestions to improve the blacklist. And thanks for the mention, James.

    Moderator James Huff

    (@macmanx)

    And thanks for the mention, James.

    My pleasure, and thank you for maintaining such an extensive blacklist!

    Thread Starter Ate Up With Motor

    (@ate-up-with-motor)

    Grant,

    Does the WP blacklist affect comments that are submitted using some kind of script that bypasses the contact form?

    Again, a big part of the problem I’m having is that spam bots are somehow able to execute a comment POST operation that doesn’t use the comment form at all. As I mentioned in my original post, the way I can tell is that they include a value in the website URL field, which my comment form intentionally omits, so if a comment contains anything other than a null set in that field, there is a 100 percent chance it’s spam.

    (What I want to do is filter comments on that basis — I just don’t know how because I’m not a programmer.)
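    The filter asked for in the original post and again here, as an added example that is not code from the thread or from any plugin mentioned in it. It hooks WordPress's own `pre_comment_approved` filter and sends any comment carrying a non-empty URL field to the trash. The function name is this example's choice; the one assumption it rests on is the thread starter's own, that the site's comment form has no URL field, so a value in `comment_author_url` can only come from a client POSTing to wp-comments-post.php directly. It goes in the active theme's functions.php (or a small mu-plugin).

```php
<?php
/**
 * Added example (not from the thread): trash any comment that arrives with
 * a value in the website/URL field.
 *
 * Assumption, taken from the thread starter's description: the comment form
 * has no URL field, so a non-empty comment_author_url can only come from a
 * client POSTing to wp-comments-post.php directly. Function name is this
 * example's own choice.
 */

add_filter( 'pre_comment_approved', 'example_trash_comments_with_url', 10, 2 );

/**
 * Runs inside wp_allow_comment() after WordPress has picked a status.
 *
 * @param int|string|WP_Error $approved    Status WordPress chose: 1, 0, 'spam', 'trash' (or a WP_Error).
 * @param array               $commentdata Comment fields as passed to wp_new_comment().
 * @return int|string|WP_Error Unchanged status, or 'trash'.
 */
function example_trash_comments_with_url( $approved, $commentdata ) {
	// Never override an error or a rejection WordPress (or Akismet) already made.
	if ( is_wp_error( $approved ) || 'spam' === $approved || 'trash' === $approved ) {
		return $approved;
	}

	// Logged-in commenters get their profile URL filled in by WordPress itself,
	// not by the form, so a URL from them is not evidence of a bot.
	if ( ! empty( $commentdata['user_id'] ) ) {
		return $approved;
	}

	// Pingbacks and trackbacks legitimately carry a URL; only inspect plain comments.
	// comment_type is '' before WordPress 5.5 and 'comment' from 5.5 on.
	$type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
	if ( '' !== $type && 'comment' !== $type ) {
		return $approved;
	}

	// The form has no URL field, so anything here came from a direct POST.
	$url = isset( $commentdata['comment_author_url'] ) ? trim( (string) $commentdata['comment_author_url'] ) : '';
	if ( '' !== $url ) {
		return 'trash';
	}

	return $approved;
}
```

Trashed comments stay visible under Comments > Trash, so the rule can be spot-checked before trusting it. Two caveats: the URL field is data the client sends, so a bot that simply stops sending `url` passes this check the same way spoofed referrers got past the Hashcash check; and the rule only makes sense while the form really has no URL field. It is a cheap extra signal to run alongside Akismet or a blacklist, not a replacement for them.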

    Moderator James Huff

    (@macmanx)

    Does the WP blacklist affect comments that are submitted using some kind of script that bypasses the contact form?

    Yes, it inspects all comments received, whether via a human who posts in the comment form, or a bot which accesses the script directly.

    Again, a big part of the problem I’m having is that spam bots are somehow able to execute a comment POST operation that doesn’t use the comment form at all.

    Try adding this to your .htaccess file:

    <IfModule mod_rewrite.c>
    	RewriteEngine On
    	# Only POSTs to the comment and login handlers are examined
    	RewriteCond %{REQUEST_METHOD} POST
    	RewriteCond %{REQUEST_URI} /(wp-comments-post|wp-login)\.php$
    	# ...whose Referer is not this site (or Jetpack), OR whose User-Agent is empty
    	RewriteCond %{HTTP_REFERER} !(example\.com|jetpack\.wordpress\.com) [OR]
    	RewriteCond %{HTTP_USER_AGENT} ^$
    	# Send the request back to the client's own address instead of to WordPress
    	RewriteRule .* https://%{REMOTE_ADDR}/ [R=301,L]
    </IfModule>

    Replace “example.com” with your domain, and remove “|jetpack.wordpress.com” if you aren’t using Jetpack comments.

    This will block all bots from accessing the commenting and login scripts directly; they will need to go through the actual forms if they want to submit comments or log in.

    Via: https://halfelf.org/2013/wp-login-protection-htaccess/

    Thread Starter Ate Up With Motor

    (@ate-up-with-motor)

    I believe WordPress Hashcash is already doing that. When it works (which is about 90 percent of the time — useful, but not enough), it puts comments with a blank referrer field directly in the trash.

    However, some of the spam bots are somehow able to “spoof” the system, submitting a POST request that includes the site domain as the referrer even though the presence of a non-null value in the website URL field makes it clear they didn’t actually use the comment form. (The comment form doesn’t include that field.) I don’t know how they’re doing it, but it’s very obnoxious.

    James, thanks for pointing out that .htaccess trick.

    Moderator James Huff

    (@macmanx)

    Ate Up With Motor, the .htaccess bit and WP HashCash are two very different things. Try the .htaccess code.

    Grant Hutchinson, you’re welcome!

  • The topic ‘Help creating a comment filtering script to stop spammers’ is closed to new replies.