Please eliminate wp-comments.php!

How would that help? A spammer would be a visitor as well, wouldn’t it?

The same logic you’d use to detect if a visitor was a spam-bot OR a real human would suffer the same problems it does if the file exists or not.

A spammer which is a human perhaps. Most comment spam is not generated by humans. Bots target wp-comments.php specifically by name. Any security done client-side is pointless when this file exists. Randomize the file name with each visitor and you eliminate the ability to find a specific file on the server.

I’ve done it. It eliminated 100% of my spam.

However, the comment form’s action attribute always reveals the location of the processing script. This is where I use JavaScript and cookies to remedy that issue. I store the location of the comment processing script in a cookie and use javascript to retrieve it. The location is then never revealed in the source code.

Actually, the processing script doesn’t even have to exist until the form is submitted. This allows you to perform security client-side. Otherwise a bot can simply bypass the form by directly accessing the processing script on the server. You know, all they have to do is @file(“https://remotesite.hmm/wp-comments.php”) to see if it exists. How secure is that? A spammer can hit it all day long until they find the right crack because the file name is always so easily accessible. That accessibility is a definite weakness.

When the button is pressed a new file is generated named [security-hash].[visitor-ip].[timestamp].php. That file is then used for the form action. Once the form is successfully submitted, the file can be deleted.

In the processing script, use the filename to compare to the visitor’s ip.
If the ip does not match the filename, you know it’s a bad visit.
Use the timestamp to expire the script.

The file then cannot be re-used by bots. = Happy Admin

Achilles’ heel too. >:\

I really intended to say wp-comments-post.php , but I think you know what I meant.

Bots target wp-comments.php specifically by name.

Well sure but it’d be easier to just protect that with .htaccess. If someone comes to that file directly (that is NOT referred by your domain), then they’re a spammer.

I use this to stop splogs. Maybe it could be used for that instead:

RewriteCond %{REQUEST_METHOD} POST
 RewriteCond %{REQUEST_URI} .wp-signup.php*
 RewriteCond %{HTTP_REFERER} !.*domain.com.* [OR]
 RewriteCond %{HTTP_USER_AGENT} ^$
 RewriteRule (.*) https://lmgtfy.com/?q=spammer [R=301,L]

From https://www.darcynorman.net/2009/05/20/stopping-spamblog-registration-in-wordpress-multiuser/

By the way. Next time consider EDITING your post rather than posting over and over so soon ??

Whatever. I’m not going to hash it out about efficient ways to do it. Referrer can be spoofed. Point is, something can be done to fix it.

Whatever. I’m not going to hash it out about efficient ways to do it. Referrer can be spoofed. Point is, something can be done to fix it.

Sounds like you’re the guy… write it up and submit it.

What Clayton said ?? If you can code it, please do and submit it to trac.www.ads-software.com! We’d appreciate it!

Sounds like you’re the guy… write it up and submit it.

I only know a little bit about everything. ??

Seriously though, I’ll work on it.

Yeah, but you said:

I’ve done it. It eliminated 100% of my spam.

So .. y’know, share details on trac. Can’t promise they’ll pick it up, but y’know, giving back is a wonderful thing. It will save the jungles and bunnies. ??

Honestly, once I changed my website I no longer need any CAPTCHA or similar devices. I’m not saying a human can’t manually submit a spam message, but automation is very difficult if not impossible. Banning an individual is much easier than banning a bot which works from multiple IP addresses.

Please see https://www.ads-software.com/support/topic/comment-spam-improvements-needed?replies=3 for my ideas on the subject.