WordPress Ideas » Topic: Nonces for comment submission

Ipstenu on "Nonces for comment submission"

Ipstenu — Wed, 07 Mar 2012 02:02:39 +0000

The easiest way to punt people hitting your comments file directly would be htaccess.

# Stopping refferer spam
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*example.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
</IfModule>

Also you can use the plugin Cookies fo Comments, which checks to make sure the visitor has a cookie before comment :)

LoneWolfMuskoka on "Nonces for comment submission"

LoneWolfMuskoka — Sun, 06 Jun 2010 00:51:24 +0000

@mrclay

I can see the performance issue being a problem. I wonder if there is a way get around that.

Also, I'm curious as to how the spambots would get around the nonces. I imagine that it would at least force them to go to the post page first to figure out the nonce.

If you could put a minimum time before submitting then you could probably catch out most of them or force them to run more slowly.

But you've raised 2 very valid points and given me more stuff to think about 8=)

mrclay on "Nonces for comment submission"

mrclay — Thu, 03 Jun 2010 13:06:17 +0000

-1 But good idea. For performance purposes you want to serve identical HTML to most visitors (this WP-Super-Cache). Plus the nonces would be no problem to work around for the next wave of spambots.

LoneWolfMuskoka on "Nonces for comment submission"

LoneWolfMuskoka — Tue, 18 May 2010 15:40:12 +0000

It seems that a great deal of comment spam comes from robots that seem to be hitting the wp-comments.php file without ever going to the site itself.

I think it would be good to add nonces to the submission process so that you would have to actually submit from the comment form. This should eliminate the robotic spam.