“Detect spambots posting comments” option is blocking all comments.
-
Hi @jlmwp,
According to me it should be cache issue that the spam bot to detect the keys do not match in comment form with database.
WP security > Spam prevention > Comment spam
You may set the Spam comments detected should be: Marked as spam instead the Discarded
WP security > Spam prevention > Comment spam IP monitoring
Enable auto block of spam comment IPs: disable it right now.
I can not see the pastebin url you sent it shows 404 for me.
We have worked on the fix for the cache plugin issue where the cache page have older spam detection key than in DB but what you have issue without the Cache plugin so have to cross check.
If you can share that url again and make sure the antibot keys are added.
Hello
Thank you for you answer. I’ll add some captures of what I did this time.
I changed the settings as you described.
On the site, I checked the comment form for the antibot keys. They were added.
I added two comments. This time my IP was not blocked, but both comments were marked as spam.
I tried this same test on a brand new installation. The comment was also marked as spam.
This is my dev site which is a clone of the production site with all others plugins disabled and the default theme: https://dev2.bicicosas.cl/cuales-son-los-accesorios-basicos-para-mi-bici-nueva/
This is another dev site which is the new instalation: https://dev3.bicicosas.cl/2024/09/25/hello-world/
Thank you.
Hi @jlmwp
Do you have Akismet Anti-Spam plugin active ?
I am asking though you mentioned that not any other plugin installed. As if it is active it may create problem and it is default installed.
I cross checked installing fresh setup the latest WordPress 6.6.2 and AIOS 5.3.3 and storefront as theme activated it do not mark as spam in my local
https://snipboard.io/T9dysY.jpg
I have posted comment on the below comment form page but it might be in spam Please cross check there..
https://dev3.bicicosas.cl/2024/09/25/hello-world/
HTTP_REFERER and HTTP_USER_AGENT are blank or the keys for form hidden field and set cookies if do not match it is marked as posted from bot.
Regards
Hello
I checked and only this this plugin is active
Your posted comment was indeed marked as spam. I also tested with my admin user while logged, and a test from a mobile device. All were marked as spam.
These are the headers I recovered from the last test.- GENERAL
Request URL: https://dev3.bicicosas.cl/wp-comments-post.php
Request Method: POST
Status Code: 302 Found
Remote Address: 200.73.115.33:443
Referrer Policy: no-referrer - RESPONSE
cache-control: no-cache, no-store, must-revalidate, max-age=0
content-length: 0
content-type: text/html; charset=UTF-8
date: Tue, 08 Oct 2024 14:48:50 GMT
edit: Set-Cookie (.*) “$1;HttpOnly;Secure”
expires: Wed, 11 Jan 1984 05:00:00 GMT
location: https://dev3.bicicosas.cl/2024/09/25/hello-world/#comment-6
referrer-policy: no-referrer
server: LiteSpeed
set-cookie: comment_author_05523445a92ef4e351aef48dc345c80b=%20; expires=Mon, 09-Oct-2023 14:48:50 GMT; Max-Age=0; path=/; secure
set-cookie: comment_author_email_05523445a92ef4e351aef48dc345c80b=%20; expires=Mon, 09-Oct-2023 14:48:50 GMT; Max-Age=0; path=/; secure
set-cookie: comment_author_url_05523445a92ef4e351aef48dc345c80b=%20; expires=Mon, 09-Oct-2023 14:48:50 GMT; Max-Age=0; path=/; secure
setifempty: Referrer-Policy: same-origin
strict-transport-security: max-age=300; includeSubDomains; preload
vary: User-Agent
x-content-type-options: nosniff
x-frame-options: sameorigin
x-permitted-cross-domain-policies: none
x-powered-by: PHP/8.1.29
x-redirect-by: WordPress
x-xss-protection: 1; mode=block - REQUEST
:authority: dev3.bicicosas.cl
:method: POST
:path: /wp-comments-post.php
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7
accept-encoding: gzip, deflate, br, zstd
accept-language: es,en-US;q=0.9,en;q=0.8
cache-control: no-cache
content-length: 172
content-type: application/x-www-form-urlencoded
cookie: jeost9tk=wkdl0i0lu65v; dea3ct95=9q3qcnx7c6ui; le67hezg=harnpbrxk5r7
origin: null
pragma: no-cache
priority: u=0, i
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-origin
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1
According to your suggestions. I dont know if i’m undestanding this right, but i’ll try.- “HTTP_REFERER and HTTP_USER_AGENT are blank”
I could not find the “HTTP_REFERER” header, but on the “General” headers, the “Referrer Policy” is set to “no-referrer” and on the Request Headers, the “user-agent” is set to “Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1”
- ” or the keys for form hidden field and set cookies if do not match”
This is the html code for the antibot-keys
<p class="comment-form-aios-antibot-keys">
<input type="hidden" name="n5aip6c1" value="ha25m2vs4aa1">
<input type="hidden" name="ffqu9qt4" value="lodm1911pb2x">
</p>And on the Request headers, i only found this header
“cookie: jeost9tk=wkdl0i0lu65v; dea3ct95=9q3qcnx7c6ui; le67hezg=harnpbrxk5r7”
I dont know if any of this could be the reason.
One thing. Our hosting has very strict rules for Modsecurity. Could this be related somehow?
Thanks.
Hi @jlmwp,
We have worked on improvement to cache-related issue for comment spam.
Can you please uplaod the below zip as Add new plugin to replace existing AIOS plugin.
It has option “Use cookies to detect comment spam” you may uncheck it so cookies are not used.
https://snipboard.io/PbwS81.jpg
Then you cross-check adding comment, It is still in the spam, If not then it is cookie issue.
Mod security rules, Please ask the hosting provider do they have any such comment spam feature. I see less chance.
Regards
Hello.
Thank you for the update.I downloaded the file you sent. I uninstalled and deleted the installed version. Then I uploaded and installed the new file.
I applied the configuration you sent and re tested the comment.
The comment was marked as spam.
Regards.Hello
I asked to my hosting about this. They say that the only blocking made by ModSecurity in the test domain, is to the file xmlrpc.php, and none of the IPs match the ones of the comments.This is a capture they sent me
The web server we use is Litespeed. Could this be the cause?
Regards.
Hi @jlmwp
Thanks for installing that so we know that it is not the session issue.
And as per hosting provider also mod seucurity issue.
Can you please enable the debug log by adding below in wp-config.php , If below is too much technical also let me know.
// Enable WP_DEBUG mode define( 'WP_DEBUG', true );
// Enable Debug logging to the /wp-content/debug.log file define( 'WP_DEBUG_LOG', true );
And if possible change the
is_comment_spam_detected
in below mentioned file as per below code to have two error log entries to know if spam bot detection is by one of that reasons. Once you change the function try add the comment it will be marked spam but wp-content/debug.log will have one of below entries so we may know what is the issue,/wp-content/all-in-one-wp-security-and-firewall/classes/wp-security-comment.php
public static function is_comment_spam_detected() {
$return = false;
if (!is_user_logged_in()) {
if (empty($_SERVER['HTTP_REFERER']) || false === stristr($_SERVER['HTTP_REFERER'], parse_url(home_url(), PHP_URL_HOST)) || empty($_SERVER['HTTP_USER_AGENT'])) {
error_log("comment spam due to referrer and user agent issue");
$return = true;
} elseif (self::is_bot_detected()) {
error_log("comment spam due to bot detected for antibot keys do not match");
$return = true;
}
}
return apply_filters('aiowps_is_comment_spam_detected', $return);
}Hello. I changed the code as you described. This is the file.
After the test, the debug.log file was created. It only has this line: “[11-Oct-2024 14:52:31 UTC] comment spam due to referrer and user agent issue”
Regards
Hi @jlmwp,
Ok, it seems http referer or user agent issue as per log.
Can you please add the code below to the function after the error log for comment spam due to the referer and user agent to get more details? which is the making problem. After adding that code to the file function and saving it. you have to add again the comment and check the wp-conent/debug.log
error_log("HTTP_REFERER >> " . $_SERVER['HTTP_REFERER'] . " >> home_url >> ". home_url() . " >> HTTP_USER_AGENT >> " . $_SERVER['HTTP_USER_AGENT']);
public static function is_comment_spam_detected() {
$return = false;
if (!is_user_logged_in()) {
if (empty($_SERVER['HTTP_REFERER']) || false === stristr($_SERVER['HTTP_REFERER'], parse_url(home_url(), PHP_URL_HOST)) || empty($_SERVER['HTTP_USER_AGENT'])) {
error_log("comment spam due to referrer and user agent issue");
error_log("HTTP_REFERER >> " . $_SERVER['HTTP_REFERER'] . " >> home_url >> ". home_url() . " >> HTTP_USER_AGENT >> " . $_SERVER['HTTP_USER_AGENT']);
$return = true;
} elseif (self::is_bot_detected()) {
error_log("comment spam due to bot detected for antibot keys do not match");
$return = true;
}
}
return apply_filters('aiowps_is_comment_spam_detected', $return);
}So is_comment_spam_detected will be like above so we know exact issue is.
Regards
Hello
After the last test, I looked for information about the http referer and WordPress. I found this link https://www.malcare.com/blog/referrer-policy-wordpress/
Following this information, I added these lines to the begining of the .htaccess
# Set Referrer-Policy
<IfModule mod_headers.c>
Header set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>I tested and the comments where added correctly! The debug.log file did not change.
I still need to test this on a full working installation, but looks like a posible workaround.Regards
Hi @jlmwp,
Please contact your hosting provider if possible might be server behind proxy do not pass that info.
Also I can see in request header you sent have so it might be some thing at server blocking at sending info to browser.
Referrer Policy: no-referrer
If it can not be solved. We may apply the
aiowps_is_comment_spam_detected
and try to solve the issue.Regards
- This reply was modified 2 weeks, 6 days ago by hjogiupdraftplus.
Hello
Adding those lines to the .htaccess file solved the problem. The option is now working correctly.
Thank you for your support.
Hi @jlmwp
Glad to know it works now after “Header set Referrer-Policy” set correct in .htaccess.
Can you please let me know which hosting did you use? In general, this is not required to be set.
Regards
- GENERAL
- You must be logged in to reply to this topic.
(@jlmwp)
3 weeks, 5 days ago
Hello
I was checking the Comments on my site, and decided to make a test. Using Chrome, I went to my “contact” page and added a legitimate commentary by filling the form.
The commentary was not added, and my IP got blocked.
I checked the “Permanent block list” and my IP was added with the motive “spam_discard”
After checking the settings, I noticed it was enabled the option “Detect spambots posting comments” on the “Spam Prevention” section.
I disabled the option, saved the settings and tested again. This time the commentary was added correctly.
I tested this for conflicts. I disabled all others plugins (cache included) and used the Twenty Twenty-Four theme. I also got blocked.
I dont understand why it blocked the commentary. For now I’ll keep this option off.
There is a similar topic here: https://wordpress.org/support/topic/detect-comment-from-spambots-marks-all-comments-as-spam/, but in my case, all the others plugins are disabled.
You can try it at this link https://pastebin.com/1HuUgnhF
Thank you.