Reduce comment spam and php processing

  • This entry isn’t a question. I’m reposting a copy of a blog entry I wrote in hopes that it may be useful to someone else who is having the same trouble I was. For anyone who is interested, my original post can be found here.


    This post is slightly about fighting comment spam, but for me, it’s more about reducing php processing, and server load. It comes as a result of my recent trouble with my (former) web host.

    I use the Akismet WordPress plugin / service to reduce comment spam. It works extremely well. Very rarely does comment spam actually get posted to this site.

    Currently, Akismet prevents about 3,000 spam comments a day from entering my site. Even though the spam never gets posted, every comment is still processed, and written to the database, resulting in a much larger database file and higher server load.

    Once I realized just how many times a day comments were being written to the database, I began to look for a way to reduce it. The answer was surprisingly simple.

    How Comments Work:

    Let’s start with how comments work in WordPress. Inside your theme’s folder, there are 2 files, comments.php and comments-popup.php (your theme probably only uses one of them). Those are the forms that a visitor to your site fills out when leaving a comment. But they don’t handle the actual posting of the comment. They pass the data to a core WordPress file called wp-comments-post.php, which in turn processes the comment and writes it to the database.

    What I did:

    All I did to reduce the amount of comment spam being written to the database was change the name of the file, wp-comments-post.php. You can change it to whatever you want, like die-punk-ass-spammers-die.php. Then open up either comments.php, or comments-popup.php (whichever file your theme uses), and replace the reference to wp-comments-post.php, with the new name of that file. That’s it!

    In the last 24 hours, instead of 3,000 spam comments being written to the database, I only had 64!

    This method is by no means a permanent fix, and it won’t work for everyone. I’ll address these issues in just a minute.

    I didn’t come up with this approach; I found it online. Everywhere that I found it, some people said it worked great for them, and others said it didn’t work at all. If you think about it, that makes total sense, because it all depends on how your site is being attacked.

    There are two basic ways for spammers to leave comments on your blog:

    #1 They send out their little spambots to crawl your site, and interact with your comment form.

    #2 At some point in the past, their spambots crawled your site, determined the location of wp-comments-post.php, and now they are hitting that file directly… bypassing your form altogether (this is how I was being attacked).

    Changing the filename of wp-comments-post.php will do little to nothing for option #1. Any half-witted spambot can crawl your site, and interact with your comment form. But for option #2, this method can have a dramatic effect, as seen by my results.

    As I mentioned, this method is not a permanent fix. As time goes by, those freakin spambots will log the location of your newly renamed file, and begin hitting it directly again. You’ll have to monitor the traffic pattern, and change the filename again every so often. I’ve only been doing it for one day, so I can’t say how long it will last. As an added layer of protection, I placed a blank file on my server, and gave it the name of the original file, wp-comments-post.php, in hopes that anyone already hitting that file will not get a 404 error, and re-crawl the site. I’m hoping this will extend the longevity of my new file.

    When looking at this approach, I started wondering if a plugin could be written to dynamically rename the file? Are there any wordpress gurus out there willing to pick up the challenge?

    One other thing to keep in mind if you try this approach is future WordPress upgrades. The next time you upgrade, you’ll get a new file called wp-comments-post.php. You’ll need to rename that new file when you get it, and ditch your current file.

Viewing 5 replies - 1 through 5 (of 5 total)
  • This entry isn’t a question.

    You submitted it as a support question.

    Try Bad Behavior (with Akismet).

    If you’re intent on fighting spam without the use of plugins, there are a lot of things you can do in addition to merely renaming wp-comments-post.php:

    1. Only allow access to wp-comments-post IF the referer is coming from your domain. (Yes, the domain can be spoofed, that’s not the point, and 99% of the scripts are not going to spoof the referer; they’re not that smart (yet).)

    2. Rename the variables inside wp-comments-post.php to something other than the default ones. You will also need to make adjustments to your theme’s comments.php, as that actually does the submitting of the variables based on the default fields.

    3. Use mod_security (if you have it available) to scan post payloads.

    There’s more yet... and I’ve blogged about those ways extensively on my own site.

    I recently helped someone that was using 3-4 additional plugins on top of BB to manage spam. Last time I checked he had gotten one spam comment in a week after making some rather simple changes that I recommended. Without Akismet, without spam-karma.

    I get 0 spam, and I use one plugin to manage it: bad behaviour. The rest is all my own doing.

    My comments do go into moderation though, just to be on the safe side.

    Thread Starter Paul


    Thanks for the info, whooami. A couple of questions…

    1. Does Bad Behavior prevent the spam from being written to the database (not just prevent it from being posted), and does it add much additional php processing?

    2. Can you provide more information on limiting access to my domain only?


    1. Yes, and no, not really. least not that I notice.

    2. Yes, do this, in your .htaccess:

    # example.com is a placeholder for your own domain name
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} "!^https?://(www\.)?example\.com(/.*)?$" [NC]
    RewriteCond %{REQUEST_URI} ".*commentwhatever.php$"
    RewriteRule .* - [F]

    where example.com is your domain name and where commentwhatever.php is the name of the file you’ve renamed.
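An added example, not part of any post in this thread: a Python script that sorts comment POSTs in an Apache combined-format access log into the cases discussed above (bots still hitting the old wp-comments-post.php location, bots hitting the renamed file directly, and submissions arriving with a Referer from your own site), which tells you when the renamed file has been found. The host name example.com, the file name commentwhatever.php and the log lines are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed values: change to your own domain and to the name you gave the handler.
SITE_HOST = "example.com"
OLD_HANDLER = "/wp-comments-post.php"   # original name (now a blank decoy file)
NEW_HANDLER = "/commentwhatever.php"    # renamed handler

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def classify(line):
    """Return a label for a comment POST, or None for any other request."""
    m = LINE_RE.match(line.strip())
    if not m or m["method"] != "POST":
        return None
    path = m["path"].split("?", 1)[0]
    if path == OLD_HANDLER:
        return "stale_direct"   # bot still using the location it logged earlier
    if path != NEW_HANDLER:
        return None
    # Referer can be forged, so "via_form" is an upper bound on real form use.
    host = (urlparse(m["referer"]).hostname or "").lower()
    if host in (SITE_HOST, "www." + SITE_HOST):
        return "via_form"
    return "new_direct"         # renamed file is being hit without the form

def summarize(lines):
    """Count comment POSTs per label; a rising new_direct count means rename again."""
    return Counter(label for label in map(classify, lines) if label)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2000:13:55:36 +0000] "POST /wp-comments-post.php HTTP/1.0" 200 0 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [01/Jan/2000:13:55:39 +0000] "POST /wp-comments-post.php HTTP/1.0" 200 0 "-" "Mozilla/4.0"',
    '198.51.100.20 - - [01/Jan/2000:14:02:11 +0000] "POST /commentwhatever.php HTTP/1.1" 302 0 "http://www.example.com/?p=12" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jan/2000:14:09:50 +0000] "POST /commentwhatever.php HTTP/1.1" 302 0 "http://spam.invalid/" "Mozilla/4.0"',
    '198.51.100.20 - - [01/Jan/2000:14:10:02 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
```

With the .htaccess rule above in place, the new_direct requests would be answered with 403 before PHP runs, so the same counts also show how much processing the rule is saving.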

    Thread Starter Paul


    Very cool, thanks! I’ll give that a try.

  • The topic ‘Reduce comment spam and php processing’ is closed to new replies.