This trick has been discussed in the WordPress Codex and the Support forums but I’d like to echo it here again for those who haven’t had the chance to learn about it and still suffering from comment, track-back and referral spam.
If you’re using the WP ShortStats plugin, you’d have noticed by now that you’re getting referrals from sites that targets your wp-comments-post.php which shouldn’t be the case because they’re internal WordPress files. This is an indication that your blog is being targetted for referral spam or trackback spam.
One of the earlier fixes I added in my .htaccess was a rewrite rule to supposedly block the referral spam:
RewriteCond %{HTTP_REFERER} “!^http://www.yugatech.com/blog/.*$” [NC]
RewriteCond %{REQUEST_URI} “.*wp-comments-post.php$”
RewriteRule .* – [F]
That seemed to help stop it by about 90% or so which is quite effective IMO. Still there’s the trackback spam to consider, so here’s one tip you can implement in your WP theme:
1) Find the file wp-comments-post.php and rename it to something else (e.g. i-get-no-spam.php). This file can be found in your root WP folder.
2) Next, look for the file comments.php in your active WP theme folder and edit instances of the term “wp-comments-post.php” to match that of what you renamed it to.
If you’re running some other comments related plugin, like Paged Comments, there might be some slight changes in the steps but that’s the general idea.
That’s it. Now them spam bots that have bookmarked your wp comment form would get a 404 error next time.
you might need to rename the “comments.php” within the code of the template file too because it’s part of the conditional statement. It’s actually on secode line of the code in comments.php (when you open it up in Notepad).
heaven sent tip! thanks!
wordpress comes with security fixes and are updated every time a new issue arises. even so, every now and then problems do came up.., this discourages me to came up with my own version of php-mysql powered blog.. I am poor when it comes to security consideration — I don’t even know how spammers could destroy my site =(
I’d like to implement this fix, but I’m afraid I might end up messing up my WP installation, hehehe
Will probably do it on a test blog first. Great how-to by the way.
great timing…been having problems with that lately. salamat!
[...] Having been bitten in the past on other projects, I have been careful not to post TechnoCloud’s email address in machine-readable format. However, as sure as death and taxes spam found a way, most likely through some kind of Whois data spider. It took all of 4 days for the first emails to come through. I’m hardly alone on this one. [...]
my blog is actually not using the Akismet Technology to avoid such spam comments. However, I successfully avoid these things by installing the Mathematics comment plugin, which is not capable of controlling spam pings for trackbacks.
Thanks for echoing this topic. this hack willl really help.
[...] there have been lots of discussion on protecting wp-comments-post.php file to prevent comment spams. because, this is the one and only file ‘attacked’ by spambots to post their spam comments. i just checked my log and see there’re only 2 IPs that each ’suck’ about 5meg of my server bandwidth every day and they only ‘attack’ 6 files. and i know wp-comments-post.php is the no.1. i’ve blocked both these IPs. [...]
Hi! Very nice site! Thanks you very much! mwLJFRdz2PKhXF
[...] have been lots of discussion on protecting wp-comments-post.php file to prevent comment spams. because, this is the one and only file [...]
Who can help me with .httpaccess ?
where i can fined full information about .httpaccess file syntaxis?
Improves erectile function no side effect medicine