This post is slightly about fighting comment spam, but for me, it’s more about reducing PHP processing and server load. It comes as a result of my recent trouble with my (former) web host.
I use the Akismet WordPress plugin / service to reduce comment spam. It works extremely well. Very rarely does comment spam actually get posted to this site.
Currently, Akismet prevents about 3,000 spam comments a day from entering my site. Even though the spam never gets posted, every comment is still processed, and written to the database, resulting in a much larger database file and higher server load.
Once I realized just how many times a day comments were being written to the database, I began to look for a way to reduce it. The answer was surprisingly simple.
How Comments Work:
Let’s start with how comments work in WordPress. Inside your theme’s folder, there are 2 files, comments.php and comments-popup.php (your theme probably only uses one of them). Those are the forms that a visitor to your site fills out when leaving a comment. But they don’t handle the actual posting of the comment. They pass the data to a core WordPress file called wp-comments-post.php, which in turn processes the comment and writes it to the database.
What I did:
All I did to reduce the amount of comment spam being written to the database was change the name of the file, wp-comments-post.php. You can change it to whatever you want, like die-punk-ass-spammers-die.php. Then open up either comments.php, or comments-popup.php (whichever file your theme uses), and replace the reference to wp-comments-post.php, with the new name of that file. That’s it!
In the last 24 hours, instead of 3,000 spam comments being written to the database, I only had 64!
This method is by no means a permanent fix, and it won’t work for everyone. I’ll address these issues in just a minute.
I didn’t come up with this approach; I found it online. Everywhere that I found it, some people said it worked great for them, and others said it didn’t work at all. If you think about it, that makes total sense, because it all depends on how your site is being attacked.
There are two basic ways for spammers to leave comments on your blog:
#1 They send out their little spambots to crawl your site, and interact with your comment form.
#2 At some point in the past, their spambots crawled your site, determined the location of wp-comments-post.php, and now they are hitting that file directly… bypassing your form altogether (this is how I was being attacked).
Changing the filename of wp-comments-post.php will do little to nothing for option #1. Any half-witted spambot can crawl your site, and interact with your comment form. But for option #2, this method can have a dramatic effect, as seen by my results.
As I mentioned, this method is not a permanent fix. As time goes by, those freakin spambots will log the location of your newly renamed file, and begin hitting it directly again. You’ll have to monitor the traffic pattern, and change the filename again every so often. I’ve only been doing it for one day, so I can’t say how long it will last. As an added layer of protection, I placed a blank file on my server, and gave it the name of the original file, wp-comments-post.php, in hopes that anyone already hitting that file will not get a 404 error, and re-crawl the site. I’m hoping this will extend the longevity of my new file.
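One way to monitor that traffic pattern, as an added example that is not part of the original post: it reads access-log lines in Apache combined format and splits comment POSTs into hits on the blank decoy, hits on the renamed handler that came through the form, and hits that went straight to the renamed handler. The handler name `/wp-c-7f3a.php`, the host `example.com`, the 50% threshold and the log lines are all assumptions made up for the illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined Log Format: ip - - [time] "METHOD path PROTO" status size "referer" "agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def classify_comment_posts(lines, handler, decoy, site_host):
    """Count comment POSTs by how the client reached the handler."""
    seen_get = set()   # IPs that fetched at least one page before posting
    counts = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, method, path = m["ip"], m["method"], m["path"].split("?")[0]
        if method == "GET":
            seen_get.add(ip)
        elif method == "POST" and path == decoy:
            counts["decoy"] += 1   # still aimed at the old location
        elif method == "POST" and path == handler:
            ref_host = urlsplit(m["referer"]).hostname   # None for "-"
            via_form = ip in seen_get and ref_host == site_host
            counts["via_form" if via_form else "direct"] += 1
    return dict(counts)

def should_rename(counts, threshold=0.5):
    """True when direct hits exceed `threshold` of all POSTs to the handler."""
    total = counts.get("direct", 0) + counts.get("via_form", 0)
    return total > 0 and counts.get("direct", 0) / total > threshold

# Constructed sample log lines (not real traffic); hypothetical renamed handler.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "POST /wp-c-7f3a.php HTTP/1.1" 302 0 "http://example.com/?p=12" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 200 0 "-" "bot"',
    '198.51.100.8 - - [01/Jan/2024:10:03:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 200 0 "-" "bot"',
    '203.0.113.5 - - [01/Jan/2024:10:04:00 +0000] "POST /wp-c-7f3a.php HTTP/1.1" 302 0 "-" "bot"',
]

if __name__ == "__main__":
    counts = classify_comment_posts(SAMPLE, "/wp-c-7f3a.php", "/wp-comments-post.php", "example.com")
    print(counts, "rename again:", should_rename(counts))
```

The Referer header is supplied by the client, so the "via_form" count can include bots that fake it; a rising "direct" count is the signal that the new name has been logged.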
When looking at this approach, I started wondering if a plugin could be written to dynamically rename the file. Are there any WordPress gurus out there willing to pick up the challenge?
One other thing to keep in mind if you try this approach is future WordPress upgrades. The next time you upgrade, you’ll get a new file called wp-comments-post.php. You’ll need to rename that new file when you get it, and ditch your current file.
UPDATE: I posted this same entry over at the WordPress support forums, with the hopes that it may help someone else having this same problem. There are a couple of good responses so far with alternate suggestions, including using your .htaccess file to limit access to wp-comments-post.php from anywhere other than your domain. Link