WordPress, comment spam, and php processing

wp-comments-post

This post is slightly about fighting comment spam, but for me, it’s more about reducing php processing, and server load. It comes as a result of my recent trouble with my (former) web host.

I use the Akismet WordPress plugin / service to reduce comment spam. It works extremely well. Very rarely does comment spam actually get posted to this site.

Currently, Akismet prevents about 3,000 spam comments a day from entering my site. Even though the spam never gets posted, every comment is still processed and written to the database, resulting in a much larger database file and higher server load.

Once I realized just how many times a day comments were being written to the database, I began to look for a way to reduce it. The answer was surprisingly simple.

How Comments Work:

Let's start with how comments work in WordPress. Inside your theme's folder there are two files, comments.php and comments-popup.php (your theme probably only uses one of them). Those are the forms that a visitor to your site fills out when leaving a comment. But they don't handle the actual posting of the comment. They pass the data to a core WordPress file called wp-comments-post.php, which in turn processes the comment and writes it to the database.

What I did:

All I did to reduce the amount of comment spam being written to the database was change the name of the file, wp-comments-post.php. You can change it to whatever you want, like die-punk-ass-spammers-die.php. Then open up either comments.php, or comments-popup.php (whichever file your theme uses), and replace the reference to wp-comments-post.php, with the new name of that file. That’s it!

In the last 24 hours, instead of 3,000 spam comments being written to the database, I only had 64!

This method is by no means a permanent fix, and it won’t work for everyone. I’ll address these issues in just a minute.

I didn’t come up with this approach, I found it online. Everywhere that I found it, some people said it worked great for them, and others said it didn’t work at all. If you think about it, that makes total sense, because it all depends on how your site is being attacked.

There are two basic ways for spammers to leave comments on your blog:

#1 They send out their little spambots to crawl your site, and interact with your comment form.

#2 At some point in the past, their spambots crawled your site, determined the location of wp-comments-post.php, and now they are hitting that file directly… bypassing your form altogether (this is how I was being attacked).

Changing the filename of wp-comments-post.php will do little to nothing for option #1. Any half-witted spambot can crawl your site, and interact with your comment form. But for option #2, this method can have a dramatic effect, as seen by my results.

As I mentioned, this method is not a permanent fix. As time goes by, those freakin spambots will log the location of your newly renamed file and begin hitting it directly again. You'll have to monitor the traffic pattern and change the filename again every so often. I've only been doing it for one day, so I can't say how long it will last. As an added layer of protection, I placed a blank file on my server and gave it the name of the original file, wp-comments-post.php, in hopes that anyone already hitting that file will not get a 404 error and re-crawl the site. I'm hoping this will extend the longevity of my new file.

When looking at this approach, I started wondering if a plugin could be written to dynamically rename the file? Are there any wordpress gurus out there willing to pick up the challenge?

One other thing to keep in mind if you try this approach is future WordPress upgrades. The next time you upgrade, you'll get a new file called wp-comments-post.php. You'll need to rename that new file when you get it, and ditch your current file.

UPDATE: I posted this same entry over at the WordPress support forums, with the hopes that it may help someone else having this same problem. There are a couple of good responses so far with alternate suggestions, including using your .htaccess file to limit access to wp-comments-post.php from anywhere other than your domain. Link
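A shell script, added here and not code from the original post, that carries out the rename described under "What I did", drops the empty decoy file mentioned above, and appends the .htaccess referer rule suggested in the forum thread. It assumes a stock WordPress layout; the WordPress root, theme directory, domain and new file name are arguments, and the function names and example.com are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes a stock WordPress tree:
# wp-comments-post.php in the root, comments.php / comments-popup.php in the theme.
set -eu

# rename_comment_handler WP_ROOT THEME_DIR NEW_BASENAME
# Renames the handler, repoints the theme's form(s), leaves an empty decoy.
rename_comment_handler() {
    wp_root=$1; theme_dir=$2; new_name=$3; old=wp-comments-post.php
    [ -f "$wp_root/$old" ] || { echo "no $old in $wp_root" >&2; return 1; }
    [ ! -e "$wp_root/$new_name" ] || { echo "$new_name already exists" >&2; return 1; }
    mv "$wp_root/$old" "$wp_root/$new_name"
    for f in comments.php comments-popup.php; do      # whichever the theme uses
        [ -f "$theme_dir/$f" ] || continue
        sed -i.bak "s|$old|$new_name|g" "$theme_dir/$f"
        rm -f "$theme_dir/$f.bak"
    done
    # Empty decoy: bots still POSTing to the old URL get a 200, not a 404 that
    # might prompt a re-crawl. It runs no PHP and touches no database.
    : > "$wp_root/$old"
}

# count_refs THEME_DIR NAME -> number of template lines that still mention NAME
count_refs() {
    cat "$1/comments.php" "$1/comments-popup.php" 2>/dev/null | grep -c -F "$2" || true
}

# write_referer_rule WP_ROOT DOMAIN HANDLER
# Appends a mod_rewrite rule (the .htaccess idea from the forum thread): POSTs to
# the handler whose Referer is not this site get a 403 before PHP ever runs.
# Caveat: Referer is client-supplied, so this is a cheap filter, not authentication.
write_referer_rule() {
    wp_root=$1; dom=$(printf '%s' "$2" | sed 's/\./\\./g'); handler=$3
    cat >> "$wp_root/.htaccess" <<EOF
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /$handler\$
RewriteCond %{HTTP_REFERER} !^https?://(www\\.)?$dom/ [NC]
RewriteRule .* - [F,L]
</IfModule>
EOF
}
```

Run it as `rename_comment_handler /var/www/wp /var/www/wp/wp-content/themes/mytheme my-handler.php` followed by `write_referer_rule /var/www/wp example.com my-handler.php`, then re-run the rename whenever the traffic pattern shows bots have found the new name.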

17 thoughts on “WordPress, comment spam, and php processing”

  1. Rasmus, that’s a little off-topic… but I’m using the built-in screen capture capabilities of OS X, then I rotated it in Photoshop.

  2. You should take a look at the plugin called “Bad Behavior”. It is a wonderful plugin, and reduces a TON of spam problems.

    Basically, it works by examining the incoming request before anything else occurs. It uses a fairly sophisticated system to determine if the request is from a spammer or not, and if it determines that its spam, it drops it and stops processing. The upshot is that the spam never makes it to your blog’s PHP at all.

    The result is a dramatic drop in the amount of spam that you need to have Akismet catch, and an overall reduction in processing time. It also blocks other kinds of malicious behavior, not just spam (although spam is the main focus). It gives you the capability to block the site from other things as well. All in all, a very comprehensive plugin. Works very, very well.

  3. Thanks Otto. I used to use Bad Behavior a long time ago, but the effectiveness of it kind of dropped off, so I stopped using it. I haven't tried v2. I'll probably give it another try.

  4. Can you tell me how this "redirection" that you made can decide on its own what is spam and what is not? Or do you mean only that all comments are not added to the database before moderation?

  5. One solution i’ve implemented on a number of publicly accessible forms is to have all of the form fields change their name every so often based on a daily key, and post from an array, so my fields are in the format:

    and I obtain the results in PHP from:

    $_POST['todaysrandomkey']['email'];

    This seems to be working so far.

  6. This is exactly what's happening to my wpmu site.
    I use sk2 + badbehavior.
    They both work great reducing spam.

    yet, as you pointed out, they do not help much in reducing server loads caused by wp-comment-post.php still being attacked by spambot.

    bad thing is, renaming the file will cause big works for wpmu, especially when you have a dozen of themes used.

    any other ‘better’ solution??

    rgds,
    dny

  7. Nice idea. You inspired me to finally edit wp-comment-post.php and add code to check if the commenter is following a link…a link from somewhere in my domain. If they aren’t, then they ain’t using my comment form and therefore they ain’t leaving a comment.

  8. Hi,
    just read your article.
    I am facing a 405 http web crawl error at wp-comments-post.php.
    I've seen it in the Google webmaster tools and don't have the slightest idea how to fix it… can you tell me what this error is about?
    Thanks,
    shashank

  9. Hi shashank,

    I took a quick peek at your site. It looks like your comments are working, so it doesn't appear as though anything is broken.

    Are you seeing this error listed in some kind of report that Google is generating for you? Or are you trying to generate a sitemap.xml file? If so, you can probably ignore the error message. The wp-comments-post.php file isn't something that Google needs to crawl. It sounds like Google is just telling you that their crawler couldn't interact with the form, which is OK. It sounds like one of those error messages that is simply for information purposes, but doesn't really need to be fixed.

  10. Ya, I am seeing this report under Google webmaster tools under http crawl errors, where it says 405 error for wp-comments-post.php.

    Got it, very much thanks for clearing the doubt.

    Best Regards
    Shashank
