WordPress anti-spam recipe

Here’s a simple recipe to cut down on comment spam in WordPress. I assume you have a basic understanding of Unix commands or can translate them to Windows.

  1. Make a directory in the root of your WordPress file system called "post".
  2. Create a file in that directory called "index.php" with the following contents:
    <?php
    // Hand the request to WordPress's normal comment handler, one directory up.
    include("../wp-comments-post.php");
    ?>
  3. Modify the comment form in "comments.php" in your theme so its action points to "/post/" instead of "/wp-comments-post.php".
  4. Add the following RewriteRule to your ".htaccess" file to block direct requests to "wp-comments-post.php" (in .htaccess the pattern is matched without the leading slash and the dot must be escaped; the rule needs RewriteEngine On, which WordPress's own pretty-permalink block already sets):
    RewriteRule ^wp-comments-post\.php$ - [F,L]

Is this a perfect solution? No, it isn’t; spammers will work around it, using scripts that read your blog posts first to get the correct page to post to. But it does slow a spammer down. To a spammer, time is money, so a mass-spammer will be less likely to use it. For an unpopular blog like my own, it isn’t worth it for a spammer to work around this problem (or even notice it is a problem). However, if you own a super popular blog, this won’t add much protection, because the reward to the spammer is high enough that the extra cost is worthwhile.
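As an added example (not code from the original post), here is a small Python script that reads Apache combined-format access-log lines and reports how the recipe is doing: POSTs to the old handlers that got the 403, POSTs to those handlers that slipped through because the rule is not in effect, and IPs that were blocked and then found /post/, which is exactly the work-around described above. The log lines are constructed sample data.

```python
import re
from collections import Counter
# Constructed Apache combined-format lines (not from a real server): direct
# POSTs to the blocked handlers, a browser submit via /post/, one POST that the
# rule failed to block, and one client blocked first that then found /post/.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2006:13:55:36 -0700] "POST /wp-comments-post.php HTTP/1.1" 403 202 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2006:13:55:37 -0700] "POST /wp-comments-post.php HTTP/1.1" 403 202 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2006:13:56:01 -0700] "GET /2006/10/some-post/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2006:13:57:12 -0700] "POST /post/ HTTP/1.1" 302 0 "http://example.com/2006/10/some-post/" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2006:13:58:40 -0700] "POST /wp-trackback.php HTTP/1.1" 403 202 "-" "-"
192.0.2.10 - - [10/Oct/2006:13:59:02 -0700] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "-"
203.0.113.5 - - [10/Oct/2006:14:05:20 -0700] "POST /post/ HTTP/1.1" 302 0 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
BLOCKED_ENDPOINTS = ("/wp-comments-post.php", "/wp-trackback.php")  # targets of the RewriteRule
NEW_ENDPOINT = "/post/"  # where the theme's comment form now submits

def classify(line):
    """Return ('blocked'|'leaked'|'accepted', ip) for a relevant POST, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("method") != "POST":
        return None
    path = m.group("path").split("?", 1)[0]
    if path in BLOCKED_ENDPOINTS:
        # 403 means the rule fired; anything else means it is not in effect.
        return ("blocked" if m.group("status") == "403" else "leaked", m.group("ip"))
    if path == NEW_ENDPOINT:
        return ("accepted", m.group("ip"))
    return None

def summarize(log_text):
    """Tally relevant POSTs per category and per IP, and find clients that adapted."""
    totals = Counter()
    by_ip = {"blocked": Counter(), "leaked": Counter(), "accepted": Counter()}
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        kind, ip = result
        totals[kind] += 1
        by_ip[kind][ip] += 1
    # An IP blocked on the old handler that later posted via /post/ worked around the recipe.
    adapted = set(by_ip["blocked"]) & set(by_ip["accepted"])
    return totals, by_ip, adapted
```

Any count under "leaked" means the .htaccess rule is not being applied and should be checked before trusting the other numbers.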

I hope this helps you. :-)

BTW: If you use the Permalink-Redirect plugin, then you can change that RewriteRule to:

RewriteRule ^(wp-comments-post|wp-trackback)\.php$ - [F,L]

Why? Because nobody parsing your HTML will ever get a link to "/wp-trackback.php"!

Ciao!

One thought on “WordPress anti-spam recipe”

  1. docwhat says:

    So, the downside to this is that you need to add exceptions for things like wp-amazon (ttancm version).

    In addition, if you have rewrite rules for using wp-admin-ssl, you’ll have to modify them so that wp-content/plugins/wp-admin.php is accessible via https.

    Finally, there is a thread on the wp-hackers mailing list about the idea of hiding /wp-content files. Specifically, Otto has several good reasons why hiding wp-content makes no difference, since hackers won’t scan for plugins, they scan for vulnerabilities.

    Except for inactive plugins, it doesn’t matter if someone can scan for a plugin.

    Ciao!
