docwhat's avatardocwhat's blog

WordPress anti-spam recipe

Here’s a simple recipe to cut down on comment spam in WordPress. I assume you have basic understanding of Unix commands or can translate them to windows.

  1. Make a directory in the root of your WordPress file system called post.

  2. Create a file in the directory called index.php with the following contents:

    < ?php
    include("../wp-comments-post.php");
    ?>
  3. Modify the form comments.php in your theme to point to /post/ instead of /wp-comments-post.php

  4. Add the following RewriteRule to your “.htaccess” files to block “wp-comments-post.php”:

    RewriteRule ^/wp-comments-post.php - [F,L]

Is this a perfect solution? No, it isn’t; spammers will work around it, using scripts that read your blog posts first to get the correct page to post to. But it does slow down a spammer. To a spammer, time is money, so a mass-spammer will be less likely use it. For an unpopular blog like my own, it isn’t worth it for a spammer to work around this problem (or even notice it is a problem). However, if you own a super popular blog, this won’t add much protection because the reward to the spammer is high enough that the extra cost is worthwhile.

I hope this helps you. :-)

BTW: If you use the Permalink-Redirect plugin, then you can change that RewriteRule to:

RewriteRule ^/(wp-comments-post|wp-trackback).php - [F,L]

Why? Because nobody parsing your HTML will ever get a link to /wp-trackback.php!

Ciao!

Comments

Gravatar for docwhat
docwhat

So, the downside to this is that you need to add exceptions for things like wp-amazon (ttancm version).

In addition, if you have rewrite rules for using wp-admin-ssl, you’ll have to modify them so that wp-content/plugins/wp-admin.php is accessible via https.

Finally, there is a thread on the wp-hackers mailing list about the idea of hiding /wp-content files. Specifically, Otto has several good reasons why hiding wp-contents makes no difference, since it hackers won’t scan for a plugins, they scan for vulnerabilities.

Except for inactive plugins, it doesn’t matter if someone can scan for a plugin.

Ciao!

Submit a Comment

docwhat

The personal blog of Christian Höltje.
docwhat docwhat contact