
Akismet has caught 21,857 spam for you since you first installed it.

That was the message I got after I deleted the last round of comment spam. The figure doesn’t include the 2,557 spams caught by Spam Karma 2 (my old spam killer before I switched to Akismet). If you run a WordPress blog, or any blog, you will get hit by comment spammers eventually. The more popular your blog, the more spam you’ll get. With the number of spams increasing each day, I’ve decided it’s time to stop the spammers before Akismet does.

Each day, Akismet catches over 500 spam comments, which would be great if they were all spam. However, some of them are legit comments, so I have to go through them manually before deleting the entire batch. That means filtering through page after page of comments. This is wasted time that could go to more productive use. By reducing the number of spams Akismet has to catch, I reduce the time it takes me to check for legit comments. Here is what I did.

Rename The wp-comments-post.php File

Every spammer knows that WordPress comments are handled by the wp-comments-post.php file. This is the file they target for their spam. By simply renaming the file to, say, wp-comments-die-spammers-die.php, you will kill off every spambot that targets the wp-comments-post.php file. This one change will drastically reduce the number of spams you get.

After renaming your wp-comments-post.php file, you will need to edit your template files to point to the new file name. Depending on the template you’re using, this task can range from very straightforward to “Where the hell is it?” If you’re running the Threaded Comments plugin like me, then it’s very easy.

[Image: thread.jpg, the Threaded Comments options page]

With Brian’s Threaded Comments, all you need to do is enter the name of the new file into the Custom Comments Target field and hit Update Options. You’ll find the above page in the WordPress Options, Threaded Comments.

Now that you have renamed the comment file, you should upload a new wp-comments-post.php so spambots won’t encounter a 404 error page. This will save your server logs from filling up with 404 errors. You can make the page blank, or leave a message for the spammers like I did.

Deny Access to No Referer Requests

I got this trick from Shoemoney. When a real person comments on your blog, the browser sends a referer that points back to your blog. An easy way to block spammers is to check for that referer. No referer, no comments allowed. Copy and paste the lines below into the .htaccess file in the root of your webserver.

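# Applies only to POST requests aimed at the comment handler
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php
# Match when the referer is not this site, or the user agent is empty
RewriteCond %{HTTP_REFERER} !johnchow\.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# The target is a plain URL, not a pattern, so it takes no ^ or $ anchors
RewriteRule .* http://www.thetechzone.com/ [R=301,L]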

You will need to change the referer to your own domain, and if you changed the name of your wp-comments-post.php file, you need to change it in the rule to the new name. The last line redirects the spambot to a site of your choice. Since automated bots won’t follow a redirect, the site you send them to doesn’t really matter. Keep in mind that the rule also turns away real visitors whose browser or security software strips the referer.
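
To see what the rule above would have done to existing traffic before enabling it, its conditions can be replayed over an access log. This is an added example, not code from the original post; it assumes Apache's combined log format, and the sample lines, IP addresses and post URL are constructed.

```python
import re

# Apache "combined" log line: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
SITE = "johnchow.com"               # domain from the rule on this page
HANDLER = "/wp-comments-post.php"   # use the new name if the handler was renamed

# Constructed sample lines (documentation IP ranges, made-up post URL).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Jan/2007:22:25:07 -0800] "POST /wp-comments-post.php HTTP/1.1" '
    '302 0 "http://www.johnchow.com/sample-post/" "Mozilla/5.0 Firefox/2.0"',
    '198.51.100.7 - - [23/Jan/2007:22:26:00 -0800] "POST /wp-comments-post.php HTTP/1.0" 302 0 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [23/Jan/2007:22:27:10 -0800] "POST /wp-comments-post.php HTTP/1.0" '
    '302 0 "http://example.net/links.html" "Mozilla/4.0"',
    '203.0.113.9 - - [23/Jan/2007:22:28:30 -0800] "POST /wp-comments-post.php HTTP/1.1" '
    '302 0 "http://www.johnchow.com/sample-post/" "-"',
    '192.0.2.44 - - [23/Jan/2007:22:29:00 -0800] "GET /sample-post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def reason(method, uri, referer, agent):
    """Return why the rule would redirect this request, or None if it passes."""
    if method != "POST" or HANDLER not in uri:
        return None                      # first two RewriteCond lines do not match
    if referer in ("", "-"):             # Apache logs a missing header as "-"
        return "no referer"
    if SITE not in referer:
        return "foreign referer"
    if agent in ("", "-"):
        return "empty user-agent"
    return None


def summarize(lines):
    """Group client IPs of comment POSTs the rule would redirect, keyed by reason."""
    hits = {}
    for m in filter(None, map(LOG_RE.match, lines)):
        why = reason(m["method"], m["uri"], m["referer"], m["agent"])
        if why:
            hits.setdefault(why, []).append(m["ip"])
    return hits


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Requests in the "no referer" group are the ones to review by hand, since commenters below report that some security suites and browser settings strip the header.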

Use A Challenge Question

I credit Justin from My PC Rig for helping me find this twist on the captcha. Instead of having a commenter retype a bunch of letters/numbers that are hard to read, I ask a challenge question that only a human can answer. The Challenge WordPress Plugin asks a bunch of random math questions (like 10×6+4=?) but you can edit it to ask whatever question you want. Right now, the question is: what year is it?

I guess if I wanted to be evil I could ask some really hard questions like the following:

  • John Chow is the root of all what?
  • What cars are on the header?
  • What car used to be on the header?
  • Which serial killer did I provoke?
  • How many baby pandas died by my hands?
  • Do you like sex?

Die Spammers! Die!

Since implementing the above spam countermeasures, comment spam has been reduced from a flood to a trickle. So far, only one spam has gotten through and Akismet killed it. Gotta love that! :D


    45 Comments »

    Comment by Michael Kwan
    2007-01-23 22:25:07

    I like the what year is it better than the math. I think the root of all what question would be excellent as well (though new readers of your blog wouldn’t know).

     
    Comment by Ajith
    2007-01-23 22:27:49

    Hi John
    that was a nice little trick. I have seen that on some other blogs too.

    Comment by Jane
    2007-01-24 11:12:29

    It’s the first time I’ve seen this… I can really use this… thanks John!

     
     
    Comment by Nik Agarwal
    2007-01-23 23:11:38

    Nice trick John ;)

     
    Comment by Robert
    2007-01-23 23:22:46

    Good tips John. I’ve seen the math captcha trick before but I like the idea of the plugin approach.

    I would Digg this post, but, well… :-)

    Comment by Jane
    2007-01-24 11:14:45

    You should have some sort of voting feature on your posts John, similar to being dugg, or voted (netscape). That’ll show some of the most popular posts and topics. Who needs digg, make your own :)

     
     
    Comment by Hawaii SEO
    2007-01-23 23:29:47

    Sometimes you can find some very interesting new niches in your comment spam if you look carefully.

     
    Comment by Bryan Wong
    2007-01-23 23:35:58

    Great tips as always. I’ve been reading your blog since you posted those pictures of a Chinese restaurant in Richmond and have been hooked ever since! I don’t know if it’s your witty humor or the fact that you like beef tendons in your wonton soup, but I’m glad I found this blog, keep up the great work!

     
    Comment by
    2007-01-24 00:00:10

    Sorry but the no-referer thing isn’t 100% great since anyone using Norton Internet Security will not be able to post comments since it is blocking the referer.

    Just a thought.

    Comment by John Chow
    2007-01-24 00:29:56

    I also blocked Tor anonymous proxies from commenting as well. :)

    Comment by Jane
    2007-01-24 11:16:22

    The whole enter “what year is it?” thing keeps throwing me off…

     
     
     
    Comment by mubin
    2007-01-24 00:25:14

    You seem to know a lot about spam? Can you teach me how to spam so I can make ze big bux like you?

     
    Comment by Nate W.
    2007-01-24 00:55:07

    Thanks for the tip, John! It is ironic to say, but I hope my blog gets popular enough so I can block spam!

     
    Comment by Leftblank
    2007-01-24 01:04:19

    I like these non-CAPTCHA questions pretty much, but to be serious; it’s just a matter of time till bots will figure the most basic questions/answers out; most sites use basic math ones which shouldn’t be too hard to script, only limited possibilities.

    Comment by John Chow
    2007-01-24 01:08:09

    So far it’s been working really great! Not one new spam yet! I did add two more countermeasures however. I’ll blog about those tomorrow.

     
     
    Comment by Jeff
    2007-01-24 01:21:27

    My god.. spam. I’m at 6 spams so far.. I might do that file switching scheme if it gets bad.

    The only good spam is the canned ones.

     
    Comment by Crys
    2007-01-24 03:38:25

    I’ll probably try to implement this if the spam ever gets really bad. But for us smaller sites, plain Akismet works pretty well so far.

    Great idea though :)

    (side note: Do you have two boxes to subscribe to comments? Or is one for all comments and one for this particular thread?)

     
    Comment by Scott Howard
    2007-01-24 03:58:20

    I am definitely gonna try this. I am getting more and more spam everyday. It’s gotta stooooooooop!! Thanks John

     
    2007-01-24 04:42:37

    Thanks for the tip John. How do you like WP 2.1?

    FT
    http://www.MillionDollarJourney.com

     
    Comment by au8ust
    2007-01-24 05:41:02

    Nice tricks! I just explained this excellent post on my blog in the Lao language, it would be very useful :)

     
    Comment by Marc
    2007-01-24 05:54:12

    Akismet’s been doing a fantastic job for me. around 1400 caught with only 2 false positives and one that slipped through the cracks, but in Akismet’s defence, I think it was a person just trying to plug their thing.

    I think the renaming of the comment file is a fantastic idea.

    I do disagree with the challenge question. Anything like that acts as a barrier to users. Not a huge barrier, but a barrier still. I personally prefer to try and stick with the stuff that’s invisible to users. I wonder what the spam difference would be without the challenge question.

    Thanks for the discussion on the topic though, it’s much appreciated.

     
    Comment by Geiger
    2007-01-24 05:59:02

    VERY GOOD INFO JOHN!
    Employ all these tactics and you will get almost no spam ever no matter how large your blog is.

    Akismet has blocked over 3,000 spam by itself. It rarely lets one by and when it does it puts it straight into moderation.

     
    Comment by Lana loves pictures
    2007-01-24 06:31:37

    Yes I agree with you, the mentioned spam protection is working very fine for me too. I like the easiness of this software very much, because it is very cleanly coded.

    Thank you for sharing this story with me !

     
    Comment by Ryan
    2007-01-24 06:57:06

    An older blog I have used to receive a crap ton of spam, but Akismet kills it all.

    Thankfully I haven’t had the issue (yet) of people commenting and being caught by Akismet, so all is good (for now). Definitely going to keep this post in mind if things start to get out of hand.

    Can’t wait to see what other counter measures you put in place.

    PS: Did I mention it would be nice if you added a JavaScript alert box for the user if the captcha isn’t filled out?

     
    Comment by HMTKSteve
    2007-01-24 07:05:10

    Good tips John. I’m planning to move to WordPress myself… I just need to read up on it and make sure I can properly set my permalinks to be identical to my current links.

     
    Comment by Jeremy Luebke
    2007-01-24 07:31:18

    Watch out with the referrer fix. Some people like myself turn off referrer info in firefox when browsing the web.

     
    Comment by Dan Zupancic
    2007-01-24 07:55:46

    I just got my first comment spam the other day, so I feel like I have joined “the club”. I want to switch from blogger to wordpress soon, so these are some great tips on how to defeat the unwieldy comment spam. Perhaps one day I really will have enough comment spam to justify blocking it…

     
    Comment by
    2007-01-24 10:04:42

    A trick I’ve used on a large forum I run is to use client-side JS to fill in a constantly changing verification code and make that field required to post. Spam bots don’t use JS aware browsers to do their posting. The other is to change the form field names to something other than what they were shipped as.

    Running almost 5 years now and I have not had one automatic registration or post.

     
    Comment by Alex Becker
    2007-01-24 10:46:09

    Do you like sex?
    Would that be some sort of trick question?

    Comment by Nick Witkoski
    2007-01-24 12:06:50

    It would be funny if John made it “who’s your daddy” and the answer would be John Chow.

    Comment by Alex Becker
    2007-01-24 14:10:27

    Or better yet: I don’t know

     
     
     
    Comment by Jane
    2007-01-24 11:19:51

    Does anyone have any idea of what the best way to switch content from an old domain to a new domain using different hosts?

    I just bought a new domain for my site and want to switch without losing readers, information, and rankings…Any ideas would be GREATLY appreciated.

     
    Comment by Matthew Berman
    2007-01-24 11:41:39

    excellent post

     
    2007-01-24 13:17:56

    [...] Akismet caught to see if there were any false positives. However, thanks to the implementation of yesterday’s spam countermeasures, there was just one new spam to delete! Shortly after making last night’s post, I added two [...]

     
    Comment by Hannes Johnson
    2007-01-24 15:47:17

    Clever trick John.

    I might refer back to this article when spam comments on my blog start to increase… (so far: 0 spam comments).

    By the way, it’s 2007, right? I put 2007 into the box but I still got a “You don’t know year it is?” message…

    Comment by John Chow
    2007-01-24 16:09:01

    Yes the answer is 2007. I guess you finally got it right since your comment is here. :)

     
     
    2007-01-24 17:18:46

    [...] few readers have commented that my new Challenge Question Plugin, while great, was causing a problem when you forget to answer the question before submitting the [...]

     
    Comment by
    2007-01-24 18:53:29

    Wordpress is open source at its finest. Akismet is a result. A mighty fine one at that.

     
    2007-01-25 08:18:50

    [...] OneDigitalLife, JohnChow, Shoemoney Technorati Tags: Tech Stuffs [...]

     
    Comment by aibek
    2007-01-26 09:37:45

    Thanks for the tip Mr. Chow
    I liked the idea of putting a time limit on comments, however I think it won’t work for every blog. I think it depends on the stuff being published; some info doesn’t really depend on time (e.g. your post about adsense alternatives). For them, relevant comments may come even a year or two later, and if you leave comments on it’ll be an easy way to keep posts up to date.

     
    2007-01-26 13:05:42

    [...] my war against spammers I installed a Challenge Question Plugins that ask you for the year before it will post your comments. This Plugin has helped to reduce the [...]

     
    2007-01-27 14:03:20

    [...] so it doesn’t actually get any spam, but I thought it best to be proactive. First I read Die Spammers Die and Die Spammers Die Part 2 by John [...]

     
    2007-02-03 20:11:52

    [...] I just read an interesting post by John Chow about how to curb your comment spam. Using a wordpress plugin and changing a WP file’s name will bring your spam to a screeching halt. Check it out, he calls it Die Spammers! Die! [...]

     
    Comment by Saman Sadeghi
    2007-02-21 16:47:19

    John, I noticed that you removed the little love note from your wp-comments-post.php file - any reason why?

     
    2007-02-21 16:49:15

    [...] I’ll take it as a compliment! Actually, I read John Chow’s article Die Spammers! Die! a few weeks ago, but didn’t think I really needed any of his tips. Today I changed my [...]

     