Die Spammers! Die!

Akismet has caught 21,857 spam for you since you first installed it.

That was the message I got after I deleted the last round of comment spam. The figure doesn’t include the 2,557 spam comments caught by Spam Karma 2 (my old spam killer before I switched to Akismet). If you run a WordPress blog, or any blog, you will get hit by comment spammers eventually. The more popular your blog, the more spam you’ll get. With the spam count climbing every day, I’ve decided it’s time to stop the spammers before they ever reach Akismet.

Akismet catches over 500 spam comments a day, which would be great if they were all spam. However, some of them are legitimate comments, so I have to go through the queue manually before deleting the batch. That means paging through screen after screen of comments, time that could go to more productive use. By reducing the number of spam comments Akismet has to catch, I reduce the time it takes me to find the legitimate ones. Here is what I did.

Rename The wp-comments-post.php File

Every spammer knows that WordPress comments are handled by the wp-comments-post.php file. This is the file they target for their spam. By simply renaming the file to, say, wp-comments-die-spammers-die.php, you kill off every spambot that posts blindly to wp-comments-post.php. This one change will drastically reduce the amount of spam you get. Keep in mind that it is obscurity, not a lock: a bot that loads the post page and reads the form’s action attribute finds the new name immediately. It only stops the bots that fire at the default path without looking, which in practice is most of them.

After renaming wp-comments-post.php, you need to edit your template files so the comment form posts to the new file name. Depending on the template you’re using, this ranges from very straightforward to “Where the hell is it?” (the form action usually lives in the theme’s comments.php). If you’re running the Threaded Comments plugin like me, it’s very easy.

[Screenshot: thread.jpg, the Threaded Comments options page]

With Brian’s Threaded Comments, all you need to do is enter the new file name in the Custom Comments Target field and hit Update Options. You’ll find the above page in WordPress under Options, Threaded Comments.

Now that you have renamed the comment file, upload a replacement wp-comments-post.php under the old name so spambots don’t hit a 404 and fill your server logs with errors. The replacement must not process comments; it can be a blank page, or carry a message for the spammers like mine does.

Deny Access to No Referer Requests

I got this trick from Shoemoney. When a real person submits a comment, the browser sends a Referer header naming the page on your blog that held the form. An easy filter is to check that header on POSTs to the comment script: no Referer from your own domain, no comment. Two caveats: the header is set by the client, so a bot can forge it (this stops lazy bots, not determined ones), and some privacy tools and proxies strip Referer from every request, so the real people who use them will be blocked too. Copy and paste the lines below into the .htaccess file in the directory where WordPress is installed, above WordPress’s own rewrite rules.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?johnchow\.com/ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://www.thetechzone.com/ [R=301,L]

Change johnchow.com to your own domain, and if you renamed wp-comments-post.php, put the new name in the REQUEST_URI line instead. Keep the Referer pattern anchored to the start of the URL rather than matching the domain anywhere in it, or a Referer of http://evil.example/?johnchow.com would pass; and note that the substitution on the RewriteRule line is a plain string, not a regex, so it takes no ^ or $. The rule fires when the Referer is not from your domain or the User-Agent is empty, and answers with a redirect instead of handing the POST to WordPress. Whether the bot follows the redirect doesn’t matter, since its comment never reaches your blog, so the destination is up to you; changing the last line’s flags to [F] returns a 403 instead and avoids pushing bot traffic at someone else’s site.
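Here is the same gate written out as a small Python function, added as an illustration; it is not code from this post, from mod_rewrite or from WordPress. It checks the Referer hostname properly instead of looking for the domain as a substring, takes the comment script name as a parameter so it still works after the rename, and runs a handful of constructed requests through it, including the two cases the rule gets wrong: a privacy tool that strips Referer (a human, blocked) and a bot that forges Referer (allowed). The site hostname, the sample headers and the labels are assumed values.

```python
# Added example: a Referer/User-Agent gate for the comment endpoint, in Python.
# Not the post's .htaccess rules and not WordPress code; it models the same
# decision so the edge cases can be exercised offline.
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def allowed(req: Request, site_host: str,
            comment_script: str = "wp-comments-post.php"):
    """Return (allowed, reason) for one request.

    Only POSTs to the comment script are judged; everything else passes
    through untouched, just as the RewriteCond chain does.
    """
    if req.method != "POST" or not req.path.endswith("/" + comment_script):
        return True, "not a comment submission"

    # Empty User-Agent: typical of the crudest bots.
    if not req.headers.get("User-Agent", "").strip():
        return False, "empty User-Agent"

    # Compare the Referer *hostname*, not a substring of the whole URL, so
    # "http://evil.example/?johnchow.com" does not count as coming from us.
    host = (urlparse(req.headers.get("Referer", "")).hostname or "").lower()
    if host != site_host and not host.endswith("." + site_host):
        return False, "Referer not from this site"

    return True, "ok"


SITE = "johnchow.com"  # assumed site hostname

# Constructed sample requests (not real traffic).
SAMPLES = {
    "browser": Request("POST", "/wp-comments-post.php",
                       {"User-Agent": "Mozilla/5.0",
                        "Referer": "http://www.johnchow.com/some-post/"}),
    "blind bot": Request("POST", "/wp-comments-post.php",
                         {"User-Agent": "", "Referer": ""}),
    "substring trick": Request("POST", "/wp-comments-post.php",
                               {"User-Agent": "curl/7.0",
                                "Referer": "http://evil.example/?johnchow.com"}),
    # Human whose privacy tool strips Referer: wrongly blocked (false positive).
    "privacy user": Request("POST", "/wp-comments-post.php",
                            {"User-Agent": "Mozilla/5.0"}),
    # Bot that bothered to forge the header: wrongly allowed (bypass).
    "forged referer bot": Request("POST", "/wp-comments-post.php",
                                  {"User-Agent": "Mozilla/4.0",
                                   "Referer": "http://johnchow.com/"}),
    "page view": Request("GET", "/2007/02/die-spammers-die/", {}),
}


def run_samples(site_host: str = SITE) -> dict:
    """Decide every sample; returns {label: (allowed, reason)}."""
    return {label: allowed(req, site_host) for label, req in SAMPLES.items()}


if __name__ == "__main__":
    for label, (ok, why) in run_samples().items():
        print(f"{label:20s} {'ALLOW' if ok else 'BLOCK':5s} {why}")
```

The "forged referer bot" line is the one to remember: a single extra header turns the filter off, so treat it as a way to shed lazy bots, not as the thing that keeps spam out.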

Use A Challenge Question

I credit Justin from My PC Rig for helping me find this twist on the CAPTCHA. Instead of having a commenter retype a bunch of hard-to-read letters and numbers, I ask a challenge question that only a human can answer. The Challenge WordPress Plugin asks random math questions (like 10×6+4=?), but you can edit it to ask whatever question you want. Right now, the question is: what year is it? Bear in mind that a fixed question has a fixed answer, so it holds only until one spammer bothers to hard-code it, and simple arithmetic is easy to script; the point is that generic spambots posting to thousands of blogs are not customised for any one of them.
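As an added example that goes a step beyond the plugin described above (it is not the Challenge plugin’s code, and the secret key, the ten-minute lifetime and the a×b+c question format are assumptions), here is how a challenge question can be issued and checked without server-side session state and without the answer ever appearing in the form: the question is generated fresh each time, the expected answer is bound into an HMAC-signed token together with a timestamp and nonce, and a token is accepted at most once.

```python
# Added example: a stateless challenge question with a signed, expiring,
# single-use token. Not the Challenge plugin's code; SECRET, TTL and the
# question format are assumptions for illustration.
import hashlib
import hmac
import random
import secrets
import time
from dataclasses import dataclass
from typing import Optional

SECRET = secrets.token_bytes(32)  # assumed per-site key; persist it in real use
TTL = 600                         # seconds a challenge stays valid (assumed)
_used: set = set()                # nonces already redeemed (replay guard)


@dataclass
class Challenge:
    question: str   # shown in the form
    token: str      # hidden field "nonce:issued:tag"; the answer is not in it
    answer: int     # kept server-side for the caller; never sent to the client


def _tag(nonce: str, issued: int, answer: int) -> str:
    """HMAC over nonce, issue time and answer; unforgeable without SECRET."""
    msg = f"{nonce}:{issued}:{answer}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_challenge(now: Optional[float] = None, rng=random) -> Challenge:
    """Build a random a×b+c question, e.g. 10×6+4=?, and its signed token."""
    a, b, c = rng.randint(2, 12), rng.randint(2, 12), rng.randint(0, 9)
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    answer = a * b + c
    token = f"{nonce}:{issued}:{_tag(nonce, issued, answer)}"
    return Challenge(f"{a}×{b}+{c}=?", token, answer)


def verify(token: str, submitted: str, now: Optional[float] = None) -> bool:
    """True only for a fresh, unexpired token whose answer matches."""
    try:
        nonce, issued_s, tag = token.split(":")
        issued = int(issued_s)
        answer = int(submitted.strip())
    except (ValueError, AttributeError):
        return False                     # malformed token or non-numeric answer
    now_i = int(time.time() if now is None else now)
    if not issued <= now_i <= issued + TTL:
        return False                     # expired, or issued in the future
    if nonce in _used:
        return False                     # replayed token
    if not hmac.compare_digest(tag, _tag(nonce, issued, answer)):
        return False                     # wrong answer or tampered token
    _used.add(nonce)                     # redeem on success only; a typo gets a retry
    return True


if __name__ == "__main__":
    ch = make_challenge()
    print("Form shows:", ch.question, "with hidden token", ch.token)
    print("Correct answer accepted:", verify(ch.token, str(ch.answer)))
    print("Same token again:", verify(ch.token, str(ch.answer)))
```

The answer space here is tiny (a few hundred values), so, as with any arithmetic challenge, this filters bots that were never written for your site rather than resisting a targeted one; the signing and single-use nonce just make sure the cheap bypasses (reading the answer out of the form, or replaying one solved token forever) are not available.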

I guess if I wanted to be evil I could ask some really hard questions like the following:

  • John Chow is the root of all what?
  • What cars are on the header?
  • What car used to be on the header?
  • Which serial killer did I provoke?
  • How many baby pandas died by my hands?
  • Do you like sex?

Die Spammers! Die!

Since implementing the above spam countermeasures, comment spam has been reduced from a flood to a trickle. So far, only one spam has gotten through and Akismet killed it. Gotta love that! 😀


45 thoughts on “Die Spammers! Die!”

  1. Michael Kwan says:

    I like the “what year is it” better than the math. I think the “root of all what” question would be excellent as well (though new readers of your blog wouldn’t know).

  2. Ajith says:

    Hi John,
    That was a nice little trick. I have seen that on some other blogs too.

    1. Jane says:

      It’s the first time I’ve seen this… I can really use this… thanks John!

  3. Nik Agarwal says:

    Nice trick John 😉

  4. Robert says:

    Good tips John. I’ve seen the math captcha trick before but I like the idea of the plugin approach.

    I would Digg this post, but, well… 🙂

    1. Jane says:

      You should have some sort of voting feature on your posts John, similar to being dugg, or voted (netscape). That’ll show some of the most popular posts and topics. Who needs digg, make your own 🙂

  5. Hawaii SEO says:

    Sometimes you can find some very interesting new niches in your comment spam if you look carefully.

  6. Bryan Wong says:

    Great tips as always. I’ve been reading your blog since you posted those pictures of a Chinese restaurant in Richmond and have been hooked ever since! I don’t know if it’s your witty humor or the fact that you like beef tendons in your wonton soup, but I’m glad I found this blog, keep up the great work!

  7. A says:

    Sorry but the no-referer thing isn’t 100% great since anyone using Norton Internet Security will not be able to post comments since it is blocking the referer.

    Just a thought.

    1. John Chow says:

      I also blocked tor anonymous proxies from commenting as well. 🙂

      1. Jane says:

        The whole enter “what year is it?” thing keeps throwing me off…

  8. mubin says:

    You seem to know a lot about spam? Can you teach me how to spam so I can make ze big bux like you?

  9. Nate W. says:

    Thanks for the tip, John! It is ironic to say, but I hope my blog gets popular enough so I can block spam!

  10. Leftblank says:

    I like these non-CAPTCHA questions pretty much, but to be serious; it’s just a matter of time till bots will figure the most basic questions/answers out; most sites use basic math ones which shouldn’t be too hard to script, only limited possibilities.

    1. John Chow says:

      So far it’s been working really great! Not one new spam yet! I did add two more countermeasures however. I’ll blog about those tomorrow.

  11. Jeff says:

    My god… spam. I’m at 6 spams so far… I might do that file-switching scheme if it gets bad.

    The only good spam is the canned one.

  12. Crys says:

    I’ll probably try to implement this if the spam ever gets really bad. But for us smaller sites, plain Akismet works pretty well so far.

    Great idea though 🙂

    (side note: Do you have two boxes to subscribe to comments? Or is one for all comments and one for this particular thread?)

  13. Scott Howard says:

    I am definitely gonna try this. I am getting more and more spam every day. It’s gotta stooooooooop!! Thanks John

  14. Thanks for the tip John. How do you like WP 2.1?

    FT
    http://www.MillionDollarJourney.com

  15. au8ust says:

    Nice tricks! I just explained this excellent post on my blog in the Lao language, it would be very useful 🙂

  16. Marc says:

    Akismet’s been doing a fantastic job for me. around 1400 caught with only 2 false positives and one that slipped through the cracks, but in Akismet’s defence, I think it was a person just trying to plug their thing.

    I think the renaming of the comment file is a fantastic idea.

    I do disagree with the challenge question. Anything like that acts as a barrier to users. Not a huge barrier, but a barrier still. I personally prefer to try and stick with the stuff that’s invisible to users. I wonder what the spam difference would be without the challenge question.

    Thanks for the discussion on the topic though, it’s much appreciated.

  17. Geiger says:

    VERY GOOD INFO JOHN!
    Employ all these tactics and you will get almost no spam ever no matter how large your blog is.

    Akismet has blocked over 3,000 spam by itself. It rarely lets one by and when it does it puts it straight into moderation.

  18. Yes, I agree with you, the mentioned spam protection is working very well for me too. I like the easiness of this software very much, because it is very cleanly coded.

    Thank you for sharing this story with me !

  19. Ryan says:

    An older blog I have used to receive a crap ton of spam, but Akismet kills it all.

    Thankfully I haven’t had the issue (yet) of people commenting and being caught by Akismet, so all is good (for now). Definitely going to keep this post in mind if things start to get out of hand.

    Can’t wait to see what other counter measures you put in place.

    PS: Did I mention it would be nice if you added a JavaScript alert box for the user if the captcha isn’t filled out?

  20. HMTKSteve says:

    Good tips John. I’m planning to move to WordPress myself… I just need to read up on it and make sure I can properly set my permalinks to be identical to my current links.

  21. Watch out with the referrer fix. Some people like myself turn off referrer info in firefox when browsing the web.

  22. Dan Zupancic says:

    I just got my first comment spam the other day, so I feel like I have joined “the club”. I want to switch from blogger to wordpress soon, so these are some great tips on how to defeat the unwieldy comment spam. Perhaps one day I really will have enough comment spam to justify blocking it…

  23. -gary says:

    A trick I’ve used on a large forum I run is to use client-side JS to fill in a constantly changing verification code and make that field required to post. Spam bots don’t use JS aware browsers to do their posting. The other is to change the form field names to something other than what they were shipped as.

    Running almost 5 years now and I have not had one automatic registration or post.

  24. Alex Becker says:

    Do you like sex?
    Would that be some sort of trick question?

    1. It would be funny if John made it “who’s your daddy” and the answer would be John Chow.

      1. Alex Becker says:

        Or better yet: I don’t know

  25. Jane says:

    Does anyone have any idea of what the best way to switch content from an old domain to a new domain using different hosts?

    I just bought a new domain for my site and want to switch without losing readers, information, and rankings…Any ideas would be GREATLY appreciated.

  26. Clever trick John.

    I might refer back to this article when spam comments on my blog start to increase… (so far: 0 spam comments).

    By the way, it’s 2007, right? I put 2007 into the box but I still got a “You don’t know year it is?” message…

    1. John Chow says:

      Yes the answer is 2007. I guess you finally got it right since your comment is here. 🙂

  27. bryan says:

    WordPress is open source at its finest. Akismet is a result. A mighty fine one at that.

  28. aibek says:

    Thanks for the tip, Mr. Chow.
    I liked the idea of putting a time limit on comments, however I think it won’t work for every blog. I think it depends on the stuff being published; some info doesn’t really depend on time (e.g. your post about AdSense alternatives), for those relevant comments may come even a year or two later, and if you leave comments open it’ll be an easy way to keep posts up to date.

  29. John, I noticed that you removed the little love note from your wp-comments-post.php file – any reason why?

Comments are closed.