Die Spammers! Die!

Akismet has caught 21,857 spam for you since you first installed it.

That was the message I got after I deleted the last round of comment spams. The figure doesn’t include the 2,557 spams caught by Spam Kamma 2 (my old spam killer before I switched to Akismet). If you run a WordPress blog, or any blog, you will get hit by comment spammers eventually. The more popular your blog, the more spam you’ll get. With the increasing number of spams each day, I’ve decided it’s time to stop the spammer before Akismet does.

Each day, Akismet catches over 500 spam comments, which would be great if they were all spam. However, some of those are legit comments, so I have to manually go through them before deleting the entire batch. That means filtering through page after page of comments. This is wasted time that could go to more productive use. By reducing the number of spams Akismet has to catch, I reduce the time it takes me to check for legit comments. Here is what I did.

Rename The wp-comments-post.php File

Every spammer knows that WordPress comments are handled by the wp-comments-post.php file. This is the file they target for their spam. By simply renaming the file to, say, wp-comments-die-spammers-die.php, you will kill off every spambot that targets the wp-comments-post.php file. This one change will drastically reduce the number of spams you get.

After renaming your wp-comments-post.php file, you will need to edit your template files to point to the new file name. Depending on the template you’re using, this task can range from very straightforward to “Where the hell is it?” If you’re running the Threaded Comments Plugin like me, then it’s very easy.

thread.jpg

With Brian’s Threaded Comments, all you need to do is enter the name of the new file into the Custom Comments Target field and hit Update Options. You’ll find the above page in the WordPress Options, Threaded Comments.

Now that you have renamed the comment file, you should upload a new wp-comments-post.php so spambots won’t encounter a 404 error/page. This will save your server logs from filling up with 404 errors. You can make the page blank, or leave a message for the spammers like I did.

Deny Access to No Referer Requests

I got this trick from Shoemoney. When a real person comments on your blog, his browser sends a referer that points back to your blog. An easy way to block spammers is to check for that referer. No referer, no comments allowed. Copy and paste the lines below into the .htaccess file in the root of your webserver.

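# Redirect comment POSTs that lack a referer from this site or send a blank User-Agent
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php
# [OR] joins the next two conditions: referer not from this site, or empty User-Agent
RewriteCond %{HTTP_REFERER} !.*johnchow\.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# The substitution is a plain URL, not a pattern, so it takes no ^ or $ anchors
RewriteRule (.*) http://www.thetechzone.com/ [R=301,L]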

You will need to change the referer to your own domain, and if you changed the name of your wp-comments-post file, you need to change it here to the new name. The last line redirects the spambot to a site of your choice. Since automated bots won’t follow a redirect, the site you send them to doesn’t really matter.
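To see what the rule above would catch before turning it on, this added example (not code from the original post) replays its four conditions over access-log lines in Apache combined format. The log lines, the example.com domain and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify(line, domain="example.com", handler="wp-comments-post.php"):
    """Verdict the rewrite conditions would reach for one access-log line."""
    m = LOG_RE.match(line)
    if m is None:
        return "unparsed"
    # Conditions 1 and 2: only POSTs to the comment handler are examined.
    if m["method"] != "POST" or handler not in m["path"].split("?")[0]:
        return "ignored"
    # Apache writes "-" when a header is absent.
    referer = "" if m["referer"] == "-" else m["referer"]
    agent = "" if m["ua"] == "-" else m["ua"]
    # Conditions 3 and 4 are joined by [OR]: either one triggers the redirect.
    if agent == "":
        return "blocked:empty-agent"
    if referer == "":
        return "blocked:no-referer"
    if domain not in referer:  # substring match, like the RewriteCond pattern
        return "blocked:foreign-referer"
    return "allowed"

def summarize(lines, **kwargs):
    """Count verdicts so the rule's effect can be reviewed before deploying it."""
    return Counter(classify(line, **kwargs) for line in lines)

# Constructed sample lines (documentation IP ranges, placeholder domain).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:01:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://www.example.com/a-post/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [01/Jan/2024:10:01:05 +0000] "POST /wp-comments-post.php HTTP/1.0" 200 0 "-" "-"',
    '198.51.100.8 - - [01/Jan/2024:10:01:09 +0000] "POST /wp-comments-post.php HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible)"',
    '198.51.100.9 - - [01/Jan/2024:10:02:11 +0000] "POST /wp-comments-post.php HTTP/1.1" 200 0 "http://spam.invalid/" "Mozilla/4.0 (compatible)"',
    '192.0.2.11 - - [01/Jan/2024:10:03:00 +0000] "GET /a-post/ HTTP/1.1" 200 20480 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for verdict, count in sorted(summarize(SAMPLE).items()):
        print(f"{count:3d}  {verdict}")
```

A `blocked:no-referer` verdict with an ordinary browser User-Agent is worth checking by hand, because a browser or proxy set up to strip the Referer header produces the same log line as a bot. Pass `handler=` with the new file name if the comment file has been renamed.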

Use A Challenge Question

I credit Justin from My PC Rig for helping me find this twist on the captcha. Instead of having a commenter retype a bunch of letters/numbers that are hard to read, I ask a challenge question that only a human can answer. The Challenge WordPress Plugin asks a bunch of random math questions (like 10×6+4=?) but you can edit it to ask whatever question you want. Right now, the question is what year is it?

I guess if I wanted to be evil I could ask some really hard questions like the following:

  • John Chow is the root of all what?
  • What cars are on the header?
  • What car used to be on the header?
  • Which serial killer did I provoke?
  • How many baby pandas died by my hands?
  • Do you like sex?

Die Spammers! Die!

Since implementing the above spam countermeasures, comment spam has been reduced from a flood to a trickle. So far, only one spam has gotten through and Akismet killed it. Gotta love that! 😀