dean.edwards.name/weblog/2004/12/wordpress-spam/

WordPress Comment Spam

Sometimes at Christmas we receive an unwanted gift. Usually this takes the form of a garish sweater, pungent bath salts or socks with a reindeer on them. This year I got a hundred comment spams in my blog.

To combat comment spam before this mindless attack, I had simply renamed my wp-comments-post.php file as described in Molly’s blog. This worked for a while but as predicted the spammers were quick to beat it.

This is a real comment spam that I received:

fahtol ayyjeigol.

A spammer’s test run?

A quick and dirty hack is what’s required. So I added the following code to the WordPress file wp-comments-post.php:

if ( '' == $comment )
	die( __('Error: please type a comment.') );

// begin: anti-spam hack
// Only accept posts whose Referer header starts with this blog's own URL.
$safe_referrer = 'http://'.$_SERVER['HTTP_HOST'].'/weblog/';
// The header may be absent (some browsers and privacy proxies strip it); default
// to '' so the comparison below fails cleanly instead of raising an undefined-index notice.
$referrer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
// strncasecmp() returns 0 on a case-insensitive prefix match, non-zero otherwise.
if (strncasecmp($safe_referrer, $referrer, strlen($safe_referrer)) != 0) {
	die( __('Error: Please use the comment form to post comments.') );
}
// end: anti-spam hack

$now = current_time('mysql');
$now_gmt = current_time('mysql', 1);
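As an added example (not code from this post or from WordPress), here is the same referrer check written so that an absent Referer header is reported as "no signal" rather than rejected outright, since privacy tools strip that header, and so that host and path are compared separately instead of prefix-matching the raw string. The function name, the blog prefix and the sample requests are assumptions constructed for the illustration.

```php
<?php
// Added example, not from the post or from WordPress. Names, the prefix and the
// sample requests below are assumptions constructed for illustration.

/**
 * Returns true when the Referer header points at a page under $safe_prefix
 * (e.g. 'http://example.com/weblog/'), false when it points elsewhere or is
 * unparsable, and null when no Referer was sent at all so the caller can
 * decide to allow (and perhaps flag) the comment instead of rejecting it.
 */
function referrer_matches(array $server, string $safe_prefix): ?bool
{
    if (empty($server['HTTP_REFERER'])) {
        return null; // header absent: not evidence either way
    }
    $ref  = parse_url($server['HTTP_REFERER']);
    $safe = parse_url($safe_prefix);
    if ($ref === false || $safe === false || !isset($ref['host'], $ref['path'])) {
        return false; // unparsable referrer: treat as a mismatch
    }
    $host_ok = strcasecmp($ref['host'], $safe['host']) === 0;          // hosts are case-insensitive
    $path_ok = strncmp($ref['path'], $safe['path'], strlen($safe['path'])) === 0; // path prefix
    return $host_ok && $path_ok;
}

// Constructed sample requests for a local run.
$safe = 'http://example.com/weblog/';
$samples = [
    'browser, same blog'  => ['HTTP_REFERER' => 'http://example.com/weblog/2004/12/wordpress-spam/'],
    'browser, other site' => ['HTTP_REFERER' => 'http://elsewhere.invalid/page'],
    'HOST in upper case'  => ['HTTP_REFERER' => 'http://EXAMPLE.COM/weblog/'],
    'referrer stripped'   => [],                       // privacy proxy: no header at all
    'fixed referrer'      => ['HTTP_REFERER' => 'http://example.com/weblog/'], // a script can set this; the check is only a hurdle
];
foreach ($samples as $label => $server) {
    $r = referrer_matches($server, $safe);
    printf("%-20s => %s\n", $label,
        $r === null ? 'no referrer (allow, but flag)' : ($r ? 'accept' : 'reject'));
}
```

The last sample is the caveat Willem raises in the comments: the header is chosen by the client, so a matching value proves nothing. The check only filters bots that never bother to set it, which is why the null case is worth handling separately rather than folding it into a reject.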

I intend to install a comment preview plugin to cure this problem for good.

Comments (12)


I’m almost afraid to even allow comments on my blog from fear of spam. Those bastards will pay.

I’ve had trouble implementing Simon’s blacklist, but I do have a different feature: I examined some comment spams and looked for common phrases, and banned those phrases. The RegEx looks like this:

// Alternation needs a group (...); the original used a character class [...],
// which only matched "buy " followed by a single character from the set.
$buycrap = preg_match("/buy (viagra|v1agra|tramadol|butalbital|celebrex|vioxx|ultracet|phentermine|candles|levitra|clonazepam|diet pills)/i", $entry);

Not sure how well it will work, though.

Maybe a required preview can stop them some more? I do not have any spam at all. (Admitted, I have a markup validator as well.)

  • Comment by: Anne
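As an added example (not code from the comment above), here is the same "banned phrases" idea built from a list rather than a hand-written pattern, so each phrase is escaped with preg_quote, multi-word phrases and varying whitespace are handled, and the matched phrase is returned for logging. The function name, the phrase list and the sample comments are assumptions constructed for the illustration.

```php
<?php
// Added example, not from the comment above. Names, the banned list and the
// sample comments are assumptions constructed for illustration.

/**
 * Returns the first banned phrase found after the word "buy" (case-insensitive,
 * whole words only), or null when the text is clean.
 */
function find_spam_phrase(string $text, array $phrases): ?string
{
    // preg_quote() escapes regex metacharacters in each phrase; the alternatives
    // go in a group (...) so the whole phrase, not one character, must match.
    $alts    = implode('|', array_map(fn ($p) => preg_quote($p, '/'), $phrases));
    $pattern = '/\bbuy\s+(' . $alts . ')\b/i';
    return preg_match($pattern, $text, $m) ? strtolower($m[1]) : null;
}

// Constructed list, taken from the terms quoted in the comment above.
$banned = ['viagra', 'v1agra', 'phentermine', 'diet pills'];

// Constructed sample comments for a local run.
$samples = [
    'Nice post! Where can I BUY   diet pills cheap?',
    'I buy candles at the market every week.',   // not in the list: clean
    'fahtol ayyjeigol.',                         // the test-run spam from the post
];
foreach ($samples as $s) {
    $hit = find_spam_phrase($s, $banned);
    printf("%-48s => %s\n", $s, $hit === null ? 'clean' : "matched '$hit'");
}
```

Returning the matched phrase rather than a bare true/false makes it easy to log which term fired, which is what you want when tuning the list against false positives.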

I had no spam at all on WordPress until a few weeks ago when some spammer managed to get through. I started using the Three strikes plugin and haven’t had a single piece of spam since.

  • Comment by: paul haine

I think modern day spambots only post and don’t look at what they’re getting back… that could explain why Anne and I don’t get spam, as we use a preview which requires valid markup.

(We’re using a slightly different version of the preview script you linked to.)

Note that $_SERVER['HTTP_REFERER'] doesn’t give any guarantees. Spammers mostly use web servers to run their script from, and for example a PHP script can easily send an HTTP header with a fixed HTTP_REFERER to fool your spam shield.
And on the other hand, sometimes browsers just don’t send the referer header, thus making it impossible to place a comment on your blog.

  • Comment by: Willem

I have to second Willem. Many personal firewalls offer the option to not send any referrers in order to improve privacy.

There’s an error in the code above. You’re missing a closing parenthesis after 'strlen($safereferrer)'.

OK. In light of the comments above, I’m going to implement the comment preview plugin mentioned in my original post.

  • Comment by: -dean

Have you tested Exchange’s New Spam Filter?

I just got a very similar one. In this case though, it was trackback spam. Oh joy, another form of crap to deal with :o(

  • Comment by: Olly

I’m using blogger and they have a way where they punch in a turnkey code… has anyone seen something similar to it for WP?

  • Comment by: Mike Chau

Hi, I use a thing called Bad Behaviour that seems to work great on my WordPress blogs. Has anyone else used this?
