Block WordPress comment spam with no plugin

We know that there are good anti-spam plugins like Akismet, but some users have reported that genuine comments get filtered out by it, and other plugins don't do a good job at all. WordPress has published a few tips of its own in Combating Comment Spam. This post covers simple alternatives that need no plugin at all.

As a quick note: I have implemented all of these solutions, I don't have any spam plugin installed, and I have not had any spam for a long time.

Comment form nonce

If you are not going to implement all of the solutions shown here, this is the single most important one to put on your blog.

One of the security features WordPress uses to protect forms in the administration area is the nonce field: a hidden token tied to an action name and a time window that the browser has to send back with the form. We are going to use the same feature to protect the comment form. To learn more, see WordPress Nonces and wp_nonce_field on the WordPress website.

Add this code to your theme's functions.php file. It adds the nonce field to the comment form and checks the value when the form is submitted to wp-comments-post.php. Two things to know before you rely on it. First, a nonce is valid for 12 to 24 hours, so if a full-page cache serves the comment form for longer than that, genuine visitors will be sending a stale token and will get the error below; exclude the comment form from the cache or keep the cache lifetime under 12 hours. Second, for visitors who are not logged in, WordPress derives the nonce from the action name and the time window only, so every anonymous visitor gets the same token until it rotates. The check therefore stops bots that post straight to wp-comments-post.php without loading the page, not a bot that fetches the form first and copies the field.

function add_comment_form_nonce_field() {
  // Adds the hidden _wpnonce field (and a _wp_http_referer field) to the comment form.
  wp_nonce_field( 'anti_spam_nonce_field' );
}
add_action( 'comment_form', 'add_comment_form_nonce_field' );

function check_comment_form_nonce_field() {
  // Read the field without raising a PHP notice when a bot omits it entirely.
  $nonce = isset( $_REQUEST['_wpnonce'] ) ? (string) $_REQUEST['_wpnonce'] : '';
  if ( ! wp_verify_nonce( $nonce, 'anti_spam_nonce_field' ) ) {
    // wp_die() answers with a proper 403 instead of a 200 carrying the error text.
    wp_die( 'Security check failed', 'Comment rejected', array( 'response' => 403 ) );
  }
}
add_action( 'pre_comment_on_post', 'check_comment_form_nonce_field' );
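The following is an added example, not part of the original post, that tightens the check above by keying the nonce on the post ID, so a token scraped from one post is not accepted on every other post for the rest of its 12 to 24 hour window. It assumes it is pasted into functions.php; the field name _comment_nonce, the action prefix anti_spam_comment_ and the function names are my own choices, not WordPress APIs.

```php
// Added example (not the post's original snippet): bind the comment nonce to the
// post it was issued for. For logged-out visitors WordPress builds the nonce from
// the action name and the time window only, so a token taken from one post would
// otherwise work on every post until it rotates. Keying the action on the post ID
// forces a spammer to fetch each page he wants to comment on.

function spam_nonce_action( $post_id ) {
    // Hypothetical action name; the prefix is my own choice.
    return 'anti_spam_comment_' . (int) $post_id;
}

function add_post_bound_comment_nonce( $post_id ) {
    // The comment_form action passes the ID of the post the form is rendered for.
    // Third argument false: skip the _wp_http_referer field, we only need the token.
    wp_nonce_field( spam_nonce_action( $post_id ), '_comment_nonce', false );
}
add_action( 'comment_form', 'add_post_bound_comment_nonce' );

function check_post_bound_comment_nonce( $comment_post_id ) {
    // pre_comment_on_post passes the comment_post_ID from the submitted form, so the
    // token must have been issued for exactly this post.
    $nonce = isset( $_POST['_comment_nonce'] ) ? (string) $_POST['_comment_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, spam_nonce_action( $comment_post_id ) ) ) {
        wp_die( 'Security check failed', 'Comment rejected', array( 'response' => 403 ) );
    }
}
add_action( 'pre_comment_on_post', 'check_post_bound_comment_nonce' );
```

Use this in place of the simpler pair above, not in addition to it. The same caching caveat applies: the token still rotates every 12 to 24 hours, and pre_comment_on_post only covers submissions that go through wp-comments-post.php, which is the path the stock comment form uses.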

Comment Blacklist and Moderation

Something that takes about a minute is to add a few words to the comment blacklist and moderation lists under Settings > Discussion (since WordPress 5.5 the blacklist is labelled "Disallowed Comment Keys"). Each line is matched as a case-insensitive substring of the author name, e-mail, URL, IP address, comment text and user agent, so "press" would match "WordPress"; a hit on the moderation list holds the comment for approval, while a hit on the blacklist discards it. Below are the most common words used by spammers. If you are not sure about some of the entries in the blacklist, move them into moderation; unless you are selling viagra, cell phones or Jordan shoes you should be fine.

Moderation

iphone
cellulite
several web links
 topic

Blacklist

url=
insurance 
useless traffic
nofollow 
cellular phones
article=
bing.com/
yahoo.com/
google.com/
facebook.com/
moncler 
penis 
viagra
.in/
Pinterest Posting
Pinterest Friending
Jordan shoes
Jordan's
anabolics steroids
saclvuitton.com
mesbags.com
gfashionstyle.com
akb48
Runescape gold
couture uk
Soccer Jersey
phentermine
buyprovigil
buynolvadex
buyeffexoronline
buydoxycycline
buysomaonline
buydiazepam
buytestosterone
buyhydrocodone
buyvaltrex
buytramadolonline
buyamoxicillin
/buy
43yearold
vicodin
line/#
tramadol
louboutin
louis vuitton
gmbal.com/
nemw.org/
goowork.co.jp
testosterone
make money online
make money from home
ccfn.com
alprazolam
renom.com/
sweetspringsalmon.com/
concorso-dsga.it/
marcedeslewis.com/
westchestersquash.com/
theyflyblog.com/
anabolic steroids
goldendolls.com/
kineticorept.com/
mths.org/
affiquetlingerie.com.br
silvertoncustomhomes.com/
maywoodfinearts.org/
howtomakefriedrice-recipes.blogspot.com/
fashiononlinebuy.com/
duudder.com/
mulberrybagsxsalesonline.
squidoo.com/
itbagonline.com/
notoverthehill.com/
naprzegladarkegry.blogspot.com/
china90ccatvgoggles.atvpartsbest.com/
heatherandheidi.com/
myteendating.com/
ccccccd.com
wetoldtwofriends.com/
mortalpath.com/
reconquistar2.com/
parassuominetticasino.com/
minecraft
Cigarettes
fauccinia
sheexiscehaxy
free betting
abercrombie 
Nike Free 
/converse-japan-
/jimmychoo/
/lv-japanese-
/chloe-jp-
/rimowa-xr-
/jimmychoo-yu-
/louisvuitton-
/nikeshoes-
/jerseys-
/chrome-japanese-
/pradasale
Nike Air Max
Zapatillas 
KareemEi
jp/chanel-
cheap real jordans
/menu/chanel
nhl-jerseys
/rolex/
グ
ネ
チ
ャ
ブ
イ
ザ
ベ
ル
マ
ラ
-jersey
michael-kors
beats-
jordan-
-kensington
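Before pasting a list like this into Settings > Discussion, it is worth dry-running it against a few of your own genuine comments. The standalone PHP script below is an added example, not from the original post: it applies each keyword as a case-insensitive substring match over the author, e-mail, URL, IP address, comment text and user agent, the same kind of match WordPress applies to these lists, and reports which entries fire. The two sample comments and the short keyword selection are constructed for the demonstration; the function name is my own.

```php
<?php
// Added example (not part of the original post): dry-run a keyword list the way
// WordPress's comment blacklist / moderation lists evaluate it, so you can see which
// entries would hit genuine comments before enabling the list. Each key is applied
// as a case-insensitive substring (preg_quote'd, so "." and "/" are literal).

function matching_keys( array $keys, array $comment ) {
    $hits = array();
    foreach ( $keys as $key ) {
        $key = trim( $key );
        if ( $key === '' ) {
            continue;
        }
        $pattern = '#' . preg_quote( $key, '#' ) . '#iu';
        foreach ( $comment as $field => $value ) {
            if ( preg_match( $pattern, $value ) ) {
                $hits[] = "$key (in $field)";
                break; // one hit per key is enough to trigger the list
            }
        }
    }
    return $hits;
}

// A handful of entries taken from the list above.
$keys = array( 'url=', 'insurance', 'viagra', '.in/', '/buy', 'Jordan shoes', 'グ' );

// Constructed sample comments: one genuine, one obvious spam.
$samples = array(
    'genuine' => array(
        'author'  => 'Maria',
        'email'   => 'maria@example.org',
        'url'     => '',
        'ip'      => '203.0.113.10',
        'content' => 'My car insurance company asked for the login/buy page, is that normal?',
        'agent'   => 'Mozilla/5.0',
    ),
    'spam' => array(
        'author'  => 'cheap jordans',
        'email'   => 'x@example.net',
        'url'     => 'http://shop.example.in/buy',
        'ip'      => '198.51.100.7',
        'content' => 'Jordan Shoes on sale! [url=http://example.in/]click[/url]',
        'agent'   => '',
    ),
);

foreach ( $samples as $label => $comment ) {
    $hits = matching_keys( $keys, $comment );
    printf( "%s: %s\n", $label, $hits ? implode( ', ', $hits ) : 'no match' );
}
```

With these samples the genuine comment is caught by "insurance" and by "/buy" (because "login/buy" contains it), which is exactly the kind of entry that belongs in the moderation list rather than the blacklist, while the spam sample trips "url=", ".in/", "/buy" and "Jordan shoes". Swap in real comments from your own database to test the full list.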

htaccess file

Restricting submissions to wp-comments-post.php to requests that come from your own site is another simple thing you can do to stop spam. This needs Apache with mod_rewrite enabled and .htaccess overrides allowed; nginx ignores .htaccess files. Log in to your server, locate the .htaccess file in the WordPress root and add the code below. It accepts your subdomains too. Replace YOURDOMAIN with your site's domain with the dots escaped, for example example\.com. Two caveats: the Referer and User-Agent headers are set by the client, so a spammer who fills them in walks straight past this rule; it only stops bots that post blindly. And a visitor whose browser or privacy extension suppresses the Referer header will be bounced as well, so watch for complaints after enabling it. If you would rather answer with a 403 than redirect the client to its own address, replace the RewriteRule line with RewriteRule .* - [F,L].

RewriteEngine On
# Comment submissions only: WordPress posts them to wp-comments-post.php
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
# Referer is not this site or one of its subdomains, or the User-Agent is empty
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?YOURDOMAIN/ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
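For servers that do not read .htaccess (nginx, for one), here is an added example, not from the original post, that performs the same Referer and User-Agent test inside WordPress on the same pre_comment_on_post hook the nonce check uses. It assumes it is pasted into functions.php, it takes the site's own host from home_url() instead of the YOURDOMAIN placeholder, and the function names are my own.

```php
// Added example (not part of the original post): the .htaccess Referer / User-Agent
// rule done in PHP so it also works on hosts that never read .htaccess. Like the
// rewrite rule it only stops bots that post blindly; both headers are client-supplied.

function comment_referer_is_own_site( $referer, $site_host ) {
    $host = wp_parse_url( $referer, PHP_URL_HOST );
    if ( ! is_string( $host ) || $host === '' ) {
        return false; // empty or unparsable Referer
    }
    $host      = strtolower( $host );
    $site_host = strtolower( $site_host );
    $suffix    = '.' . $site_host;
    // Exact match, or a subdomain such as blog.example.com for example.com. Matching
    // on the parsed host (not the whole URL) means example.com inside a query string
    // or inside example.com.attacker.net does not count.
    return $host === $site_host || substr( $host, -strlen( $suffix ) ) === $suffix;
}

function reject_blind_comment_posts() {
    $referer = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '';
    $agent   = isset( $_SERVER['HTTP_USER_AGENT'] ) ? trim( $_SERVER['HTTP_USER_AGENT'] ) : '';
    $site    = wp_parse_url( home_url(), PHP_URL_HOST );

    if ( $agent === '' || ! comment_referer_is_own_site( $referer, $site ) ) {
        // Answer 403 rather than redirecting the client to its own address.
        wp_die( 'Comment rejected', 'Comment rejected', array( 'response' => 403 ) );
    }
}
add_action( 'pre_comment_on_post', 'reject_blind_comment_posts' );
```

The same Referer caveat applies here: visitors whose browser sends no Referer at all will be rejected, so if that turns out to hit real readers, drop the Referer half and keep only the empty User-Agent test.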

Cloudflare

Another feature you can use to stop spam is Cloudflare. This is a bit more involved to set up, because it requires changing your domain's nameservers. Cloudflare has security services built in, such as threat detection, SQL injection and DoS protection, and prevention of excessive robot crawling, and it will also improve your site's performance.

Your domain's nameservers will have to point to Cloudflare, and you will manage your DNS from Cloudflare's administration interface. Implement this only if you are comfortable working with DNS.

 

2 Comments on “Block WordPress comment spam with no plugin”

  1. Hunter Satterwhite says:

    Great post and simple solution, but will the addition of a nonce field interfere with a plugin solution, like Automattic’s IntenseDebate?

  2. Hax says:

    If you are using a plugin like IntenseDebate, it is already using nonce fields to validate submissions and you don't need to add it. Other plugins are probably not using nonce fields, but if they are well written there should not be any conflicts.
