I am so tired of getting spam comments on some of my sites. I’ve also tried many anti-spam plugins.
- Spam-Free Plugin
- Comment Math Questions
- Comment Quiz
- Comment Captcha
- Double Opt-in
- Change default comment page name from wp-comments-post.php to something else.
Guess what? None of them work so far. There are company in India hiring real people to crack the CAPTCHA code for spammers. The SPAM-Free plugin only blocks those from your blacklist or known SPAMMERS. Comment Math isn’t working when it always easy to calculate.
Most WordPress spam comments are submit from automated script running on anonymous servers with random forged IPs. So the spammer never visit your website. That really sucks out of my valuable time to fight spam and delete spam comments.
One of my site just post a new article. Within few hours, I got over 100 spam comments with ZERO visit and page view.
What can I do about it?
One of the best solutions I found so far is to change the comment form field, so the spam comment will fail. So no spam comment need to be cleaned or marked. You can find the instruction on Block Remote Comments on a WordPress site.
Guess what again? It is still not 100% working. Here is my improved solution based on the above method.
We need to understand how the Comment Spam Bots work these days. So we can find a better way to block them.
- Comment Spam Bots search for WordPress blog that have new blog post indexed on Search Engines.
- Comment Spam Bots use GET Method to scrapping a copy of your post page
- Comment Spam Bots parse out your HTML code and find out the comment field name, ID and attributes.
- Comment Spam Bots also find out where the comment form submit to.
#3 and #4 is the main reasons why all the anti-spam plugin or code change doesn’t work. Really! I haven’t really figure out the perfect way to prevent remote comment spam, but I haven’t getting any spam comment for 6 days now on the victim site after I made just one line of code change. I did however getting 200 hits on the wp-comments-post.php page and many GET request on the post page. In other words, none of those 200 remote spam comments went into my blog. That is what I am looking for.
The comment field name changing method isn’t working 100% due to the fact that SPAM BOT is also looking into the id attributes of the comment field. Here is how it look like after I change the comment field name.
<textarea id="comment" cols="58" rows="10" name="cm_23423safasfa"></textarea>
You see the id attribute is still saying “comment”. This give SPAM BOT hint that the comment field is still there. In general, you will never customize your comment form in stylesheet or CSS file. So this id field is useless. We need to change it. You will notice I also changed the tabindex to 99.
<textarea id="u23412asdfasa34234" cols="58" rows="10" name="cm_23423safasfa"></textarea>
Again, this method is not perfect. If spammer figure out the field name and id of your comment field, they can still submit comment remotely. At least, you give their program more challenge.
The ideal way should be done in the WordPress core. The script should allow admin to configure where and how comment form is handled. It should allow admin to change comment form file name, field name, id and only accept the comment submitted from the same domain as the website.
Anyway. Since I made this modification, I haven’t got any remove comment spam so far. Good luck to you all!
One very important thing I forgot to mentions is this.
If you ever update your WordPress version, theme file or template, the code may be updated and erased as well. You will need to change them again.