Fight Back Against WordPress Comment Spam with a HTTP_REFERER Check

Fight Back Against WordPress Comment Spam with a HTTP_REFERER Check

For those that use WordPress, comment spam is a huge problem. There are lot of good ways to combat comment spam, and many plugins that help with the issue; however, they don’t always stop the spammer before they submit the comment, and generally rely on categorization into appropriate areas for further moderation or removal.

This web site currently leverages the Antispam Bee plugin to analyze and determine whether or not submitted comments are valid. It does quite well, but I still receive and end up having to moderate numerous amounts of spam comments.

I wanted to find a way to fight those that are submitting spam comments before they ever submit a comment, to filter out and help reduce the number of spam comments that are actually submitted. I decided to leverage the following Apache rewrite directives that take advantage of the HTTP_REFERER header to ensure that comment submissions are actually originating from my web site.

By default, when a visitor visits a WordPress web site and leaves a comment, those comments are submitted and processed through the wp-comments-post.php file. When a valid user on your web site leaves a comment, the wp-comments-post.php file generally receives a referrer header from your own web site as part of the POST request.

However, when a spam-bot submits a comment to your web site, they generally skip visiting your web site, and submit directly through the wp-comments-post.php file. As this occurs, a fake referrer header or even no referrer header is sent along with the request. This allows for detection of the spam-bot by analyzing the referrer header that is sent along with the POST request.

The following code snippet can be placed in the .htaccess file of your WordPress installation, or directly in the Apache httpd.conf if you so choose, to help eliminate comments that don’t originate from your web site.

NOTE: You will need to modify the *.mydomain.com.* section of the directive below to use your domain name. Do not add a “www” or any prefix to your domain name.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*mydomain.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]

This rewrite directive will in practice:

  1. Detect when a POST request is being made.
  2. Check to see if the post is being made on the wp-comments-post.php file.
  3. Check to see if the referrer originates from your domain or if there is no referrer provided.
  4. Redirect the spam-bot to post back to its originating IP address, causing it to fail and causing unexpected traffic on its own server.

Basically what you’re doing with this rewrite directive is forcing the spam bot to post a request back to itself. Simple, yet effective and will help cut down on the number of spam comments your web site is actually seeing.

NOTE: This is not a fool-proof solution, and you may still encounter spam comments; however, it is meant to be part of a a bigger solution that can be leveraged to help combat comment spam.

Author: daharveyjr

I’m a solution architect responsible for the design, development, implementation, testing, and maintenance of e-commerce operations and applications using the Hybris and WebSphere Commerce product suites and other web technologies such as Java, J2EE/JEE, Spring, PHP, WordPress and more. Twitter | Facebook | LinkedIn

3 thoughts on “Fight Back Against WordPress Comment Spam with a HTTP_REFERER Check

  1. Anne Marie Reply

    Hi Drew. I’ve recently joined this fight. Thanks for the artillery. I’ve been getting ~50 per day for the last 4 days. I know that’s a piddling amount compared to some, but it takes focus away from the actual “work” of blogging. We’ll see if this does the trick. Thanks for sharing.

Leave a Reply

Your email address will not be published.