More SPAM controls
Hey, it looks like the jerks at some online poker 777 crap place are blog-spamming like crazy. They not only call wp-comments-post.php directly, they do it for future posts. So, that means that you immediately get a comment with their spam when you post a new article. I used phpMyAdmin to remove all 25 or 30 of their stinkin’ posts and then set up some Apache mod_rewrite rules. No one can access wp-comments-post.php directly anymore. They must be referred from my site, which makes sense as the only way you should be able to post a comment is if you first see the story. Go figure. We’ll see if this keeps them out….heh heh…
I added this to my Apache httpd.conf file for this blog site:
RewriteEngine On
RewriteCond %{HTTP_REFERER} "!^http://my.site/.*$" [NC]
RewriteCond %{REQUEST_URI} ".*wp-comments-post.php$"
RewriteRule .* - [F]
Remember to change “my.site” to your site and the ‘wp-comments-post.php’ file name to whatever you have called it if you have decided to change its name as well, as described in this post. Notice that you may prevent legitimate users from making comments if their browser does not send the referer header - shame on them.
I used your method, I think it should work now, thanks for that :)
Comment by Mr. Dew — 11/1/2004 @ 9:33 am
No problem. Please let me know how it works. I have had no comment SPAM since I set this up but I would like to hear experiences from others too. It might also work in a .htaccess file I believe, but I haven’t tried that yet. The referer could also be easily checked in PHP and become a default security feature of WordPress that could be enabled or disabled (dis/allowing for comments from clients that do not send a referer). Any form action scripts would have to check for a referer that is at least the server itself and could also check a list of approved referers (possibly any virtual hosts that are on the same server).
Comment by marc — 11/1/2004 @ 10:14 am
It should be noted that the referrer check will work until the bot writers start forging their referer headers to be the site they are connecting to. However, it’s just one of many tools to help stop spammers. I have also implemented the authimage plugin which adds a strong level of human verification to the comment submission process.
Comment by marc — 11/12/2004 @ 2:17 pm
Is there a way to make the rule work with any subdomain and none? For example, so it’d work if the person were accessing the site from http://flatplanet.ws/ or http://www.flatplanet.ws/ or even http://something.flatplanet.ws/ ?
Comment by Armitage — 12/22/2004 @ 12:38 pm
Sure. Right now, as it is in the example, the rewrite rule works for all hosts. The second rewrite condition
RewriteCond %{REQUEST_URI} ".*wp-comments-post.php$"
is a regular expression for any URL that contains “wp-comments-post.php”. You can narrow the focus to a particular host by specifying that in the regular expression:
RewriteCond %{REQUEST_URI} ".*myhost.someserver.*wp-comments-post.php$"
would limit the rewrite to only URLs that are from myhost.someserver that contain “wp-comments-post.php”.
However, if you have separate virtual hosts, you can simply use the above directive in the individual host’s global httpd.conf and it will affect all accesses to that host. For example, I run several vhosts on virtual0.mecworks.com, one of which is blog.mecworks.com. The directive is placed only in the blog httpd.conf file.
Does this help you out?
Comment by marc — 12/22/2004 @ 2:32 pm
Seems to be working. I’ve had some problems with rewrite rules and people adding or not adding the www. before. Thanks for the help, great idea :)
Comment by Armitage — 12/22/2004 @ 3:11 pm
Cool! Glad it’s working for you.
Comment by marc — 12/22/2004 @ 3:41 pm
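The PHP-side referer check suggested in the comments above (an approved-host list plus a switch for clients that send no referer), extended to the bare-domain, www and arbitrary-subdomain case asked about for flatplanet.ws. This is an added example, not WordPress code and not code from the post or its commenters; the function name comment_referer_allowed, its parameters and the sample Referer values are hypothetical or constructed.

```php
<?php
// Added example, not WordPress code. comment_referer_allowed() and its
// parameters are hypothetical names; the sample Referer values are constructed.

/**
 * Decide from the Referer header whether a comment POST may proceed.
 *
 * @param string|null $referer      Raw Referer header, null if not sent.
 * @param string[]    $allowedHosts Approved base hosts, e.g. ['flatplanet.ws'].
 * @param bool        $allowEmpty   Accept clients that send no Referer at all.
 */
function comment_referer_allowed(?string $referer, array $allowedHosts, bool $allowEmpty = false): bool
{
    if ($referer === null || $referer === '') {
        return $allowEmpty;
    }
    $parts = parse_url($referer);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return false;                       // not an absolute URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = rtrim(strtolower($parts['host']), '.');
    foreach ($allowedHosts as $base) {
        $suffix = '.' . strtolower($base);
        // Exact host, or a subdomain ending in ".base". Matching on the label
        // boundary keeps look-alike hosts that merely contain the name out.
        if ($host === strtolower($base) || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

$samples = [
    'http://flatplanet.ws/?p=12',            // bare domain
    'http://www.flatplanet.ws/?p=12',        // www
    'http://something.flatplanet.ws/',       // any other subdomain
    'http://flatplanet.ws.example/',         // name used as a prefix: refused
    'http://notflatplanet.ws/',              // name used as a suffix: refused
    '',                                      // no Referer sent: refused by default
];
foreach ($samples as $r) {
    $ok = comment_referer_allowed($r, ['flatplanet.ws']);
    printf("%-34s %s\n", $r === '' ? '(none)' : $r, $ok ? 'allow' : '403');
}
```

In a comment handler the first argument would be `$_SERVER['HTTP_REFERER'] ?? null`, with a 403 response sent when the function returns false.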
Three rules for the spam game:
1) you can not win.
2) you can not draw.
3) you can not leave the play.
Greetings,
Antonio, from Malaga (Spain)
Comment by duplicacion serigrafiado — 2/14/2005 @ 3:33 am
Wow, I don’t believe that any one of those rules is true…but nice tie in with poker… 8^)
Comment by Marc — 2/14/2005 @ 6:48 am