Last year I neglected this blog and after a while I discovered that it wasn’t working well anymore. Requests would time out, the admin panel loaded slowly and the experience sucked even with caching enabled. After some investigation, I found out that comment spam was the culprit. There were thousands of spam comments every month and many more attempts that were hitting the server really hard. The chart below shows that at the peak there were more than 125K comments per month that Akismet was catching. I had ReCaptcha enabled, but it looks like there is a way to bypass it, since the comments were still ending up in the database.

Before and after the spam block trick

So, how did I get from 128K spam comments to just 80/month?

The request logs clearly show how often the spam bots were hitting the server and what they were doing: POST requests to the comments API. Most of the requests failed, but the server was still hit like crazy with them, and they came from many different IPs.

107.150.40.162 - - [27/Oct/2014:05:13:54 -0700] "GET /my-interview-with-microsoft/comment-page-2/?rcommentid=316840&rerror=incorrect-captcha-sol&rchash=a7d800a5d59af9b8eb63f9f0b0b8a345 HTTP/1.0" 200 47692 "https://victorhurdugaci.com/my-interview-with-microsoft/comment-page-2/?rcommentid=316840&rerror=incorrect-captcha-sol&rchash=a7d800a5d59af9b8eb63f9f0b0b8a345#commentform"
107.150.40.162 - - [27/Oct/2014:05:14:07 -0700] "POST /wp-comments-post.php HTTP/1.0" 302 15 "https://victorhurdugaci.com/my-interview-with-microsoft/comment-page-2/?rcommentid=316840&rerror=incorrect-captcha-sol&rchash=a7d800a5d59af9b8eb63f9f0b0b8a345#commentform"
107.150.40.162 - - [27/Oct/2014:05:14:12 -0700] "GET /my-interview-with-microsoft/comment-page-2/?rcommentid=316840&rerror=incorrect-captcha-sol&rchash=a7d800a5d59af9b8eb63f9f0b0b8a345 HTTP/1.0" 200 47692 "https://victorhurdugaci.com/my-interview-with-microsoft/comment-page-2/?rcommentid=316840&rerror=incorrect-captcha-sol&rchash=a7d800a5d59af9b8eb63f9f0b0b8a345#commentform"
107.150.40.162 - - [27/Oct/2014:05:14:13 -0700] "POST /wp-comments-post.php HTTP/1.0" 302 15 "https://victorhurdugaci.com/my-interview-with-microsoft/comment-page-2/?rcommentid=316840&rerror=incorrect-captcha-sol&rchash=a7d800a5d59af9b8eb63f9f0b0b8a345#commentform"
107.150.40.162 - - [27/Oct/2014:05:14:26 -0700] "GET /my-interview-with-microsoft/comment-page-2/?rcommentid=316840&rerror=incorrect-captcha-sol&rchash=a7d800a5d59af9b8eb63f9f0b0b8a345 HTTP/1.0" 200 47690 "https://victorhurdugaci.com/my-interview-with-microsoft/comment-page-2/?rcommentid=316840&rerror=incorrect-captcha-sol&rchash=a7d800a5d59af9b8eb63f9f0b0b8a345#commentform"
107.150.40.162 - - [27/Oct/2014:05:14:33 -0700] "POST /wp-comments-post.php HTTP/1.0" 200 97 "https://victorhurdugaci.com/my-interview-with-microsoft/comment-page-2/#commentform" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.0.3705)"

Clearly there is a bug in wp-comments-post.php that the spam bots were exploiting (see the last request that succeeded). I wish I had the time to do more investigation and see what the real issue is. Also, I had trackbacks enabled and those were even easier to spam because there is no captcha:

107.183.141.18 - - [27/Oct/2014:21:42:52 -0700] "GET /my-interview-with-microsoft/ HTTP/1.1" 200 11928 "-"
107.183.141.18 - - [27/Oct/2014:21:42:57 -0700] "POST /my-interview-with-microsoft/trackback/ HTTP/1.1" 200 93 "https://victorhurdugaci.com/my-interview-with-microsoft/"
107.183.141.18 - - [27/Oct/2014:21:43:06 -0700] "GET /my-interview-with-microsoft/ HTTP/1.1" 200 11928 "-"
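As an added example (not code from the original post), the retry pattern in the logs above can be turned into a small detection check: parse combined-format log lines, count POSTs to wp-comments-post.php and trackback URLs per source IP, and record how many of those POSTs followed a captcha failure (the rerror=incorrect-captcha-sol tag in the referrer). The sample lines, IPs and hostnames are constructed, and the threshold of two POSTs is an assumed value.

```python
import re
from collections import Counter

# Apache "combined" log line: ip ident user [ts] "METHOD path proto" status size "referrer" ["agent"]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)")?'
)

# The two endpoints the post identifies as spam targets: the comment handler
# (captcha apparently bypassed) and trackback URLs (no captcha at all).
COMMENT_ENDPOINT = "/wp-comments-post.php"
TRACKBACK_RE = re.compile(r"/trackback/?$")
CAPTCHA_FAIL = "rerror=incorrect-captcha-sol"   # error tag seen in the referrer on retries

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def spam_report(lines, threshold=2):
    """Count comment/trackback POSTs per source IP and return the sources at or above
    `threshold` (assumed default: 2), together with how many of their POSTs followed
    a captcha failure, which is the bot retry pattern visible in the request log."""
    posts, retries = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]          # ignore any query string
        if path == COMMENT_ENDPOINT or TRACKBACK_RE.search(path):
            posts[rec["ip"]] += 1
            if CAPTCHA_FAIL in (rec["ref"] or ""):
                retries[rec["ip"]] += 1
    return {ip: {"posts": n, "captcha_retries": retries[ip]}
            for ip, n in posts.items() if n >= threshold}

# Constructed sample log (documentation IPs and example.com, modelled on the lines above).
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Oct/2014:05:14:07 -0700] "POST /wp-comments-post.php HTTP/1.0" 302 15 "https://example.com/post/?rerror=incorrect-captcha-sol#commentform"',
    '203.0.113.5 - - [27/Oct/2014:05:14:13 -0700] "POST /wp-comments-post.php HTTP/1.0" 302 15 "https://example.com/post/?rerror=incorrect-captcha-sol#commentform"',
    '203.0.113.5 - - [27/Oct/2014:05:14:33 -0700] "POST /wp-comments-post.php HTTP/1.0" 200 97 "https://example.com/post/#commentform" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.7 - - [27/Oct/2014:21:42:57 -0700] "POST /post/trackback/ HTTP/1.1" 200 93 "https://example.com/post/"',
    '192.0.2.9 - - [27/Oct/2014:21:43:06 -0700] "GET /post/ HTTP/1.1" 200 11928 "-"',
    '192.0.2.9 - - [27/Oct/2014:21:44:00 -0700] "POST /wp-comments-post.php HTTP/1.1" 200 97 "https://example.com/post/"',
]

if __name__ == "__main__":
    for ip, info in spam_report(SAMPLE_LOG).items():
        print(ip, info)
```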

First, I replaced the comments system with Disqus. By doing this, I delegated all the comments and the spam protection to the Disqus service, and they handle it for me. They seem to be doing a great job, especially since you need an account to post. You can add Disqus to a WordPress site by installing the official plugin.

However, simply adding Disqus will not stop comment spamming and the flood of requests through the WordPress comments system. You have to prevent any POST requests to wp-comments-post.php. I did that through mod_rewrite, redirecting any POST request back to its origin address:

RewriteEngine On
# Match the WordPress comment handler (dot escaped, no stray trailing wildcard)
RewriteCond %{REQUEST_URI} wp-comments-post\.php
# Redirect the client to its own address and stop processing further rules
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]

The rewrite rule above means that any request to wp-comments-post.php (the RewriteCond line) gets a 301 (Moved Permanently) response code, with the redirect URL set to the address the request originated from (the RewriteRule line). Basically, it is sending the spam request back to the spammer. By doing this, you cannot use the WordPress comments anymore, because any request to post a comment will be redirected, including yours. But you don’t need it anymore, because you have Disqus.

My server is now happy and the blog is responsive, at least until the spam bots find another way to post comments.

If you want more WordPress tips, leave your contact information below and I will send you a newsletter with new ways to improve your WordPress site.