Blocking WordPress Blog Spam with .htaccess

While I am a fan of Monty Python’s Spam skit, I am not a fan of automated WordPress spam, and it seems to be getting worse every day. Of course, the large majority of WordPress comment spam is just automated comments posted directly to the WordPress wp-comments-post.php file. I have used different methods in the past but recently came across a way to help keep the spammers away.

While there are many very good plugins available for WordPress to help keep spam down, sometimes the best method is to use your web server to block it in the first place. Thanks to a very helpful post on the V7N forum, here is a way that you can block a large portion of automated comment spam using your .htaccess file.

Before you add these six directives to the .htaccess file in the root of your WordPress installation, be sure to make a backup copy, just in case something goes wrong. The wp-comments-post.php file is located in the root of your WordPress install, so you need to add this code to the main .htaccess file. If you have pretty permalinks turned on you probably will not need the “RewriteEngine On” line, since pretty permalinks already turn that on.

# Requires mod_rewrite and AllowOverride FileInfo for this directory.
RewriteEngine On
# Only act on POST requests aimed at the comment handler.
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
# Fire when the Referer is not this site, [OR] when the User-Agent is empty.
# Replace yourdomain\.com with your own host name; the backslash escapes the dot.
RewriteCond %{HTTP_REFERER} !yourdomain\.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Send the request back to the client's own address ($1 = the requested path).
RewriteRule (.*) http://%{REMOTE_ADDR}/$1 [R=301,L]

Here is what the code does. It looks for a POST directly to the wp-comments-post.php file, which is how automated spam bots submit comments, and if the referrer is not your domain (or the request carries no user agent at all) it redirects that request back to the IP address the request came from.
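To see exactly which requests those conditions catch, here is a small Python model of the rule chain. It is an added example, not part of the original post and not Apache code: it re-implements the condition logic (every RewriteCond must match, except that the [OR] flag joins the Referer and User-Agent tests) and runs it over a handful of constructed sample requests. The host name yourdomain.com stands in for the post's placeholder, and the function names are my own.

```python
"""Model of the six-directive .htaccess rule from the post.

Added example, not Apache's implementation: it mirrors the RewriteCond
semantics (conditions are ANDed, except the two joined by [OR]) so the
outcome for each kind of request can be checked without a web server.
"""
import re

SITE_HOST = "yourdomain.com"  # stands in for the post's placeholder host


def is_blocked(method, uri, headers):
    """Return True when the rule chain fires, i.e. the request is redirected away."""
    referer = headers.get("Referer", "")
    user_agent = headers.get("User-Agent", "")

    is_post = method == "POST"                                   # REQUEST_METHOD POST
    hits_comment_handler = re.search(r"wp-comments-post\.php", uri) is not None
    # [OR] groups the next two conditions: Referer not ours OR empty User-Agent.
    referer_not_ours = re.search(re.escape(SITE_HOST), referer) is None
    empty_user_agent = re.search(r"^$", user_agent) is not None

    return is_post and hits_comment_handler and (referer_not_ours or empty_user_agent)


def redirect_target(remote_addr, path):
    """Where RewriteRule sends a blocked request: the client's own address, same path."""
    return f"http://{remote_addr}/{path.lstrip('/')}"


# Constructed sample requests: (label, method, uri, headers, remote address).
SAMPLE_REQUESTS = [
    ("browser comment", "POST", "/wp-comments-post.php",
     {"Referer": "http://yourdomain.com/2010/some-post/", "User-Agent": "Mozilla/5.0"},
     "198.51.100.7"),
    ("bot, no referer", "POST", "/wp-comments-post.php",
     {"User-Agent": "Mozilla/5.0"}, "203.0.113.9"),
    ("bot, empty UA", "POST", "/wp-comments-post.php",
     {"Referer": "http://yourdomain.com/", "User-Agent": ""}, "203.0.113.10"),
    ("bot, foreign referer", "POST", "/wp-comments-post.php",
     {"Referer": "http://example.net/", "User-Agent": "curl/7"}, "203.0.113.11"),
    ("page view", "GET", "/wp-comments-post.php", {}, "198.51.100.8"),
    ("other post", "POST", "/wp-login.php", {}, "198.51.100.9"),
]


def classify(requests=SAMPLE_REQUESTS):
    """Map each sample label to whether the rule would redirect it."""
    return {label: is_blocked(method, uri, headers)
            for label, method, uri, headers, _addr in requests}


if __name__ == "__main__":
    for label, method, uri, headers, addr in SAMPLE_REQUESTS:
        verdict = "redirect to " + redirect_target(addr, uri) if is_blocked(method, uri, headers) else "pass"
        print(f"{label:22} {method:4} {uri:24} -> {verdict}")
```

Only the three bot-style requests are redirected; a normal browser comment, a GET of the same path and a POST to any other file pass untouched. Note that the Referer and User-Agent values are whatever the client chooses to send, so the rule only filters bots that omit them, which is why the post keeps Akismet as a second layer.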

I have been testing this out for a few days now and I am pleased to say that the amount of spam that has made it through is significantly down. It is not all gone, and there is still some making it through, but the percentage has decreased significantly. You will still need to run Akismet to catch the spam that is done by real people but this can help lower the load on your WordPress site from the automated spam bots.

If spam has your WordPress website swamped give this a try and see if it helps to turn the tide in your favour a little bit.

After you have done that take a break and enjoy the Monty Python Spam skit.



4 Responses to Blocking WordPress Blog Spam with .htaccess

  1. As an update to this post: this does not get rid of all of the spam you will get. It has cut the spam being received down by roughly half. Akismet is still important to catch the remaining spammers from commenting.

    Just another tool in the spam toolbox.

  2. Interesting concept, although I would prefer an automated solution; I don’t like digging in code myself.

    I’ve been using GASP (Growmap) for months and it hasn’t let a single automated spam comment through (adds a server side generated checkbox) – perhaps it adds similar code to htaccess behind the scenes?

    Akismet or Antispam Bee etc. still needed for human spam, unfortunately.

    • I will have to look into that plugin.

      One of the benefits of using .htaccess to help block spam is a lower load on the server. Some WordPress plugins can be real resource hogs. I used to use one called WP-SpamFree and while it worked great it sucked a lot of resources.

      ’Course, I have not done a huge experiment on server load with this method either; perhaps when I don’t have a lot of things to do. 🙂
