Keep the Comment Bots at Bay

Space Invaders - Found at: http://www.sxc.hu/photo/191111

It does not take long after your blog opens before the automated comment spam bots start to invade your beautiful creation. Dealing with comment spam is a daily task for every blogger, and if the automated comment spam bots have you on their list of blogs to attack it can be an overwhelming task. There are many different methods that you can use to keep them from attacking your blog with a barrage of bad and often nonsense comments. You can try to ban the IP addresses using your .htaccess file, install different types of captcha plugins, or add hidden comment fields to stop the bots. The method I prefer is to use Javascript to separate a real person leaving a comment from an automated comment spam bot leaving a comment.

To understand how this method works you need to know a little bit about how WordPress processes the comment form. If you look at the source code of a WordPress comment form you will see the form tag. It should look something like this:
<form action="http://www.yourblog.com/wp-comments-post.php" method="post" id="commentform">
WordPress uses the wp-comments-post.php file to handle the processing of comments. Automated comment spam bots know this, so all they do is add your blog to their list of sites to target, and their software goes to work spamming your blog by posting directly to the wp-comments-post.php file. You can try to simply rename the default WordPress file for handling comments, but that will only work for a little while, until the bot reads the actual HTML form and adds the new URL and file name to its database.

Automated comment spam bots so far have one flaw that we can still use to our advantage. They don’t read external Javascript files very well. What we simply do is hijack the normal comment form action using Javascript and send the real person to the correct comment processing script and let the bot go ahead and post to the default WordPress comment file. Here is how you do it.

Warning: This requires the editing of core WordPress files. You are reminded to make a backup of your blog before doing this, just in case, or at the very least copies of the files you are going to edit.

Step 1
Create a copy of the wp-comments-post.php file from the root of your WordPress blog. Give the copy another name. One that is hard to guess would be best, but it should be something different from wp-comments-post.php. I often use a randomly generated file name created from a password generator, but something as simple as nospamcomments.php should work. This copy of wp-comments-post.php is going to become your new comment form processing file, so make a note of the file name; you will need it later.

Step 2
Now that you have a copy of the wp-comments-post.php file you can go ahead and edit the wp-comments-post.php file. What we want to do is keep the wp-comments-post.php

I edited it down to just this:

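<?php
// Decoy handler: accepts the POST, stores nothing, and redirects back to the post.
if ( 'POST' != $_SERVER['REQUEST_METHOD'] ) {
    header('Allow: POST');
    header('HTTP/1.1 405 Method Not Allowed');
    header('Content-Type: text/plain');
    exit;
}

require( dirname(__FILE__) . '/wp-config.php' );

// The post ID is whatever the client submitted. No comment is ever saved,
// so there is no comment ID or comment object to use below.
$comment_post_ID = isset($_POST['comment_post_ID']) ? (int) $_POST['comment_post_ID'] : 0;

$location = empty($_POST['redirect_to']) ? get_permalink($comment_post_ID) : $_POST['redirect_to'];
$location = apply_filters('comment_post_redirect', $location, null);

wp_redirect($location);
exit;
?>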

Save the file.

Essentially what we want to do is just redirect the submitted form from the bot to the post that the bot says it came from without actually doing anything.

Step 3
We need to create a way to direct real users to the correct comment form processing script. We do this with a little bit of Javascript. In your text editor create a new file and add the following Javascript:

function nospamaction(theForm) {
    theForm.action = "http://www.yourblog.com/nospamcomments.php";
    return true;
}

Save the file as nospamaction.js (it can be named something different if you want, it is up to you).

Step 4
If you have been editing these files on your home computer you will need to upload the new files to your web server. If you have been editing/creating new files on your web server using your web server control panel then you can skip this step.

Step 5
Once you have the files uploaded to your web server you can log in to your WordPress admin panel. You need to make two small edits to your theme files. Go to the Presentation tab and choose Theme Editor. Select your header file first. The Javascript file you created needs to be added to the header. Add the following line between the head tags. If you don’t know where that is, place the line just before the closing head tag (</head>).

<script language="javascript" type="text/javascript" src="http://www.yourblog.com/nospamaction.js"></script>

Update the header file and then edit the comments file. You need to find the form tag for the comment form. The default one from the Kubrick theme looks like this:
<form action="<?php echo get_option('siteurl'); ?>/wp-comments-post.php" method="post" id="commentform">

To make the form submit to the proper file to process the form we need to add a Javascript event to the form. Add the onsubmit event handler to the form tag and call your Javascript function to redirect the form output to the correct comment handling file.
<form action="<?php echo get_option('siteurl'); ?>/wp-comments-post.php" method="post" id="commentform" onsubmit="return nospamaction(this);">

Update your comments file.

Step 6
Go and test your comments form on your post. Make sure you clear your web browser cache, and if you are using wp-cache or Super Cache turn them off. Try your new form with Javascript turned on first to make sure it redirects properly to your renamed wp-comments-post.php. If you get a new comment posted then you know it worked. Then try your form with Javascript turned off. You should be redirected right back to your post and no comment will appear in your admin.
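The same check can be made from the server side once the change is live. The script below is an added example, not part of the original post: it reads access-log lines and counts POSTs to the decoy and to the renamed handler. It assumes the Apache combined log format, the file names nospamcomments.php and nospamaction.js used in the steps above, and sample log lines constructed for illustration.

```javascript
// Added example: counts bot traffic on the decoy and flags clients that post
// to the renamed handler without first loading the script that points to it.
const DECOY = '/wp-comments-post.php'; // stripped-down file from Step 2
const REAL = '/nospamcomments.php';    // renamed copy from Step 1
const SCRIPT = '/nospamaction.js';     // Javascript file from Step 3

// Constructed sample lines (documentation IP ranges), not real traffic.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Oct/2008:13:55:36 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "bot/1.0"',
  '203.0.113.7 - - [10/Oct/2008:13:55:37 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "bot/1.0"',
  '198.51.100.20 - - [10/Oct/2008:14:01:02 +0000] "GET /nospamaction.js HTTP/1.1" 200 96 "-" "Mozilla/5.0"',
  '198.51.100.20 - - [10/Oct/2008:14:03:40 +0000] "POST /nospamcomments.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '192.0.2.44 - - [10/Oct/2008:14:10:11 +0000] "POST /nospamcomments.php HTTP/1.0" 302 0 "-" "-"',
  'truncated or malformed line',
];

// Captures client IP, method and request target from a combined-format line.
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" \d{3} /;

function classifyCommentTraffic(lines) {
  const fetchedScript = new Set(); // clients that requested nospamaction.js
  const suspects = new Set();
  const report = { decoyPosts: 0, realPosts: 0, unparsed: 0, suspectClients: [] };
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) { report.unparsed += 1; continue; }
    const [, ip, method, target] = m;
    const path = target.split('?')[0]; // ignore any query string
    if (method === 'GET' && path === SCRIPT) fetchedScript.add(ip);
    if (method !== 'POST') continue;
    if (path === DECOY) {
      report.decoyPosts += 1;          // discarded by the Step 2 stub
    } else if (path === REAL) {
      report.realPosts += 1;
      // No script fetch seen first: the client may have learned the real URL.
      if (!fetchedScript.has(ip)) suspects.add(ip);
    }
  }
  report.suspectClients = [...suspects].sort();
  return report;
}

console.log(classifyCommentTraffic(SAMPLE_LOG));
```

A reader whose browser already has nospamaction.js cached will not request it again, so a flagged client is a lead to look at, not proof of a bot.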

Pros
This method can help prevent automated comment spam from overwhelming your blog.
Lets automated comment bots think they successfully posted.

Cons
Requires Javascript to be turned on in your reader's browser. Most have this turned on.
Edits a core WordPress file. When you upgrade your WordPress install you will need to redo steps one and two again and upload the files.

Conclusion
I have used this simple Javascript hijack to prevent comment spam on several WordPress installations and it has cut down considerably on automated comment spam. The comment spam that does get through will be trackback spam and spam from real people actually visiting your blog and filling in the comment form. I have used this method on other types of comment and contact forms as well and it continues to work on several high-profile sites that I have worked on in the past. This is only one solution to comment spam. If you are not comfortable editing WordPress files you might want to have someone who is do it for you, or try some of the other techniques that are available. The sooner you don’t need to worry about dealing with comment spam the sooner you can do what you love, writing great content for your blog!

11 Responses to Keep the Comment Bots at Bay

  1. This is a nice method Lee, like you say it is a shame it runs on JavaScript but nonetheless it is a decent method. I prefer to have a hidden form field to fool spam bots rather than using captcha on my blog as it is important to make things as simple as possible and I feel getting visitors to my website to jump through hoops to comment just isn’t good practice. I think captcha is great, just not for a blog comment form, keep captcha for profile signups on commercial websites. Another great article on blog housekeeping, cheers!

  2. That sure is one heck of a way to deal with the spam. However, Akismet has done a pretty darn good job at keeping 99% of the spam off of my blog. Also, I wouldn’t want to do this every time a new WordPress version is released, it could get old after awhile. But thanks for sharing your technique.

  3. At one time, I thought about changing the name of the text fields in the comment form, but when I attempted to do so, the comment form broke. Apparently, those are hard coded values or something. I always thought that perhaps changing the Email fields from Email to something like Emale might be a way to prevent spam.
