Back in January I tried renaming the wp-comments-post.php file to avoid comment spammers. That worked for about 10 hours, then they started using the new file name. So I switched back to the default filename. Like I said back then “So unless you change the comment post filename regularly, it doesn’t do much good.”
Well, duh, how about if I change the filename regularly? Over the last week I’ve been experimenting on a couple of my blogs. I manually changed the filename about once a day. The new filename got picked up and used, although there were still a lot of hits to wp-comments-post.php. Any IP address that attempts to POST to the no-longer-existing wp-comments-post.php is working from a stored URL rather than from the form on the page, and can be firewalled.
I started wondering about the possibility of (1) changing the filename for every request; and (2) preventing spammers from storing that filename. So I’ve come up with code that changes the filename on every request. Here’s how I am currently doing it. Each page view builds a comment form that submits to a file named after the visitor’s IP address (e.g. 220.127.116.11.php):
1. Rename your wp-comments-post.php file to something random-ish. This new filename will never be visible to the public. This is called security by obscurity.
mv wp-comments-post.php roses-are-red.php
2. Create a new directory, accessible under your blog directory. You can call it anything you like.
3. Change to that directory
4. Create a .htaccess file
Put these two lines into it:
RewriteEngine on
RewriteRule ^.*$ /roses-are-red.php
The filename at the end of the RewriteRule line must be the one you chose in step 1. The effect is that a request for any filename in the kittens directory (the name used for that directory in the rest of this post) is served by the renamed wp-comments-post.php. Because the rule has no [R] flag it is an internal rewrite: the browser never sees the real filename, and the POST body arrives intact. An external redirect would turn the POST into a GET and lose the comment.
5. Edit your template’s comments.php file. This will be in (your blog directory)/wp-content/themes/(theme name). Look for the line that sets up the form to the comment submission page. In the default Kubrick style, this is on line 72. Comment that line out by adding <!-- before it and --> after it:
<!--<form action="<?php echo get_option('siteurl'); ?>/wp-comments-post.php" method="post" id="commentform">-->
You leave the old line in place, commented out, so that a spider scraping the HTML source for the post page finds wp-comments-post.php and not the “real” post page. Then add this line after the commented line:
<form action="<?php $ip = $_SERVER['REMOTE_ADDR']; echo get_option('siteurl') . "/kittens/" . $ip . ".php"; ?>" method="post" id="commentform">
The directory in the action (kittens here) must be the one you created in step 2. The address comes from REMOTE_ADDR, which the web server fills in from the connection, not from anything the client sends.
Now if a comment spammer spiders my site and later tries to send spam through the comment submission page, all I have to do is check whether the IP address that made the POST matches the address in the filename. If they don’t match, someone stored the comment submission URL and is replaying it from a different host. Note what this does not catch: a bot that fetches the page and posts from the same address gets a filename that matches, so the check only separates harvest-and-replay spam from everything else.
So for example, this line was in my log file this morning:
18.104.22.168 - - [02/Apr/2007:07:00:16 -0400] "POST /kittens/22.214.171.124.php HTTP/1.1" 302 - "http://www.example.com/2007/04/01/exampleurl/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; H010818; InfoPath.1)"
Note the request came from 126.96.36.199, but the comment was submitted to 188.8.131.52.php. So when I grep through the log for the ip address “184.108.40.206” I find this line:
220.127.116.11 - - [02/Apr/2007:06:52:22 -0400] "GET /2007/04/01/exampleurl/ HTTP/1.0" 200 16942 "-" "topicblogs/0.9"
Googling topicblogs shows lots of references that topicblogs may be a spammer. Well, there’s the proof.
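The check described above, run over log lines rather than by hand, as an added example in Python that is not part of the original post. It parses Apache combined-format lines, flags POSTs to the rewrite directory whose filename IP differs from the client IP, lists the addresses that POST to the removed wp-comments-post.php (the firewall candidates mentioned earlier), and then pulls the earlier GETs from the address embedded in the filename so you can see what harvested the page. The directory name kittens is taken from the post; the log lines are constructed for the example using RFC 5737 documentation addresses, with the topicblogs/0.9 user agent borrowed from the excerpt above.

```python
import re
from collections import defaultdict

TRAP_DIR = "kittens"   # the rewrite directory used in the post

# Apache "combined" log format, the layout of the lines quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# /kittens/<ip>.php: the per-visitor filename the theme emits
TRAP_RE = re.compile(rf'^/{TRAP_DIR}/(?P<ip>[0-9.]+)\.php$')


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines):
    """Return (replays, decoy_posters, harvesters).

    replays:       (client_ip, filename_ip) for POSTs where the two differ
    decoy_posters: client IPs that POST to the removed wp-comments-post.php
    harvesters:    filename_ip -> set of user agents it used on GET requests
    """
    entries = [e for e in map(parse_line, lines) if e]
    replays, decoy_posters, suspect_ips = [], set(), set()
    for e in entries:
        if e["method"] != "POST":
            continue
        if e["path"].endswith("/wp-comments-post.php"):
            decoy_posters.add(e["ip"])
            continue
        m = TRAP_RE.match(e["path"])
        if m and m.group("ip") != e["ip"]:
            replays.append((e["ip"], m.group("ip")))
            suspect_ips.add(m.group("ip"))
    # The manual grep step from the post: what did the address in the filename fetch?
    harvesters = defaultdict(set)
    for e in entries:
        if e["method"] == "GET" and e["ip"] in suspect_ips:
            harvesters[e["ip"]].add(e["agent"])
    return replays, decoy_posters, dict(harvesters)


# Constructed sample log (RFC 5737 documentation addresses). Line 1 is the harvester
# fetching the post, lines 2-3 a normal reader posting from the same address, line 4
# the replay from a different address, line 5 a hit on the removed decoy file.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Apr/2007:06:52:22 -0400] "GET /2007/04/01/exampleurl/ HTTP/1.0" 200 16942 "-" "topicblogs/0.9"
192.0.2.10 - - [02/Apr/2007:06:55:01 -0400] "GET /2007/04/01/exampleurl/ HTTP/1.1" 200 16942 "-" "Mozilla/5.0 (X11; Linux)"
192.0.2.10 - - [02/Apr/2007:06:57:40 -0400] "POST /kittens/192.0.2.10.php HTTP/1.1" 302 - "http://www.example.com/2007/04/01/exampleurl/" "Mozilla/5.0 (X11; Linux)"
203.0.113.5 - - [02/Apr/2007:07:00:16 -0400] "POST /kittens/198.51.100.7.php HTTP/1.1" 302 - "http://www.example.com/2007/04/01/exampleurl/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
203.0.113.9 - - [02/Apr/2007:07:03:00 -0400] "POST /wp-comments-post.php HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

if __name__ == "__main__":
    replays, decoy_posters, harvesters = analyse(SAMPLE_LOG.splitlines())
    for client, stored in replays:
        agents = sorted(harvesters.get(stored, []))
        print(f"replay: {client} posted to {stored}.php; {stored} fetched pages as {agents}")
    for ip in sorted(decoy_posters):
        print(f"firewall candidate: {ip} POSTed to the removed wp-comments-post.php")
```

The legitimate reader (192.0.2.10) is not flagged because the address in the filename it posted to is its own; only the replay and the decoy hit come out.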
The form action in step 5 could easily be tweaked to encode whatever information you want to track. I started out by creating an MD5 hash, but decided I would start out easy and work up to a more complicated tracking system.
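One way to carry the form action from step 5 further in the hashing direction mentioned here, as an added Python illustration that is not the post's PHP: the filename becomes a keyed hash (HMAC-SHA256 rather than a plain MD5, so a visitor cannot compute a name for a different address, post or day) over the client IP, the post ID and the date, and the renamed handler recomputes it to check the binding and the age. SECRET, the post ID and the one-day grace period are assumptions of the example. It has the same blind spot as the plain IP scheme: a bot that fetches and posts from one address passes.

```python
import datetime
import hashlib
import hmac

# Assumed server-side secret for the example; a real deployment would generate
# a long random value and keep it outside the theme directory.
SECRET = b"example-secret-replace-me"
TRAP_DIR = "kittens"   # the rewrite directory from the post


def comment_token(ip, post_id, day, secret=SECRET):
    """Hex token binding the client IP, the post being commented on and a date (ISO string)."""
    msg = f"{ip}|{post_id}|{day}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def form_action(siteurl, ip, post_id, day):
    """What the theme would emit as the form's action attribute."""
    return f"{siteurl}/{TRAP_DIR}/{comment_token(ip, post_id, day)}.php"


def verify_token(token, ip, post_id, today, secret=SECRET, max_age_days=1):
    """True if the token was minted for this IP and post on today's date or within max_age_days.

    The grace period covers a form loaded just before midnight and submitted after it.
    """
    today = datetime.date.fromisoformat(today)
    for back in range(max_age_days + 1):
        day = (today - datetime.timedelta(days=back)).isoformat()
        expected = comment_token(ip, post_id, day, secret)
        if hmac.compare_digest(expected, token):   # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    action = form_action("http://www.example.com", "192.0.2.10", 123, "2007-04-02")
    token = action.rsplit("/", 1)[1][:-len(".php")]
    print(action)
    print("same client, same post:", verify_token(token, "192.0.2.10", 123, "2007-04-02"))
    print("replayed from another address:", verify_token(token, "203.0.113.5", 123, "2007-04-02"))
    print("replayed two days later:", verify_token(token, "192.0.2.10", 123, "2007-04-04"))
```

The handler side would sit at the top of the renamed wp-comments-post.php and reject the request when verification fails; the log correlation described above still works, since the token tells you which address the form was issued to once you recompute it for the candidate IPs.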
I also tried to create this as a WordPress plugin, but it looks like there isn’t a system call for the filename of the wp-comments-post.php file.
If a visitor browses through a proxy pool, or behind a NAT that rotates its outgoing address, a legitimate comment can trip this check. The page request generates an ip-address.php form, but by the time the comment is submitted a few minutes later the proxy may be using a different outgoing address, so the POST arrives from an IP that does not match the filename. A mismatch is therefore evidence worth checking in the logs, as above, rather than proof on its own.