Skip to content

Blocking WordPress Comment Spam

Back in January I tried renaming the wp-comments-post.php file to avoid comment spammers. That worked for about 10 hours, then they started using the new file name. So I switched back to the default filename. Like I said back then “So unless you change the comment post filename regularly, it doesn’t do much good.”

Well, duh, how about if I change the filename regularly? Over the last week I’ve been experimenting on a couple of my blogs. I manually changed the filename about once a day. The new filename got picked up and used, although there were still a lot of hits to wp-comments-post.php. Any ip address that attempts to “POST” to a non-existent wp-comments-post.php file should be firewalled.

I started wondering about the possibility of (1) changing the filename for every request; and (2) preventing spammers from storing that filename. So I’ve come up with the code to change the filename on every request. Here’s how I am currently doing it. Each request makes a call to the user’s ip address.php (e.g.

1. Rename your wp-comments-post.php file to something random-ish. This new filename will never be visible to the public. This is called security by obscurity.

mv wp-comments-post.php roses-are-red.php

2. Create a new directory, accessible under your blog directory. You can call it anything you like.

mkdir kittens

3. Change to that directory

cd kittens

4. Create a .htaccess file

vi .htaccess

Put these two lines into it:

RewriteEngine on
RewriteRule ^.*$ /roses-are-red.php

The filename at the end of line 2 should be the same filename you used in step 1 above. What these commands do is any request to any filename in the kittens directory, will actually be calling the renamed wp-comments-post.php file.

5. Edit your template’s comments.php file. This will be in (your blog directory)/wp-content/themes/(theme name). Look for the line that sets up the form to the comment submission page. In the default Kubrick style, this is on line 72. Comment that line out by adding <!−− before it and −−> after it:

<!--<form action="<?php echo get_option('siteurl'); ?>/wp-comments-post.php" method="post" id="commentform">-->

You comment this out so that if the spammers’ spiders are looking for the post page, they’ll find it, and not the “real” post page. Then add these lines after the commented line:

<form action="<?php
echo get_option('siteurl'); echo "/responses/".$ip; echo ".php"; ?>" method="post" id="commentform">

And now if a comment spammer spiders my site and later tries to send spam through the comment submission page, all I have to do is check to see if the IP address matches the filename. If they don’t match, someone is storing the comment submission page URL and trying to spam through it.

So for example, this line was in my log file this morning: - - [02/Apr/2007:07:00:16 -0400] "POST /kittens/ HTTP/1.1"
   302 - "" "Mozilla/4.0 (compatible; MSIE 5.5; Windows
   NT 5.0; H010818; InfoPath.1)"

Note the request came from, but the comment was submitted to So when I grep through the log for the ip address “” I find this line: - - [02/Apr/2007:06:52:22 -0400] "GET /2007/04/01/exampleurl/ HTTP/1.0" 200
   16942 "-" "topicblogs/0.9"

Googling topicblogs shows lots of references that topicblogs may be a spammer. Well, there’s the proof.

The commands in step 5 above could very easily be tweaked to include whatever information you want to store. I started out by creating an MD5 hash, but decided I would start out easy and work up to a more complicated tracking system.

I also tried to create this as a WordPress plugin, but it looks like there isn’t a system call for the filename of the wp-comments-post.php file.

If a user is using some kind of a proxy to surf the web, it is possible that they may be caught by this. Their original request would generate an ip-address.php submission page, but in the few minutes it would take to enter their comment, their proxy system may change their IP address. So their comment would come from a different IP address.


  1. Duncan says:

    Personally, I’ve found Spam Karma 2 to be extremely effective at stemming the flow of spam from bots etc. I get a summary once per day of posts that didn’t quite make the cutoff point – I’ve never had to rescue a comment. It uses metrics like speed of posting (some posters manage to post a (long) comment within .1 of a second of visiting the page.. if that’s not a bot, I want to know how they’re using the ‘net), age of the article, distributed blacklists etc.

  2. Hi Duncan, yes, there are systems that help fight with the spam. I’m adding in a new step that will prevent the crud from even getting into those systems in the first place.

  3. Gareth Heyes says:

    I’ve developed a plugin that is 100% effective against automated comment spam, check it out :-

  4. Jeff Chan says:

    Hey Mike,

    This is Jeff from topicblogs. The “kittens” url has nothing to do with us, and we’re certainly not spamming anyone! 🙂

    We’re currently in (an extended) private beta. Feel free to email me if you have any questions.

    Jeff Chan

  5. Akismet 20,000 spam caught…

    I just checked my Akismet spam listing, and see that at some point on October 20th, 2007, Akismet tagged the 20,000th spam comment on my blog. Wow, amazing. And that is…

  6. Rosie Manning says:

    Wow…20,000 spam is quite a lot. I just don’t really get it why would spammers waste time on trying to spam sites. Most people nowadays already know what SPAM messages or comments looks like and will simply ignore it.

    I just want to point out that the Bad Behavior plugin can also reduce the chance spam bot from posting spam.

    Anyways, this an interesting guide and I will definitely keep this page on my bookmark 🙂


  7. Hi Rosie, Bad Behavior blocked some family members who are behind a proxy at their jobs, so I don’t use it any more.

  8. Rosie Manning says:

    Oh..I see. Maybe we should suggest to the developer of Bad Behavior to make a feature that would let use manually add a whitelist.

    This might sound funny, but recently I was blocked from my own site by Bad Behavior! But all is working fine now 🙂

  9. Jeff says:

    I stopped using Bad Behavior too…it started blocking all my visitors. For anti-spam, I use WP-SpamFree and Akismet. It’s a killer combo.