Blog Usability: Avoid Spam Comments (Part 2)
In our previous article, Blog usability: Avoid spam comments, we discussed the two ways we were fighting spam comments on our blog at the time:
- Use Akismet for WordPress
- Make a spam filter against BBCode like “[/url]”
The latter was a quick and dirty solution we had to implement to deal with a lot of spam comments that for some reason were slipping through Akismet.
Today we implemented one of the possible future protection mechanisms we also discussed there: removing the standard URL for posting comments.
WordPress uses /wp-comments-post.php as the receiving URL when posting new comments. Some spammers exploit this and post their spam directly to that URL, without ever loading the comment form on the blog. The popular solution has therefore been to rename the file wp-comments-post.php and update the comment form to use the new filename.
But there are two drawbacks to this solution:
- When you update your WordPress installation to a newer version, the renamed file is of course deleted and replaced by a fresh copy with the original name. If you forget to rename the new file, nobody will be able to leave a comment on your site, since your theme still points to the renamed file (which no longer exists).
- If you publish your WordPress theme or move it to another WordPress installation, chances are that the comment form will break because the file has not been renamed on the other system.
The solution we implemented today does not actually rename the wp-comments-post.php file. Instead we deny all web access to it via .htaccess and point to it via a symbolic link that we create in our theme directory. We then make our comment form post to this symbolic link instead.
Since the symbolic link is located in our theme directory, it is never deleted when we upgrade to a newer version of WordPress, and if the theme is copied to another server the symbolic link is copied along with it, so the comment form is not at risk of breaking. Note that this only stops bots that post blindly to the default URL; a bot that fetches the page and reads the form's action attribute will find the new URL, so this is an obscurity measure that complements Akismet rather than replacing it.
Simple 3-Step Implementation Guide
If you don't have shell access you must ask your hosting provider to do this for you.
- Create Symbolic Link
Create a symbolic link from your theme directory to the wp-comments-post.php file. Go to the directory of your current theme (in our case wp-content/themes/jaw/) and execute the following command:
[code]ln -s ../../../wp-comments-post.php my-comments-post.php[/code]
In this example we name the symbolic link my-comments-post.php, but you can choose any name. The three ../ steps lead from wp-content/themes/jaw/ back up to the WordPress root; adjust them if your theme lives at a different depth. Apache only serves a symbolic link when FollowSymLinks (or SymLinksIfOwnerMatch) is enabled for that directory, so if the link itself answers with "403 Forbidden" that is the first thing to check.
- Update Comment Form
Still in your theme directory, find the files that contain links to the wp-comments-post.php file by executing the following command:
[code]grep -l wp-comments-post.php *[/code]
You will get a list of the files you need to edit. Now update each file so that the link to wp-comments-post.php instead points to the symbolic link. This usually means changing the following:
[code]<form action="<?php echo get_option('siteurl'); ?>/wp-comments-post.php" method="post" id="commentform">[/code]
To this:
[code]<form action="<?php bloginfo('template_directory'); ?>/my-comments-post.php" method="post" id="commentform">[/code]
- Deny Access To Old File
To make sure that the old wp-comments-post.php file cannot be accessed from the internet, edit the .htaccess file in the root of your website and add the following to the top of the file:
[code]<Files wp-comments-post.php>
Deny from all
</Files>[/code]
Apache matches <Files> against the name of the file that was requested, so a request for my-comments-post.php is still allowed even though the link points at the denied file. (Deny from all is Apache 2.2 syntax; on Apache 2.4 the equivalent is Require all denied.) To verify that the change to the .htaccess file works, open the wp-comments-post.php file in a browser (e.g. http://www.yourblog.com/wp-comments-post.php) and check that you get a "403 Forbidden" page telling you that you do not have permission to access the document.
Remember: Make sure to test that your comment form still works when you are done with the modifications.
Technorati Tags: blog usability, spam comments, akismet, bbcode, guide, wordpress, blogging, justaddwater.dk, htaccess, wordpress theme
June 30th, 2006 at 00:33 (GMT-1)
Why not simply integrate CAPTCHA?
June 30th, 2006 at 17:16 (GMT-1)
Ivan, I wrote about the accessibility problems of CAPTCHA earlier in “Captcha usability revisited: Google inaccessible to blind people”
Spam number update: When we implemented this we were getting approx. 500 spam comments per day on this blog. After implementing it as Thomas describes above, we went from 500 to 28 in the last day.
So if we assume for a moment that the spam level is the same, this trick stops 472 of 500 spam comments. Impressive!
February 6th, 2007 at 13:57 (GMT-1)
[…] We have for example been blocking certain keywords that we found were common in spam that slipped through Akismet, or we have been changing the standard WordPress URL for posting comments. Finally we have incorporated a little htaccess hack that validates the poster's referral URL. This should of course be our own domain justaddwater.dk, but many spammers actually put some garbage into this header field – and we can then easily block it directly in the Apache web server before it even reaches WordPress. UPDATE: We also allow empty referrals (thanks Håvard, for pointing this out) […]
February 22nd, 2007 at 12:49 (GMT-1)
[…] a shot in the dark makes sense. There, by all appearances, it is enough just to rename the scripts (JustAddWater.dk – Blog Usability: Avoid Spam Comments (Part 2)) in order to […]
April 2nd, 2007 at 02:35 (GMT-1)
[…] written about our spam comment countermeasures in “how to avoid spam comments” (part 1, part 2), and the last 2 months since we passed 100,000 spam comments, we have had another 57,000 spam […]
August 6th, 2007 at 21:14 (GMT-1)
CAPTCHAs shouldn't be difficult to read. Every implementation I've ever seen is terrible. Computers are pretty good at OCR, so why are we providing humans with an OCR problem? The one thing we know humans are better than computers at is logic problems. A better CAPTCHA would be "type the second word from the end of this sentence", then you'd type "this" to pass the test. How about alternating the font color of each word and telling them to type the blue word? Or alternating the font size and asking the user to type the word with the smallest font? Or the word that has a smiley face instead of an 'O'? Or type the first letter of each word in the sentence? Humans are better suited than computers for all those problems.
February 1st, 2008 at 12:09 (GMT-1)
CAPTCHAs aren't difficult to read!
April 22nd, 2008 at 14:14 (GMT-1)
CAPTCHA always makes problems; I prefer to use a math question.
August 28th, 2008 at 15:32 (GMT-1)
The math questions are being used a lot at the moment! I think that they will go out of fashion, because they are going to be easier to crack than an image CAPTCHA! A computer can read a web page and add 3 to 5 as well!
I have seen image CAPTCHAs on RapidShare, where they put a CAPTCHA with dogs and cats behind the letters, and you have to type the letters that have a dog behind them. That's smart but a big pain because it's all blurry!
September 3rd, 2008 at 21:56 (GMT-1)
Hello! I think these are great ideas! I have been using Akismet and it is working great for my site!
September 26th, 2008 at 06:29 (GMT-1)
I was using the manual posting technique, but I am not able to post a comment on any site.
Maybe my URL "gigaturn" has been put on a block-list by wp-comments-post.
Any solution to this problem would be appreciated.
Thanks in advance!
January 31st, 2011 at 20:26 (GMT-1)
[…] Blog usability: Avoid spam comments (part 2) […]