Blog Usability: Avoid Spam Comments (Part 2)

Can of SPAMIn our previous article Blog usability: Avoid spam comments we discussed the two ways we currently where fighting spam comments on our blog:

  1. Use Akismet for WordPress
  2. Make a spam filter against BBCode like “[/url]”

The latter being a quick and dirty solution we had to implemented to deal with a lot of spam comments that for some reason where slipping though Akismet.

Today we then implemented one of the possible future protection mechanisms that we also discussed: Remove standard URLs for posting comments.

WordPress uses /wp-comments-post.php as the receiving URL when posting new comments. Some spammers exploit this and automatically send their spam directly to that URL (without actually filling out the comment form on the blog). The popular solution has therefore been to rename the file wp-comments-post.php and update the comment form to use the new filename.

But there are two drawbacks to this solution:

  1. When updating your WordPress installation to a newer version the renamed file is of course deleted and replaced with a new version with the old name. If you forget to rename the new file nobody will be able to leave a comment on your site since your theme still points to the renamed version of the file (which is now deleted).
  2. If you publish your WordPress theme or move it to another WordPress installation chances are that the comment form will break because the file hasn’t been renamed on other systems.

The solution we implemented today doesn’t actually rename the wp-comments-post.php file. Instead we deny all access to it via htaccess and point to it via a symbolic link we create in our theme directory. We then make our comment form point to this symbolic link instead.

Since the symbolic link is located in our theme directory it is never deleted when we upgrade to a newer version of WordPress and if the theme is copied to another server the symbolic link will be copied as well — hence the comment form is not in risk of breaking.

Simple 3-Step Implementation Guide

If you don’t have shell access you must ask your host provider to do this for you

  1. Create Symbolic Link
    Create a symbolic link from your theme directory to the wp-comments-post.php file:Go to the directory of your current theme (in our case wp-content/themes/jaw/) and execute the following command:

    ln -s ../../../wp-comments-post.php my-comments-post.php

    In this example we name the symbolic link my-comments-post.php, but you can choose any name.

  2. Update Comment Form
    Still in your theme directory you need to find which files that contain links to the wp-comments-post.php file. To do this execute the following command:

    grep -l wp-comments-post.php *

    You will then get a list of the files you need to edit. Now update each file so that the link to wp-comments-post.php instead point to the symbolic link. This is usually done by changing the following:

    [code]<form action=”<?php echo get_option(‘siteurl’); ?>/wp-comments-post.php” method=”post” id=”commentform”>[/code]

    To this:

    [code]<form action=”<?php bloginfo(‘template_directory’); ?>/my-comments-post.php” method=”post” id=”commentform”>[/code]

  3. Deny Access To Old File
    To make sure that the old wp-comments-post.php file cannot be accessed from the internet, edit your .htaccess file in the root of your website and add the following to the top of the file:

    [code]<Files wp-comments-post.php>
        Deny from all

    To verify that the update to the htaccess file works, try to open the wp-comments-post.php file in a browser (i.e. and see if you get a “403 Forbidden” page telling you that you do not have permission to access the document.

Remember: Make sure to test that your comment form still works when you are done with the modifications.

Technorati Tags: , , , , , , , , ,

13 Responses to “Blog Usability: Avoid Spam Comments (Part 2)”

  1. Ivan Minic Says:

    Why simply not integrtating captcha?

  2. Jesper Rønn-Jensen Says:

    Ivan, I wrote about the accessibility problems of CAPTCHA earlier in “Captcha usability revisited: Google inaccessible to blind people

    Spam number update: As we implemented this we got approx. 500 spam comments per day on this blog. After implementing like Thomas describes above, we went from 500 to 28 the last day.

    So if we assume for a moment that the spam level is the same, this trick stops 472 of 500 spam comments. Impressive!

  3. | 100,000 Blog Spam Comments Says:

    […] We have for example been blocking certain keywords that we found where common in spam that slipped through Akismet, or we have been changing the standard WordPress URL for posting comments. Finally we have incorporated a little htaccess hack that validates the posters referral URL. This should of cause be our own domain, but many spammers actually put some garbage into this header field – and we can then easily block it directly in the Apache web server before it even reaches WordPress. UPDATE: We also allow empty referrals (thanks Håvard, for pointing this out) […]

  4. Barrierefreie Alternative zu Captcha's? - Seite 2 - XHTMLforum Says:

    […] Schuss ins Blaue sinnvoll. Dort reicht es allem Anschein nach schon aus die Skripte umzubenennen ( – Blog Usability: Avoid Spam Comments (Part 2)) um einen Gro

  5. Barrierefreie Alternative zu Captcha's? - Seite 3 - XHTMLforum Says:

    […] Schuss ins Blaue sinnvoll. Dort reicht es allem Anschein nach schon aus die Skripte umzubenennen (

  6. | Spam Blog Posted 182 Articles in One Day Says:

    […] written about our spam comment countermeasures in “how to avoid spam comments” (part 1, part 2), and the last 2 months since we passed 100,000 spam comments, we have had another 57,000 spam […]

  7. Tony Joolo Says:

    CAPTCHAS shouldn’t be difficult to read. Every implementation I’ve ever seen is terrible. Computers are pretty good at OCR, so why are we providing humans with an OCR problem? The one thing we know humans are better than computers at is logic problems. A better CAPTCHA would be “type the second word from the end of this sentence”, then you’d type “this” to pass the test. How about alternate the font color of each word and tell them to type the blue word?. Or alternate the size of font and ask the user to type the word with the smallest font? Or the word that has a smiley face instead of an ‘O’? Or type the first letter of each word in the sentence? Humans are better suited than computers for all those problems.

  8. Kredyt Mieszkaniowy Says:

    CAPTCHAS isn’t difficult to read!

  9. kredyt bez bik Says:

    captcha alway makes problem, I prefer to use any math question.

  10. Carvoeiro in Portugal Says:

    The math questions are being used a lot at the moment! I think that they will go out of fashion, because it is going to be easier to crack than an image captcha! A computer can read a web page and add 3 to 5 also!
    I have seen image captchas on rapid share, where they put a captcha with dogs and cats behind the letters, and you have to type the letters that have a dog behind, that’s smart but a big pain because its all blurry!

  11. Cartao de Credito Says:

    Hello! I think these are great ideas! I have been using askimet and it is working great for my site!

  12. jitendra Says:

    I was using manual posting technique, but I am not able to post comment in any site.

    May be my URL “gigaturn” has been listed in block-list by wp-comments-post.

    Any solution for this problem would be appreciated.

    Thanks in advance!

  13. | CAPTCHA usability: Humane alternative to CAPTCHA Says:

    […] Blog usability: Avoid spam comments (part 2) […]