How to Block Comment Spam More Efficiently on Your WordPress Website

Most blog owners block comment spam in their WordPress blog heavily relying on anti-spam plugin or built-in Comments Blacklist. While this provides easy solution that works, it does have drawbacks. Because it does NOT stop spammer from doing this, but check if the comment is legitimate. It takes a hit on website performance by consuming system resources, which could be saved to serve valuable visitors.

More efficient solution, is to add extra protection on the website to stop spammers. This includes two steps:

  • Block spam that targets wp-comments-post.php
  • Block spammer using ip blacklist

Block spam that targets wp-comments-post.php

Legitimate users leave comments on your blog using the comment form in the blog post. This requires loading blog’s comment template (e.g., comments.php), which should be located within the same domain as the blog post. After filling out the comment form and clicking “submit”, which then initiates the PHP script that actually processes the comment. In WordPress, the comment processing file is wp-comments-post.php located in root directory. Therefore, the HTTP referrer for all legitimate comments is your domain.

Automated spam robots, on the other hand, typically target the wp-comments-post.php directly, bypassing your comments.php form altogether. This behavior results in HTTP referrer is not your domain. Therefore, by blocking requests for the wp-comments-post.php that are not sent directly from your domain, you immediately eliminate a large portion of blog spam.

To block spam that targets wp-comments-post.php directly, you shall add following code into .htaccess.

# Block spam that targets wp-comments-post.php & wp-login.php by denying access to no-referrer requests
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
	RewriteCond %{HTTP_REFERER} !.** [OR]
	RewriteCond %{HTTP_USER_AGENT} ^$
	RewriteRule ^(.*)$ ^http://%{REMOTE_ADDR}/$ [R=301,L]

The only thing you need to do, is to change is the highlighted “” to your own domain.

Once save and upload the change to website, you shall load website, check pages, posts and other area to make sure the change doesn’t have negative impact on your site.

* Updated on April 09, 2014. The code has been updated at line 5 by adding wp-login.php in protected file. This can prevent spam attack targeting wp-login.php.


Block Spammer using IP Blacklist

Going through the spam comments list, you may find some repeated IP addresses. To do so, you can go to:

Admin Panel > Comments

wordpress-post-comments-iconand click on Spam.

From author’s list, click on the last item – IP address under Author’s icon. It will filter the list to show all comments from the same IP address.

This is an important reference for blog owner (or site administrator). Basically, the IP should be banned if the IP address repeatedly posts spam comments on your website.

After identifying the spammers, we can block them using IP Blacklist. To block an IP from accessing your website, add following code into .htaccess.

# IP Blacklist
<limit GET POST PUT>
	Order Allow,Deny
	Allow from all
	Deny from XXX.XXX.XXX.XXX

Replace “XXX.XXX.XXX.XXX” with the real IP address. You can add more IPs into the list.

For example, here is a list of spam comments from same IP. They are apparently posted by bot, not human. I never think twice before adding ips like this into .htaccess blacklist anytime I spot this kind of pattern.

IP blacklist is more powerful and efficient than WordPress built-in Comment Blacklist. While WordPress built-in Comment Blacklist will consume system resources, IP blacklist stops spammers from even accessing your website.


With the IP blacklist, and .htaccess directives against spambots targeting wp-comments-post.php, you can find it dramatically cutting down the numbers of spam comments. What left can be handled by Anti-spam plugin without leaving too much burden to the system resources.