Holy spam bots Batman!
I finally got fed up with comment spam on my wordpress blog. To help solve my problem, I decided to remove all the the url / website values for comments in my blog. It seems like the most popular use of the author url value in a comment is for spam. In fact, I would say over 90% of all my comments containing an author url is some form of ad spam. For these cases, the author url usually links to some random site with no relevant content. On the other hand, almost all my readers who post legitimate comments do not bother putting in a comment author url.
So I decided the author url is useless and decided take aggresive action against it:
- remove the url field from the comment form
- prevent comment posts with author url in it
- remove urls for existing comments
- remove comments which contained random author urls which has a slight hint of being spam.
Customize the comment form
To remove the url or website field from the comment form, you can customize the wordpress comment form by adding a filter and using the “comment_form_default_fields” hook. Go into your theme and find all usages of the function comment_form(). Before each usage, add the following filter:
<?php
function remove_url_field($fields) {
unset($fields['url']);
return $fields;
}
add_filter('comment_form_default_fields', 'remove_url_field')
?>
<?php comment_form(); ?>
I’m using the default twenty-eleven theme and the above appears in comments.php.
Validate server comment post
Customizing the comment form is great for your users but it will not make a bit of difference for spam bots. Spam bots can post comments directly to your wordpress and bypass the form directly. Because of this, you need to add validation to the php file that accepts comments. Inside wp-comments-post.php, find the following lines of code (should be somewhere near the middle of the file):
$comment_author = ( isset($_POST['author']) ) ? trim(strip_tags($_POST['author'])) : null; $comment_author_email = ( isset($_POST['email']) ) ? trim($_POST['email']) : null; $comment_author_url = ( isset($_POST['url']) ) ? trim($_POST['url']) : null; $comment_content = ( isset($_POST['comment']) ) ? trim($_POST['comment']) : null;
Put the following if statement right after:
if ($comment_author_url) {
wp_redirect('/');
exit;
}
This will redirect anyone who submits a comment author url back to the main page. This should only affect bots which bypassed your form since it will not realize you do not have a url input anymore.
Remove existing author url
Finally, remove the existing urls from the mysql database. The urls are stored in wp_comments in the comment_author_url field.
mysql> update wp_comments set comment_author_url = '';
Notes
The above changes were performed on wordpress 3.2.1.
Thank you, thank you, thank you! I was trying to figure out how they kept bypassing all the ‘url’ code I had stripped out. Most of the sites I was going through were mentioning everything to just before the validate server step, but not that step in particular. Definitely going to try that and see how it works. Just annoyed it took me 3 weeks to find this, and it’s listed way down in the search engine.
it’s a great solution, but how can i remove the existing urls from the mysql database? please help me, i’m beginner in mysql
Assuming you have login access to your database and it’s called “myblog”, first switch to your database, then run the sql command in my post:
use myblog;
update wp_comments set comment_author_url = ”;
Thanks a lot :-)
I can’t seem to get this to work for me. I’m still getting a million spam bot comments. With regards to the “Validate Server” step, is there a certain spot in the file that you place the code you suggested?
I placed it at the end, so the code immediately before and after looks like this:
wp_redirect($location);
exit;
$comment_author = ( isset($_POST['author']) ) ? trim(strip_tags($_POST['author'])) : null;
$comment_author_email = ( isset($_POST['email']) ) ? trim($_POST['email']) : null;
$comment_author_url = ( isset($_POST['url']) ) ? trim($_POST['url']) : null;
$comment_content = ( isset($_POST['comment']) ) ? trim($_POST['comment']) : null;
if ($comment_author_url) {
wp_redirect(‘/’);
exit;
}
?>
Is there a problem with this? It might seem obvious to you, but I can’t figure it out. Please help.
Thanks.
Hi Mona,
The proper place to put the code is around line 54. The only new code is the if statement.
if ($comment_author_url) {
wp_redirect(‘/’);
exit;
}
Look for the following 4 lines of code in the file:
$comment_author = ( isset($_POST['author']) ) ? trim(strip_tags($_POST['author'])) : null;
$comment_author_email = ( isset($_POST['email']) ) ? trim($_POST['email']) : null;
$comment_author_url = ( isset($_POST['url']) ) ? trim($_POST['url']) : null;
$comment_content = ( isset($_POST['comment']) ) ? trim($_POST['comment']) : null;
And just put the if statement right after that. I’ll try to clear up my post cause that probably wasn’t clear.
Thanks for replying. It works now. I only get a small amount of spam comments, which I think people are typing direcctly in to the comment form. A big difference from sometimes more than 50 spam bot comments each day. Thanks for your help.
Mona
I’ve been looking for how to do EXACTLY this for about two hours this morning. Thanks so much for this post. It really helped a WP/SQL neophyte.
This is working fine, thanks you