Spam Stopper Hack for WordPress 1.2

by JD — Nov. 5, 2004 @ 10:08 AM

Update: It looks like the spammers have finally found a way around this hack :-( . The new spam bots apparently parse through the post page to find the correct name of the comment-posting script. Oh well, it was fun while it lasted.

For stopping this new wave of spam bots, I whole-heartedly recommend the WordPress auth-image hack.
You can read a little more about the authimage hack here.

The problem: Spammers use robots that target the wp-comments-post.php file to automatically enter spam comments into your blog.

The solution: This hack renames the wp-comments-post.php file and all related references to this file, so the spammer's bot can't find the posting file and therefore can't post spam on your site.

*Note: There is also a blank wp-comments-post.php file so that your error log doesn’t fill up with 404 errors and so that the spammer doesn’t receive a "not found" error and go searching for the renamed file.
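The blank wp-comments-post.php decoy described in the note can also serve as a detection signal. The following is an added example, not part of the original post or of the hack's archive: it classifies clients in an Apache-style access log by which comment endpoint they POST to. The log lines are constructed, pcmnt.php is the renamed handler mentioned in the comments below, and the labels are assumptions of this sketch.

```python
import re
from collections import defaultdict

DECOY = "/wp-comments-post.php"  # blank file the hack leaves in place
REAL = "/pcmnt.php"              # renamed handler (name taken from the comments)
# Constructed sample lines in Apache combined log format (documentation IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [07/Nov/2004:04:25:01 +0000] "POST /wp-comments-post.php HTTP/1.0" 200 0 "-" "-"
192.0.2.10 - - [07/Nov/2004:04:25:02 +0000] "POST /wp-comments-post.php HTTP/1.0" 200 0 "-" "-"
198.51.100.7 - - [07/Nov/2004:09:10:44 +0000] "GET /?p=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Nov/2004:09:12:03 +0000] "POST /pcmnt.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jan/2005:05:11:09 +0000] "POST /wp-comments-post.php HTTP/1.0" 200 0 "-" "-"
203.0.113.5 - - [02/Jan/2005:05:11:10 +0000] "POST /pcmnt.php HTTP/1.0" 302 0 "-" "-"
203.0.113.9 - - [11/Feb/2005:11:03:00 +0000] "POST /pcmnt.php HTTP/1.0" 302 0 "-" "-"
not a log line
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3} ')

def classify(lines, decoy=DECOY, real=REAL):
    """Label each client that POSTed a comment, keyed by IP address."""
    seen = defaultdict(lambda: {"decoy": 0, "real": 0, "get": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        path = m["path"].split("?", 1)[0]
        counts = seen[m["ip"]]
        if m["method"] == "POST" and path == decoy:
            counts["decoy"] += 1
        elif m["method"] == "POST" and path == real:
            counts["real"] += 1
        elif m["method"] == "GET":
            counts["get"] += 1
    report = {}
    for ip, c in seen.items():
        if c["decoy"] and c["real"]:
            report[ip] = "adapted-bot"   # tried the old name, then found the new one
        elif c["decoy"]:
            report[ip] = "blind-bot"     # hard-coded path; the rename stopped it
        elif c["real"] and not c["get"]:
            report[ip] = "direct-post"   # posted without ever loading a page
        elif c["real"]:
            report[ip] = "unflagged"     # human, or a bot that read the form action
    return report

if __name__ == "__main__":
    for ip, label in classify(SAMPLE_LOG.splitlines()).items():
        print(ip, label)
```

A client that loads a post page and then submits to the renamed handler stays "unflagged" whether it is a person or a bot that read the form's action attribute, which is the limitation the update at the top of this post describes.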

Download WordPress Spam Stopper

27 Comments »


  1. Pingback by Chabuduo » Comment Spam — Nov. 7, 2004 @ 4:25 AM

    [...] this has proved sufficient, and I have not been spammed since. If this fails, I found this hack which (in their words): renames the wp-comments-post.php file and al [...]

  2. [...] installed the WordPress Spam Stopper, which (download here) is offered by Joe Schmoe on his homepage. In addition, I also have a blacklist [...]

  3. Pingback by GINCO BLOG » spam protection — Nov. 14, 2004 @ 5:09 AM

    [...] that the spam bots use, disables it and calls the necessary code from another file. spam-stopper-hack-for-wordpress if [...]

  4. Pingback by Speedkill » Comment spam returns…again — Nov. 30, 2004 @ 7:07 PM

    [...] help, considering I have to go through and delete it anyway. So, I’m now trying this plugin, which changes the wp-comments-post.php name. Hopefully that works [...]

  5. Pingback by paul chang - blog » Blog Comment Spam — Dec. 14, 2004 @ 12:43 AM

    [...] I’ve found helpful if you’re using WordPress and are receiving comment spam: Mudbomb- A Big Pile of Internet Crap » Spam Stopper Hack for WordPress [...]

  6. Pingback by /usman/ » Going live! — Jan. 17, 2005 @ 10:59 PM

    [...] uches: Gallery: layout now matches the rest of the site. Comment spam: I’m using the spam stopper hack and Hash Cash. Consequently, I’ve disabled comme [...]

  7. Comment by IO ERROR — Nov. 7, 2004 @ 12:24 AM

    Spam Stopper in this form doesn’t seem to work with the nightly builds. I was able, however, to take the basic idea and edit the PHP myself. Thanks for posting this!

  8. Comment by Joe Schmoe — Nov. 7, 2004 @ 1:47 AM

    IO,
    You are correct. This hack is only for the latest “official” release of WordPress (1.2.1). It won’t work with the nightly or CVS builds.

  9. Comment by Ed Tarno — Nov. 14, 2004 @ 10:33 AM

    Nice! Since I installed this hack a few days ago I haven’t gotten a single spam on my blog. Thanks :)

  10. Comment by IO ERROR — Nov. 19, 2004 @ 9:08 PM

    As a followup, I haven’t gotten a single spam after installing this idea (see comment #1). I’m thinking about going a step further and having wp-comments-post.php redirect to a PayPal page where the spammer can enter their credit card information and send me $250. :)

  11. Comment by Scribe — Nov. 26, 2004 @ 4:07 AM

    Thanks for saving my sanity. As soon as I installed your hack, the spam stopped. Thank you.

  12. Trackback by Schrödinger's Cat is Dead — Dec. 1, 2004 @ 8:31 AM

    Can spam
    In that WPBlacklist wasn’t particularly effective in stopping spam, and I woke up this morning to find another 20 or so advertisements for pharmaceuticals or online gambling, Speedkill pointed out a new method for stopping spam, called, appropriately …

  13. Comment by anthony — Dec. 1, 2004 @ 7:30 PM

    Nice job I just installed it and so far the spamming has stopped.

  14. Comment by Joe Schmoe — Dec. 1, 2004 @ 10:57 PM

    Glad this hack is working out for everyone. I plan on changing the posting file name in the hack every month or so. That way, folks downloading it one month get a different version than those downloading it the next. Hopefully, this way the spammers will never be able to find the posting file :-)

  15. Trackback by Mr.Brog - Mr.Brown's Blog — Dec. 6, 2004 @ 1:07 PM

    WordPress and comment spam (2)
    The mother of fools is always pregnant. Everyone knows that. But the spammers' mother keeps very busy too, great whore that she is.
    This is to tell you that the little trick proposed here sometimes doesn't seem to work, because the bastards …

  16. Comment by Brady White — Jan. 1, 2005 @ 5:21 PM

    I got my first wave of 183 porn spam this morning. I installed these comment php files on my server, reactivated comments, and boom… more spam. I think I’ll have to sit this one out. I think I’m using 1.2 or 1.2.2 so this apparently doesn’t work for it. If anyone has gotten it to work with this version, e-mail me. Thanks!

  17. Comment by Joe Schmoe — Jan. 2, 2005 @ 5:11 AM

    Hi Brady,
    Are you ABSOLUTELY certain that the spam came in AFTER the hack was installed? If so, this is the first report I’ve gotten like this. I’m using the hack on this site, and have not gotten a single spam in months.

    From your description, it sounds like all of the spam is coming from one spammer. Is it possible that this one spammer may be targeting your site specifically (i.e. changing his bot to match your post.php filename)? If so, I’m not sure anything will work except banning IPs, etc.

    Having said all that… I still went ahead and updated the hack with a new post filename “just in case” :) . Download the new version and give it a try.

  18. Comment by Michael Cruz — Jan. 5, 2005 @ 2:02 AM

    Hello! I think your hack is a great idea and I implemented it tonight, but I had to delete it because it also altered the look of my comment form. I am using WP 1.2.1 with modified Kubrick (although comment forms have not been modified)

  19. Comment by Joe Schmoe — Jan. 5, 2005 @ 6:12 AM

    Hi Michael,
    I shortened your comment a bit by removing the examples. Hope that’s okay :-) .

    Actually, the hack uses the default WordPress comment file that is included with every WordPress download. The Kubrick template does indeed use a modified wp-comments.php file, but you can still use the hack.

    Just extract every file in the archive EXCEPT wp-comments.php. Now open your current wp-comments.php file and change line 73 from:
    <form action="<?php echo get_settings('siteurl'); ?>/wp-comments-post.php"

    to:
    <form action="<?php echo get_settings('siteurl'); ?>/pcmnt.php"

  20. Comment by Michael Cruz — Jan. 6, 2005 @ 12:21 AM

    Thanks!! The links in your posts are awesome btw.

  21. Comment by Shreenath Deshpande — Jan. 12, 2005 @ 9:30 AM

    Hi,
    I am getting this error
    —————————————
    Fatal error: Call to undefined function: __() in /var/bt/home/web/deshshr/pande.info/html/wp-comments.php on line 25
    —————————————–

    Could you please help me ?
    I am also getting a hell of a lot of comments :(
    FYI, I am using WordPress 1.0.2

    -pande

  22. Comment by Joe Schmoe — Jan. 15, 2005 @ 1:46 PM

    Shreenath,
    The hack only works with WordPress 1.2 and above.

  23. Comment by Andy — Feb. 11, 2005 @ 11:03 AM

    This hack works as part of a larger defence scheme. It will work for maybe a couple of weeks, maybe longer, but then other scripts will find the renamed file. Use it in conjunction with one or more other techniques, like the graphical or logical captcha, .htaccess server referer blocking, wordpress plugins, etc.

  24. Comment by Andy — Feb. 11, 2005 @ 11:04 AM

    Image verification sucks – it effectively means those with visual impairments are treated the same way as spammers – ie excluded. There are better, less exclusive, methods

  25. Comment by Joe Schmoe — Feb. 11, 2005 @ 11:32 AM

    Um, no, as I mentioned the hack no longer works at all. Spammer scripts have progressed to the point where they actually search for the comment post file/script target in the form. Referer scripts are useless as most spammers simply spoof it.

    If there was a better, more inclusive method available for WordPress I would gladly use it. Please provide a link…

    Actually, I think that the authimage hack allows an option for using text for the verification code. Easier for the spam-bots to get through, but it would probably be effective for the next year or so until the spammers “get wise”. This would allow visually impaired users to post, and still provide some slight measure of security.

    But in the end, I have not gotten a single spam since switching to authimage, down from nearly 60 a day. Put simply, Authimage stops spam. …So, I certainly have no plans to go back to a daily routine of moderating 50-60 porn spams a day.

  26. Comment by Andy — Feb. 17, 2005 @ 7:44 AM

    So does Jeff Barr’s plugin – no spam for about 2 months (since I installed it).

  27. Comment by agenzie investigative — Jun. 2, 2005 @ 6:54 PM

    Anyone know some kind of verification code for WP ?
