After updating my WordPress to the newest version, the site was hit with an enormous number of SPAM messages. For a day or two, Akismet marked 3 to 4 thousand messages, which sounds a bit problematic. With a few lines in htaccess and a simple plugin, I’ll try to reduce that number.
The key with htaccess is to filter all POST requests to wp-comments-post.php that arrive without a correct referrer or without the HTTP_USER_AGENT variable set. These mod_rewrite rules should stop the HTTP request before it even reaches the PHP page (the WordPress site will “not know” about such SPAM messages). Just add several lines to your htaccess file to block obvious SPAM access:
```apache
RewriteEngine On
# Only POST requests to the comment handler are inspected
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
# ... that either come without a referrer from this site, OR with an empty User-Agent
RewriteCond %{HTTP_REFERER} !redips\.net [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Send such a request back to the client's own address before PHP ever runs
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
```
Here is a link to the source and other useful htaccess tips:
https://www.tipsandtricks-hq.com/cool-wordpress-htaccess-tips-to-boost-your-wordpress-sites-security-1676
After monitoring the site, it seems that almost all bots had a nice referrer and agent value, so the htaccess modification wasn’t so successful. Please see how the SPAM bot generates HTTP POST requests to wp-comments-post.php:
```
104.193.9.234 - - [11/May/2015:13:32:03 +0200] "POST /wp-comments-post.php HTTP/1.1" 302 - "http://www.redips.net/linux/yum-install-mplayer-fedora18/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727 ; .NET CLR 4.0.30319)"
104.193.9.234 - - [11/May/2015:13:33:30 +0200] "POST /wp-comments-post.php HTTP/1.1" 302 - "http://www.redips.net/php/convert-array-to-xml/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.0.3705)"
183.161.168.55 - - [11/May/2015:13:33:50 +0200] "POST /wp-comments-post.php HTTP/1.1" 302 - "http://www.redips.net/javascript/maintain-scroll-position/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727 ; .NET CLR 4.0.30319)"
183.161.160.17 - - [11/May/2015:13:35:05 +0200] "POST /wp-comments-post.php HTTP/1.1" 302 - "http://www.redips.net/javascript/redips-drag-documentation/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )"
```
Now it’s time for the second level of defence. The idea is to prepare a front-end trap for bad bots (a honeypot), because currently bots are not so good with JavaScript. The whole discussion is at:
http://davidwalsh.name/wordpress-comment-spam
Based on this concept, the Stop Spam Comments WordPress plugin was created – a dead simple and super lightweight anti-spambot WordPress plugin; no captcha, tricky questions or any other user interaction is required at all.
In short, when the user sets focus on the TEXTAREA (simply clicks on the Message field), JavaScript will create a hidden input field with the following code:
```html
<input value="3153efee0decd8c6" name="ssc_key_a1743d2581e3c6c9" type="hidden">
```
The submitted comment is tested for the new field (created with JavaScript), and if it doesn’t exist, then there should be a bot on the other side. A comment like this is not even placed in the Akismet queue, and that is really a relief (this can be changed with an option in the discussion settings).
Wish you luck in SPAM fight!