STOP SPAM in your wordpress comments…. FREEEEEEE! (a little advanced so hold on tight)


Posted By: eligeske on in Wordpress

Before you can stop those pesky wordpress spammers you need to understand how they work.


There are several different ways to keep their junk out of your database. One of them is editing your .htaccess file to reject comment POSTs whose referrer or user agent doesn't look like a browser. This works, kind of. But you can also end up blocking bots that are good. And, having written bots myself, I know that a real browser's headers can be spoofed in one line. So what good does that do?

The method I am about to show you stops every bot that blindly posts to the default field names, which is how they all behave today, but it takes editing the core code. So every time you update WordPress, guess what: you have to do these steps again. But hey, it's free, dammit. And I would rather do it once per update than manage some tool that makes me sift through all the spammed comments to filter them. This method doesn't even let them in the door. Keep in mind it is obscurity, not authentication: a bot that fetches your post page and reads the field names out of the form will still get through. The bet is that the mass spammers won't bother, because the same four names work on every other site.

Back to how bots work, a really basic explanation:

  1. They crawl the web for WordPress sites and find http://yourwebsite.com/wp-comments-post.php.
  2. The bot builds the message it wants to send, filling in the POST values for Name, Email, Comment and URL.
  3. Bam, send!

Can anyone see the pattern? Exactly: every WordPress install accepts a comment under the same four POST names, so one bot script works against all of them. The field names can help with certain things, but other descriptors like a label or ALT text can serve that purpose instead, so nothing forces them to be identical on every site. (Hey WordPress, how about you randomize those field names with one of those cool functions you guys like making? Or do they have stock in Akismet?)

Anyways… what if every WordPress site looked for different names for its POST values? Well, then the bots would have to get smarter and read each site's form first. They don't do that today, so we are good using this method without worrying about them getting too smart.

For this to work, you need a basic understanding of PHP and how form POSTs work. So here is a quick overview of how HTML sends values to PHP to save:


HTML: (an HTML form with one text input and a submit button)

  <form method="post" action="myformmethod.php">
  <input type="text" name="elis_email" />
  <input type="submit" value="send" />
  </form>

So you have a form that is going to send elis_email to the server to save.

PHP: (catches the form you just sent and its values)

  <?php
  // get eli's email: the $_POST key is the input's name attribute
  $elis_email = $_POST["elis_email"];
  // save it somewhere with a made-up function
  saveIt($elis_email);
  ?>

OK, as you can see, the $_POST key we grab is the same as the NAME in the form input. You with me so far? We then assign it to a variable called $elis_email and send it into a function to save. (saveIt is a made-up function for explanation purposes only.)

Now that you see how this works: if someone wanted to go through all of Eli's websites and send a SPAM message, all they would have to know is that I use name="elis_email" on all my forms (which I don't). That is pretty much what the spammers are doing to WordPress sites. They know what all the form field names are and can just shotgun-blast messages at WordPress's PHP, and guess what? They are successful, unless you have code that checks the IP against a blacklist, blah blah blah. Why let them in and then pat them down for credentials when you can stop them before they even make it to the front door?

OK, here is a simple example of how the same code above works with a totally random form field name.

  <form method="post" action="myformmethod.php">
  <input type="text" name="A_randomBlaFaskjdL" />
  <input type="submit" value="send" />
  </form>

As you can see, the name is a random mess. Who the heck is going to guess that?


  <?php
  // get eli's email: the $_POST key now matches the random name attribute
  $elis_email = $_POST["A_randomBlaFaskjdL"];
  // save it somewhere with a made-up function
  saveIt($elis_email);
  ?>

Both code sets produce exactly the same result on the server. No difference, except that Johnny Spammer totally missed because he sent his value as elis_email, and the server never looked at that key. HA! Missed us!


As said up top, you will be editing core WordPress files and perhaps your theme. Take a backup of both before you start.

Here is what you will need to do:

  1. Check your theme's comments.php to see whether it builds a custom comment form or uses the built-in WordPress comment form.
  2. Edit either your theme's form field names or the WordPress default ones.
  3. Edit the POST handling in the WordPress core code to accept the new names you created.
  4. Done.


STEP ONE & TWO: (Locate the file that creates the html values and edit them)

Go to your theme folder and locate the comments.php file.

EXAMPLE A: If your theme has a custom comment template, you should change it to look similar to this:

  $fields = array(
  'author' => '<input  name="Axcvxsaf" class="text inp" type="text" value="' ..........
  'email' => '<input  name="vxceDf" class="text inp" ......................
  'url' => '<input  name="lxjkhss" class="text inp" type="text" value="' . .....................
  );
  comment_form( array('fields' => $fields ,'comment_field' => '<textarea name="Dxjkhss"..

EXAMPLE B: If your theme uses the WordPress built-in comment form, it will look more like this, and you will not edit it here; you need to go to the core code:

  comment_form();

If yours looks like Example A, change all the name attributes in your fields to random strings, a different one for each field, and save them in a text file or similar. Make sure you note which random string maps to which field. You don't want your email going into the comment field and your comment going into the URL. Well, maybe you're some weird entity and do, but I prefer mine not to.

If you have Example B, you are going to have to find the core code for that. (Please note: I recommend creating a custom comment field template in your theme instead, as in Example A, so the form side of this survives updates. It will help out in the future, believe me.)

Example B: Find /wp-includes/comment-template.php, open it up and search for "function comment_form(". This should take you straight to where you need to be. In my WordPress version it is around line 1500.

[Image: How to change core comment form names. Screenshot of the $fields array inside comment_form() in /wp-includes/comment-template.php with the name attributes replaced by random strings.]


STEP THREE: (Change the WordPress PHP file that catches the form POST to match your new names)

Hopefully steps 1 and 2 went painlessly for you. If not, drop a comment. Onward! To step three!

Find this file: /wp-comments-post.php  (right in the root directory)

This file is a lot smaller than the one containing the comment_form function, so it shouldn't be a problem to locate the following lines. (In more recent WordPress versions the same four $_POST lookups live in wp_handle_comment_submission() in /wp-includes/comment.php, under the same keys; the edit is the same idea.)

  $comment_author = ( isset($_POST['author']) ) ? trim(strip_tags($_POST['author'])) : null;
  $comment_author_email = ( isset($_POST['email']) ) ? trim($_POST['email']) : null;
  $comment_author_url = ( isset($_POST['url']) ) ? trim($_POST['url']) : null;
  $comment_content = ( isset($_POST['comment']) ) ? trim($_POST['comment']) : null;

Can anyone guess what we are about to do?  If not, you may want to scroll back to the top and read how the form post works with PHP a couple more times.

For those of you who know: we are about to edit the $_POST[""] keys to match the names we created in steps 1 and 2. Hopefully you wrote them down next to the field each one belongs to.

So here is the edited version:

  /wp-comments-post.php (after edit)

  // old lookups, kept commented out for reference; the default names are no longer read
  //$comment_author = ( isset($_POST['author']) ) ? trim(strip_tags($_POST['author'])) : null;
  //$comment_author_email = ( isset($_POST['email']) ) ? trim($_POST['email']) : null;
  //$comment_author_url = ( isset($_POST['url']) ) ? trim($_POST['url']) : null;
  //$comment_content = ( isset($_POST['comment']) ) ? trim($_POST['comment']) : null;
  // new lookups, one per random name you created in steps 1 and 2
  $comment_author = ( isset($_POST['WhatIcreatedForAuthor']) ) ? trim(strip_tags($_POST['WhatIcreatedForAuthor'])) : null;
  $comment_author_email = ( isset($_POST['WhatIcreatedForEmail']) ) ? trim($_POST['WhatIcreatedForEmail']) : null;
  $comment_author_url = ( isset($_POST['WhatIcreatedForURL']) ) ? trim($_POST['WhatIcreatedForURL']) : null;
  $comment_content = ( isset($_POST['WhatIcreatedForContent']) ) ? trim($_POST['WhatIcreatedForContent']) : null;

Notice that the keys are "WhatIcreatedForAuthor" etc. In the image I used "asd23jfs" for Author; if you copied that into your code, DON'T! If everyone uses what I posted, bots will start seeing the pattern, and the entire idea is that everyone uses different names. Sorry about being so cynical, but… come on. So match up the $_POST["..."] keys to the names you created in your theme form or in the comment_form function. I commented out the old code just for reference; leaving the old lines active would let the default names through again. Once you have them edited, save the file.

Now I recommend posting a test comment to verify you didn't break anything; after all, you were editing a core file. If you broke it, restore your backup and try again. If the comment goes through you are good to go. As a second check, post to /wp-comments-post.php using the old names (author, email, url, comment) and confirm WordPress rejects it for missing required fields; that is exactly what a bot will now see. You will notice your spam is eliminated, minus trackbacks, which come in through a different path.
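The whole procedure above, done without touching a core file, as an added example (this is not code from the original post or from WordPress): a must-use plugin that renames the fields comment_form() renders and maps the random names back to author/email/url/comment before wp-comments-post.php reads the request. The four random strings and the rcf_ function names are placeholders I made up; generate your own strings for your site. It assumes your theme calls comment_form() without its own 'fields' (Example B above); an Example A theme keeps its renamed inputs in comments.php and only needs the 'init' part.

```php
<?php
/**
 * Plugin Name: Random comment field names (added example)
 *
 * Added example, not the original post's code: the tutorial's renaming
 * done from a must-use plugin (wp-content/mu-plugins/) instead of by
 * editing wp-comments-post.php, so it survives WordPress updates.
 */

/**
 * Standard WordPress POST key => the random name your form uses instead.
 * The four values are placeholders (assumption): generate your own and
 * never reuse names you saw in a tutorial.
 */
function rcf_field_map() {
    return array(
        'author'  => 'k7Qp2vLa',
        'email'   => 'Zr9wBt4e',
        'url'     => 'mX3cHs8n',
        'comment' => 'qL5vNd1y',
    );
}

/**
 * Rebuild the request so core sees the standard keys only when the random
 * names were used. Anything posted directly under 'author', 'email', 'url'
 * or 'comment' (what a blind bot sends) is thrown away, so core rejects the
 * comment as missing required fields. Pure function, easy to unit-test.
 */
function rcf_remap( array $post, array $map ) {
    foreach ( $map as $std => $rnd ) {
        unset( $post[ $std ] );              // drop the bot's value first
        if ( isset( $post[ $rnd ] ) ) {
            $post[ $std ] = $post[ $rnd ];   // the real form's value
            unset( $post[ $rnd ] );
        }
    }
    return $post;
}

/** Rename the author/email/url inputs that comment_form() renders by default. */
add_filter( 'comment_form_default_fields', function ( $fields ) {
    foreach ( rcf_field_map() as $std => $rnd ) {
        if ( isset( $fields[ $std ] ) ) {
            $fields[ $std ] = str_replace(
                'name="' . $std . '"', 'name="' . $rnd . '"', $fields[ $std ]
            );
        }
    }
    return $fields;
} );

/** Rename the comment textarea (only the name attribute; id and label stay). */
add_filter( 'comment_form_defaults', function ( $defaults ) {
    $map = rcf_field_map();
    $defaults['comment_field'] = str_replace(
        'name="comment"', 'name="' . $map['comment'] . '"', $defaults['comment_field']
    );
    return $defaults;
} );

/**
 * Remap the incoming POST before core reads it. wp-comments-post.php requires
 * wp-load.php, which loads mu-plugins and fires 'init', before it looks at
 * $_POST, so by the time core reads the request the rewrite is already done.
 */
add_action( 'init', function () {
    $method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '';
    $script = isset( $_SERVER['SCRIPT_NAME'] ) ? basename( $_SERVER['SCRIPT_NAME'] ) : '';
    if ( 'POST' !== $method || 'wp-comments-post.php' !== $script ) {
        return;                              // leave admin and other forms alone
    }
    $_POST = rcf_remap( $_POST, rcf_field_map() );
} );
```

Drop the file into wp-content/mu-plugins/; it loads before regular plugins and needs no activation. The check to run afterwards is the same as for the core edit: submit a real comment through the form and confirm it arrives, then send a POST to /wp-comments-post.php with the default names and confirm core rejects it, because rcf_remap() has discarded those keys. A theme that passes its own 'fields' to comment_form() bypasses the two filters, which is why Example A themes rename in comments.php.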

Finished? Your email server will thank you.



4 Responses to "STOP SPAM in your wordpress comments…. FREEEEEEE! (a little advanced so hold on tight)"

  1. Thanks says:

    Thanks a lot, worked perfectly and was a great tutorial to follow.

  2. David says:

    Hm… I like the idea, but given it means editing the wordpress core files… I like the article by clickon5 that uses a function to check the referrer. Sweet, simple, cut and paste. Not perfect, but no need for hacks whenever updating wordpress.
    I didn’t see one, but you’re sure there’s no hook to work with, right?

    PS – If you had a subscribe to comments feature I’d totally come back.

  3. JP says:

    It stops 100% of all bots spam comments … as long as you remember to repeat this whole process after every WordPress update. I’ll keep looking for a better solution.

  4. eligeske says:

    You are absolutely correct. This does edit a core file. Thought I had written that in the post…

    If you find another solution come back and share it! Solving the issue is the goal. :)
