How To Prevent Comment Spam From Crashing Your WordPress Blog And Taking Down Your Server


First off, I just wanted to clarify that this article is NOT about how to detect and flag comments as spam. The WordPress plugin Akismet already does a pretty good job of screening out and filtering traditional comment spam.

Instead, this post is about how to prevent comment spam and other rogue activity from crashing your server and taking down your blog.

Photo By BoxChain

As I mentioned in my article on best posts of 2011, the traffic to my blog has doubled in the past year.

And unfortunately during that time, the amount of spam comments has increased by an order of magnitude as well.

Just to give you an idea, there were several days in December where I was getting bombarded with over 20 spam comments every few seconds.

Yes, you heard that right. Whenever I refreshed my dashboard, I would see 20 or more spam comments in my Akismet filter. In fact, the amount of spam made all of the websites on my server extremely slow or inaccessible for a long period of time during those days.

The Problem With WordPress

Now under normal operation, my blog does pretty well under heavy traffic because of a plugin called WP Super Cache.

Essentially, this plugin creates a static version of every article in my blog so that it can be served very quickly to the end user.

However, this plugin is helpless against a heavy influx of comments. Every comment, spam or not, is a POST to wp-comments-post.php, and that request is never served from the cache: it has to start PHP, load WordPress and hit the database before anything can be decided about the comment.

And because WordPress is such a resource hog, a heavy influx of spam comments can easily take down any blog even if you’re on a dedicated server and you use a caching plugin.

It doesn’t matter if you use the best comment spam filters in the world. The filter runs inside WordPress, so every spam comment still costs a full WordPress load before it is rejected (Akismet, for example, has to load WordPress and call out to its remote API for each comment), and that is a good chunk of server resources.

The Characteristics Of Spam Bots

Now having a slow or inaccessible blog is one thing, but comment spam also affects other sites that are running on the same server which is unacceptable. After doing some research about spam bots, I discovered a few things.

  • Spam bots typically do not accept cookies
  • Spam bots can leave comment spam in a matter of seconds
  • Spam bots typically don’t run javascript

So what does this mean? In non-technical terms, a spam bot does not behave like a regular user with a web browser. The key to solving my problem was detecting the spam bot immediately and directing it to a static error page instead of launching WordPress.

Based on the characteristics described above, I could detect spam bots either by placing a cookie on the user’s machine, disabling comments for many seconds after a page loads or coming up with some javascript code to detect the spam bot.

Solving My Comment Spam Problem

After much deliberation, I came up with a fix that silently sets a cookie in the visitor’s browser whenever a page on my blog is loaded. I could then look for this cookie before allowing a comment to go through.

Because a spam bot typically doesn’t accept cookies, I could easily detect the bot and direct it to a static error page.

Keep in mind what this does and does not do. Every visitor receives the same cookie, so this is a presence check rather than any kind of authentication: a bot that simply stores and replays cookies sails straight through it, and the three characteristics above (cookies, timing, JavaScript) are heuristics that stop the cheap majority of bots, not a determined one. That is fine for the goal here, which is to keep those bots from ever starting PHP, not to make commenting bot-proof.

Originally, I was planning to post my source code on this blog entry which I wrote in javascript (I would be happy to send it to you if you are curious), but after talking to a few fellow bloggers, I discovered that the same author of WP Super Cache, Donncha, had already written a plugin called Cookies For Comments which essentially does the same thing that I just wrote.

Because his plugin is written a lot more elegantly than my javascript plugin, I highly recommend you go and download it.

But if you plan on using Donncha’s Cookies For Comments plugin, make sure you make the following change to your .htaccess, which differs from the plugin’s installation instructions.

By default, Donncha’s plugin recommends that you insert the following lines into your .htaccess file. (Note: instead of the string of characters and numbers at the end, insert your own unique cookie value, which you will find on the plugin’s settings page as specified in the Cookies for Comments documentation. If you copy it incorrectly, every comment on your site will be blocked, so leave a test comment yourself after saving the file.)

RewriteCond %{HTTP_COOKIE} !^.*2071a9e39879b6a958b06162384d3c06.*$
RewriteRule ^wp-comments-post\.php - [F,L]


What do these 2 lines do? The first checks whether the request carries the secret cookie. If it does not, the second tells Apache to answer any request for wp-comments-post.php with 403 Forbidden (that is what the [F] flag does; note that this is a 403, not WordPress’s 404 “page not found”).

Whether that still costs a WordPress load depends on how error responses are handled on your server. Apache’s built-in 403 page is served without starting PHP, but if an ErrorDocument directive (yours or your host’s) routes error responses through a script, the spam bot still gets a PHP process for every hit and you have not saved much.

A more robust solution is to use the following code, where “error.html” is a static error page that actually exists on your site (create it first).

RewriteCond %{HTTP_COOKIE} !^.*2071a9e39879b6a958b06162384d3c06.*$
RewriteRule ^wp-comments-post\.php error.html [L]

The difference here is that the spam bot is handed a completely static file, which keeps WordPress from being loaded at all regardless of how error responses are configured. The rewrite is internal, so the bot receives the page with a 200 status rather than an error code; that is fine for this purpose. Two things to check: the error page must exist, because a rewrite to a missing file falls through to WordPress’s own catch-all rule and you are back to loading WordPress for every hit; and put these lines above the “# BEGIN WordPress” line in .htaccess, because WordPress rewrites everything between “# BEGIN WordPress” and “# END WordPress” itself and additions inside that section can be lost.

Problem Solved??? Not Quite

So the changes I described above fixed my comment spam problem, but after running smoothly for a few days, my server started crashing again! Looking at my server logs, I discovered the following.

mywifequitherjob.com GET /oxvumirserver33.rar
mywifequitherjob.com GET /oxvumirserver33.rar
mywifequitherjob.com GET /oxvumirserver33.rar

Basically, some rogue machine kept requesting the same nonexistent file on my server over and over, which was crashing the site. On a plain static website these requests would cost almost nothing: the web server checks for the file, finds nothing and returns its own small 404 page.

However, WordPress’s default rewrite rules send every request for a file or directory that does not exist to index.php. So each of these bogus requests starts PHP, loads WordPress, queries the database and renders the theme’s custom 404 or “page not found” page.

Did I mention WordPress is a resource hog? All it takes is a bunch of these bogus accesses and your server will still go down no matter what caching plugin you use, because no cached copy exists for a URL that has never been served successfully.

The secret to solving this problem is similar to my comment spam problem. Ideally, we want to take WordPress out of the equation entirely and send the rogue user to a completely static error page in order to save server resources.

So the solution I came up with was to add the following lines to my .htaccess file, above the “# BEGIN WordPress” line so that they run before WordPress’s catch-all rule and survive WordPress rewriting its own section. The extension list must stay on a single line; .htaccess has no line continuation, and a wrapped list produces a server error.

RewriteEngine On

# Only requests for files and directories that do not exist
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# ...but let WordPress keep generating these two
RewriteCond %{REQUEST_URI} !(robots\.txt|sitemap\.xml(\.gz)?)
# ...and only for requests that end in a static-file extension (keep this on one line)
RewriteCond %{REQUEST_FILENAME} \.(css|js|html|htm|rtf|rtx|svg|svgz|txt|xsd|xsl|xml|asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|rar|swf|tar|tif|tiff|wav|wma|wri|xla|xls|xlsx|xlt|xlw|zip)$ [NC]
# Stop rewriting here: Apache answers with a plain 404 instead of handing the request to WordPress
RewriteRule .* - [L]

# A local path, not a full URL: Apache serves 404.html itself, with a 404 status
ErrorDocument 404 /404.html

What does all this code do? When a request comes in for a file that does not exist and whose name ends in one of the extensions above, the rule stops mod_rewrite before WordPress’s catch-all runs, so Apache answers with its own 404 and serves the static page 404.html (create that file; if it is missing, the error page request itself falls through to WordPress). Two details matter. The ErrorDocument path must be a local path such as /404.html rather than a full URL; with a full URL Apache answers with a redirect to that address, the client ends up with a 200 for the error page and the real 404 status is lost. And if your permalink structure ends in .html, remove html and htm from the list, or requests for real posts will be diverted to the error page.

Once again, bypassing WordPress is the key to solving my crashing problems. Because the rogue process in my server logs was requesting a .rar file, it now gets the static error page, which takes practically no resources at all.

Does This Solve All Of My Problems?

So I’ve been running with the above 2 changes for a few weeks now and my server has been running like a champ with no slowdowns. Unfortunately, the way WordPress resolves URLs makes it impossible to keep every rogue access away from PHP.

For example, whenever someone requests an article that does not exist on my blog, WordPress still gets loaded: with pretty permalinks Apache cannot tell a real post slug from a made-up one, so any URL without one of the extensions above has to reach WordPress, which queries the database before it can decide that the page is a 404. So in theory, if someone wanted to take down MyWifeQuitHerJob.com, or any WordPress blog for that matter, all they would have to do is request nonexistent pages on the site over and over.

But in the meantime, everything seems to be stable on my end. This is a property of how permalinks are resolved rather than a bug WordPress can simply patch, so whatever protection remains has to come from in front of PHP: per-client request rate limits at the web server, firewall or hosting level, which cap how fast one machine can make WordPress do that work.
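To see how much of the 404 traffic the extension rule actually keeps away from PHP, and how much of it still reaches WordPress (the residual exposure just described), the following script applies the same extension and exemption tests as the RewriteCond lines above to the 404 entries of an Apache combined-format access log and tallies them per client. This is an added example, not code from the original post or from WordPress; the log lines are constructed for it, use documentation IP ranges, and are modelled on the lines quoted from the server log above, and the regular expressions mirror the .htaccess rule rather than being the rule itself, so re-check them if you change the extension list.

```python
"""Classify 404 traffic in an Apache access log the way the .htaccess rule
would: requests Apache now answers by itself versus requests that still
start WordPress. Added example, not code from the original post."""
import re
from collections import Counter

# Extension list copied from the RewriteCond above ("pt" in some copies of
# that list is a typo for "ppt"); [NC] in the rule means case-insensitive.
STATIC_EXT_RE = re.compile(
    r"\.(css|js|html|htm|rtf|rtx|svg|svgz|txt|xsd|xsl|xml|asf|asx|wax|wmv|wmx|avi|bmp|"
    r"class|divx|doc|docx|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|mdb|mid|midi|mov|qt|mp3|m4a|"
    r"mp4|m4v|mpeg|mpg|mpe|mpp|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|"
    r"ra|ram|rar|swf|tar|tif|tiff|wav|wma|wri|xla|xls|xlsx|xlt|xlw|zip)$",
    re.IGNORECASE)
# The rule exempts these two so WordPress can keep generating them.
EXEMPT_RE = re.compile(r"(robots\.txt|sitemap\.xml(\.gz)?)")

# Apache "combined" log format: client identd user [timestamp] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')


def bypasses_wordpress(path):
    """True when the .htaccess rule would stop mod_rewrite for this missing
    path, so Apache answers the 404 without starting PHP. REQUEST_FILENAME
    and REQUEST_URI never include the query string, so it is dropped first."""
    path = path.split("?", 1)[0]
    if EXEMPT_RE.search(path):
        return False
    return STATIC_EXT_RE.search(path) is not None


def summarize_404s(lines):
    """Per client IP, count 404s the rule diverts and 404s that still reach
    WordPress. Lines that do not parse or are not 404s are ignored."""
    diverted, still_wordpress = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or m.group("status") != "404":
            continue
        if bypasses_wordpress(m.group("path")):
            diverted[m.group("ip")] += 1
        else:
            still_wordpress[m.group("ip")] += 1
    return diverted, still_wordpress


# Constructed sample log (documentation IP ranges), modelled on the post's log lines.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Dec/2011:03:14:07 -0800] "GET /oxvumirserver33.rar HTTP/1.1" 404 1432 "-" "-"',
    '203.0.113.7 - - [20/Dec/2011:03:14:08 -0800] "GET /oxvumirserver33.rar HTTP/1.1" 404 1432 "-" "-"',
    '203.0.113.7 - - [20/Dec/2011:03:14:09 -0800] "GET /oxvumirserver33.rar HTTP/1.1" 404 1432 "-" "-"',
    '203.0.113.7 - - [20/Dec/2011:03:14:10 -0800] "GET /wp-content/uploads/gone.JPG?x=1 HTTP/1.1" 404 1432 "-" "-"',
    '198.51.100.9 - - [20/Dec/2011:03:15:01 -0800] "GET /this-post-does-not-exist/ HTTP/1.1" 404 9876 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Dec/2011:03:15:02 -0800] "GET /sitemap.xml HTTP/1.1" 404 9876 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [20/Dec/2011:03:16:00 -0800] "GET /2011/12/best-posts-of-2011/ HTTP/1.1" 200 41210 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [20/Dec/2011:03:16:30 -0800] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    diverted, still_wp = summarize_404s(SAMPLE_LOG)
    for ip in sorted(set(diverted) | set(still_wp)):
        print(f"{ip:15} static 404s: {diverted[ip]:3}  still hit WordPress: {still_wp[ip]:3}")
```

Run it against a real log with `summarize_404s(open("/var/log/apache2/access.log"))` (path assumed; use your own). A client with a large count in the “still hit WordPress” column is exactly the traffic the extension rule cannot divert, and the one to rate-limit in front of PHP. Note that a made-up URL ending in .html counts as diverted, which is correct unless your permalink structure ends in .html, in which case the rule needs html and htm removed from its list.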



30 thoughts on “How To Prevent Comment Spam From Crashing Your WordPress Blog And Taking Down Your Server”

  1. Thanks for the great info! I have toyed with a couple of different blogging platforms. WP was one, but I ended up deciding against it. I’m still in the decision process but this helps in knowing additional areas of the system to consider.

  2. Rick James says:

    After reading your article I still have no clue how you fixed your spam problem but if this ever happens to me I know who to turn to:)

    1. The solution is simple. Go and install the Cookies For Comments plugin and make the extra change that I describe above in your .htaccess file. You can feel free to ask me again if and when you decide to do this with your blog.

  3. I was having similar issues recently on my sites where spambots were hitting my servers constantly – and even though the comments were flagged as spam my server was bogging down and crashing constantly because of the high number of times it was hitting the server and hogging resources. Sounds similar to your issue.

    What I did on my server was to first install a plugin that asks the user to check a checkbox before submitting a comment. That cut down on quite a bit of it but I was still having issues.

    Next I discovered this page over at wordpress.org, and implemented some of the steps listed there:

    http://codex.wordpress.org/Combating_Comment_Spam/Denying_Access

    The one that basically stopped the spam cold for me was the section titled “Deny Access to No Referrer Requests”. Basically if the commenter doesn’t have a referrer it redirects the user back to their own IP.

    After I implemented that my server stopped crashing and it’s been weeks since I’ve had a problem. Sounds like your solutions would help as well.

    1. I used the same two steps that Peter used and had very positive results. I was getting somewhere around 300-500 spam messages per day, now I am down to 5-10, and almost all of them are direct entry from keyword spammers who are leaving spam comments manually. (I also removed Akismet and use a different anti-spam plugin, because Akismet is notorious for flagging comments falsely).

      1. Thanks for sharing Ryan. I’m thinking about removing Akismet as well because of way too many false positives. In fact, Peter’s comment got spammed and I’ve known him for years.

      2. Thanks Peter… I have used your shared contents & I’m positive about them… They have solved my problem… Especially (Deny Access to Spammer IPs). Thanks a million.

    2. Cool. Thanks for sharing. I read up on that and that seems to do the trick as well. Now if only there was a way to redirect all nonexistent requests to a static 404 page and everything would be all good. You don’t have any good solutions in this regard do you? I was thinking about editing WP directly but then I would have to replicate my change every time I upgrade.

  4. As always Steve, great of you to share this timely and helpful advice.

    I kept getting a lot of crap comments on one of my blogs as so many of us do, (but not as much as your example here) and I ended up installing disqus comments and it seemed to help at least in my case. Is this something that would help in regards to what you experienced or is it not enough?

    Thanks,
    Mark

    1. I’m not a big fan of disqus because of 2 things. One you require an account and two, you no longer own your comments. But I’ve heard great things about disqus in terms of promoting discussions.

  5. Steve –

    Interesting solutions, way beyond my capability. I’ve had success with the G.A.S.P. plugin, which is one of the 7 plugins that are packaged in the CommentLuv Premium plugin from Andy Bailey.

    It simply uses Javascript to display a checkbox commentators need to check off to leave a comment. Spam bots don’t normally see it, and it’s cut down on spam 10-fold at least.

    It loads a static page vs. the 404 error page, like you mention. The G.A.S.P. plugin stands for “Growmap Anti-Spam Plugin” and it’s free to use.

    1. Hey James,
      I’m sure that the GASP plugin works as well. As other readers have pointed out, there seems to be many solutions available which is a good thing. I usually prefer to create my own because in general I don’t like polluting my blog with too many plugins.

  6. I can’t wait to try this. Still learning how to do customizations on WP so this is a bit unnerving. Appreciate all the other comments too. Will look into those too.

    I don’t get many spam comments but cutting them down would make me happy.

    1. Lars
      It saves time too in not having to go down your spam list to edit out legit comments.

  7. So note to spam bot makers: accept cookies so you can continue spamming Steve’s blog :) (or when that doesn’t work, just keep requesting a nonexistent page to crash his server and teach him a lesson). Of course they would have to store the values and retrieve them on demand, but a small price to pay to leave the generic “Love ur content! Write more like this!”

    Do you think that the spamming works and that they actually sucker in people to buying V I A G R A Cheap!, or are they just spamming for spam sakes?

    1. Aron,
      I don’t know about you but I found my v i a g r a supplier from a random emailer who turned out to be cheap and reliable. I think most people comment spam still because even though the link is no follow, it might still carry some weight in other search engines.

  8. First let me say, you have the most useful information, you are my favorite read! I recently pipped out my Google+ joined klout, and a few others, and have my url in my Twitter bio, thanks to you!!!

    Down to business!
    So I just installed cookies for comments and the code in my .htaccess file, but I did not change the numbers because I don’t know where to get new numbers???

    Also the plug-in literature read like I didn’t even need to install the code in the .htaccess file. (“If you’re adventurous,” it said.)

    So should I find my cookie numbers, and where do I look for them???

    Thanks for all you do!

    1. Hi Michael,

      You can get your secret numbers on the settings page for the cookies for comments plugin. Beware, if you copy the numbers incorrectly, no one will be able to make comments on your site.

      1. Thx Steve!

        That’s where I got the code, did it right, just didn’t know.

        I would love to learn programming if I can ever quit my day job!

        Thx for help

  9. Interesting. This week I got a bunch of spam and was wondering what to do if it got bad. I don’t know if my site has gotten overloaded – how do you know that?

    Also, isn’t this a problem for readers who have their computers set up to not allow cookies? They’d never be able to read your site.

    One final question – why not just get Akismet and pay the $50 per year for it? And do we all have to? there is a running question about when you need to pay the $50 and when you can just make a donation.

    Look forward to your thoughts.

    – Adrienne

    1. Hi Adrienne,
      Readers only need to have cookies enabled to leave a comment. Anyone can read the article. Akismet is great at filtering spam but the mere act of filtering takes up resources on your server. The solution I outlined in the article above requires minimal server resources which prevents spam bots from bringing down your site altogether.

  10. Great tips for bloggers dealing with the same issue. Thanks for breaking that solution down. Stay young and thrifty :)

  11. Currently I have no problems with spam comments. I guess the problem increases as you get more traffic to your site. This is a great article to bookmark or I can simply install the plugin now so I dont have to worry about remembering to do it later.

  12. Thanks a lot for the insights about Web Filter of your blog. That means how to prevent your Blog from the spammer.

  13. I am so glad I read this. I recently suffered a slow down thanks to 71000 comments in moderation. Deleting them takes forever, I can only do 100 at a time. I read everything they said to do as far as unchecking this and CSS adding that. I then tried to switch to some kind of “fun time” captcha to keep these suckers out, and I found this helps in some cases but they are also commenting on pages and posts. ACK! I’m off to find the cookies plugin and I thank you ever so much!

  14. Hi Steve,

    Excellent write up, I stumbled on the article looking for a permanent fix, big sigh of relief to find an easy fix. My blog is getting hammered by bots since upgrading to 3.9 and my server has slowed down considerably. I’m in the process of implementing your tweaks but I just have a quick Q about where to enter the code below into .htaccess?

    I’ve tried before #begin WP and also inside, but both threw up a server error once I saved, I’ve created error.html and 404.html

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} !(robots\.txt|sitemap\.xml(\.gz)?)
    RewriteCond %{REQUEST_FILENAME} \.(css|js|html|htm|rtf|rtx|svg|svgz|txt|xsd|xsl|xml|asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|rar|swf|tar|tif|tiff|wav|wma|wri|xla|xls|xlsx|xlt|xlw|zip)$ [NC]
    RewriteRule .* - [L]

    Where should it be going within .htaccess?

    Thanks for any help you can offer, it’s greatly appreciated.

    All the best,

    Johnny

  15. Hey there,

    Thanks for nice article on How To Prevent Comment Spam From Crashing Your WordPress Blog And Taking Down Your Server. Hope users will get benefit from your write up.
