Blocking spambots on WordPress blogs

A slight deviation for this blog into geekville…

Any website that allows people to make comments on it will suffer a problem with junk messages being posted by spammers seeking to promote their various snakeoils and potions.

If you use WordPress (as this website does), then the Akismet service will check if an incoming message is spam or not, and file it appropriately – but that doesn’t stop the flood of spam arriving.

As any spam filter will have false positives, I have to manually check the spam filter for messages that shouldn’t be there, and with hundreds of spams per day, I wanted a method to kill off the flood.

The technique I have been testing for a few weeks is below, and it seems to kill 99% of spam dead in its tracks.

For now at least.


A spambot loads the webpage and then looks for comment forms. The spambot doesn’t really care where or what the forms are, they just fire junk at anything.

So, when the spambot loads the webpage, it is hunting through the HTML source code for a <form> tag. Or more technically, most of the ones I have looked at seem to use an off-the-shelf php class that converts the HTML into an easily searchable array.

Having found the <form> they find its action variable, and then look up each of the comment fields. Now the spambot knows what fields need filling in (email, name, website, comments) and which URL to send the junk to (action value) and off they go merrily spamming away.

The technique I use is to break up the form tag in such a manner as to make it impossible for the usual php classes to detect it.

This requires JavaScript – which does mean that anyone trying to comment on your blog without JavaScript enabled wont be able to. On the upside, such people are a vanishingly tiny minority and as they are used to websites not working properly, I think it is an acceptable trade-off.

The Method:

Sorry, this cannot be done as a simple plug-in, you need to manually edit the source code of your blog.

Log into your webserver by your preferred method (sFTP etc) and you need to locate wp-includes folder and open/edit the comment-template.php file.

Almost at the very bottom of file, locate the following bit of text:

<form action=”<?php echo site_url( ‘/wp-comments-post.php’ ); ?>” method=”post” id=”<?php echo esc_attr( $args[‘id_form’] ); ?>”>

Now replace it with the following:

<script language="javascript">
<form ac'+'tion=”<?php echo site_url( '/wp-comments-post.php' ); ?>” method="post" '+'id=”<?php echo esc_attr( $args['id_form'] ); ?>">');
<noscript>Sorry, to post comments, please enable Javascript</noscript>

Save the edited file and also if necessary clear your WordPress cache if you have that plug-in installed.

That’s it – job done.

….in technical terms, the action=”url” component of the <form> tag no longer exists as a single piece of text in the source code – so your standard off-the-shelf php classes can’t detect it.

I’ve tested the change on this blog for over a month without complaints, and also asked a lot of people on Twitter try a test page and see if they had any problems. None reported.


Two issues – because this is not a plug-in, when WordPress does an upgrade, it will occasionally overwrite your modified comment-template.php file. Just look for a flood of spam after a WP update – and you’ll know to look this blog post up again.

The other issue is that this solution to the problem is only temporary for if it becomes popular, then the spammers have an incentive to rewrite their spambots to get around the problem. However, any write-around would probably be slower in terms of their server processor time, leading to either fewer spam messages overall per spammer or them spending more money on extra servers to maintain the flood – and eventually that becomes uneconomical.

The war against spam will never be won, but this is one skirmish where the blogger has a temporary victory.

Whats's on in London: today or tomorrow or this weekend

Posted in geekery Tagged with: ,
7 comments on “Blocking spambots on WordPress blogs
  1. Funnily enough, I spotted this some time before this blog post went up. I normally browse without Javascript, so it made itself very noticeable.

    At least you’ve added a ‘click for desktop website’ link. Any chance of upgrading that to use cookies so I don’t have to use it every time I visit like with the BBC?

  2. For me, the Bad Behavior plugin has been the best defence against comment spam. I’d wholeheartedly recommend it.

  3. Nomen Nescio says:

    Why not CAPTCHA?

  4. You could use Disqus or IntenseDebate to handle your comments. They have a good track record of eliminating spam. The latter is also part of the Automattic product line, which obviously includes WordPress.

    • IanVisits says:

      In a way they are the same solution – they replace the form field with a javascript plug-in.

      On a purely aesthetic bias, I also happen to think they are ugly and lack the necessary tight integration into the blog admin systems – but that is a personal gripe.

Leave a Reply

Your email address will not be published. Required fields are marked *