DISCLAIMER: this post is older than one year and may not be up to date with latest WordPress version.

Sick of spammers? Of course, Akismet helps a lot, but your .htaccess file can also help: Today’s recipe is a snippet that prevent spam bots to directly access your wp-comments-post.php file, which is used to post comments on your blog.

Simply paste the following lines into your .htaccess file. This file is located at the root of your WordPress install.
Remember to always make a backup of your .htaccess file before editing it so, you’ll be able to restore it if something went wrong.

Don’t forget to replace yourdomainname on line 5 by your real domain name.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*yourdomainname.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

Once you saved your .htaccess file, spam bots will not be able to access your wp-comments-post.php file directly. This will significantly reduce the amount of spam received on your blog.

Thanks to AllGuru.net for the tip!


  1. I am trying this out. I am guessing we put it in between the #Begin WordPress and #End WordPress hashtags and after the mod_rewrite that is already there?

    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /blog/
    RewriteRule ^index.php$ – [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /blog/index.php [L]

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .wp-comments-post.php*
    RewriteCond %{HTTP_REFERER} !.*xyz.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

    # END WordPress


  2. Also, do you know if this will work if you use Disqus for your commenting system?

  3. Note that the above chunk of code, as used, will disable all comments on your site unless you happen to have the site at xyz.com.

    In the fifth line, xyz will need changed to whatever your domain name is.

  4. Even using Akismet?


  5. You can fight spam without codding just by installing a few plugins.

    The one that I am working on, called ‘Retina Post’ is a replacement of ugly Capthca but with the same result: it blocks spam.

    Of course, other plugins may be necessary, but the first wall of defense remains Captcha.

  6. I think you might want to elaborate on:

    RewriteCond %{HTTP_REFERER} !.*xyz.* [OR]

    I’m guessing the xyz. should be replaced with the domain you’re hosting the blog on?

  7. Yes, sorry for the confusion! I have updated the post so it will be more clear now 🙂

  8. @Chris, since Disqus only works with JS, this fix probably won’t work with it.

  9. I’ve just modified above including http and https (http://www.ikeris.com/606/prosty-i-dodatkowy-sposob-na-spam-w-komentarzach-wordpress-a):

    RewriteEngine On

    RewriteRule ^ – [E=via:http]
    RewriteCond %{HTTPS} =on
    RewriteRule ^ – [E=via:https]

    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .wp-comments-post.php*
    RewriteCond %{HTTP_REFERER} !.*www.ikeris.com* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) ^%{ENV:via}://%{REMOTE_ADDR}/$ [R=301,L]

  10. Awesome, thanks guys. Everything seems much clearer now. Appreciate all the feedback.

  11. @Chris (and anyone else wondering the same thing): Since I didn’t see the first question you asked answered yet…

    No, the code should not be placed between the WP hash tags, unless you want it to be overwritten the next time WP does a permalink structure update (as some plugins are wont to do when activated).

    The code (what a nifty tip, thanks!) should go outside the WP hash tag, possibly with its own hash tags:

    # BEGIN Stop Stupid Spammers
    .htaccess code above
    # END Stop Stupid Spammers

    Hope that makes sense.

    And for those who wonder why one would want to use extra code to fight spammers when there are already plugins available: It makes it much easier to check for false positives. They’re few and far between, but they do happen, and it’s much easier to find 1 in 10 spam comments rather than 1 in 1,000 spam comments. I’m sure there are other reasons, but that’s mine. 😛

  12. DanN: Blocking spam at the .htaccess level is TONS more efficient than using plugins (even efficient ones) at blocking spam.

    Honestly, Raven’s Antispam is the leanest, most effective, least intrusive (regular users see NOTHING of it) of all the antispam plugins. It’s entirely underrated, but it stopped spam on my site. 100%. Using only it.

    Chris Moore: You should put the block of code above the WordPress block. The comment tags (Begin/End WordPress) let WordPress know what it can overwrite. If you include your changes in that block, you may lose them next time your WP updates.

  13. Thanks Rick, I will have to try out Raven’s Antispam plugin. For anyone else interested here is the link to it: http://wordpress.org/extend/plugins/ravens-antispam/ Gonna give it a go and see how it works.

  14. @Rick Beckman: Don’t trust client side verification systems. A robot can pre-fill forms and learn tricks very easy. I program in js, php, css … and I know how easy it is to break such client side code. I have tried on other plugins and it took me 10 minutes and 7 lines of code.

    The Internet is full of so called js verification systems, but Facebook or Google still require people to enter Captchas. Why?

    I have build Retina Post to:
    – fight spam (now the protection is medium, but will get tougher as the bots learn)
    – provide bloggers with a tool to promote their feeds or certain messages
    – to increase usability of Captchas

  15. Any idea how this would be accomplished in NGINX?

  16. DanN: That’s what I hear a lot, but that isn’t my experience. Multiple sites, multiple years, and multiple platforms of use later (I ported Raven’s Antispam to phpBB 2.x.x ages ago, and found it worked just as well there as it did in WP), it just works. Maybe spam bots can break it, but I’ve yet to see it happen.

    Until the day that happens, I’d rather use that system than force legitimate users to filling out a captcha or go through some other lengths to comment.

  17. What about when the visitor’s browser doesn’t send the Referer? Will it’s comment be blocked?

  18. Léon: Correct. Same thing if the visitor’s browser sends a blank user agent.

  19. Rick, thanks for suggesting the Raven’s Anti-Spam plugin, however, it doesn’t appear to trap 100% of spam as evidenced by the creator’s website: http://kahi.cz/wordpress/ravens-antispam-plugin/ (see the latest comments from Aug. ’11…I’m pretty sure people like “Cotton Yarn” and “Crossbow” aren’t legitimate readers). In this case, I’d actually defer to Akismet, possibly in tandem with RAS.

  20. You could not be 100% sure that a certain plugin will filter all spam. The job of anti-spam developers is to make the cost of inserting a spam message as high as possible.

    If you use client-side script the cost is low (just a few lines of code). If you prefer a challenge-response test (CAPTCHA, HIP) the cost grows but the user experience will drop.

    If you use services that filter based on content you should probably review the messages marked as spam.

    I have started RetinaPost with the desire to provide something new and engaging for the user (by using feeds, custom messages) and costly for spammers (more and more costly as new versions arrive)

  21. I can only speak for my own experience on my own site. It should be noted that Raven’s Antispam won’t trap spam posted by people (and there are some spammers who pay people to just post the stuff, thereby bypassing any and all CAPTCHA systems).

    The ideal setup (and this is overkill, but it works) is this:

    Block as much via .htaccess (or server config) as possible. Using the blacklists from http://perishablepress.com/ is highly recommended.

    Use Bad Behavior (and turn on the http:BL features) to block known spammers from your site which manage to make it past the .htaccess blocks.

    Filter human-posted spam with Akismet.

    And finally, block the majority (if not all) of automated spam using Raven’s Antispam.

    This process works great, and it provides minimal intrusion for legitimate commenters (only those people with JavaScript enabled have to do anything extra, and those people only have to enter an extra string of next, not decipher an image or some other CAPTCHA trick).

  22. You cannot be 100% sure that any solution will eliminate all spam. You probably want to increase the cost that spammers pay for each comment.

    If you use a client-side verification (js captchas) the cost is low (a few lines of code don’t cost much). Other solutions are even weaker because they are breaking an important rule: You cannot trust any browser passed variables

    If you use message filters you probably will get the job done, but you should review all messages marked as spam to ensure that it does not include legitimate content.

    Challenge-response test have the highest cost for spammers, but tend to annoy users.

    When I started developing Retina Post I wanted it to be more and more secure, BUT a pleasant alternative to Captcha images. I use feeds, custom messages to encourage the user to read more, to respond to other comments, to view other pages.

  23. Very useful article for me. I think that Blocking spam at the .htaccess level is more efficient than using plugins. This post is gonna help. Thank you!

  24. So I should change it to

    RewriteCond %{HTTP_REFERER} !.*mydomain.com.* [OR]

    or remove the dot after my domain name like this?

    RewriteCond %{HTTP_REFERER} !.*mydomain.com* [OR]

    Thanks for the great tip!

  25. Since from few days my inbox is being filled with the spam comments, I am getting a lot of comments which are not relevant to my content. To help my blog from spam comments i am using plugins which i really don’t want to use in my blog as i want to maintain as many less plugins as possible. Thank Q for providing the code.

  26. Well Still i fight against spam through plugin but it looks better way to protect my blog. Thanks

  27. Thanks, this is an awesome little snippet! I am using the Invisible Captcha plugin on learncomputer.com, which works well, but you still need to empty the spam folder from time to time!

  28. What exactly does this code do? I am looking at it and I think it requires the comment to come from the file and to be sent by post method, but probably I am wrong. I do not know much about .htaccess. Please explain. I do not want to block something else along with the bots. For example one I used .htaccess code, the site had problems with bots of some social networks.

  29. I have the same question as Edwin. Could we see a working example? How would it look for wprecipes.com, for example? 🙂

  30. Nice tips, useful for me.

  31. I tried it also before i was using akismat wordpress plugin.

  32. Really useful info. Didn’t know you could do this with .htaccess.

  33. Been getting a ton of spam and just implemented the lines in the htaccess as per the post above… is there any way of testing it? (I’ve tried posting comments on the blog and that’s still working fine, but how do I test whether the direct access to the comments file is being blocked?)


  34. I’m glad I bookmarked this article months back because I was looking for it specifically this week when I got bombarded by blatant SPAM adverts. Akismet identified them properly, but still allowed them space on my database rather than disregarding them immediately.

    @ Wonkie: The Opera web browser has an option built in to disable sending referrer information. In Opera 11.61, it’s in Tools menu > Preferences > Advanced tab > Network > uncheck: Send referrer information. Then try to post a comment on your site from Opera to see how it’ll work for a bot, or someone not sending their info.

  35. looks like it doesn’t work. akismet stats shows +1000 spam comments for 12 hours after inserting this code |:

  36. “You can fight spam without codding just by installing a few plugins.”
    Dan, using htaccess as a first line of defense is always a good idea because it will save system resources. Those bots will be blocked by apache before it needs to load your php files, thus saving resources.

  37. Does the url needs to be changed when running WP in a subdirectory?

Leave a Comment

Your email address will not be published. Required fields are marked *