How to Stop WordPress Comment Spam with CloudFlare

Comment spam is the plague of any website with input forms, and WordPress site owners and admins know well how much spam can be posted daily, especially as a site grows. There are free and paid plugins, which work with varying degrees of success, and on top of that they can slow your site down because additional files have to be loaded for captchas, which to date is the most effective way of reducing comment spam.

A handy trick for users who run their websites behind Cloudflare's reverse proxy for DDoS protection and use its CDN service is to place an automatic JavaScript challenge on all comment posts, which is far more effective at stopping comment spam in its tracks immediately. Another benefit, given that bots don't visit your site like a traditional user: spam attempts never reach your site but are stopped on Cloudflare's servers, reducing the load on your own servers if you are heavily spammed.

The following tutorial shows some handy tricks with Cloudflare firewall rules which work on any plan, from Free to Enterprise.

Prerequisites

  • Required Software: WordPress – With Admin or Owner status.
  • Required Services: CloudFlare – With Admin or Owner status.

Create WordPress Spam Rules

Firstly, sign in to your Cloudflare account and navigate to the Firewall section.

Example: (screenshot)

Next, create the firewall rule; this is easy: click the Create a Firewall rule button.

Example: (screenshot)

Next, specify the firewall rule name, the field, the operator, the value, and the resulting action. Don't worry: for users new to Cloudflare and WordPress, this is very straightforward, and you can apply the same approach to other input form plugins such as WP Forms. For now, follow the example below to create a rule for comment replies only.

Example: (screenshot)

To go over the above example:

  • Rule name: Use the example "WordPress Comment Spam Filter" or name the rule whatever you prefer.
  • Field: The request attribute the rule applies to; this needs to be "URI PATH" for the filter to work correctly.
  • Operator: How the value is matched. "Equals" is selected by default, which is not fully effective; make sure to select "CONTAINS", as the rule only needs to match part of the value.
  • Value: As the name suggests, the value your field and operator are matched against, which is "wp-comments.php". Make sure to include the .php, or else the URI path match could challenge regular visitors if the same string appears in a permalink.
  • Choose Action: The action, which can be Allow, Block, JavaScript Challenge or Challenge. The ruleset uses "JavaScript Challenge" as it is the least invasive for users.

Alternatively, you can select "Challenge" instead of "JavaScript Challenge", but be warned this will force users to solve an hCaptcha by picking out patterns in images. Typically, spambots don't use JavaScript-enabled browsers, so you shouldn't need to go to this extreme unless a serial spammer is targeting you, which is very rare. Let's face it, most users hate filling out captchas, so use this as a last resort.

The way JavaScript Challenges work is that the user sees Cloudflare's "checking your browser" message for 2 to 5 seconds and, once passed, is taken through to the next page. This small price for a user posting a reply is typically easier than filling out the standard plugin reCAPTCHAs on websites.

Click Deploy once done for the rule to take effect immediately. Bye, bye spam!

Check WordPress Comment Spam Cloudflare Logs

Now that your rule is activated and working, you can see the success rate and the number of times a person or bot has tried posting on your comment forms. This is an example from Linuxcapable.com.

(Screenshot)

As above, in 24 hours only 5% of all 20 comments posted were actually by humans. The graph shows spikes, and typically these occur when bots fail to post several times in a row, some many more times than that. Overall, the 5% score is good: the lower, the better, as it means you are blocking more bots than humans. If the percentage were 90% out of 20, 9 out of 10 were real human beings, which means you are challenging more humans than bots; this should not occur on a publicly listed website.

You can also hover over the 5% figure to reveal the numbers instead of the graph.

Example: (screenshot)

As explained, a lower solve rate means you are effectively stopping more bots than humans.

You can also open the rule itself for further information by clicking the original bar graph.

Example: (screenshot)

As above, you can see the stats on spam, along with filters for Action, Host, Country, ASN, IP, Path, and more. Further down, the page reveals more information.

Example: (screenshot)

This information is useful if you want to spot a pattern from a specific provider or ASN and have it blocked or challenged by default when you receive hundreds of spam attempts per day. The same goes for IP addresses. The previous day an IP address tried spamming several hundred times in a few hours; that IP is now permanently blocked using Cloudflare Tools.
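To make the Field/Operator/Value choices from the rule section concrete, together with the solve-rate and repeat-offender reading of the logs above, here is an added Python model (not from the article, and not Cloudflare's rule engine): it applies the page's "equals" and "contains" operators to constructed sample request paths, computes the solve rate, and lists IPs that failed the challenge repeatedly. The request sample and the cut-off of three failures are assumptions.

```python
from collections import Counter

# Constructed sample of requests as the rule would see them (not real log data):
# (client_ip, uri_path, passed_js_challenge). Documentation IP ranges are used.
REQUESTS = [
    ("203.0.113.10", "/wp-comments.php", False),
    ("203.0.113.10", "/wp-comments.php", False),
    ("203.0.113.10", "/wp-comments.php", False),
    ("198.51.100.7", "/wp-comments.php", True),
    ("198.51.100.8", "/how-to-stop-wp-comments-spam/", True),  # a human reading a post
    ("192.0.2.5", "/wp-comments.php", False),
]


def rule_matches(uri_path, operator, value):
    """Model the Cloudflare 'URI Path' field with the two operators the article compares."""
    if operator == "equals":
        return uri_path == value
    if operator == "contains":
        return value in uri_path
    raise ValueError(f"unsupported operator: {operator}")


def challenged(requests, operator, value):
    """Requests the rule would challenge. The URI Path field carries a leading slash,
    so 'equals wp-comments.php' never fires while 'contains wp-comments.php' does."""
    return [r for r in requests if rule_matches(r[1], operator, value)]


def solve_rate(hits):
    """Percent of challenged requests that passed; lower means mostly bots were caught."""
    if not hits:
        return 0.0
    return round(100.0 * sum(1 for _, _, passed in hits if passed) / len(hits), 1)


def repeat_offenders(hits, threshold=3):
    """IPs that failed the challenge at least `threshold` times (assumed cut-off):
    candidates for a permanent IP access rule rather than repeated challenges."""
    failures = Counter(ip for ip, _, passed in hits if not passed)
    return sorted(ip for ip, n in failures.items() if n >= threshold)


if __name__ == "__main__":
    for op, val in [("equals", "wp-comments.php"), ("contains", "wp-comments"),
                    ("contains", "wp-comments.php")]:
        hits = challenged(REQUESTS, op, val)
        print(f"{op:8} {val:16} -> {len(hits)} challenged, solve rate {solve_rate(hits)}%")
    print("repeat offenders:", repeat_offenders(challenged(REQUESTS, "contains", "wp-comments.php")))
```

Dropping the ".php" from the value makes the permalink request count as a challenge, which is exactly the false positive the rule section warns about.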

Example: (screenshot)

In the example, 1.1.1.1 is the sample IP address, with the action Block. If you host multiple websites, you can apply the rule to all websites on the Cloudflare account, which is even handier. Optionally, add a note at the end, which is a good idea for tracking purposes. By default, Cloudflare allows 50,000 IP access rules, so filling this up will take a while; the suggestion is to ban the most toxic repeat offenders.

Comments and Conclusion

The Cloudflare method of stopping WordPress spam may seem a bit extreme, but put into context, spam becomes an issue as your site grows. Plugins add delays to sites, bring unwanted security issues, and any decent plugin costs money. Cloudflare's method works on free accounts, does not add to your site's load time or resources, and is only triggered when someone requests the wp-comments.php file. Overall, it isn't foolproof, but it will effectively stop spam in its tracks since spam bots are cheaply made. To date, since it was applied on our domain, not one spam comment has got through. If it becomes an issue, you can always escalate to a proper hCaptcha on the same principle.

Give it a try; you have nothing to lose if you already use Cloudflare.
