Comment spam is the plague of any website with an input form. WordPress site owners and admins know how much of it is posted daily, and the volume only grows with the site. There are free and paid plugins that work with varying degrees of success, and the most effective of them, CAPTCHAs, add latency to every page because the browser has to load additional scripts.
The following tutorial shows some handy tricks with Cloudflare Firewall Rules, which work on any plan from Free to Enterprise. (Cloudflare has since folded Firewall Rules into WAF custom rules under Security > WAF; the fields, operators and actions used below are unchanged.)
Requirements
- Required Software: WordPress, with Admin or Owner status.
- Required Services: Cloudflare, with Admin or Owner status.
Create WordPress Spam Rules
First, sign in to your Cloudflare account and navigate to the Firewall section.
Next, click the Create a Firewall rule button.
Here you specify the rule name, the field, the operator, the value and the action. For users new to Cloudflare and WordPress this is very straightforward, and the same pattern can be applied to other input form plugins such as WPForms by matching the path their forms post to. For now, follow the example below, which creates a rule for comment submissions only.
To go over the above example:
- Rule name: use the example “WordPress Comment Spam Filter” or name the rule whatever you prefer.
- Field: the request attribute the rule tests. This must be “URI Path” for the filter to work correctly.
- Operator: “equals” is selected by default; change it to “contains”. URI Path carries the leading slash and any subdirectory the site lives in (for example /blog/wp-comments-post.php), so an exact match against the bare file name would never fire, whereas “contains” only needs to match part of the path.
- Value: “wp-comments-post.php”, the file the WordPress comment form submits to. Make sure to include the .php; without it the rule would also challenge any permalink that happens to contain the same words.
- Action: a challenge. JS Challenge is the lightest option, and the solve-rate figures in the next section assume a challenge rather than Block, which would stop humans as well.
Click Deploy and the rule takes effect immediately. Bye, bye spam!
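To see why the operator and value choices above matter, here is an added example that is not part of the original post: a minimal re-implementation of the “equals” and “contains” operators for http.request.uri.path, run against a few constructed request paths. The three rule triples and the sample paths are assumptions made for illustration; the code models the rule, it is not Cloudflare's engine.

```python
"""Check the comment-spam rule expression against sample request paths.
Added example, not from the original post: a minimal model of Cloudflare's
"eq" and "contains" operators on http.request.uri.path, used to show why the
tutorial picks "contains" and why the value must end in ".php"."""
from typing import List, Tuple

# The expression the Firewall Rules form builds from the tutorial's choices
# (Field: URI Path, Operator: contains, Value: wp-comments-post.php).
COMMENT_RULE = ("http.request.uri.path", "contains", "wp-comments-post.php")

# What you get by leaving the default operator in place.
DEFAULT_OPERATOR_RULE = ("http.request.uri.path", "eq", "wp-comments-post.php")

# What you get by dropping the ".php" from the value.
NO_EXTENSION_RULE = ("http.request.uri.path", "contains", "wp-comments-post")


def path_matches(path: str, rule: Tuple[str, str, str]) -> bool:
    """Evaluate a (field, operator, value) triple against a request path.
    Only the two operators the tutorial discusses are modelled."""
    field, operator, value = rule
    if field != "http.request.uri.path":
        raise ValueError(f"unsupported field {field}")
    if operator == "eq":
        return path == value
    if operator == "contains":
        return value in path
    raise ValueError(f"unsupported operator {operator}")


def expression(rule: Tuple[str, str, str]) -> str:
    """Render the triple the way it appears in Cloudflare's expression editor."""
    field, operator, value = rule
    return f'({field} {operator} "{value}")'


# Constructed sample paths (assumption: representative of a WordPress site).
# Cloudflare's http.request.uri.path always carries the leading slash and any
# subdirectory the site is installed in.
SAMPLE_PATHS: List[str] = [
    "/wp-comments-post.php",                 # comment form on a root install
    "/blog/wp-comments-post.php",            # comment form on a subdirectory install
    "/2021/06/wp-comments-post-explained/",  # a permalink that reuses the words
    "/wp-login.php",                         # unrelated endpoint
]


def challenged_paths(rule: Tuple[str, str, str]) -> List[str]:
    """Which of the sample paths a given rule would challenge."""
    return [p for p in SAMPLE_PATHS if path_matches(p, rule)]


if __name__ == "__main__":
    for rule in (DEFAULT_OPERATOR_RULE, NO_EXTENSION_RULE, COMMENT_RULE):
        print(f"{expression(rule):60} -> {challenged_paths(rule)}")
```

The default “eq” rule matches nothing because the path starts with a slash; the rule without “.php” also catches the permalink; only the tutorial's rule hits exactly the two comment endpoints. If you want to be stricter still, append `and http.request.method eq "POST"` in the expression editor, since WordPress submits comments with a POST to that file.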
Check WordPress Comment Spam Cloudflare Logs
Now that your rule is activated and working, you can see the success rate and the number of times a person or bot has tried posting on your comment forms. This is an example from Linuxcapable.com.
In the 24-hour window above, the challenge was solved 5% of the time: of 20 challenged comment submissions, one came from a human. The spikes in the graph are typically a bot retrying after failing to post several times, sometimes many more. A low solve rate is what you want; it means the rule is stopping bots rather than people. If the rate were 90%, nine in ten challenged visitors would have been real humans, which means you are mostly challenging humans. That should not happen on a publicly listed website, because bots will find the comment form long before that ratio holds.
You can also hover over the 5% figure to reveal the raw numbers instead of the graph.
As explained, a lower solve rate means you are effectively stopping more bots than humans.
You can also go into the rule itself for further information by clicking the rule's bar in the original graph.
As above, you can see the stats on spam, along with filters for Action, Host, Country, ASN, IP, Path and more. Further down, the page reveals more detail.
This information is useful if you want to spot a pattern from a specific provider or ASN and block or challenge it by default when you get hundreds of spam attempts per day. The same applies to individual IP addresses. The previous day an IP address tried spamming several hundred times in a few hours; that IP is now permanently blocked using an IP Access Rule under Cloudflare's Firewall Tools.
In the example, 184.108.40.206 is the IP address and the action is Block. If you host multiple websites, you can apply the rule to all websites on the Cloudflare account, which is even handier. Optionally, add a note at the end; this is a good idea for tracking purposes. By default, Cloudflare allows 50,000 IP access rules, so filling that up will take a while; the suggestion is to ban only the most toxic repeat offenders.
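The “several hundred attempts in a few hours” judgement above can be automated. Here is an added example, not from the original post, that scans a set of firewall events, reports hits on the comment endpoint per ASN, flags any IP that exceeds a threshold inside a sliding one-hour window, and builds the IP Access Rule body you would send to Cloudflare to block it. The event records are constructed; their field names follow Cloudflare's firewallEventsAdaptive dataset as the author of this example understands it, and the threshold, the documentation-range IPs and ASNs are assumptions.

```python
"""Find repeat comment-spam offenders in Cloudflare firewall events and build
the IP Access Rule payload to block them. Added example, not from the original
post; the events below are constructed sample data."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

COMMENT_ENDPOINT = "wp-comments-post.php"


def constructed_events() -> List[dict]:
    """Synthetic 24h of challenge events (constructed, not real logs).
    Field names assume Cloudflare's firewallEventsAdaptive dataset."""
    base = datetime(2021, 6, 1, 0, 0, tzinfo=timezone.utc)
    events = []
    # One IP hammering the comment endpoint: 300 attempts, one every 36 seconds.
    for i in range(300):
        events.append({
            "datetime": (base + timedelta(seconds=36 * i)).isoformat(),
            "clientIP": "203.0.113.7",   # TEST-NET-3 documentation range
            "clientAsn": "64496",         # documentation ASN
            "clientRequestPath": "/" + COMMENT_ENDPOINT,
            "action": "challenge",
        })
    # Background noise: a few IPs with a handful of attempts, one on another path.
    for i, ip in enumerate(["203.0.113.20", "198.51.100.4", "198.51.100.9"]):
        for j in range(5):
            events.append({
                "datetime": (base + timedelta(hours=6 + i, minutes=10 * j)).isoformat(),
                "clientIP": ip,
                "clientAsn": "64497" if ip.startswith("198.") else "64496",
                "clientRequestPath": "/" + COMMENT_ENDPOINT if j < 4 else "/wp-login.php",
                "action": "challenge",
            })
    return events


def comment_events(events: List[dict]) -> List[dict]:
    """Only the events that hit the comment endpoint (same match as the rule)."""
    return [e for e in events if COMMENT_ENDPOINT in e["clientRequestPath"]]


def asn_summary(events: List[dict]) -> Counter:
    """Comment-endpoint hits per ASN, to spot a noisy provider."""
    return Counter(e["clientAsn"] for e in comment_events(events))


def repeat_offenders(events: List[dict], threshold: int = 100,
                     window: timedelta = timedelta(hours=1)) -> Dict[str, int]:
    """IPs whose comment-endpoint hits reach `threshold` inside any `window`.
    Returns {ip: peak hits seen in a single window}."""
    by_ip = defaultdict(list)
    for e in comment_events(events):
        by_ip[e["clientIP"]].append(datetime.fromisoformat(e["datetime"]))
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def block_rule_payload(ip: str, note: str) -> dict:
    """Request body for Cloudflare's IP Access Rules API
    (POST /zones/{zone_id}/firewall/access_rules/rules; use the
    /accounts/{account_id}/... path to apply it to every zone on the account)."""
    return {"mode": "block", "configuration": {"target": "ip", "value": ip}, "notes": note}


if __name__ == "__main__":
    evs = constructed_events()
    print("hits per ASN:", dict(asn_summary(evs)))
    for ip, peak in repeat_offenders(evs).items():
        print(json.dumps(block_rule_payload(ip, f"comment spam: {peak} hits in one hour")))
```

The sliding window matters: a bot that spreads 300 attempts evenly over a day never exceeds the threshold in any hour, while the one above peaks at 101 hits in sixty minutes and gets flagged. Feed real events in from a Firewall Events export or the GraphQL analytics API and review the output before posting the payload; the script deliberately does not call the API itself.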
Comments and Conclusion
The Cloudflare method of stopping WordPress spam may seem a bit extreme, but in context, spam becomes a real issue as your site grows. Plugins add delay to the site, bring their own security exposure, and any decent one costs money. Cloudflare's method works on free accounts and adds nothing to your site's load time or resources, because the challenge only runs when someone invokes wp-comments-post.php. It isn't foolproof: a spam operation that drives a real browser will pass a JS challenge. But since most spam bots are cheaply made, it stops the bulk of them in their tracks. To date, since it was applied on our domain, not one spam comment has got through. If it does become an issue, the same rule can be stepped up to a proper hCaptcha challenge.
Give it a try, and you have nothing to lose if you utilize CloudFlare already.