-- Leo's gemini proxy

-- Connecting to michaelnordmeyer.com:1965...

-- Connected

-- Sending request

-- Meta line: 20 text/gemini;lang=en-US

How to Disable WordPress Comments to Fully Avoid Spam


Comment spam on WordPress blogs can easily be avoided without the need for plugins if you configure your own servers. Just turning off comments in settings will not remove the ability for spammers to access the WordPress commenting facility.


The WordPress file `wp-comments-post.php` is responsible for accepting comments and is globally accessible, regardless of the comment settings in WordPress admin. Disallowing access to this file altogether would mean nobody can ever submit a comment, regardless of what is configured in WordPress, and that is not what we want.


The Basic Idea


The basic idea to fight spam is to only allow commenting if the referrer is your your own website. That’s always the case for legitimate commenters, because they have to be on the corresponding page using a browser to actually type and submit the comment. Spammers normally don’t set the referrer. Following this idea, they would be turned away.


For that to work we have to manually configure the web server which is running WordPress. I use nginx and stopped using Apache years ago for performance reasons.


nginx


We have to set `valid_referers` for which we conveniently choose nginx’s `server_name` variable, which has to be manually set for every virtual host. This is most likely the domain name. In my case it’s `michaelnordmeyer.com`.


location ~ /wp-comments-post\.php$ {
  valid_referers server_names;
  if ($invalid_referer) { return 403; access_log off; }
  include sites-available/php-fpm.include;
}

To be able to execute PHP for valid comments, we have to include the PHP settings so nginx knows how to submit the request to PHP. As I run Ubuntu Server all settings are stored in `/etc/nginx/sites-available/`. I chose to have a modular configuration setup so I included the settings from a file called `php-fpm.include` which looks like this:


location ~ \.php$ {
  include snippets/fastcgi-php.conf;
  fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
  fastcgi_keep_conn on;
}

Yours might look differently. I especially use a socket and not TCP to connect to PHP, because a socket is faster.


Logging is disabled for this particular use case to keep the logs clean `(access_log off)`.


Apache


It should be a easy to adapt this to Apache. If there’s no equivalent `server_name` variable then just use your hard-coded domain name.


Conclusion


Regardless if comments are enabled in WordPress or not, spammers won’t be able to submit spam anymore. And we don’t need a potentially insecure and/or slow WordPress plugin for that.

-- Response ended

-- Page fetched on Tue May 21 17:52:12 2024