Forum Topic: block WP comment spam in WP Multisite

Forum: .htaccess Forum : WordPress • Posted by Steve Wolfson

Hi

This code works great to stop comment spam on single sites:

RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post.php
RewriteCond %{HTTP_REFERER} !^http://example.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://example.com/landing-page-for-spammers/ [R=301,L]

It is not workable on my Multisite installation as it uses domain mapping. There are several dozen legitimate domains the incoming request could be directed to. The code above assumes all access attempts are to example.com. I need it set up with a variable for the legitimate domain that refers to the domain the wp-comments-post.php file is being requested from, rather than hardcoding example.com.

Can you help with that?

thank you

4 Replies to “block WP comment spam in WP Multisite”

Posted by Jeff Starr

Hi Steve,

One possible way to do it, if you know the names of the other legit domains:

RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post.php
RewriteCond %{HTTP_REFERER} !^http://(example.com|domain.com|website.com) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://example.com/landing-page-for-spammers/ [R=301,L]

..where you would replace example.com, domain.com, website.com with your own domain names.

Posted by Steve Wolfson

Hi Jeff

Thanks for the suggestion. Since the # of domains is growing, I am hoping for a more dynamic solution.

I’m not an htaccess expert. Conceptually, does HTTP_REFERER != HTTP_HOST potentially work as a condition that would handle multiple domains? The idea is a specific domain is being accessed. If it is WordPress on that site that is attempting to access its wp-comments-post.php file, then the referrer should be the same domain as the one it’s trying to access. That way it wouldn’t need to be a static list of domains. I realize there could be a mile-wide hole in my thinking. But that is the concept I am after.

Do you see any issues with an approach like that? As I say, I am a student of the subject and not an expert.

thank you

Posted by Jeff Starr

Interesting idea.. I haven’t tried it, but something like the following could work:

RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post.php
RewriteCond %{HTTP_REFERER} !%{HTTP_HOST} [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://example.com/landing-page-for-spammers/ [R=301,L]

There should be no errors or issues with this code, but I’m not sure if it actually works. Test thoroughly!
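
An added example, not part of Jeff's reply or the original thread: mod_rewrite expands %{...} variables only in a RewriteCond's TestString, not in its CondPattern, so a host-versus-referrer comparison is usually written by joining both values in the TestString and matching them with a regex backreference. The "@@" separator is an arbitrary choice, and the redirect target is the thread's own placeholder URL.

```apache
# Added example: dynamic Referer/Host comparison for domain-mapped Multisite.
RewriteEngine On

# Only inspect comment submissions.
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php

# TestString becomes "<Host>@@<Referer>". ([^@]+) captures the requested
# host, and \1 requires the Referer's host to be that same string.
# The leading "!" negates the match, so the condition is true when the
# Referer is missing or names a different host than the one requested.
RewriteCond %{HTTP_HOST}@@%{HTTP_REFERER} !^([^@]+)@@https?://\1(/|$) [NC,OR]

# Also catch requests that send no User-Agent at all.
RewriteCond %{HTTP_USER_AGENT} ^$

# Placeholder target from the thread; replace with your own landing page.
RewriteRule .* http://example.com/landing-page-for-spammers/ [R=301,L]
```

The comparison is exact, so a form served from www.example.com that posts to example.com counts as a mismatch. Both Host and Referer are supplied by the client, which makes this a filter for unsophisticated bots rather than an access control.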

Posted by Steve Wolfson

Hi Jeff

Thank you for that. I will test it out. What I saw is if they want to spoof the referrer, making it match the domain they are trying to spam, that is a hole in this approach. Right now not many people are using this blocking approach (I guess) so it might work fine now. But that could change pretty quickly if this approach was adopted by a lot of sites.

I had another thought – the Multisite install is on a VPS so the IP addresses are not shared. Is there a way to block attempts to access wp-comments-post.php regardless of what domain the file is on when the attempt is not coming from a short list of IP addresses?

I promise this is my last request.

thank you, very much appreciate your help.