Protect your WordPress from Automated Comment Spam and Brute Force Login Attack

Is your WordPress site flooded with spam comments, or being hit by brute-force login attempts? Thinking about a spam-blocking plugin? There are plenty of plugins that can stop spam comments, and after a while you will notice thousands of them sitting in the spam folder. Those anti-spam plugins do a good job of keeping spam out of your posts, but they have drawbacks. First, every spam comment is processed and stored in your database before it is deleted, manually or automatically. Second, a plugin like Akismet Anti-Spam adds JavaScript to your site. If your site has limited resources, this activity drags down its performance. If you use a CAPTCHA plugin, you also interrupt the user's experience.

If you are looking for a lightweight way to block spam bots before the comment is ever posted, here is one. It blocks spam bots and protects your login page at the same time, and a bot's comment never reaches WordPress at all; only spam typed by a real human gets through. The method is very light on the server: no CAPTCHA, no moderation queue, no complicated settings page, and, in the author's experience, a 99.99% filter rate against automated spam. The idea is inspired by Stop Automated Comment Spam on WordPress with Nginx. How does it work? Most spam bots do not process the content the server returns: they neither execute JavaScript nor store cookies. Their job is to fetch the comment form and post to it. So we can use JavaScript and a cookie to block spam bots the moment they try to post anything.

  • When a post is viewed, a small script in the page sets a cookie named _pass in the viewer's browser.
  • When the viewer tries to post a comment, Nginx or Apache checks whether the request carries that cookie. The comment goes through if the cookie is present; otherwise the server returns 403 and the request never reaches WordPress.
  • Because the cookie is set whether or not the viewer intends to comment, the same cookie can gate the login page and stop brute-force login attempts. Most spam bots and attack tools do not execute JavaScript or store cookies, so the same check works for both.

What you need:

  • Access to the server's configuration (the Nginx or Apache config file, or .htaccess on Apache).
  • The ability to add PHP to your theme's functions.php (or a code-snippets plugin).

1. Add the code below via the Code Snippets plugin or directly to your theme's functions.php file. For HTTPS:

function set_post_cookie() {
    // Hooked to comment_form, so every page that renders a comment form sets the cookie.
    // max-age=43200 keeps the cookie for 12 hours; "secure" restricts it to HTTPS.
    echo '<script>document.cookie = "_pass=1; max-age=43200; path=/; secure";</script>' . "\n";
}
add_action( 'comment_form', 'set_post_cookie', 100 );

This sets a cookie named _pass with the value 1 for 12 hours. You can change the cookie name and value to whatever you want, as long as the server-side check below looks for the same name. If your site uses plain HTTP, remove the word secure from the code above; modern browsers will not store a secure cookie set from an HTTP page.

2. Add the code below to check the cookie and block bots at the web server (Nginx or Apache).

For NGINX (inside the server block, before the PHP location; adjust the paths if WordPress lives in a subdirectory):

# Stop automated comment spam and login attempts with Nginx:
# requests to wp-comments-post.php or wp-login.php must carry the _pass cookie.
set $block_flag 0;
if ($request_uri ~* "^/(wp-comments-post\.php|wp-login\.php)") { set $block_flag 1; }
if ($http_cookie ~* "(^|;\s*)_pass=1(;|$)") { set $block_flag 0; }
if ($block_flag) {
    return 403;
}

For Apache (mod_rewrite must be enabled; put this in the virtual host or in .htaccess above the WordPress rewrite block):

RewriteEngine On
# Block wp-comments-post.php and wp-login.php unless the _pass=1 cookie is sent
RewriteCond %{REQUEST_URI} ^/wp-comments-post\.php$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-login\.php$
RewriteCond %{HTTP_COOKIE} !(^|;\s*)_pass=1(;|$)
RewriteRule ^ - [F]

Every time an incorrect login is attempted, the cookie is cleared (again by JavaScript in the response), so a client that did pick up the cookie is blocked at the web server after a single wrong password. The same filter also replaces WordPress's detailed login error, which otherwise reveals whether the username exists. Add the code below to your theme's functions.php:

function no_wordpress_errors( $error ) {
    // On a failed login, expire the _pass cookie so the next request to wp-login.php is blocked,
    // and return a generic message instead of WordPress's username/password-specific error.
    echo '<script>document.cookie = "_pass=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/; secure";</script>' . "\n";
    $ip      = $_SERVER['REMOTE_ADDR'];
    $message = "You are blocked. IP address " . esc_html( $ip );
    return $message;
}

add_filter( 'login_errors', 'no_wordpress_errors' );

Remember: the next time you want to log in to your admin page, open a post (any page with a comment form) first so that your browser has the cookie; otherwise you will be blocked by this rule. The same applies after any mistyped password, since a failed login clears the cookie.
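To see how the pieces interact (the cookie set on a post view, the web-server gate, and the cookie cleared on a failed login), here is an added Python simulation; it is not code from this post and it runs no real web server. It models the cookie check with a stricter pattern than the configs above (`_pass=1` as a whole cookie rather than the bare substring `_pass`, my assumption for a hardened rule), and the password, request paths and clients are constructed for the demo.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

COOKIE_NAME = "_pass"

# Paths the web server gates; the query string is allowed because
# $request_uri / REQUEST_URI carry it.
GATED_PATHS = re.compile(r"^/(wp-comments-post\.php|wp-login\.php)(\?|$)")

# Strict check: "_pass=1" as a whole cookie (assumption for the hardened rule).
STRICT_PASS = re.compile(r"(^|;\s*)_pass=1(;|$)")
# Loose check: the bare substring "_pass" anywhere in the Cookie header.
LOOSE_PASS = re.compile(r"_pass")

CORRECT_PASSWORD = "correct horse battery staple"  # constructed for the demo


def cookie_present(cookie_header: str, strict: bool = True) -> bool:
    """Does the Cookie header satisfy the gate? `strict` selects the regex."""
    pattern = STRICT_PASS if strict else LOOSE_PASS
    return pattern.search(cookie_header) is not None


def gate(path: str, cookie_header: str, strict: bool = True) -> int:
    """Web-server layer: 403 for a gated path without the cookie, else pass through (200)."""
    if GATED_PATHS.match(path) and not cookie_present(cookie_header, strict):
        return 403
    return 200


@dataclass
class Client:
    """A browser (runs_js=True) or a typical bot (runs_js=False) with its own cookie jar."""
    runs_js: bool
    cookies: dict[str, str] = field(default_factory=dict)

    def cookie_header(self) -> str:
        return "; ".join(f"{k}={v}" for k, v in self.cookies.items())


def view_post(client: Client) -> None:
    """GET a post: the page embeds document.cookie = "_pass=1; ..."; only a JS-capable client stores it."""
    if client.runs_js:
        client.cookies[COOKIE_NAME] = "1"


def post_comment(client: Client) -> int:
    """POST /wp-comments-post.php: decided entirely by the web-server gate."""
    return gate("/wp-comments-post.php", client.cookie_header())


def login(client: Client, password: str) -> tuple[int, str]:
    """POST /wp-login.php: the gate first, then WordPress with the login_errors filter on failure."""
    if gate("/wp-login.php", client.cookie_header()) == 403:
        return 403, "Forbidden"
    if password == CORRECT_PASSWORD:
        return 200, "logged in"
    # Failed login: the response carries the cookie-clearing script; only a JS client obeys it.
    if client.runs_js:
        client.cookies.pop(COOKIE_NAME, None)
    return 200, "You are blocked."


def brute_force(client: Client, guesses: list[str]) -> list[int]:
    """Status codes a password-guessing client sees across successive attempts."""
    return [login(client, guess)[0] for guess in guesses]


if __name__ == "__main__":
    bot = Client(runs_js=False)
    view_post(bot)
    print("bot comment:", post_comment(bot))                     # 403
    print("bot login attempts:", brute_force(bot, ["a", "b"]))   # [403, 403]

    human = Client(runs_js=True)
    view_post(human)
    print("human comment:", post_comment(human))                 # 200
    # One typo clears the cookie; the correct password is then rejected at the gate.
    print("human login attempts:", brute_force(human, ["typo", CORRECT_PASSWORD]))  # [200, 403]

    # A tool that simply sends "_pass=1" is never stopped by this scheme.
    forged = Client(runs_js=False, cookies={COOKIE_NAME: "1"})
    print("forged-cookie attempts:", brute_force(forged, ["a", "b", "c"]))  # [200, 200, 200]

    # Loose substring matching lets an unrelated cookie satisfy the gate; the strict regex does not.
    print("loose:", gate("/wp-login.php", "bypass_password=x", strict=False))  # 200
    print("strict:", gate("/wp-login.php", "bypass_password=x"))              # 403
```

The forged-cookie case is the caveat to keep in mind: the scheme filters clients that do not run JavaScript, not clients that know the cookie name, so it is a bot filter rather than an authentication control, and rate limiting on wp-login.php still belongs in place. The loose/strict pair shows why the server-side pattern should match `_pass=1` as a whole cookie rather than the substring `_pass`.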
