Protect Your WordPress from Automated Comment Spam and Brute Force Login Attacks

Is your WordPress site flooded with spam comments or under attack from brute force login attempts?

Thinking about a spam-blocking plugin? Plenty of plugins can help you stop spam comments, and after a while you will notice thousands of spam comments sitting in the spam folder. These anti-spam plugins do a great job of keeping spam comments from showing up on your posts, but they have drawbacks. First, each spam comment is processed and stored in your database before it gets deleted manually or automatically. Second, a plugin like Akismet Anti-Spam adds JavaScript to your site. If your site has limited resources, this kind of activity will drag down its performance. If you use a CAPTCHA plugin, you will also interrupt the user's experience.

If you are looking for a lightweight way to block spam bots before the comment gets posted, we have one. It blocks spam bots and protects your login page at the same time: the bots' comments are rejected by the web server and never reach WordPress, unless you get hit with spam from real humans. This method is almost perfect and very light on your server. It has no CAPTCHA, no moderation queues, no complicated settings page, and a 99.99% filter rate.

This idea is inspired by the article "Stop Automated Comment Spam on WordPress with Nginx".

How does this work?

Most spam bots do not process the content the server returns, including JavaScript and cookies. Their job is to fetch the comment form and post to it. So we can use JavaScript and cookies to block spam bots when they try to post anything.

  • When a post is viewed, the browser sets a small cookie named _pass on the viewer's system.
  • If the viewer attempts to post a comment, Nginx or Apache checks whether the request carries that cookie. The comment goes through if the cookie is found; otherwise the server returns 403 to block access.
  • Since the cookie is set whether or not the viewer attempts to leave a comment, we can use the same cookie to prevent brute force login attacks. Most spam bots and attack tools are not able to store cookies, so the same theory works for both.

What do you need?

  • Access to the server's configuration file (the Nginx or Apache config file).
  • Ability to change something.

Step one: add code to set the cookie.

You can add the code below via Code Snippets or directly to your theme's functions.php file.


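// Emit a script with the comment form; only clients that run JavaScript end up with the cookie.
function set_post_cookie() {
    echo '<script>document.cookie = "_pass=1; max-age=43200; path=/; secure";</script>' . "\n";
}
add_action( 'comment_form', 'set_post_cookie', 100 );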

This sets a cookie named "_pass" with the value "1". You can change the cookie name and value to whatever you want, as long as the server rules in step two check for the same name.
If you use HTTP, remove the word secure from the code above.

Step two: add the code below to check for the cookie and block spam bots with Nginx or Apache.


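# Stop automated comment spam and login attempts with Nginx
set $block_flag 0;
# Gate only the comment and login endpoints so ordinary page views can still set the cookie.
if ($request_uri ~* "/wp-comments-post\.php|/wp-login\.php") { set $block_flag 1; }
if ($http_cookie ~* "_pass") { set $block_flag 0; }
if ($block_flag) {
    return 403;
}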

For Apache:

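RewriteEngine On
# Gate only the comment and login endpoints; requests without the _pass cookie get 403.
RewriteCond %{REQUEST_URI} ^/wp-comments-post\.php$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$
RewriteCond %{HTTP_COOKIE} !_pass
RewriteRule .* - [F]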

Step three: reset the cookie on a failed login attempt.

Every time an incorrect login is attempted, the cookie is removed to prevent brute force login attacks. Add the code below to your theme's functions.php.

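function no_wordpress_errors() {
    // Expire the _pass cookie so the next request to wp-login.php is rejected with 403.
    echo '<script>document.cookie = "_pass=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/; secure";</script>' . "\n";
    // Client address as seen by PHP, escaped before it is shown on the login page.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? esc_html( $_SERVER['REMOTE_ADDR'] ) : '';
    $message = "You are blocked. IP address $ip";
    return $message;
}

add_filter( 'login_errors', 'no_wordpress_errors' );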

JavaScript must be turned on and the browser must accept cookies for this system to work.

Remember: the next time you log in to your admin page, open a post first so that you have the cookie and are not blocked by this.
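
To check what the rules from step two are doing once deployed, the following added example (not code from the original article) tallies the 403s issued on the two gated endpoints per client and lists clients that passed the cookie check yet still failed several logins. It assumes the Nginx "combined" access-log format and that stock WordPress answers a failed login with 200 and a successful one with 302; summarize, GATED and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

GATED = ("/wp-comments-post.php", "/wp-login.php")  # endpoints the cookie rule protects
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines in nginx "combined" format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 403 153 "-" "bot/1.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 403 153 "-" "bot/1.0"
198.51.100.9 - - [10/Mar/2024:10:00:05 +0000] "GET /hello-world/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:00:40 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:01:06 +0000] "POST /wp-login.php?x=1 HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
not a log line
"""


def summarize(log_text, threshold=3):
    """Return (blocked, passed_failures, suspects) for the two gated endpoints."""
    blocked = Counter()          # 403s on gated endpoints, per client IP
    passed_failures = Counter()  # login POSTs that passed the rule but did not redirect
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0]
        if not path.endswith(GATED):
            continue
        if status == "403":
            blocked[ip] += 1
        elif method == "POST" and path.endswith("/wp-login.php") and status == "200":
            # Assumption: stock WordPress re-renders the form with 200 on a bad
            # password and answers 302 on success.
            passed_failures[ip] += 1
    suspects = sorted(ip for ip, n in passed_failures.items() if n >= threshold)
    return blocked, passed_failures, suspects


if __name__ == "__main__":
    blocked, failures, suspects = summarize(SAMPLE_LOG)
    print("blocked by cookie rule:", dict(blocked))
    print("passed rule, failed login:", dict(failures))
    print("needs rate limiting or lockout:", suspects)
```

Clients in the last list are carrying the cookie, so they are the ones the cookie rule alone does not cover.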


  1. It won't stop all brute force login attacks, only those not using JavaScript. I think it should be used in conjunction with other measures.

    1. For those using JavaScript, every failed login attempt will reset the cookie and take them to 403. So it will stop them from going forward until they revisit a post to get a correct cookie. Unless they are using a program specifically designed then this method is not suitable.
