Block Remote Comments on a WordPress site

How to block remote comments on a WordPress site?   How indeed?   Here is a question for all of you – WordPress masters out there.   Right now I am a bit puzzled.

Problem – Comments without Visits

I am noticing that people are posting a spam comments in a very tricky way.  Somehow comments arrive with Site URL field populated, but I do not even have that field on the “Leave a Comment” form.

It means that there is an automated way to send a comment without actually visiting the site.  Is it true?  I am searching all over the Internet right now.

Looks like there is a product out there called CxxGxx.  This product lets you to comment on a WordPress blog without actually visiting the blog and reading the articles.

So the first part of the answer was easy.  Yes, people can do that.  They do not need to visit to post comments. But now, two more questions arise.
– First, does that way of commenting counts as a visit to the site? and
– Second, are all comment generated this way spam?

For the sake of argument, let’s say I do not want anyone to be able to post meaningless comments for my articles remotely.  They have to be here to post their blubber.  At least that way spammers will waste not only my, but their time as well.

After a few quiet moments of contemplation I’ve come up with a potential solution.  I would setup a hidden field in a “comment-template.php“, and would not allow the comment, if this field is not set in “wp-comments-post.php“.  Of course, this would be a serious undertaking for me, because I do not know PHP.

Solution Found – Block Remote Comments in WordPress

It took six hours to come up with a perfect solution.  This is a pure gold. Enjoy!

To understand the solution let’s picture, how remote comments are sent in the first place.  Some third-party software is sending a remote POST request to your site, and all the required fields are carefully populated: Name, Email, URL and a Comment itself.

What are the obvious negative aspects of these remote comments:
– They do not count as a visitors on your site;
– They still take processing power from your server and database;
– They are in no way related to the content of your articles;
– They take precious time to go through them and spam them.

All in all, these comments are useless.  They are clearly deserved to be annulled, blocked, crashed, disallowed, eliminated and so on.  You do not want to see them in your Inbox.

The trick in blocking these will require changing one line of code, but in two (or three for some themes) files.  Let me explain the idea.  File wp-comments-post.php will process these remote requests as long as they contain all the required fields.  And number one required filed is the “comment” itself.  If we just change the name of the expected filed “comment” into something else like “my_very_own_comment_field“, these requests will not be processed, because they would lack this required field.

Here is what you are looking for.  Open file /wp-comments-post.php and search for this line:

$comment_content = ( isset($_POST['comment']) ) ? trim($_POST['comment']) : null;

Replace it with this line:

$comment_content = ( isset($_POST['xyz_com']) ) ? trim($_POST['xyz_com']) : null;

Obviously, use your imagination to come up with a unique name for your comment filed name.  Save and try to leave a comment.  Note that system complains that comment field is blank.  This is good.  That is the defense that you are building against remote commentators.

But now no one can post any comments on your site.  We need to fix that.  Read on.

We need to make a mirror change in one or two files (depending on the theme).  To preserve validity of post requests that real actual visitors are making, we need to similarly rename comment field inside comment template file.

First of all, you’ll need to make a change in a main WordPress location inside wp-includes/comment-template.php, and secondly, if your theme overwrites comment field, you also would need to make a similar change inside your_theme\comments.php file.

First, open wp-includes/comment-template.php and look for this code:

<textarea id="comment" name="comment" cols="45" rows="8" aria-required="true">

Replace it with:

<textarea id="comment" name="xyz_com" cols="45" rows="8" aria-required="true">

Save and try to post a comment. If system still complains that comment is blank, you’ll need to proceed to a next step.

Now, let’s fix the THEME comment field. Search inside your theme subdirectory for text ‘comment_field‘. In my theme I found it inside “my_theme\comments.php” file. It is possible that your theme doesn’t overwrite this field, and in that case you can omit this step.

Search for this code:

<textarea id="comment" name="comment" cols="45" rows="8" aria-required="true">

Replace it with this code:

<textarea id="comment" name="xyz_com" cols="45" rows="8" aria-required="true">

Note that the name of the TEXTAREA should be exactly the same as the name that you used inside wp-comments-post.php file.

Save and try to leave a comment. Everything is back to normal for your regular visitors. And now only true visitors can comment on your articles.

As a possible suggestion for the next WordPress release, it would be beneficial to let administrators to define their own custom comment filed name through ADMIN interface to stop spammers in their tracks. Thank you WordPress!

Tags: Ban, Block, Comment, CommentGator, Local, Post, Prevent, Remote, Site, Stop, Visitor, WordPress