Comment spam is one of the most annoying phenomena in blogs and content systems. Even if you hide the comment form in the frontend, the WordPress comment endpoint (wp-comments-post.php) remains active by default – and can be accessed directly.
I’ll explain the details and how to avoid comment spam.
Creating a comment with curl
An easy way to see how comment spam works is to call curl. This sends a comment directly to WordPress, independently of the visible form:
curl -X POST https://example.com/wp-comments-post.php \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "author=John Doe" \
-d "email=john.doe@example.com" \
-d "url=https://example.com" \
-d "comment=This is a test comment submitted via curl." \
-d "comment_post_ID=123" \
-d "comment_parent=0"
Instead of the domain example.com in the first line, you must use your WordPress domain.
author, email, url and comment will then appear in the comment.
You can determine the comment_post_ID by going to Posts > All Posts in the WordPress backend and hovering over the title of a post. An address like the following then appears in the browser's status bar: https://www.example.com/wp-admin/post.php?post=5&action=edit. The value after post= is the comment_post_ID. Alternatively, right-click the title of the post and select Copy link address.
Such calls can easily be automated – by bots, scripts or even inadvertently by legitimate tools.
Simple solution: mandatory registration for comments
An effective and uncomplicated form of protection is to allow only registered users to comment.
To do this, go to Settings > Discussion in WordPress and check the box “Users must be registered and logged in to comment”.
This means that any automated spam attempt will come to nothing – because the comment will not be accepted without a valid login, even if the POST data is correct.
Now all that remains is to secure the user registration page.
I recommend the Simple Cloudflare Turnstile plugin for this purpose.
With this plugin you can protect the user registration page from spambots.
Optional: Further protective measures
For even more security, you can also:
- Deactivate user registration under Settings>General>Membership.
- Lock the wp-comments-post.php file with a plugin or .htaccess rule.
- Generally deactivate comments if you don’t need them.
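To confirm that the registration requirement (or an .htaccess lock on wp-comments-post.php) actually rejects anonymous submissions, the following script repeats the curl call from above against your own site and classifies the HTTP status code WordPress returns. It is an added example, not part of the original post; the site URL and post ID are assumptions you replace with your own values.

```shell
#!/bin/sh
# Added hardening check (not from the original post): send one anonymous
# comment to wp-comments-post.php and report whether it was rejected.
# Assumptions: the URL and post ID passed as arguments belong to your own
# WordPress site and to a real post.

# Map the HTTP status code to a verdict.
#   302/303 -> WordPress accepted the comment and redirected: endpoint still open
#   403     -> rejected ("you must be logged in") or denied by a server rule
#   000     -> curl could not connect at all
#   other   -> inspect manually (e.g. a WAF or CAPTCHA challenge page)
classify_status() {
  case "$1" in
    302|303) echo "OPEN" ;;
    403)     echo "HARDENED" ;;
    000)     echo "UNREACHABLE" ;;
    *)       echo "UNKNOWN" ;;
  esac
}

# Same POST as in the post above, but only the status code is kept.
probe_comment_endpoint() {
  site="$1"
  post_id="$2"
  curl -s -o /dev/null -w '%{http_code}' -X POST "$site/wp-comments-post.php" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "author=Hardening Check" \
    --data-urlencode "email=check@example.com" \
    --data-urlencode "comment=Hardening check: anonymous comments should be rejected." \
    --data-urlencode "comment_post_ID=$post_id" \
    --data-urlencode "comment_parent=0"
}

main() {
  site="$1"      # assumption: e.g. https://example.com (your own domain)
  post_id="$2"   # assumption: an existing comment_post_ID on that site
  code="$(probe_comment_endpoint "$site" "$post_id")"
  echo "HTTP $code -> $(classify_status "$code")"
}

# Run only when a site URL is given, e.g.: sh check.sh https://example.com 123
if [ -n "${1:-}" ]; then
  main "$1" "${2:-1}"
fi
```

If the verdict is OPEN, the check itself has just created a comment (usually in the moderation queue), so delete it after reviewing the setting.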
Conclusion
Even if no form is visible, the comment endpoint remains active in WordPress. This can be understood – and exploited – with a simple curl command.
Effective protection against this type of spam can be set up quickly: mandatory registration for comments. This elegantly fends off many automated attacks – without plugins or complex measures.