Title: Please eliminate wp-comments.php!
Last modified: August 19, 2016

---

# Please eliminate wp-comments.php!

 *  [Jason Lau](https://wordpress.org/support/users/jason-lau/)
 * (@jason-lau)
 * [15 years, 4 months ago](https://wordpress.org/support/topic/please-eliminate-wp-commentsphp/)
 * Hello,
 * If you want to eliminate the comment spam problem you need to eliminate the static
   wp-comments.php file and generate a unique version of this file for each visitor.
 * It’s a simple solution to fix the comment system’s Achilles Tendon.
 * I wish you would please implement this idea at once to stop the comment spam!

Viewing 15 replies - 1 through 15 (of 40 total)


 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [15 years, 4 months ago](https://wordpress.org/support/topic/please-eliminate-wp-commentsphp/#post-1881207)
 * How would that help? A spammer would be a visitor as well, wouldn’t it?
 * The same logic you’d use to detect if a visitor was a spam-bot OR a real human
   would suffer the same problems it does if the file exists or not.
 *  Thread Starter [Jason Lau](https://wordpress.org/support/users/jason-lau/)
 * (@jason-lau)
 * [15 years, 4 months ago](https://wordpress.org/support/topic/please-eliminate-wp-commentsphp/#post-1881210)
 * A spammer which is a human perhaps. Most comment spam is not generated by humans.
   Bots target wp-comments.php specifically by name. Any security done client-side
   is pointless when this file exists. Randomize the file name with each visitor
   and you eliminate the ability to find a specific file on the server.
 * I’ve done it. It eliminated 100% of my spam.
 *  Thread Starter [Jason Lau](https://wordpress.org/support/users/jason-lau/)
 * (@jason-lau)
 * [15 years, 4 months ago](https://wordpress.org/support/topic/please-eliminate-wp-commentsphp/#post-1881212)
 * However, the comment form’s action attribute always reveals the location of the
   processing script. This is where I use JavaScript and cookies to remedy that 
   issue. I store the location of the comment processing script in a cookie and 
   use javascript to retrieve it. The location is then never revealed in the source
   code.
 *  Thread Starter [Jason Lau](https://wordpress.org/support/users/jason-lau/)
 * (@jason-lau)
 * [15 years, 4 months ago](https://wordpress.org/support/topic/please-eliminate-wp-commentsphp/#post-1881218)
 * Actually, the processing script doesn’t even have to exist until the form is 
   submitted. This allows you to perform security client-side. Otherwise a bot can
   simply bypass the form by directly accessing the processing script on the server.
   You know, all they have to do is @file("http://remotesite.hmm/wp-comments.php")
   to see if it exists. How secure is that? A spammer can hit it all day long until
   they find the right crack because the file name is always so easily accessible.
   That accessibility is a definite weakness.
 *  Thread Starter [Jason Lau](https://wordpress.org/support/users/jason-lau/)
 * (@jason-lau)
 * [15 years, 4 months ago](https://wordpress.org/support/topic/please-eliminate-wp-commentsphp/#post-1881221)
 * When the button is pressed a new file is generated named
   [security-hash].[visitor-ip].[timestamp].php. That file is then used for the form
   action. Once the form is successfully submitted, the file can be deleted.
 * In the processing script, use the filename to compare to the visitor’s ip. If
   the ip does not match the filename, you know it’s a bad visit. Use the timestamp
   to expire the script.
 * The file then cannot be re-used by bots. = Happy Admin
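The checks this post describes, written out as an added example (not code from the thread or from WordPress, and in Python rather than PHP so it runs stand-alone). It assumes the [security-hash] is a keyed hash over the IP and timestamp under a server-side secret, so a name cannot be forged; mismatched IPs and stale timestamps are rejected, and a name is single-use, standing in for deleting the file after a successful submit.

```python
import hashlib
import hmac
import time
from typing import Optional, Set, Tuple

# Constructed secret for the example; a real deployment loads it from config, not source.
SECRET = b"example-only-secret"
TOKEN_TTL = 600          # seconds a generated action name stays valid (assumed value)
_used: Set[str] = set()  # names already consumed; in-memory stand-in for deleting the file


def _mac(ip: str, ts: str) -> str:
    """Keyed hash over ip|timestamp; stands in for the post's [security-hash]."""
    return hmac.new(SECRET, f"{ip}|{ts}".encode(), hashlib.sha256).hexdigest()[:32]


def issue_action(ip: str, now: Optional[float] = None) -> str:
    """Build the per-visitor action name [hash].[ip].[timestamp].php."""
    ts = str(int(time.time() if now is None else now))
    return f"{_mac(ip, ts)}.{ip}.{ts}.php"


def verify_action(name: str, client_ip: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Validate a submitted action name against the requesting client."""
    if not name.endswith(".php"):
        return False, "malformed"
    body = name[:-4]
    # The hash has no dots and the timestamp is last, so split once from each end;
    # this keeps dotted IPv4 addresses intact.
    try:
        mac, rest = body.split(".", 1)
        ip, ts = rest.rsplit(".", 1)
    except ValueError:
        return False, "malformed"
    if not ts.isdigit():
        return False, "malformed"
    if not hmac.compare_digest(mac, _mac(ip, ts)):
        return False, "bad-hash"       # forged or tampered name
    if ip != client_ip:
        return False, "ip-mismatch"    # name presented from a different address
    if int(time.time() if now is None else now) - int(ts) > TOKEN_TTL:
        return False, "expired"        # the timestamp expires the script
    if name in _used:
        return False, "replayed"       # single use, like deleting the file after submit
    _used.add(name)
    return True, "ok"
```

Binding to the client IP rejects legitimate visitors whose address changes between page load and submit (mobile networks, some proxies), so the hash-plus-expiry-plus-single-use checks carry most of the value on their own.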
 *  Thread Starter [Jason Lau](https://wordpress.org/support/users/jason-lau/)
 * (@jason-lau)
 * [15 years, 4 months ago](https://wordpress.org/support/topic/please-eliminate-wp-commentsphp/#post-1881258)
 * Achilles’ heel too. >:\
 *  Thread Starter [Jason Lau](https://wordpress.org/support/users/jason-lau/)
 * (@jason-lau)
 * [15 years, 4 months ago](https://wordpress.org/support/topic/please-eliminate-wp-commentsphp/#post-1881275)
 * I really intended to say wp-comments-post.php, but I think you know what I meant.
 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [15 years, 4 months ago](https://wordpress.org/support/topic/please-eliminate-wp-commentsphp/#post-1881310)
 * > Bots target wp-comments.php specifically by name.
 * Well sure but it’d be easier to just protect that with .htaccess. If someone 
   comes to that file directly (that is NOT referred by your domain), then they’re
   a spammer.
 * I use this to stop splogs. Maybe it could be used for that instead:
 *     ```
       RewriteCond %{REQUEST_METHOD} POST
        RewriteCond %{REQUEST_URI} .wp-signup.php*
        RewriteCond %{HTTP_REFERER} !.*domain.com.* [OR]
        RewriteCond %{HTTP_USER_AGENT} ^$
        RewriteRule (.*) http://lmgtfy.com/?q=spammer [R=301,L]
       ```
   
 * From [http://www.darcynorman.net/2009/05/20/stopping-spamblog-registration-in-wordpress-multiuser/](http://www.darcynorman.net/2009/05/20/stopping-spamblog-registration-in-wordpress-multiuser/)
 * By the way. Next time consider EDITING your post rather than posting over and
   over so soon 🙂
 *  Thread Starter [Jason Lau](https://wordpress.org/support/users/jason-lau/)
 * (@jason-lau)
 * [15 years, 4 months ago](https://wordpress.org/support/topic/please-eliminate-wp-commentsphp/#post-1881359)
 * Whatever. I’m not going to hash it out about efficient ways to do it. Referrer
   can be spoofed. Point is, something can be done to fix it.
 *  [Clayton James](https://wordpress.org/support/users/claytonjames/)
 * (@claytonjames)
 * [15 years, 4 months ago](https://wordpress.org/support/topic/please-eliminate-wp-commentsphp/#post-1881375)
 * > Whatever. I’m not going to hash it out about efficient ways to do it. Referrer
   > can be spoofed. Point is, something can be done to fix it.
 * Sounds like you’re the guy… write it up and submit it.
 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [15 years, 4 months ago](https://wordpress.org/support/topic/please-eliminate-wp-commentsphp/#post-1881388)
 * What Clayton said 🙂 If you can code it, please do and submit it to trac.wordpress.org!
   We’d appreciate it!
 *  Thread Starter [Jason Lau](https://wordpress.org/support/users/jason-lau/)
 * (@jason-lau)
 * [15 years, 4 months ago](https://wordpress.org/support/topic/please-eliminate-wp-commentsphp/#post-1881392)
 * > Sounds like you’re the guy… write it up and submit it.
 * I only know a _little bit_ about everything. 😉
 * Seriously though, I’ll work on it.
 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [15 years, 4 months ago](https://wordpress.org/support/topic/please-eliminate-wp-commentsphp/#post-1881394)
 * Yeah, but you said:
 * >  I’ve done it. It eliminated 100% of my spam.
 * So .. y’know, share details on trac. Can’t promise they’ll pick it up, but y’know,
   giving back is a wonderful thing. It will save the jungles and bunnies. 😉
 *  Thread Starter [Jason Lau](https://wordpress.org/support/users/jason-lau/)
 * (@jason-lau)
 * [15 years, 4 months ago](https://wordpress.org/support/topic/please-eliminate-wp-commentsphp/#post-1881396)
 * Honestly, once I changed my website I no longer need any CAPTCHA or similar devices.
   I’m not saying a human can’t _manually_ submit a spam message, but automation
   is very difficult if not impossible. Banning an individual is much easier than
   banning a bot which works from multiple IP addresses.
 *  [rawalex](https://wordpress.org/support/users/rawalex/)
 * (@rawalex)
 * [15 years, 4 months ago](https://wordpress.org/support/topic/please-eliminate-wp-commentsphp/#post-1881494)
 * Please see [http://wordpress.org/support/topic/comment-spam-improvements-needed?replies=3](http://wordpress.org/support/topic/comment-spam-improvements-needed?replies=3)
   for my ideas on the subject.


The topic ‘Please eliminate wp-comments.php!’ is closed to new replies.

## Tags

 * [bot](https://wordpress.org/support/topic-tag/bot/)
 * [comment](https://wordpress.org/support/topic-tag/comment/)
 * [spambot](https://wordpress.org/support/topic-tag/spambot/)
 * [spammer](https://wordpress.org/support/topic-tag/spammer/)
 * [wp-comments.php](https://wordpress.org/support/topic-tag/wp-comments-php/)

 * In: [Requests and Feedback](https://wordpress.org/support/forum/requests-and-feedback/)
 * 40 replies
 * 6 participants
 * Last reply from: [rawalex](https://wordpress.org/support/users/rawalex/)
 * Last activity: [15 years, 4 months ago](https://wordpress.org/support/topic/please-eliminate-wp-commentsphp/page/3/#post-1881560)
 * Status: not resolved
