Block Remote Comments on a WordPress site

How to block remote comments on a WordPress site?   How indeed?   Here is a question for all of you – WordPress masters out there.   Right now I am a bit puzzled.

Problem – Comments without Visits

I am noticing that people are posting a spam comments in a very tricky way.  Somehow comments arrive with Site URL field populated, but I do not even have that field on the “Leave a Comment” form.

It means that there is an automated way to send a comment without actually visiting the site.  Is it true?  I am searching all over the Internet right now.

Looks like there is a product out there called CxxGxx.  This product lets you to comment on a WordPress blog without actually visiting the blog and reading the articles.

So the first part of the answer was easy.  Yes, people can do that.  They do not need to visit to post comments. But now, two more questions arise.
– First, does that way of commenting counts as a visit to the site? and
– Second, are all comment generated this way spam?

For the sake of argument, let’s say I do not want anyone to be able to post meaningless comments for my articles remotely.  They have to be here to post their blubber.  At least that way spammers will waste not only my, but their time as well.

After a few quiet moments of contemplation I’ve come up with a potential solution.  I would setup a hidden field in a “comment-template.php“, and would not allow the comment, if this field is not set in “wp-comments-post.php“.  Of course, this would be a serious undertaking for me, because I do not know PHP.

Solution Found – Block Remote Comments in WordPress

It took six hours to come up with a perfect solution.  This is a pure gold. Enjoy!

To understand the solution let’s picture, how remote comments are sent in the first place.  Some third-party software is sending a remote POST request to your site, and all the required fields are carefully populated: Name, Email, URL and a Comment itself.

What are the obvious negative aspects of these remote comments:
– They do not count as a visitors on your site;
– They still take processing power from your server and database;
– They are in no way related to the content of your articles;
– They take precious time to go through them and spam them.

All in all, these comments are useless.  They are clearly deserved to be annulled, blocked, crashed, disallowed, eliminated and so on.  You do not want to see them in your Inbox.

The trick in blocking these will require changing one line of code, but in two (or three for some themes) files.  Let me explain the idea.  File wp-comments-post.php will process these remote requests as long as they contain all the required fields.  And number one required filed is the “comment” itself.  If we just change the name of the expected filed “comment” into something else like “my_very_own_comment_field“, these requests will not be processed, because they would lack this required field.

Here is what you are looking for.  Open file /wp-comments-post.php and search for this line:

$comment_content = ( isset($_POST['comment']) ) ? trim($_POST['comment']) : null;

Replace it with this line:

$comment_content = ( isset($_POST['xyz_com']) ) ? trim($_POST['xyz_com']) : null;

Obviously, use your imagination to come up with a unique name for your comment filed name.  Save and try to leave a comment.  Note that system complains that comment field is blank.  This is good.  That is the defense that you are building against remote commentators.

But now no one can post any comments on your site.  We need to fix that.  Read on.

We need to make a mirror change in one or two files (depending on the theme).  To preserve validity of post requests that real actual visitors are making, we need to similarly rename comment field inside comment template file.

First of all, you’ll need to make a change in a main WordPress location inside wp-includes/comment-template.php, and secondly, if your theme overwrites comment field, you also would need to make a similar change inside your_theme\comments.php file.

First, open wp-includes/comment-template.php and look for this code:

<textarea id="comment" name="comment" cols="45" rows="8" aria-required="true">

Replace it with:

<textarea id="comment" name="xyz_com" cols="45" rows="8" aria-required="true">

Save and try to post a comment. If system still complains that comment is blank, you’ll need to proceed to a next step.

Now, let’s fix the THEME comment field. Search inside your theme subdirectory for text ‘comment_field‘. In my theme I found it inside “my_theme\comments.php” file. It is possible that your theme doesn’t overwrite this field, and in that case you can omit this step.

Search for this code:

<textarea id="comment" name="comment" cols="45" rows="8" aria-required="true">

Replace it with this code:

<textarea id="comment" name="xyz_com" cols="45" rows="8" aria-required="true">

Note that the name of the TEXTAREA should be exactly the same as the name that you used inside wp-comments-post.php file.

Save and try to leave a comment. Everything is back to normal for your regular visitors. And now only true visitors can comment on your articles.

As a possible suggestion for the next WordPress release, it would be beneficial to let administrators to define their own custom comment filed name through ADMIN interface to stop spammers in their tracks. Thank you WordPress!

(Visited 251 times, 1 visits today)


  1. One problem with your solution is that when wordpress is updated the wp-comment.php file will be replaced and break comments on your site.

    Users need to be aware of this.

    Possibly an option is to add a .htaccess file in your wordpress root folder with the lines

    # Stop Apache from serving wp-comments-post.php files
    Order allow,deny Deny from all

    You can add an allow feild in there if required

    This is not tested but try yourself.

  2. It certainly solve my problem to block all the remote comments.

  3. Thanks for sharing information about block remote comments on a WordPress site. These tips are really useful.

  4. Pretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts

  5. I dont know what to say. This web site is amazing. Thats not truly a actually substantial statement, but its all I could come up with soon after reading this. You know a great deal about this subject. Much making sure that you produced me wish to understand additional about it. Your web site is my stepping stone, my buddy. Many thanks for that heads up on this theme.

  6. Great blog! I truly love how it’s easy on my eyes and the details are well written. I am wondering how I could be notified whenever a new post has been made. I have subscribed to your rss feed which ought to do the trick! Have a nice day!

  7. спасибо за интересную информацию

  8. Hey, I am checking this blog using the phone and this appears to be kind of odd. Thought you’d wish to know. This is a great write-up nevertheless, did not mess that up.

    – David

  9. I really like your blog and i really appreciate the excellent quality content you are posting here for free for your online readers. thanks peace claudia.

  10. Хотелось бы услышать от кого-то, кто использует это remote commenting tool. A работают ли мои рекомендации? I would love to hear from someone who uses this remote commenting tool. Does my recipe work?
  11. Опутеть как интересно во задвигаете. Класс!

1 Trackback / Pingback

  1. Block WordPress Remote Comment Spam Bot – wordpress spam

Your question, correction or clarification Ваш вопрос, поправка или уточнение