WP Anti-Spam Trick #3 - Allow Comments to Be Posted Only from Your Website
This trick limits your comment-posting script to being called only with an HTTP referer URL from your website. This means that, with a few caveats I describe below, someone can post a comment to your blog only by actually visiting your blog in a web browser and clicking the button to post a comment.
Caveat #1 - This means that someone else using a legitimate application (other than WordPress, of course) that posts comments by directly calling the PHP file on your site will no longer be able to do so. I don't know of any such applications, though, so this may be one of those restrictions that actually affects no one. Of course, it can be worked around by forging the referer URL.
Caveat #2 - Which brings us to caveat #2: referer URLs can be forged. If the spam commenter is really savvy, he or she could forge the referer so the request looks as if it came from a link on your site rather than from a spam-comment-generator application. So far, I haven't run into any spam commenters who are that savvy, but I wouldn't put it past them.
So, here's how you do it. You need to edit the .htaccess file at the root of your blog, or in any directory above it. For example, if the index.php file for your blog is in example.com/blog/, then you can make the changes to either example.com/.htaccess or example.com/blog/.htaccess.
Here are the lines to add (they rely on mod_rewrite, so if the file does not already contain a RewriteEngine On line, such as the one WordPress writes for permalinks, put one above them):
RewriteCond %{HTTP_REFERER} "!^http://(www\.)?domainname\.com/.*$" [NC]
RewriteCond %{REQUEST_URI} ".*wp-comments-posting-script\.php$"
RewriteRule .* - [F]
Line 1 says that the referer URL must begin with http://www.domainname.com/ or http://domainname.com/ (the www. prefix is optional, and the trailing slash matters, so a referer like http://domainname.com.somewhere-else.net/ does not qualify). Replace domainname.com with your own domain and keep the backslashes before the dots; they make the dots match literally. The ! in front of the pattern negates the test, so the condition is true when the referer does NOT match, which also covers requests that send no referer at all. The NC at the end makes the condition case-insensitive, i.e., lower case or upper case in the domain name is ignored. If your blog is served over HTTPS, change http:// to https?:// so both schemes are accepted.
Line 2 names the PHP file that actually posts the comment. Edit this to match whatever you named your script. The ., * and $ are regular expression symbols: .* matches any characters before the file name, so the condition works no matter how many directories deep your blog lives; \. matches a literal dot; and $ anchors the match at the end of the request URI, so nothing may follow the file name. If none of this makes sense, don't worry. Just make sure you change wp-comments-posting-script.php to exactly match the file name of your comment-posting script, keeping the backslash before the .php.
Line 3 says that when both conditions hold, that is, someone requested your comment-posting script with a referer URL that did not begin with your domain name (or with no referer at all), Apache answers with a 403 error (Forbidden) instead of running the script. Requests for any other page, and requests for the script that carry a referer from your own site, pass through untouched. Keep in mind that some browsers and privacy tools strip the Referer header entirely, so those visitors will be blocked too; if a real commenter complains, look for 403 entries on the script in your Apache error log.
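To see exactly which requests the three lines accept and reject without touching a live server, here is an added Python model of the two conditions. It is example code written for this page, not code from the original post or from Apache; domainname.com, wp-comments-posting-script.php and the sample requests are constructed placeholders. It also shows why the referer pattern needs an optional group for the www. prefix rather than a character class like [www.]?, which would reject your own www. URLs.

```python
import re

# Added example: a Python model of the post's two RewriteCond tests, so the
# rule can be exercised without a web server. domainname.com and
# wp-comments-posting-script.php are the post's placeholder names.

# First condition: referer must start with http://domainname.com/ or
# http://www.domainname.com/. re.IGNORECASE mirrors Apache's [NC] flag.
# "(www\.)?" makes the www. prefix optional; "\." matches a literal dot.
ALLOWED_REFERER = re.compile(r"^http://(www\.)?domainname\.com/.*$", re.IGNORECASE)

# A character class "[www.]?" matches ONE optional character ('w' or '.'),
# not the string "www.", so it rejects the site's own www. URLs. Kept here
# only to demonstrate the mistake.
BROKEN_REFERER = re.compile(r"^http://[www.]?domainname.com/.*$", re.IGNORECASE)

# Second condition: the request URI ends with the comment-posting script.
COMMENT_SCRIPT = re.compile(r".*wp-comments-posting-script\.php$")


def is_forbidden(request_uri, referer, allowed=ALLOWED_REFERER):
    """Return True when the RewriteRule would fire and Apache would send 403.

    Both conditions must hold: the referer does NOT match the allowed pattern
    (the leading "!" in the .htaccess line negates the match, and a missing
    or empty Referer header counts as not matching), and the request targets
    the comment-posting script. Everything else passes through.
    """
    referer_ok = allowed.match(referer or "") is not None
    targets_script = COMMENT_SCRIPT.match(request_uri) is not None
    return targets_script and not referer_ok


# Constructed sample requests: (request URI, Referer header value or None).
SAMPLE_REQUESTS = [
    ("/blog/wp-comments-posting-script.php", "http://www.domainname.com/blog/2005/hello/"),
    ("/blog/wp-comments-posting-script.php", "HTTP://DOMAINNAME.COM/blog/"),
    ("/blog/wp-comments-posting-script.php", "http://spam-tool.example/generate"),
    ("/blog/wp-comments-posting-script.php", None),                      # header absent
    ("/blog/wp-comments-posting-script.php", "http://domainname.com.evil.example/"),
    ("/blog/index.php", "http://spam-tool.example/"),                     # not the script
]


def evaluate(requests=SAMPLE_REQUESTS, allowed=ALLOWED_REFERER):
    """Map each sample request to the HTTP status the rule produces."""
    return [(uri, ref, 403 if is_forbidden(uri, ref, allowed) else 200)
            for uri, ref in requests]


if __name__ == "__main__":
    for uri, ref, status in evaluate():
        print(f"{status}  {uri}  referer={ref!r}")
    # The character-class pattern blocks the site's own www. referer:
    uri, ref = SAMPLE_REQUESTS[0]
    print("broken pattern blocks own www. referer:", is_forbidden(uri, ref, BROKEN_REFERER))
```

Run it and the first two requests come back 200 (own-site referer, case ignored), the spam-tool referer, the absent header and the look-alike domain come back 403, and the request for index.php is untouched. The last line shows that with the character-class pattern a referer of http://www.domainname.com/... is also blocked, which is why the optional group matters.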
If you implement tricks 1, 2, and 3, I think you will find you have a layered defense that works pretty well. Since I implemented these tricks, I went from approximately 100 spam comments a day to 0 spam comments for the entire 5 weeks or so since I made the changes.
Robert
http://www.wombatnation.com/