• Resolved Joe C

    (@joecostello)


    I run a site which has comments enabled, but we use wpDiscuz (a plugin which provides enhancements to the built-in WP comments system, it doesn’t replace it).

    However, my problem isn’t with that plugin, but with wp-comments-post.php — wpDiscuz routes comments via admin-ajax.php, so it doesn’t use wp-comments-post.php.

    We’ve recently been getting a lot of comment spam submitted directly to wp-comments-post.php which somehow is ending up on the site, mostly “binance” sign-up spam.

    Here is an example of the POSTed data (I have removed the referral ID and obscured the email address):

    Array (
        [comment] => Thanks for sharing. I read many of your blog posts, cool, your blog is very good. https://www.binance.com/de-CH/register?ref=xxxxxx
        [author] => für binance anmelden
        [email] => [email protected]
        [url] => https://www.binance.com/de-CH/register?ref=xxxxxx
        [submit] => Post Comment
        [comment_post_ID] => 13073
        [comment_parent] => 0
    )

    I already added “binance” to the “Disallowed Comment Keys” list — but that didn’t work.

    As our site’s comment form doesn’t have the website/URL field, we know that any comments which have anything in the URL field must be spam.

    So I also wrote a PHP function which hooks into the comment approval process. Note that I also check for “binance” here, even though it should be caught by the WP system already:

    add_filter( 'pre_comment_approved', function($approved, $commentdata) {
    
    	// If the comment URL field has anything in it, mark as spam
    	if ( ! empty( $commentdata['comment_author_url'] ) ) $approved = 'spam';
    
    	// If the comment contains 'binance' then mark as spam
    	if ( str_contains( $commentdata['comment_content'], 'binance' ) ) $approved = 'spam';
    
    	return $approved;
    
    }, 10, 2);

    From my investigations, I can’t see anywhere that wpDiscuz is interfering with these hooks, or indeed any of the WP built-in comments system.

    For now I’ve just blocked access to wp-comments-post.php in .htaccess, so nobody can get to it!

    But I thought it might be worth raising the issue here — how are these comments getting past the built-in WordPress spam blocking, which should be able to block comments containing specific strings?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Hi @joecostello. I read through the source of wp-comments-post.php in Core and can confirm that the pre_comment_approved filter ought to be called. Your PHP code snippet looks correct, too.

    We’ll need more information to debug this. Are you able to confirm if the pre_comment_approved filter is called by putting error_log() debug statements in the code in a test environment and making Ajax requests to wp-comments-post.php? If the filter is not called, is it called when all plugins are deactivated?

    add_filter( 'pre_comment_approved', function($approved, $commentdata) {
        // If the comment URL field has anything in it, mark as spam
        if ( ! empty( $commentdata['comment_author_url'] ) ) {
            $approved = 'spam';
            error_log('Comment marked as spam due to URL: ' . print_r($commentdata['comment_author_url'], true));
        }
    
        // If the comment contains 'binance', mark as spam
        if ( str_contains( $commentdata['comment_content'], 'binance' ) ) {
            $approved = 'spam';
            error_log('Comment marked as spam due to content: ' . print_r($commentdata['comment_content'], true));
        }
    
        return $approved;
    }, 10, 2);

    Thread Starter Joe C

    (@joecostello)

    Hi Robert,

    Thanks for your reply! I’ll give that a try today and will let you know what transpires.

    Thanks,
    Joe

    Thread Starter Joe C

    (@joecostello)

    [Edit: Please ignore this comment! I will write an update shortly…]

    Okay I’m back with results! (Apologies for the delay.)

    So I POSTed samples of the spam data to a test site, both as set up for testing (it’s a copy of the main site) and also with all plugins disabled and the theme set to TwentyTwentyThree.

    Both times the log entries were made — so the pre_comment_approved filter is running as expected! And we therefore expect these comments will be set to “spam”.

    However, both comments still ended up published, not flagged as spam.

    So this sounds like something deeper is going on. As far as I know we’ve not got anything strange going on — it’s a normal version of WordPress, updated from the main site (so no custom adjustments to WP core files).

    I guess the next step might be to see if the spam also gets through a fresh install of WordPress?

    Thread Starter Joe C

    (@joecostello)

    Okay another update, and a mea culpa!

    When tested before, I’d disabled all plugins and switched to a WP theme — thereby also de-activating the PHP files with our filter function in them!

    So that’s why the comment got through when I tested before.

    So I tested again, but this time I created a functions.php file in the theme directory, and added the filter — now those comments are going to spam.

    I also removed the filter again and added “binance” to the list of “Disallowed Comment Keys” in the Discussion settings — and now the comments end up in the trash, as expected.

    So WP is behaving as expected; a plugin must be preventing the WP commenting system from acting on the “spam” result from the filter. (I’m fairly sure it’s not wpDiscuz causing this, because I did try disabling only that plugin and got no change — so another plugin must be getting in the way.)

    But thank you, Robert, for pointing me in the right direction! Next time I’ll be sure to test on a plain WP install first.
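Building on the filter posted above and on the conclusion that some other callback is overriding its “spam” result, the following is an added example (not code from this thread, from wpDiscuz or from WordPress Core) of a version that runs last in the pre_comment_approved chain, checks all user-supplied fields case-insensitively, and logs whenever it has to override an earlier callback. The jc_ function and constant names are my own.

```php
<?php
// Added example, not code from this thread or from WordPress Core. The
// jc_-prefixed function and constant names are my own.

// Terms treated as spam anywhere in the comment ('binance' is from the thread).
const JC_SPAM_TERMS = array( 'binance' );

/**
 * Return 'spam' if either rule matches, otherwise the incoming $approved value.
 * Kept free of WordPress calls so it can be exercised without WP loaded.
 */
function jc_classify_comment( $approved, array $commentdata ) {
	// Rule 1: the site's form has no URL field, so any URL was filled in by a bot.
	if ( ! empty( $commentdata['comment_author_url'] ) ) {
		return 'spam';
	}

	// Rule 2: case-insensitive keyword match over every user-supplied field,
	// the same fields Disallowed Comment Keys inspects. The thread's original
	// str_contains() check was case-sensitive and looked at the content only.
	$haystack = strtolower( implode( "\n", array(
		$commentdata['comment_author']       ?? '',
		$commentdata['comment_author_email'] ?? '',
		$commentdata['comment_author_url']   ?? '',
		$commentdata['comment_content']      ?? '',
	) ) );
	foreach ( JC_SPAM_TERMS as $term ) {
		if ( false !== strpos( $haystack, strtolower( $term ) ) ) {
			return 'spam';
		}
	}
	return $approved;
}

// PHP_INT_MAX priority runs after every other pre_comment_approved callback, so
// $approved here is whatever the other plugins left behind. If an earlier
// callback un-flagged a comment these rules catch, log the incoming value so
// the offending plugin can be located by bisecting hook priorities.
add_filter( 'pre_comment_approved', function ( $approved, $commentdata ) {
	$result = jc_classify_comment( $approved, $commentdata );
	if ( 'spam' === $result && 'spam' !== $approved ) {
		error_log( sprintf(
			'pre_comment_approved: incoming=%s, forcing spam (post %d)',
			var_export( $approved, true ),
			(int) ( $commentdata['comment_post_ID'] ?? 0 )
		) );
	}
	return $result;
}, PHP_INT_MAX, 2 );
```

A plugin that changes the status after the comment is inserted (on the comment_post or wp_insert_comment actions) would not show up in this log; those hooks are the next place to look if the log stays silent but comments still get published.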

    Glad you figured it out!

  • The topic ‘Comment spam via wp-comments-post.php’ is closed to new replies.