A simple Cloudflare WAF rule blocked nearly all comment spam

tl;dr added a Cloudflare WAF rule to challenge all requests for wp-comments-post.php, and it’s stopped automated comment spam almost entirely.

[rule screenshot]

——

My site has been reeling under comment spam for the past few weeks. Thousands of spam comments every day. I don’t use any antispam plugins, but I have honeypots and blacklists in place. While they have been faithfully catching all this crap, it’s been an unnecessary burden on the server that I wanted to avoid.

Cloudflare has a “bot fight mode” that would likely fix this, but I prefer not using it as it tends to challenge all bots, even good ones (at least in the free plan, which is what I use). If I enable bot fight mode, I always see a high “blocking time” in PageSpeed Insights. Bot fight mode is pretty good if you don’t care about this (or if your site is super heavy and won’t be affected much by one extra script).

Cloudflare also offers a “threat score” (a number from 0 to 100) for every request which can be used in rules or assigned to headers, but I find it a bit useless. Almost all spam bots hitting my site had a threat score of 0 (which means “completely safe”).

Yesterday, I learnt about the file *wp-comments-post.php*, which processes WordPress comments after they are submitted. All comments in WordPress’s native comment system will always go through this file. So I decided to create a Cloudflare WAF rule to challenge *all* hits to wp-comments-post.php.

I wasn’t sure if it would work, and thought it might even break things, but it actually does work! It’s been over 12 hours, and not a single bot-submitted spam comment has reached my spam folders! I can see thousands of blocked attempts in the Cloudflare logs. Cache hit ratio on Cloudflare is up because hits to wp-comments-post.php are not cached. I have also verified that regular people are able to submit comments – they just see a Cloudflare interstitial for a second or two after clicking “Submit”, and that’s it. The rule won’t work against human spammers, but I have my blacklists waiting for them.

I’ve now added my login and xmlrpc pages to the same rule. xmlrpc is already disabled at the server, but I’d rather these requests not reach my server at all. Cloudflare is truly a marvel.
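As an added example (not the post’s own code, and not a script Cloudflare provides): the rule from the post written out in Cloudflare’s custom-rule expression syntax, followed by a small POSIX shell check that confirms the managed challenge is actually served on the three protected paths and not on an ordinary page load. The check relies on the `cf-mitigated: challenge` response header that Cloudflare attaches to challenge pages; the site URL and the probe User-Agent are assumed placeholders, and the sample header dumps used by the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies that a Cloudflare WAF
# custom rule challenges the WordPress comment/login/xmlrpc endpoints while
# a normal page load still reaches the origin.

# The post's rule in Cloudflare custom-rule (Wirefilter) syntax, with the
# action set to "Managed Challenge" in the dashboard. wp-login.php and
# xmlrpc.php are the two paths the author added afterwards.
WAF_EXPRESSION='http.request.uri.path in {"/wp-comments-post.php" "/wp-login.php" "/xmlrpc.php"}'

# classify_headers reads a raw HTTP response header dump on stdin and prints:
#   challenged - Cloudflare answered with a managed challenge
#                (status 403 plus "cf-mitigated: challenge")
#   blocked    - a 403/503 from Cloudflare with no challenge offered
#   origin     - anything else, i.e. the request got through to WordPress
classify_headers() {
    headers=$(tr -d '\r' | tr 'A-Z' 'a-z')
    status=$(printf '%s\n' "$headers" | sed -n '1s/^http\/[0-9.]* \([0-9]*\).*/\1/p')
    if printf '%s\n' "$headers" | grep -q '^cf-mitigated: challenge'; then
        echo challenged
    elif [ "$status" = "403" ] || [ "$status" = "503" ]; then
        echo blocked
    else
        echo origin
    fi
}

# probe_post sends one harmless comment-shaped POST through Cloudflare and
# classifies the answer. The fixed User-Agent is an assumed value chosen so the
# probe is easy to spot in the Cloudflare firewall events afterwards.
probe_post() {
    site=$1; path=$2
    curl -sS -o /dev/null -D - -X POST -A "waf-rule-probe" \
        --data "comment=probe" "$site$path" | classify_headers
}

# probe_get fetches a page the rule must NOT touch (expected: origin).
probe_get() {
    site=$1; path=$2
    curl -sS -o /dev/null -D - -A "waf-rule-probe" "$site$path" | classify_headers
}

# verify_rule prints one line per path. Expected output:
#   /wp-comments-post.php  challenged
#   /wp-login.php          challenged
#   /xmlrpc.php            challenged
#   /                      origin
verify_rule() {
    site=$1
    echo "rule expression: $WAF_EXPRESSION"
    for p in /wp-comments-post.php /wp-login.php /xmlrpc.php; do
        printf '%-22s %s\n' "$p" "$(probe_post "$site" "$p")"
    done
    printf '%-22s %s\n' "/" "$(probe_get "$site" /)"
}

# Usage: sh waf-check.sh https://example.com   (assumed placeholder URL)
if [ $# -gt 0 ]; then
    verify_rule "$1"
fi
```

One caveat worth keeping in mind when reading the output: the rule only sees traffic that passes through Cloudflare, so an origin that is also reachable directly (by IP or an unproxied hostname) still accepts these POSTs, and it is worth running the same probe against that address to confirm it is not exposed.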
