
Stop WordPress Comment Spam When They Are Already Disabled


Some websites prefer to completely disable comments on their posts or pages. There’s a straightforward way to achieve this, though it won’t entirely eliminate spam. Luckily, we have solutions for that!


How To Disable Comments in WordPress – Conventional Method

  1. Log in to your WordPress Dashboard
  2. Navigate to Settings > Discussion
  3. In the section titled Default post settings, untick the box for: "Allow people to submit comments on new posts"
  4. Scroll down and click Save Changes

However, this setting only applies to new posts, and it does not stop bots from bypassing the comment form and submitting comments straight to the scripts and APIs that write them to your database.

How To Completely Block Comments, Including Spam

1 – The Simplest Method

If you’re looking for a hassle-free solution to eliminate all comment fields across your site, even those in specific layouts designed by your theme:



  1. Go to Plugins > Add New
  2. Search for Disable Comments
  3. Install and activate the plugin
  4. Navigate to Settings > Disable Comments and select Everywhere

2 – The Code Method


Bots typically use two main routes to submit comments:

  1. Direct POST Requests: They send data straight to wp-comments-post.php, so no comment form has to be displayed.
  2. REST API / XML-RPC: They use these programmatic interfaces to insert comments into your database.

Here’s how to close off each of them:

1. Disable the REST API for Comments

The REST API allows modern applications to communicate with your site, but it’s also a preferred entry point for bots. Specifically disabling the comments endpoint can prevent them from taking advantage of it.

  • Option A (Plugin): If you have the Disable Comments plugin installed, visit its settings and make sure the option for “Disable via REST API” is checked.
  • Option B (Code): To stop the API from processing comments, add the following code to your theme’s functions.php file:

    add_filter( 'rest_endpoints', function( $endpoints ) {
        // Remove the comments collection route (listing and creating comments).
        if ( isset( $endpoints['/wp/v2/comments'] ) ) {
            unset( $endpoints['/wp/v2/comments'] );
        }
        return $endpoints;
    } );

2. Block direct access to wp-comments-post.php

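You can configure your server to deny access to the script responsible for processing comments. This can be done by adding the following lines to your .htaccess file, which you can find in your site’s root directory via FTP or File Manager. The rules must sit inside a Files block that names the script; without it they would deny access to the whole site:

    <Files "wp-comments-post.php">
    Order Deny,Allow
    Deny from all
    </Files>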

This is an extreme measure, effectively blocking access to the WordPress comment system.

3. Disable XML-RPC

XML-RPC is an older interface, functioning similarly to the REST API. If you’re not using the WordPress mobile app to manage your site, it’s advisable to disable this feature.

To do so, you can install the Disable XML-RPC plugin, or check if your security plugin (such as Wordfence or Sucuri) has an option for it.
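
To confirm that the three blocks above are holding, you can check your web server’s access log for POST requests to each entry point. The Python script below is an added example, not part of the original article; the function names, the "reached"/"blocked" labels and the sample log lines are constructed for illustration, and it assumes the Apache/Nginx combined log format.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache/Nginx "combined" format: ip - - [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def entry_point(target):
    """Map a request target to one of the three comment entry points, else None."""
    parts = urlsplit(target)
    path = parts.path.rstrip("/")
    # The REST API also answers on /?rest_route=/wp/v2/comments (plain permalinks).
    rest_route = parse_qs(parts.query).get("rest_route", [""])[0].rstrip("/")
    if path.endswith("/wp-comments-post.php"):
        return "wp-comments-post.php"
    if path.endswith("/wp-json/wp/v2/comments") or rest_route == "/wp/v2/comments":
        return "rest-comments"
    if path.endswith("/xmlrpc.php"):
        return "xmlrpc.php"
    return None

def audit(lines):
    """Count POSTs per (entry point, outcome) so gaps in the blocks stand out."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        ep = entry_point(m["target"])
        if ep is not None:
            # Assumption: >=400 means blocked; 2xx/3xx reached WordPress (not proof of storage).
            outcome = "blocked" if int(m["status"]) >= 400 else "reached"
            counts[(ep, outcome)] += 1
    return counts

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2025:04:11:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 403 199 "-" "-"',
    '203.0.113.7 - - [10/Mar/2025:04:11:03 +0000] "POST /wp-json/wp/v2/comments HTTP/1.1" 404 112 "-" "-"',
    '198.51.100.23 - - [10/Mar/2025:04:12:40 +0000] "POST /?rest_route=%2Fwp%2Fv2%2Fcomments HTTP/1.1" 201 845 "-" "-"',
    '198.51.100.23 - - [10/Mar/2025:04:12:41 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "-"',
    '192.0.2.44 - - [10/Mar/2025:04:13:05 +0000] "GET /wp-json/wp/v2/comments?post=12 HTTP/1.1" 200 2 "-" "-"',
]

if __name__ == "__main__":
    for (ep, outcome), n in sorted(audit(SAMPLE_LOG).items()):
        print(f"{ep:22} {outcome:8} {n}")
```

Any "reached" row after you have applied the steps above points to an entry point that is still open, such as the ?rest_route= form of the REST URL when only the /wp-json/ path was blocked at the server.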

Conclusion

Dealing with spam is frustrating, and understanding how it infiltrates your site can shed light on its operations. We hope these methods help in securing your WordPress site effectively.

