Getting hundreds of spam comments daily? Here’s a plugin-free solution that blocks 95% of spam bots at the server level.
The Problem: Most spam bots post comments by directly hitting your wp-comments-post.php file, bypassing your website’s front-end entirely. Anti-spam plugins catch this AFTER it reaches WordPress, wasting server resources processing garbage requests.
The Solution – Add to .htaccess:
<IfModule mod_rewrite.c>
RewriteEngine On
# Block comment spam bots
RewriteCond %{REQUEST_URI} ^/wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !^https?://yoursite\.com/.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* - [F,L]
</IfModule>
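Replace “yoursite.com” with your actual domain, written exactly as it appears in your site URL (include “www.” if your site uses it), and keep the backslash before each dot.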
How It Works:
This rule checks two conditions for wp-comments-post.php requests:
1. Is the referer from your own domain?
2. Does the request include a user agent?
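Legitimate comments come from users filling out your comment form (referer = your site). Spam bots directly POST to the file with empty or spoofed referers. If either condition fails, Apache returns a 403 Forbidden before WordPress even loads. Both headers are supplied by the client, so the rule only stops requests that arrive with a missing or off-site referer or with no user agent.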
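To preview what the rule would reject before deploying it, the following added example (not part of the original post) replays the same checks over access log lines in Apache's combined format. The sample lines are constructed, "yoursite.com" is the placeholder from the rule above, and the function names are illustrative.

```python
import re

SITE = "yoursite.com"  # placeholder domain, as in the rule above

# Apache combined log format; a missing header is logged as "-"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
OWN_REFERER = re.compile(r"^https?://" + re.escape(SITE) + r"/")

def verdict(uri, referer, ua):
    """Return None if the rule lets the request through, else the reason for the 403."""
    if not uri.startswith("/wp-comments-post.php"):
        return None                      # first RewriteCond does not match
    referer = "" if referer == "-" else referer
    ua = "" if ua == "-" else ua
    if not referer:
        return "no referer"
    if not OWN_REFERER.match(referer):
        return "referer not " + SITE
    if not ua:
        return "empty user agent"
    return None

def audit(lines):
    """Map each parsed log line to (ip, reason-or-None)."""
    results = []
    for line in lines:
        m = LINE.match(line)
        if m:
            results.append((m["ip"], verdict(m["uri"], m["referer"], m["ua"])))
    return results

# Constructed sample lines (documentation IP ranges), not real traffic
SAMPLE = [
    '192.0.2.10 - - [10/Jan/2025:10:00:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://yoursite.com/hello-world/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [10/Jan/2025:10:00:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "-"',
    '203.0.113.5 - - [10/Jan/2025:10:00:03 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://www.yoursite.com/hello-world/" "Mozilla/5.0 (Windows NT 10.0)"',
    '192.0.2.44 - - [10/Jan/2025:10:00:04 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh)"',
    '192.0.2.45 - - [10/Jan/2025:10:00:05 +0000] "GET /hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh)"',
]

if __name__ == "__main__":
    for ip, reason in audit(SAMPLE):
        print(ip, "403: " + reason if reason else "allowed")
```

The third and fourth sample lines are the cases to look for in your own log: a browser that reached the form through the www host, and a browser that sends no Referer header, both of which the rule would turn away.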
Why This Beats Plugins:
• Blocks spam at Apache level (before PHP executes)
• Zero database queries for blocked requests
• No plugin overhead or compatibility issues
• Works even if WordPress is broken
Edge Case Fix:
If legitimate commenters get blocked (rare), add their user agents as exceptions by placing this condition directly above the RewriteRule line:
RewriteCond %{HTTP_USER_AGENT} !^(Mozilla|Chrome|Safari|Firefox).*
Monitor Results:
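Check your server access log after 24 hours. Requests rejected by the [F] flag are recorded there with status 403; mod_rewrite writes them to the error log only at trace log levels. The path below is the Debian/Ubuntu default, so adjust it if your access log lives elsewhere:
grep "wp-comments-post" /var/log/apache2/access.log | grep -c '" 403 '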
You’ll see hundreds or thousands of blocked attempts. Each blocked request saved your server from loading WordPress, running anti-spam plugins, and querying the database.
