Stopping Spamblog Registration in WordPress MultiUser

📰 Blog post |  Posted on May 20, 2009 |  2 minutes |  393 words
spam wordpress wpmu ucalgaryblogs.ca htaccess apache

Comment Spammers Burn In Hell...I've been running a copy of WordPress MultiUser for over a year now. Comment spam hasn't been much of a problem, thanks to Akismet, but if I leave site registration open (so students and faculty can create new accounts and blogs), the evil spammers find it and start sending their bots en masse.

I tried a few plugins, with varying levels of success. There's an interesting one that attempts to limit registrations to a specific country, but it falsely reported some valid users as not being in Canada. Captchas work, but also block some valid users (and the signup captcha plugin I'd been using is possibly abandoned).

So, I did some quick googling, and came across the page on the WordPress Codex about using .htaccess files to stop comment spam. I made some modifications to the technique, and am now running it on UCalgaryBlogs.ca with apparent success. The apache logs show the bot attacks are still in full force, but not a single one has gotten through in order to register. And valid users have been able to get through. That's pretty promising.

Here's the technique - just drop a modified version of this into your .htaccess file for your WPMU server:

# BEGIN ANTISPAMBLOG REGISTRATION
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-signup\.php*
RewriteCond %{HTTP_REFERER} !.*ucalgaryblogs.ca.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://die-spammers.com/ [R=301,L]
# END ANTISPAMBLOG REGISTRATION

I put that block above the WPSuperCache block in my .htaccess file.

Modify the part that says "ucalgaryblogs.ca" to be whatever your WPMU server is (you may need to do more if you run multiple domains...), and modify the die-spammers.com part to point to wherever you want to send suspected evil spammers. I send them here.

What it does is detect any POST requests (submitting a form) for wp-signup.php, that haven't been sent from a web page on the WPMU site or have an empty user agent string (identifying the software making the request), and sends them to a page that apologizes for any false positives (and provides a contact to get around it for valid users that somehow got sent there) and scolds evil spammers for being evil spammers.

The beauty of it is that it doesn't require anything from WordPress. No plugins. No mu-plugins. No hacking core files. Nothing. Apache steps in and kicks spammers out before they get in at all.

See also

comments powered by Disqus