Because WordPress is the most used CMS on the internet, you will be exposed to a lot of spam. There are a lot of bots that run automatically and try to leave comments or register users. I have websites with thousands of comments and users created in just a few days.
In this article, we are going to see how we can use Cloudflare to better protect our WordPress website from these spam comments, spam user registrations, and even contact form spam. This can be done for free with the Cloudflare free plan. I have already written an article that will help you protect the wp-login area and defend against xmlrpc attacks with Cloudflare; go and check it to find out more.
Having a lot of spam comments or user registrations on your website can cause performance issues or even security issues. There are plugins that can help with this, but they can cause performance issues of their own, and there are WordPress configuration changes such as closing comments on older posts or not letting users register, but in some cases those can't be applied.
Let's start and configure Cloudflare to protect us from 3 things: spam comments, user registrations, and contact form spam. You can apply this also to the login page to limit the chances of hacking and reduce server load if you can't do the complete block from the other article.
The configurations in Cloudflare need to be done under the domain in Security – WAF – Page Rules
You have 5 firewall rules that you can use to better protect your WordPress website for free; all of the settings below will use only 1 rule. Below we are going to see the individual PHP scripts and endpoints that should be controlled to limit the spam.
wp-comments-post.php – is used to post comments in WordPress. Making it harder to reach this script will protect you against spam comments.
action=register – is used to register new users by default. If you are using a membership plugin this can change, so you need to check the URL created by the membership plugin. In this scenario, we are going to challenge every request whose query contains "register"; if you have posts with this word in them, use action=register instead.
contact – in case we have a contact page with this name, it will also be protected.
In case you have plugins that use these endpoints, you can allow them by using a referer containing your domain name, or you can use the IP address of your VPS server.
It will look something like the picture below:
The action we are going to choose is JS Challenge or Legacy Captcha; the recommended way is to use Managed Challenge (Recommended), which will pick the best option for your visitors. See more on Cloudflare actions.
(http.request.uri.path contains "comments-post.php") or (http.request.uri.query contains "register") or (http.request.uri.path eq "/contact")
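To see which requests this rule would actually challenge, and how the referer or VPS-IP allowance for plugins interacts with it, here is a small Python model of the expression run over constructed sample traffic. This is an added example, not part of the original article: the domain, the 203.0.113.10 server IP and the sample requests are made up, and the way the allowance is appended to the Cloudflare expression is my assumption, not a setting the article shows.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Assumed allowlist values (constructed): the site's domain and the VPS origin IP.
SITE_DOMAIN = "example.com"
SERVER_IP = ip_address("203.0.113.10")

# The article's expression, plus an assumed exception clause for plugins that call
# these endpoints from the site itself (the referer / server-IP allowance it mentions).
RULE_EXPRESSION = (
    '(http.request.uri.path contains "comments-post.php" '
    'or http.request.uri.query contains "register" '
    'or http.request.uri.path eq "/contact") '
    f'and not (http.referer contains "{SITE_DOMAIN}" or ip.src eq {SERVER_IP})'
)

@dataclass
class Request:
    path: str
    query: str = ""
    referer: str = ""
    src_ip: str = "198.51.100.7"  # constructed default: an arbitrary visitor

def matches_spam_endpoints(req: Request) -> bool:
    """Mirror of the three conditions in the article's expression."""
    return ("comments-post.php" in req.path
            or "register" in req.query
            or req.path == "/contact")  # eq is exact: "/contact-us" is NOT covered

def is_allowlisted(req: Request) -> bool:
    """The referer / origin-IP exception for plugins that need these endpoints."""
    return SITE_DOMAIN in req.referer or ip_address(req.src_ip) == SERVER_IP

def should_challenge(req: Request) -> bool:
    return matches_spam_endpoints(req) and not is_allowlisted(req)

# Constructed sample traffic.
SAMPLE_REQUESTS = [
    Request("/wp-comments-post.php"),                              # bot posting a comment
    Request("/wp-login.php", query="action=register"),             # bot registering a user
    Request("/contact"),                                           # contact page
    Request("/contact-us"),                                        # not matched by "eq"
    Request("/wp-comments-post.php", referer="https://example.com/post"),      # referer allowance
    Request("/wp-login.php", query="action=register", src_ip="203.0.113.10"),  # VPS allowance
    Request("/2024/01/hello-world/"),                              # ordinary page view
]

def challenged_urls(requests=SAMPLE_REQUESTS) -> list:
    """Return path?query of every sample request the rule would challenge."""
    return [r.path + ("?" + r.query if r.query else "")
            for r in requests if should_challenge(r)]
```

Note that the Referer header is set by the client, so a bot can send one containing your domain; the source-IP allowance for your own VPS is the stronger of the two exceptions.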
In the settings, you can choose for how long the challenge stays passed after it is solved:
That's about all you need to do to better protect your WordPress website from spam comments or spam registrations with Cloudflare. Leave a comment below with some of the configs you may have so others can learn from them too.