Here’s an easy way to block all WordPress comment spam using a single Cloudflare firewall rule.
1. Access the Cloudflare Firewall Rules Section
Log into your Cloudflare account and click “WAF” to go to the “Firewall Rules” tab as shown here:
If you’re on a Cloudflare free tier plan, you can create five firewall rules for free.
2. Create a Firewall Rule to Block all WordPress Spam
Click the “Create Firewall Rule” button as shown here:
Now create the firewall rule like this:
- Give your rule a name: “Block WordPress Comment Spam”
- Under “Field”, select “URI Path”
- Under “Operator” choose “Contains”
- In the “Value” section, type comments-post.php
- Click the “Or” button on the right-hand side
- Repeat the above four steps, but this time select “URI Query String” under “Field” and type replytocom= as the value (the “URI Path” field never includes the query string, so a path-based test for replytocom would never match)
Here’s what it looks like:
To do this quickly, click “Edit expression” as shown above and type the following into the box:
(http.request.uri.path contains "comments-post.php") or (http.request.uri.query contains "replytocom=")
Scroll down and under the box labeled “Then…”, choose “JS Challenge”:
Now save your changes, and you’re done.
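To see why the two clauses have to test different fields, here is an added example (not code from the post or from Cloudflare) that mimics how Cloudflare splits a request into the http.request.uri.path, http.request.uri.query and http.request.uri fields, then evaluates a path-only version of the rule and the corrected path-or-query version over a handful of constructed request targets. The sample requests and the field-splitting helper are assumptions built for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed sample requests (method, request-target) of the kinds a WordPress
# site receives: a comment POST, two reply-link crawls and ordinary page views.
SAMPLE_REQUESTS = [
    ("POST", "/wp-comments-post.php"),
    ("GET", "/2023/05/some-post/?replytocom=4821"),
    ("GET", "/?replytocom=17"),
    ("GET", "/2023/05/some-post/"),
    ("GET", "/wp-login.php"),
]


def request_fields(target):
    """Split a request-target into the three Cloudflare rule fields used here.

    http.request.uri.path  - the path only; it never contains a '?'
    http.request.uri.query - the query string without the leading '?'
    http.request.uri       - path, then '?' and the query string if present
    """
    parts = urlsplit(target)
    uri = parts.path + ("?" + parts.query if parts.query else "")
    return {
        "http.request.uri.path": parts.path,
        "http.request.uri.query": parts.query,
        "http.request.uri": uri,
    }


def path_only_rule(fields):
    # Both clauses test the path field, so the replytocom clause is dead code.
    return ("comments-post.php" in fields["http.request.uri.path"]
            or "/?replytocom=" in fields["http.request.uri.path"])


def corrected_rule(fields):
    # Reply links carry replytocom in the query string, so test that field.
    return ("comments-post.php" in fields["http.request.uri.path"]
            or "replytocom=" in fields["http.request.uri.query"])


def matches(rule):
    """Return the request-targets that a rule would challenge."""
    return [target for _, target in SAMPLE_REQUESTS if rule(request_fields(target))]


if __name__ == "__main__":
    for name, rule in (("path-only", path_only_rule), ("corrected", corrected_rule)):
        print(f"{name:10s} -> {matches(rule)}")
```

The path-only rule challenges just the comment POST, while the corrected rule also catches both reply-link requests and still leaves normal page views and the login page alone.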
3. Monitor the Cloudflare Firewall Rule Activity
After waiting for a day or so, check the efficacy of the firewall rule by clicking the “Activity” graph next to the firewall rule name like this:
The activity report shows you each request that the Cloudflare firewall processed. The “CSR” is the “Challenge Solve Rate”: the share of challenged requests whose challenge was actually solved, which is a good proxy for how many real users with browsers tried to comment. In the screenshot above, the CSR for the rule is 0%, which means all the requests were by automated bots.
Here’s the Cloudflare Firewall activity log:
You can expand each entry to see details about which URL was blocked, where the visitor came from, and whether or not they were successful.
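If you export the firewall events rather than reading them in the dashboard, the same CSR figure is easy to reproduce. The following is an added example, not code from the post or from Cloudflare: it reads a constructed JSON Lines sample of firewall events and reports, per rule, how many JS challenges were issued, how many were solved, the resulting CSR, the number of distinct client IPs and the most-challenged path. The field names (ruleId, action, clientIP, clientRequestPath) and the action values jschallenge and jschallengeSolved are assumptions modelled on Cloudflare's event export; adjust them to whatever your own export uses.

```python
import json
from collections import defaultdict

# Constructed sample of firewall events in JSON Lines form (field names are
# assumptions, see the lead-in). The IPs are documentation ranges.
SAMPLE_EVENTS = """\
{"ruleId": "block-wp-spam", "action": "jschallenge", "clientIP": "203.0.113.10", "clientRequestPath": "/wp-comments-post.php"}
{"ruleId": "block-wp-spam", "action": "jschallenge", "clientIP": "203.0.113.10", "clientRequestPath": "/wp-comments-post.php"}
{"ruleId": "block-wp-spam", "action": "jschallenge", "clientIP": "198.51.100.7", "clientRequestPath": "/wp-comments-post.php"}
{"ruleId": "block-wp-spam", "action": "jschallenge", "clientIP": "198.51.100.8", "clientRequestPath": "/?replytocom=17"}
{"ruleId": "block-wp-spam", "action": "jschallenge", "clientIP": "192.0.2.44", "clientRequestPath": "/wp-comments-post.php"}
{"ruleId": "block-wp-spam", "action": "jschallengeSolved", "clientIP": "192.0.2.44", "clientRequestPath": "/wp-comments-post.php"}
{"ruleId": "protect-login", "action": "block", "clientIP": "203.0.113.10", "clientRequestPath": "/wp-login.php"}
"""


def challenge_solve_rates(jsonl):
    """Summarise JS-challenge activity per firewall rule.

    Returns {ruleId: {issued, solved, csr_percent, distinct_ips, top_path}}
    for every rule that issued at least one challenge; rules that only
    blocked (or never fired) have no solve rate and are left out.
    """
    stats = defaultdict(lambda: {"issued": 0, "solved": 0,
                                 "ips": set(), "paths": defaultdict(int)})
    for line in jsonl.splitlines():
        if not line.strip():
            continue  # tolerate blank lines in the export
        event = json.loads(line)
        rule = stats[event["ruleId"]]
        if event["action"] == "jschallenge":
            rule["issued"] += 1
            rule["ips"].add(event["clientIP"])
            rule["paths"][event["clientRequestPath"]] += 1
        elif event["action"] == "jschallengeSolved":
            rule["solved"] += 1

    report = {}
    for rule_id, rule in stats.items():
        if rule["issued"] == 0:
            continue  # CSR is undefined without any issued challenge
        report[rule_id] = {
            "issued": rule["issued"],
            "solved": rule["solved"],
            "csr_percent": round(100.0 * rule["solved"] / rule["issued"], 1),
            "distinct_ips": len(rule["ips"]),
            "top_path": max(rule["paths"], key=rule["paths"].get),
        }
    return report


if __name__ == "__main__":
    for rule_id, summary in challenge_solve_rates(SAMPLE_EVENTS).items():
        print(rule_id, summary)
```

A CSR near 0% with a large number of distinct IPs is the signature of bot traffic the post describes; a CSR that climbs towards 100% on the comment rule would instead mean the challenge is mostly interrupting real commenters.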
I’ve found the above rule to block all automated WordPress spam completely.
Why I Use a Cloudflare JS Challenge Over Blocking Outright
You’ll notice that in the final part of step 2, I use a JS challenge instead of blocking the request. The reason is that I want to allow humans with a browser to comment on WordPress while blocking automated spam bots. When a human posts a comment, they’ll see a screen like this for a few seconds:
A regular human user will leave just one WordPress comment at a time, so this screen won’t inconvenience them. And Cloudflare remembers a successful JS challenge, so the same visitor won’t see another for a while. You can configure how long a WordPress user has to wait before seeing another JS challenge screen. On the Cloudflare dashboard, under “Security -> Settings”, there’s an option called “Challenge Passage” as shown here:
You can set this to as long as you want – up to a year. So if you think WordPress commenters are seeing too many challenge screens, increase this setting to an appropriately long duration.
Lots of Space for More Cloudflare Rules
The beauty of this solution is that it bundles two Cloudflare firewall rules into one. Using the “OR” button, you can add as many conditions as you want, so a single Cloudflare firewall rule can cover all your WordPress spam checks. Those using Cloudflare’s free tier will appreciate the four remaining rules they can use before upgrading to a “Pro” plan.
Even “Pro” users can bundle many different Cloudflare rules and save space.
Improve WordPress Security with Cloudflare Zero Trust
In addition to the firewall rule above, you can also use Cloudflare Zero Trust to protect WordPress login pages. With Zero Trust, you specify a set of e-mail addresses that are allowed to access WordPress, and Cloudflare ensures that only those users can present themselves for identification via an OTP that it sends to the e-mail ID.
This method of protection is perfect for those who don’t want to configure VPNs to protect WordPress – or indeed any application’s login page.
Why Cloudflare is so Effective for Combating WordPress Spam
I’ve tried many solutions for dealing with automated WordPress spam, and Cloudflare firewall rules are the best I’ve found so far. Other solutions like plugins put the burden on WordPress to detect spam. WordPress is already a heavy CPU and database user, and I don’t like adding to its burden by making it detect comment spam.
Automated bots, in particular, can hit your site thousands of times in a short period, and this can overburden a WordPress installation, especially if it’s on a shared hosting environment. By offloading the bot detection to Cloudflare, you keep your WordPress installation free to deal with actual requests from real users instead of wasting resources on automated spam. You can then disable links in WordPress comments to focus on the quality of comments.
I hope you found this tutorial useful!
https://technosofy.com
Finally removed Akismet and turned off Jetpack. This Cloudflare rule is easy and simple to do.