Stopping Comment Spam on WordPress with NginX

Stopping comment spam is a lot easier when using NginX as the web server for WordPress instead of Apache. It can be done by blocking specific country codes as well as IP ranges in CIDR format. Coupled with two WordPress plugins, a WordPress blog can become nearly spam-free. You don’t have to take my word for it, of course, because you can see the results by viewing your daily access log. While I would like to offer all the country codes I block and all the IP CIDR ranges I use, I don’t want to influence your choices. What I’m going to do is offer you what I use so you can set it all up for yourself.

The WordPress Plugins I use to Prevent Comment Spam

nginx and wordpress - stopping comment spam The first plugin I use is the one that comes bundled with WordPress, Akismet. It flags comments that seem like spam, but it doesn’t remove anything.

The second plugin I use is called “Conditional CAPTCHA for WordPress“. Its purpose is to give humans the opportunity to prove they’re human when comments are flagged as spam by Akismet. It won’t even activate for anyone else. I have it set up to remove spam-flagged comments where the CAPTCHA hasn’t been completed.

If you use this plugin and check your access log, you’ll see lines where some POST requests resulted in a 403 error code being returned for the request URI of “/wp-comments-post.php”.

Both plugins consume memory – each instance requires a new PHP process. By using some smart configuration code with NginX, those instances can be reduced dramatically.

The NginX Configuration Code I use to Prevent Comment Spam

I don’t have the default NginX package installed on my server. I have “nginx-extras” (Ubuntu) installed because it includes the GeoIP module. The Geo module is a different module and it’s included by default

Once a month, I use a cron job and wget to fetch the GeoLiteCountry data file:

In the main nginx.conf file, I have this code set up in the HTTP context:

The “nocomments.conf” file can include CIDR ranges (like “″) or individual IP addresses. Each one is followed by ” 1;” (space-1-semicolon). You can follow that with a comment, if you wish. Here’s a very short example:

In the server context for my domain’s virtual server file, I used to include this code, but I found out it didn’t work the way I expected (an if directive within a location directive):

I changed it to:

The 444 response code is unique to NginX and it tells the web server not to send any response at all.

Less Comment Spam to Delete or Moderate

I rarely get any comment spam. I’d be “lucky” to get one or two in a month. Although I have 1024 megs of RAM allocated for my hardware server, rarely does it reach 500 megs and that’s usually when I’m doing something on the WordPress admin side of things.

I scan my access log every day. I see lots and lots of 444 error codes and that tells me what I’m doing is effective.


Enter your e-mail address to receive new articles as I post them.