Block WordPress comment spammers manually


The less spammers hit your WordPress blog, the better your blog performs, is one of my opinions. A second is, the less unnecessary plugins you use on your WordPress blog, the better. So, a little while ago I decided to remove plugins like Stop Spammer Registration Plugin and do its work myself. Here is why & how:

As long as Akismet catches the spam, I can block the IP addresses myself. Plus, I might be able to see some trends like IP ranges that spam a lot, new IP ranges, new spam templates being used, and so on. I like that :).

Blocking WordPress spammers manually may sound very time consuming, but it really isn’t. You mostly have to wait for the spam. Here on, Akismet catches about 98.53% of the spam, so I don’t have to mark a lot of comments as spam. Further, we automate a lot of tasks with MySQL and Notepad++ (which is my text editor of choice on Windows) or VIM on your Linux Bash shell.

There is more than one way to block comment spammers on your WordPress blog. As you might know, I host my website on the IIS web server platform. Therefor we need the Dynamic IP Address Restrictions module.

If you are on Apache, you can use mod_rewrite instead.

Find spammer IP addresses in MySQL database

All real live data here. To find IP addresses belonging to spammers in your database:

WordPress saves the comments in the table prefix_comments. We can easily use MySQL to list all IP addresses that match our requirements. Akismet uses the word spam in the column comment_approved.

Knowing that, our query becomes:

  `comment_approved` = 'spam';Code language: SQL (Structured Query Language) (sql)

We use SELECT DISTINCT to list unique IP addresses. In my case, this lists the following IP addresses:

| comment_author_IP         |
|             |
|              |
|            |
|              |
|            |
|            |
|            |
|              |
|              |
|            |
|           |
|           |
|           |
| 2002:7180:2e5d::7180:2e5d |
|            |
|              |
|              |
|              |
|                |
|            |
|              |
|            |
|             |
|            |
452 rows in set (0.00 sec)Code language: SQL (Structured Query Language) (sql)

Did you notice the one IPv6 address? All IP addresses are presumed innocent until proven guilty :-) Look up their reputation at

Preparing the IP addresses for web.config with Notepad++

You might think it’s a lot of work to copy/paste each address into the web.config format:

<add ipAddress="" allowed="false" />Code language: HTML, XML (xml)

but it isn’t. Notepad++ has a handy search and replace function (shortcut key: CTRL H).

  1. first, find one space (“”) and replace ‘all’ with nothing. All spaces are gone;
  2. second, find the pipe (“|“) and replace ‘all’ with nothing. All pipes are gone too;
  3. third, use the Regular Expression option to execute the following search and replace:
    find what: ^(.*)$
    Replace with: <add ipAddress="\1" allowed="false" />
    The \1 is a back reference to the IP address found in (.*) and we have our web.config format ready!

Add IP addresses to Dynamic IP Address Restrictions web.config

The partial output of our Notepad++ actions above is:

<add ipAddress="" allowed="false" />
<add ipAddress="" allowed="false" />
<add ipAddress="" allowed="false" />
<add ipAddress="" allowed="false" />
<add ipAddress="" allowed="false" />
<add ipAddress="" allowed="false" />
<add ipAddress="" allowed="false" />
...Code language: HTML, XML (xml)

We add this to our web.config file under <security> <ipSecurity>, just copy and paste. Now all those IP addresses are blocked and denied access to my blog.

Block IP addresses in Apache 2.4.6+ .htaccess module mod_authz_core

Apache 2.4.6+ uses a new module mod_authz_core for authorization and blocking. The Apache mod_authz_core documentation writes:

This module provides core authorization capabilities so that authenticated users can be allowed or denied access to portions of the web site. mod_authz_core provides the functionality to register various authorization providers. It is usually used in conjunction with an authentication provider module such as mod_authn_file and an authorization module such as mod_authz_user. It also allows for advanced logic to be applied to the authorization processing.

Apache Module mod_authz_core

Because it’s really different from the Apache 2.2 Access Control, it requires a syntax change (and mindset). WordPress plugin editors take note: the new syntax is:

	Require all granted
	# IP address to block in Apache
	Require not ip
	# ...
</RequireAll>Code language: Apache (apache)

To create an Apache .htaccess blacklist use the following steps:

  • connect to your database – use SSL wherever available for MySQL connections:
    • mysql --ssl-mode=PREFERRED -h db_hostname -u user_name -p --database=db_name, or
    • mysql --ssl-mode=REQUIRED -h db_hostname -u user_name -p --database=db_name
  • select all as spam marked comments:
    • SELECT DISTINCT comment_author_IP FROM wp_comments WHERE comment_approved = 'spam';
  • save the result in a file, and use Vim to transform it into a compatible .htaccess format:
    • :%s/ //g # remove spaces
    • :%s/|//g # remove pipes
    • :%s/^\(.*\)$/Require not ip \1/g # Apache 2.4.6+ .htaccess module mod_authz_core

Blocking IP addresses with Apache mod_rewrite

If your blog is on a Apache webserver, you can use mod_rewrite to block the IP addresses. The syntaxis is:

<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{REMOTE_ADDR} ^107\.6\.159\.30 [OR]
 RewriteCond %{REMOTE_ADDR} ^108\.163\.221\.85 [OR]
 RewriteCond %{REMOTE_ADDR} ^108\.163\.247\.19 [OR]
 RewriteRule ^(.*)$ - [F,L]
</IfModule>Code language: Apache (apache)

When, in time your web.config or .htaccess file grows (and becomes huge), it is necessary to start using rewrite maps:

And of course you can start blocking whole IP ranges. Don’t forget to delete the spam comments and meta data from your database afterwards.

it’s better to use mod_authz_core Require All blocks like above than all these rewrite conditions. Read the WordPress .htaccess security best practices in Apache 2.4.6+.

Create your own local web blacklist of comment spammers in PHP

Use Project Honey Pot and Stop Forum Spam to block spammers on your website

Beside these steps above, it is also possible to automatically filter web traffic with one or multiple blacklists. Project Honey Pot for instance. The IP address of every visitor is looked up in the Project Honey Pot database. If it’s listed there, access to the website is denied. I’ve written a PHP implementation that works with both IIS web.config and Apache mod_rewrite:

Disable WordPress comments
Learn how to disable WordPress comments on individual posts or globally.

foto van Jan Reilink

About the author

Hi, my name is Jan. I am not a hacker, coder, developer or guru. I am merely a systems administrator, doing my daily SysOps/DevOps thing at cldin. With over 15 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization.

0 0 votes
Article Rating
Notify of
Oldest Most Voted
Inline Feedbacks
View all comments
1 month ago

Recently, Jeff Starr wrote about blocking IP addresses posting random string comment spam. That post reminded me about my own older post about blocking WordPress comment spammers manually. With just a few manual steps, you create your own little blocklist for WordPress in either a .htaccess or web.config file. Here are the IP addresses I’m currently blocking. Note, this list can get long (loooonnggg).

.wp-block-code {
border: 0;
padding: 0;

.wp-block-code > div {
overflow: auto;

.shcb-language {
border: 0;
clip: rect(1px, 1px, 1px, 1px);
-webkit-clip-path: inset(50%);
clip-path: inset(50%);
height: 1px;
margin: -1px;
overflow: hidden;
padding: 0;
position: absolute;
width: 1px;
word-wrap: normal;
word-break: normal;

.hljs {
box-sizing: border-box;

.hljs.shcb-code-table {
display: table;
width: 100%;

.hljs.shcb-code-table > .shcb-loc {
color: inherit;
display: table-row;
width: 100%;

.hljs.shcb-code-table .shcb-loc > span {
display: table-cell;

.wp-block-code code.hljs:not(.shcb-wrap-lines) {
white-space: pre;

.wp-block-code code.hljs.shcb-wrap-lines {
white-space: pre-wrap;

.hljs.shcb-line-numbers {
border-spacing: 0;
counter-reset: line;

.hljs.shcb-line-numbers > .shcb-loc {
counter-increment: line;

.hljs.shcb-line-numbers .shcb-loc > span {
padding-left: 0.75em;

.hljs.shcb-line-numbers .shcb-loc::before {
border-right: 1px solid #ddd;
content: counter(line);
display: table-cell;
padding: 0 0.75em;
text-align: right;
-webkit-user-select: none;
-moz-user-select: none;
-ms-user-select: none;
user-select: none;
white-space: nowrap;
width: 1%;
$ grep -c 'Require not ip' .htaccess
Code language: Apache (apache)
That’s 313 unique IP addresses posting spam comments here on Sysadmins of the North. Consider this a public pillory. Unlike Jeff, I do remove the comments, so there are no samples saved. I have database backups available, so it’s easily restored.
Read how to restore single MySQL table from a full mysqldump backup file.
Without further ado, here’s the list (tip, use grep 'Require not ip' .htaccess | cut -d " " -f 4 | sort -n):

6 years ago

nice article and discuss in detail

Would love your thoughts, please comment.x