Hi everybody, My host recently contacted me saying that I was using far too much server load for my blog, and was going over my limit they accept on my hosting package. This has never been a problem, as I only get 150-200 uniques a day. The problem is the wp-comments-post.php file is getting requested by spam bots, I admit I'm not the best in keeping things up to date, so I immediately updated Wordpress and Akismet, as well as installing and Bad Behaviour. What I'm worried about that - checking my stats - I'm still getting a lot of spam (Akismet has gone up by about 20,000 in the last few hours), and that wp-comments-post.php is still getting accessed by the spam bots, which is increasing server load. Do you have any other suggestions on what I can do to reduce server load?
use some other spam plugins alongside your akismet. You can also disallow comments on your wordpress site.
The problem with a lot of spam plugins is that they usually work after the spambot is in the site, so it doesn't really reduce server load. Bad Behaviour's different. I don't really want to disable comments as it's where I get most of my feedback. May have to disable it on some posts though.
If it's a bunch of common IP's and you know which ones are the spam bots. You could block them from your site that is one option.
Hmmmm....the problem is that, just looking at the IP's, there's actually quite a lot of them, but they seem to be accessing the /wp-comments-post.php file directly. Is there anyway of blocking direct access to that file using some .htaccess code, so say, if you come from http://www.myblogdomain.com/ instead of from http://www.spammydomain.com/, you can access it?
you could look at this too. http://www.google.com/search?hl=en&q=bad+behavior&btnG=Google+Search it will help stop the spam bots from even reading your site
Already have that installed Thanks anyway I'm keeping an eye on the server load, I'm using between 2-4% (I do have a blog post that I'm editing atm so that could drive it up a bit), whereas the acceptable use policy is average of 2%. Is that reasonable (just a fairly standard reseller package).
I would suggest disabling comments for a day or two, just to let everything calm down. You will then be able to see what your real load should be. Then turn comments back on with all of the plugins to protect yourself. It also might be a good idea to move away from wordpress. It is a bloated piece of software that is known to overload servers. I've found that serendipity is the best blogging software for large sites without a ton of resources. If you (or anyone else for that matter) want to move to serendipity I would be more than happy to help out.
Hi Chickens, Thanks for your suggestions! Will look into serendipity, though I didn't think my site was that big :S. Will also switch off comments or change to another form of commenting as well at some point. They have suggested I add the following line to my .htaccess file: SetEnvIfNoCase User-Agent "indy library" keep_out Code (markup): And checking my raw log file to find the spam bots User-Agent string. My raw log file has this in it: 81.89.11.109 - - [07/Nov/2007:08:21:33 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:33 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:33 -0600] "POST /wp-comments-post.php HTTP/1.0" 403 898 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:33 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:33 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:33 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:33 -0600] "POST /wp-comments-post.php HTTP/1.0" 403 898 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:33 -0600] "POST /wp-comments-post.php HTTP/1.0" 403 898 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:33 -0600] "POST /wp-comments-post.php HTTP/1.0" 403 898 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:33 -0600] "POST /wp-comments-post.php HTTP/1.0" 403 898 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:35 -0600] "POST /wp-comments-post.php HTTP/1.0" 403 898 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:36 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:37 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:37 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:37 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:37 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:37 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:37 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:37 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:37 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:37 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:37 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:37 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:37 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:37 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:37 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:37 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:37 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:37 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:37 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:37 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:37 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:37 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:37 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:37 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:38 -0600] "POST /wp-comments-post.php HTTP/1.0" 403 898 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:38 -0600] "POST /wp-comments-post.php HTTP/1.0" 403 898 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:38 -0600] "POST /wp-comments-post.php HTTP/1.0" 403 898 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:38 -0600] "POST /wp-comments-post.php HTTP/1.0" 403 898 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:38 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:38 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:38 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:38 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:38 -0600] "POST /wp-comments-post.php HTTP/1.0" 403 898 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:38 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:38 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:38 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:38 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:38 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:38 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:38 -0600] "POST /wp-comments-post.php HTTP/1.0" 500 1184 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:39 -0600] "POST /wp-comments-post.php HTTP/1.0" 403 898 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:39 -0600] "POST /wp-comments-post.php HTTP/1.0" 403 898 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:39 -0600] "POST /wp-comments-post.php HTTP/1.0" 403 898 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:39 -0600] "POST /wp-comments-post.php HTTP/1.0" 403 898 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:39 -0600] "POST /wp-comments-post.php HTTP/1.0" 403 898 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 81.89.11.109 - - [07/Nov/2007:08:21:39 -0600] "POST /wp-comments-post.php HTTP/1.0" 403 898 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" Code (markup): Can anybody help me decipher it? What I think is that the user string is Mozilla/4.0, which I obviously don't want to block.... Any suggestions?
How about installing some sort of verification image? I see some blogs use sum verification or image verification. I myself haven't tried this, so I would like to know whether this measure is effective or not.
The problem with that is that it will increase, rather than reduce the server load (according to my host, and I'd agree with that too) I'm not getting bombarded with spam (Akismet and Bad Behaviour are dealing with it), I'm just getting requests for that one file which is crippling my server. Thanks for helping though
if you don't have anyone posting that isn't malicious just chmod that file to 0 for the time being. That'll give the bots a nice 403 error and it won't even need to process php.
Bann the ips if you can find them it shouldn't be hard to find the ips.. and if not Disable post for about 3 days and mabye itll go away.. Good luck
You can use .htaccess and only allow referrers from your domain: http://codex.wordpress.org/Combating_Comment_Spam/Denying_Access Don't know how much it will reduce server load, however.
Just check if the file is directly acessed or no referrer through rules in .htaccess file. If so, then page request will be dropped or redirected to non-existant domain.
The bot is getting a 500 internal server error followed by a 403 forbidden when trying to post comments. This means the bot is still hitting your server, but it should not make an impression on the server. This is because the page is probably white with a tiny bit of text stating that error. What you need to look for is when the bots get a 401, which means it got to the actual page. This will create a load on the server. The only way to have a bot not show up in your logs is to IP ban them using iptables. This means your host will have to do it. That really means it will never happen. A 403 is a good error for the bot to see.
Right, I have made a few changes with my blog configuration (mainly renaming the wp-comments-post.php and hiding the part of the code that calls it in a Javascript file), my host has said that my usage has dropped considerably. Thanks for all your help guys