ONE Cloudflare Rule to Block All WordPress Comment Spam

Here’s an easy way to block all WordPress comment spam using a single Cloudflare firewall rule.

Table of Contents

1. Access the Cloudflare Firewall Rules Section

Log into your Cloudflare account and click “WAF” to go to the “Firewall Rules” tab as shown here:

Cloudflare WAF Firewall Rules
Cloudflare WAF Firewall Rules

If you’re on a Cloudflare free tier plan, you can create five firewall rules for free.

2. Create a Firewall Rule to Block all WordPress Spam

Click the “Create Firewall Rule” button as shown here:

Cloudflare Create Firewall Rule
Cloudflare Create Firewall Rule

Now create the firewall rule like this:

  1. Give your rule a name: “Block WordPress Comment Spam”
  2. Under “Field”, select “URI Path”
  3. Under “Operator” choose “Contains”
  4. In the “Value” section, click comments-post.php
  5. Click the “Or” button on the right-hand side
  6. Repeat the above four steps, and in the last step, type /?replytocom instead

Here’s what it looks like:

Cloudflare Firewall Rules to Block WordPress Spam
Cloudflare Firewall Rules to Block WordPress Spam

To do this quickly, click “Edit expression” as shown above and type the following into the box:

(http.request.uri.path contains "comments-post.php") or (http.request.uri.path contains "/?replytocom=")

Scroll down and under the box labeled “Then…”, choose “JS Challenge”:

Choose JS Challenge Under Then
Choose JS Challenge Under Then

Now save your changes, and you’re done.

3. Monitor the Cloudflare Firewall Rule Activity

After waiting for a day or so, check the efficacy of the firewall rule by clicking the “Activity” graph next to the firewall rule name like this:

Cloudflare Firewall Rule Blocking Activity for WordPress Spam
Cloudflare Firewall Rule Blocking Activity for WordPress Spam

The activity report shows you each request that the Cloudflare firewall processed. The “CSR” is the “Challenge Solve Rate”, which shows how many actual users with browsers accessed your comments. In the screenshot above, the CSR for the rule is 0%, which means all the requests were by automated bots.

Here’s the Cloudflare Firewall activity log:

Details of Cloudflare Blocked Request
Details of Cloudflare Blocked Request

You can expand each entry to see details about which URL was blocked, where the visitor came from, and whether or not they were successful.

I’ve found the above rule to block all automated WordPress spam completely.

Why I Use a Cloudflare JS Challenge Over Blocking Outright

You’ll notice that in the final part of step 3, I use a JS challenge instead of blocking the request. The reason is that I want to allow humans with a browser to comment on WordPress while blocking automated spam bots. When a human posts a comment, they’ll see a screen like this for a few seconds:

Cloudflare JS Challenge Screen for Regular WordPress Commenters
Cloudflare JS Challenge Screen for Regular WordPress Commenters

A regular human user will leave just one WordPress comment at a time, so this screen won’t inconvenience them. And Cloudflare remembers a successful JS challenge preventing the same visitor from seeing another for a while. You can configure how long a WordPress user has to wait before seeing another JS challenge screen. On the Cloudflare dashboard, under “Security -> Settings”, there’s an option called “Challenge Passage” as shown here:

Cloudflare JS Challenge Passage Validity Duration
Cloudflare JS Challenge Passage Validity Duration

You can set this to as long as you want – up to a year. So if you think WordPress commenters are seeing too many challenge screens, increase this setting to an appropriately long duration.

Lots of Space for More Cloudflare Rules

The beauty of this solution is that it bundles two Cloudflare firewall rules into one. And using the “OR” button, you can include as many rules as you want. You can dedicate a single Cloudflare firewall rule for WordPress spam with as many rules as you wish. Those using Cloudflare’s free tier will appreciate the additional four rules they can use before upgrading to a “Pro” plan.

Even “Pro” users can bundle many different Cloudflare rules and save space.

Improve WordPress Security with Cloudflare Zero Trust

In addition to the firewall rule above, you can also use Cloudflare Zero Trust to protect WordPress login pages. With Zero Trust, you specify a set of e-mail addresses that are allowed to access WordPress, and Cloudflare ensures that only those users can present themselves for identification via an OTP that it sends to the e-mail ID.

This method of protection is perfect for those who don’t want to configure VPNs to protect WordPress – or indeed any application’s login page.

Why Cloudflare is so Effective for Combating WordPress Spam

I’ve tried many solutions for dealing with automated WordPress spam, and Cloudflare firewall rules are the best I’ve found so far. Other solutions like plugins put the burden on WordPress to detect spam. WordPress is already a heavy CPU and database user, and I don’t like adding to its burden by making it detect comment spam.

Automated bots, in particular, can hit your site thousands of times in a short period, and this can overburden a WordPress installation, especially if it’s on a shared hosting environment. By offloading the bot detection to Cloudflare, you keep your WordPress installation free to deal with actual requests from real users and not waste them on coping with automated spam. Instead, you can disable links in WordPress comments to focus on the quality of comments.

I hope you found this tutorial useful!

About Bhagwad Park

I've been writing about web hosting and WordPress tutorials since 2008. I also create tutorials on Linux server administration, and have a ton of experience with web hosting products. Contact me via e-mail!




  2. Finally removed akismet and turned off jetpack. This cloudflare rule is easy and simple to do.


Speak Your Mind