Welcome to WebmasterWorld!
Do you have Captcha enabled?

As Lorax kind of pointed at. Using a good captcha plugin is likely the fastest way to cut them off.

On sites where I used that I had good experience with "SI CAPTCHA Anti-Spam" (find on Wordpress.org).

I stopped using it only because I am now catching them instead. I am working on stuffing all the blog/forum spammers into lists I can export/transform into DNSBL, or firewall or httpd level blocking. With either I can block them before they get to even bother me by running any Wordpress code. They just won't get in.

But merely installing SI CAPTCHA Anti-Spam would be a good start for you. Most spammers then never get more than a 500 code.

These knuckleheads are bipassing the registration. I have disabled registration and they still get through

That seems an indication your installation may be open. Check everything!

Greenovator,

Some things don't quite connect here.


Turning off registration is a separate thing.. Does not block Spam on its own.
From the patterns I watch in catching the spam bots, they still run through the "registration phase" of the bots, without detecting whether it fails or even caring. They attempt to register, and then whether that succeeds or not they come back later for the actual spam-posting attempt, which typically show up as only a two line thing in your logs. (Call base URL, call /post-comment.php)

As long as you do not see new users magically show up in your Wordpress user-list, the registration blocking is working fine. (If you wanted to enable registration, you could add the Captcha to block robots instead.)

If your registration is turned off, you then need to look at your Discussion Settings. Thats where the real crux is.

If the Wordpress option "Users must be registered and logged in to comment." is not selected under "Settings" -> "Discussion", then whether or not you have turned off registration have little meaning in relation to Spam. Without that, the "Comment author must fill out name and e-mail " is the only restriction. Whether they can just add spam, or must fill in a fictional email and name.
In HTTP protocol terms, that makes no difference at all to a robot, since it can just post all three parts, whether you "require" it or not. That option only have a meaning for a human poster, who must fill it out manually.

If you have registration turn off, and "User must be registered" turned on already, then the bots should be blocked. (And so are every other new visitor.)

Notice that if you have both these options selected, then only existing users can comment.
No new users can enter (cannot register), and no one outside your existing user-list can comment. This means that each new user would have to be manually created by you in WP Admin before they can comment on any post. Is that really what you want?

Also moderate your comments, which is different than registration.

You might be also experiencing pingback and trackback spam.

In your wordpress Admin panel go to:

Settings > Discussions

and uncheck the box for:

“Allow link notifications from other blogs (pingbacks and trackbacks)”

This will make sure that all newer posts have the pingbacks and trackbacks disabled. Remember this is only for the posts that you’ll publish going forward. The next step disables them for the past posts.


To disable or enable pingbacks for specific pages or posts, go to the post or page editor and under the post check or uncheck the box for:

“Allow trackbacks and pingbacks on this page”

under Discussion.

For plugins you should definitely use these:

Akismet (Should come with a default install and is free if you don't use your WordPress site for money or something.)

Bad Behavior
[wordpress.org...]

Cookies for Comments
[wordpress.org...]

You could also try these:

Invisible Captcha
[wordpress.org...]

Anti-Captcha
[wordpress.org...]

Those are all transparent.

Here is another old trick. You may have to customize it for you setup. But put this in your .htaccess file.

RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?example\.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* - [F]

Here is a couple of plugins I installed recently because of a spam problem

Ban Hammer - This plugin prevents people from registering with any email you list and inks into a spam blacklist

User Spam Remover - Automatically removes spam user registrations and other old, never-used user accounts.

Can get them through the admin panel for plugins

I'm a big fan fan of Askimet. Captcha's not so much, because users should not have to work to participate on a site.

Per my earlier comment I used to use captcha. But is is often very annoying (to me too). Plus the blurring techniques many of them use is distinctly unreadable to many (color-blind, older, ...)
But I just finished my own blocker, currently the Wordpress plugin. Forum Spam is next, if there is any interest.

Now I block bad comments and trackbacks pretty cold. Plus, as new unseens show up, the API will learn (across the net) as someone "Spam" them. Intent is to let Spammers build their own walls around them. The more they try, the worse off they get.

Just finished the Wordpress plugin. Not on Wordpress.org yet, but is ready for anyone that want to test it out. More than just blocking Spammers, it has a security blocking section as well, blocking known bad actors. Info trackers, mark scanners, scrapers. By IP, agent string, ...

If someone wants to help test it out, see more on crudarrest[dot]com/about-crudarrest/

Plugin ZIP file can be downloaded from the download page.

I've had good results with NoSpamNX Plugin:

[wordpress.org...]

Akismet and moderating comments minimizes spam for me. I delete a few a day from the moderation queue, takes a few seconds daily.

There are some truths about WordPress comment spam that are hidden in plain sight.

Does anyone here bother to do a stats analysis on the User Agent string of the people who are spamming you?