Recently, we received numerous spam comments with email addresses “[email protected]” on the Meta Box website. Surprisingly, these comments managed to bypass the spam check conducted by the plugin “Simple CloudFlare Turnstile” that I use to prevent spam. It got me thinking, why not block all comments with specific email domains?
In this article, I’ll demonstrate a simple method to block comments by domain. You can implement it in a functionality plugin for your website, effectively putting an end to this annoyance.
Blocking comments using the default WordPress blacklist
WordPress comes equipped with a built-in feature that allows you to block comments containing specific keywords in the comment author’s name, email, URL, IP address, or content. You can find this feature under Settings > Discussion > Disallowed Comment Keys.
By adding “@tempmail.de” to the blacklist, WordPress successfully identifies these comments and instantly moves them to the Trash. So far, so good.
However, the issue with this method is that WordPress still needs to process these comments. What’s worse is that these comments are still inserted into the database. Writing to the database is a computationally heavy task. On a high-traffic website, this can lead to performance problems, especially if you become a target of a spam attack campaign.
Eventually, you’ll have to manually clean up your database by emptying the Trash.
Therefore, I decided to search for a better approach to block comments before they are processed and inserted into the database.
Blocking comments before saving them to the database
After reviewing the WordPress source code, I stumbled upon an intriguing filter called pre_comment_approved. This filter enables us to check the comment data and determine its status: spam, trash, pending, or approved.
If any errors are detected, we can return an instance of the WP_Error class to inform WordPress. Consequently, WordPress will refrain from inserting the comment into the database. That’s precisely what I was looking for!
With this in mind, I created a code snippet to check the comment email against a blacklist of domains, like so:
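add_filter( 'pre_comment_approved', function( $approved, $commentdata ) {
    // Email domains to reject, without the leading "@".
    $blacklist = [
        'tempmail.de',
    ];

    foreach ( $blacklist as $domain ) {
        // stripos() keeps the match case-insensitive, so "@TempMail.de" is caught too.
        if ( false !== stripos( $commentdata['comment_author_email'], "@$domain" ) ) {
            // Stop here with a 403 response; the comment is never written to the database.
            wp_die( 'Please do not spam. Thank you.', 'Your comment is blocked.', 403 );
        }
    }

    // No match: leave the approval status untouched.
    return $approved;
}, 10, 2 );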
In this code snippet, I can return an instance of WP_Error as instructed by WordPress. Unfortunately, WordPress does not display or log this error anywhere. Submitting a comment with a blacklisted domain will simply lead to a blank screen. Therefore, it can be difficult to verify if the code is functioning properly.
Instead, I utilize wp_die to halt the process and instantly display an error message. Since this is a spam comment, this approach is entirely appropriate. Additionally, I set the response status to 403, which represents “Forbidden” – a fitting status in this scenario!
Thanks to wp_die, testing the code snippet is straightforward. Simply visit a post and submit a comment with a domain from the blacklist, and the error message will be displayed!
If you come across any spam comments from other domains, simply add them to the $blacklist variable provided above.
From now on, all these comments will be preemptively blocked before they are processed or inserted into the database. Your website will be faster, without any database updates or trash cluttering up the database.
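A stricter variant of the check above, added here as an example and not part of the original article: it compares the domain after the last "@" exactly (subdomains included) instead of searching the whole address, and writes each block to the PHP error log so the rule can be verified. The prefix_* function name and the prefix_blocked_comment_domains filter are hypothetical names chosen for this example.

```php
<?php
// Added example, not the article's code. prefix_match_blocked_domain() and
// the 'prefix_blocked_comment_domains' filter are hypothetical names.

/**
 * Return the blocked domain that matches $email, or null if none does.
 */
function prefix_match_blocked_domain( string $email, array $blocked ): ?string {
	$at = strrpos( $email, '@' );
	if ( false === $at ) {
		return null; // No domain part, nothing to compare.
	}

	// Domain names are case-insensitive; also drop a trailing root dot.
	$host = rtrim( strtolower( trim( substr( $email, $at + 1 ) ) ), '.' );

	foreach ( $blocked as $domain ) {
		$domain = strtolower( trim( (string) $domain ) );
		if ( '' === $domain ) {
			continue; // Ignore empty list entries.
		}
		// Exact match, or a subdomain such as mail.tempmail.de.
		if ( $host === $domain || str_ends_with( $host, '.' . $domain ) ) {
			return $domain;
		}
	}

	return null;
}

add_filter( 'pre_comment_approved', function ( $approved, $commentdata ) {
	// Other code can extend the list through this (hypothetical) filter.
	$blocked = (array) apply_filters( 'prefix_blocked_comment_domains', [ 'tempmail.de' ] );
	$email   = (string) ( $commentdata['comment_author_email'] ?? '' );
	$hit     = prefix_match_blocked_domain( $email, $blocked );

	if ( null !== $hit ) {
		// Log the matched rule and post ID only, never the submitted address,
		// so user-controlled text does not end up in the log.
		$post_id = (int) ( $commentdata['comment_post_ID'] ?? 0 );
		error_log( sprintf( 'Comment blocked by domain rule "%s" on post %d', $hit, $post_id ) );
		wp_die( 'Please do not spam. Thank you.', 'Your comment is blocked.', 403 );
	}

	return $approved;
}, 10, 2 );
```

Like the original snippet's str_contains(), str_ends_with() needs PHP 8 or a WordPress version that polyfills it.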