How to Disable WordPress Comments and Fully Avoid Spam

Comment spam on WordPress blogs can easily be avoided without the need for plugins if you configure your own servers. Just turning off comments in settings will not remove the ability for spammers to access the WordPress commenting facility.

The WordPress file wp-comments-post.php is responsible for accepting comments and is globally accessible, regardless of the comment settings in WordPress admin. Disallowing access to this file altogether would mean nobody can ever submit a comment, regardless of what is configured in WordPress, and that is not what we want.

The Basic Idea

The basic idea to fight spam is to only allow commenting if the referrer is your your own website. That’s always the case for legitimate commenters, because they have to be on the corresponding page using a browser to actually type and submit the comment. Spammers normally don’t set the referrer. Following this idea, they would be turned away.

For that to work we have to manually configure the web server which is running WordPress. I use nginx and stopped using Apache years ago for performance reasons.


We have to set valid_referers for which we conveniently choose nginx’s server_name variable, which has to be manually set for every virtual host. This is most likely the domain name. In my case it’s michaelnordmeyer.com.

location ~ /wp-comments-post\.php$ {
  valid_referers server_names;
  if ($invalid_referer) { return 403; access_log off; }
  include sites-available/php-fpm.include;

To be able to execute PHP for valid comments, we have to include the PHP settings so nginx knows how to submit the request to PHP. As I run Ubuntu Server all settings are stored in /etc/nginx/sites-available/. I chose to have a modular configuration setup so I included the settings from a file called php-fpm.include which looks like this:

location ~ \.php$ {
  include snippets/fastcgi-php.conf;
  fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
  fastcgi_keep_conn on;

Yours might look differently. I especially use a socket and not TCP to connect to PHP, because a socket is faster.

Logging is disabled for this particular use case to keep the logs clean (access_log off).


It should be a easy to adapt this to Apache. If there’s no equivalent server_name variable then just use your hard-coded domain name.


Regardless if comments are enabled in WordPress or not, spammers won’t be able to submit spam anymore. And we don’t need a potentially insecure and/or slow WordPress plugin for that.