WordPress comment and contact form spam blocking using Cloudflare
bikegremlin
ModeratorOGContent Writer
OK, we all know that Cloudflare is (another) big brother that smiles warmly upon us (for now) giving a lot of free goodies.
Being less than thrilled with Google reCAPTCHA, I decided to try doing the same using Cloudflare, for as long as it's free.
It boils down to creating a WAF rule:
Field: URI Path
Operator: contains
Value: wp-comments-post.php
Action: JS Challenge
So far so good.
All the details (how to configure and test it) are in the article:
Stopping WordPress comment spam with CloudFlare
It's a constant cat-and-mouse game, but so far so good (says a man falling from a 10-storey building 
).
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
Comments
It seems you can block 99% of spam with ANY captcha provider. The issue is the remaining 1% is real people who are getting paid to solve captchas whole day long. They cannot be blocked by ANY popular captcha/anti-spam providers.
The solution seems to be dual captcha where you have a own captcha to block at least 0.99% of the remaining 1% along with a popular provider blocking the 99%.
Note: All statistics numbers are made up.
Note 2: Information obtained from sources on shady forums offering jobs solving captcha.
Artificial intelligence is no match for our natural stupidity.
Time flies like an arrow; fruit flies like a banana.
I would just disable comment. No spams at all.
@somik
Cloudflare seems to be more effective than Google's reCAPTCHA. And it is a lot more stable compared to using a WordPress captcha plugin (the fewer plugins, the better). Also, it doesn't load anything until a "post comment" button is pressed, so it doesn't slow things down.
@lll
Comments are very helpful and useful on my websites. Both for readers and for me. Questions and additions & corrections is what they boil down to.
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
I'll give it a try then. I was using google captcha v3 on one of my website but I still had to use my own captcha for the contact form to reduce the number of automated comments.
Artificial intelligence is no match for our natural stupidity.
Time flies like an arrow; fruit flies like a banana.
I gave myself the liberty to test your contact page (the note is clearly marked as a test).
If this helps, I suppose you could make a Cloudflare WAF rule:
Field: URI Path
Operator: equals
Value: /contact
Action: JS Challenge
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews
Oh, I don't use cloud flare on this website. Need to see how to set it up I guess.
Got any step by step for dummies for cloud flare?
Artificial intelligence is no match for our natural stupidity.
Time flies like an arrow; fruit flies like a banana.
Yup.
The first "chapter" of the article I linked in the first post contains a list of other relevant CF articles (how to configure DNS, how to configure it for WordPress and similar).
Relja of House Novović, the First of His Name, King of the Plains, the Breaker of Chains, WirMach Wolves pack member
BikeGremlin's web-hosting reviews