WordPress comment and contact form spam blocking using Cloudflare

bikegremlin

OK, we all know that Cloudflare is (another) big brother that smiles warmly upon us (for now) giving a lot of free goodies.

Being less than thrilled with Google reCAPTCHA, I decided to try doing the same using Cloudflare, for as long as it's free.

It boils down to creating a WAF rule:
Field: URI Path
Operator: contains
Value: wp-comments-post.php
Action: JS Challenge

So far so good.

All the details (how to configure and test it) are in the article:
Stopping WordPress comment spam with CloudFlare

It's a constant cat-and-mouse game, but so far so good (says a man falling from a 10-storey building ).

somik

@bikegremlin said:
It's a constant cat-and-mouse game, but so far so good (says a man falling from a 10-storey building ).

It seems you can block 99% of spam with ANY captcha provider. The issue is the remaining 1% is real people who are getting paid to solve captchas whole day long. They cannot be blocked by ANY popular captcha/anti-spam providers.

The solution seems to be dual captcha where you have a own captcha to block at least 0.99% of the remaining 1% along with a popular provider blocking the 99%.

---

Note: All statistics numbers are made up.
Note 2: Information obtained from sources on shady forums offering jobs solving captcha.

lll

I would just disable comment. No spams at all.

bikegremlin

@somik
Cloudflare seems to be more effective than Google's reCAPTCHA. And it is a lot more stable compared to using a WordPress captcha plugin (the fewer plugins, the better). Also, it doesn't load anything until a "post comment" button is pressed, so it doesn't slow things down.

@lll
Comments are very helpful and useful on my websites. Both for readers and for me. Questions and additions & corrections is what they boil down to.

somik

@bikegremlin said:
@somik
Cloudflare seems to be more effective than Google's reCAPTCHA. And it is a lot more stable compared to using a WordPress captcha plugin (the fewer plugins, the better). Also, it doesn't load anything until a "post comment" button is pressed, so it doesn't slow things down.

I'll give it a try then. I was using google captcha v3 on one of my website but I still had to use my own captcha for the contact form to reduce the number of automated comments.

bikegremlin

@somik said:

@bikegremlin said:
@somik
Cloudflare seems to be more effective than Google's reCAPTCHA. And it is a lot more stable compared to using a WordPress captcha plugin (the fewer plugins, the better). Also, it doesn't load anything until a "post comment" button is pressed, so it doesn't slow things down.

I'll give it a try then. I was using google captcha v3 on one of my website but I still had to use my own captcha for the contact form to reduce the number of automated comments.

I gave myself the liberty to test your contact page (the note is clearly marked as a test).
If this helps, I suppose you could make a Cloudflare WAF rule:

Field: URI Path
Operator: equals
Value: /contact
Action: JS Challenge

somik

@bikegremlin said:

@somik said:

@bikegremlin said:
@somik
Cloudflare seems to be more effective than Google's reCAPTCHA. And it is a lot more stable compared to using a WordPress captcha plugin (the fewer plugins, the better). Also, it doesn't load anything until a "post comment" button is pressed, so it doesn't slow things down.

I'll give it a try then. I was using google captcha v3 on one of my website but I still had to use my own captcha for the contact form to reduce the number of automated comments.

I gave myself the liberty to test your contact page (the note is clearly marked as a test).
If this helps, I suppose you could make a Cloudflare WAF rule:

Field: URI Path
Operator: equals
Value: /contact
Action: JS Challenge

Oh, I don't use cloud flare on this website. Need to see how to set it up I guess.

Got any step by step for dummies for cloud flare?

bikegremlin

@somik said:

@bikegremlin said:

@somik said:

@bikegremlin said:
@somik
Cloudflare seems to be more effective than Google's reCAPTCHA. And it is a lot more stable compared to using a WordPress captcha plugin (the fewer plugins, the better). Also, it doesn't load anything until a "post comment" button is pressed, so it doesn't slow things down.

I'll give it a try then. I was using google captcha v3 on one of my website but I still had to use my own captcha for the contact form to reduce the number of automated comments.

I gave myself the liberty to test your contact page (the note is clearly marked as a test).
If this helps, I suppose you could make a Cloudflare WAF rule:

Field: URI Path
Operator: equals
Value: /contact
Action: JS Challenge

Oh, I don't use cloud flare on this website. Need to see how to set it up I guess.

Got any step by step for dummies for cloud flare?

Yup.

The first "chapter" of the article I linked in the first post contains a list of other relevant CF articles (how to configure DNS, how to configure it for WordPress and similar).