WAF custom rule for wordpress comment spam?

What is the name of the domain?

n/a

What is the error number?

n/a

What is the error message?

n/a

What is the issue you’re encountering?

wordpress comment spam

What steps have you taken to resolve the issue?

I tried creating a rule:
URI contains /wp-comments-post.php
Request method equals POST
Referer does not contain mydomain.com
Action chosen is Block

What are the steps to reproduce the issue?

I thought this rule might work, but sure enough, I got another comment spam. I was using Turnstile (successfully), but just recently it developed a problem with WooCommerce so I had to deactivate it. Is there a WAF rule I can use to combat comment form spam?

First, may I ask if it is necessary for you to have comments enabled?

May I ask if you’ve got some blog or e-commerce shop?

I ask because it’s easier to completely disable comments for WordPress if there’s no such use.

Nevertheless, instead of the default WordPress comment system I use a 3rd-party comment system such as Disqus:

May I ask if you’ve given it or some other one a try?

Nevertheless, regarding Turnstile, may I ask which plugin you have used so far?

On some WordPress websites I am using the one below:

You can enable or disable it on particular forms, including the ones from plugins, see here:

While on the others, I developed a slightly different way, not using a plugin at all.

I guess the reviews or something else are left as spam on your shop then? :thinking:

Do you know from which countries you’ve got such comments? :thinking:
We have to understand the source; it happens on a POST request for sure, executed against the wp-comments-post.php file (path).
I guess you also have some words and would like to block any comment which contains some of those words, correct? :thinking: That way we can “filter out” just like “email spam filters” do.

May I ask if you’re using free or paid plan? :thinking:

On the Enterprise plan, we do have the http.request.body field, which would help you as it allows inspection of the content of the request body:

And we’d have to use the expression builder directly (the textarea input field).
For lower-tier paid plans and the free plan, we have to adjust it a bit.

You might want to modify it and add … AND country “is in” e.g. Russia, China, etc. as well, with action “block”.
Or, if they’re spamming you with URLs, maybe check if the query contains some URL, such as http.

(http.request.uri.path contains "wp-comments-post.php" and http.request.method eq "POST" and http.request.uri.query contains "http:" and ip.src.country in {"CN" "RU"})

I might have to check and test this out first to see what kind of query request goes to admin-ajax while commenting.

The other idea is to combine this with a Rate Limiting rule if you’re getting a lot of spam comments on the wp-comments-post.php request path.

You could combine it with a check if the user-agent contains “bot” or some other, like:

... or (http.user_agent contains "bot")

Would it be good to add the action “JS challenge” for each of these wp-comments-post.php requests? :thinking:

You could try to combine it and add a check if the referrer is empty, or for an empty user-agent, which is a common thing, as ... and http.user_agent eq "":

(http.request.uri.path contains "wp-comments-post.php" and http.request.method eq "POST" and http.request.uri.query contains "http" and ip.src.country in {"CN" "RU"} and http.referer eq "") or (http.request.uri.path contains "wp-comments-post.php" and http.request.method eq "POST" and http.request.uri.query contains "http" and ip.src.country in {"CN" "RU"} and http.user_agent eq "")

Or if the referer doesn’t equal your domain, as you have.
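To see which of the conditions discussed in this thread actually fire on a WordPress comment POST, here is an added example that is not code from either participant and not Cloudflare's rule engine: a small Python stand-in that evaluates the original poster's Referer rule and the reply's query/country expression against constructed requests. The Request class, the sample bodies, IPs, timestamps and the mydomain.com domain are assumptions; the form field names (comment, author, email, url, comment_post_ID) are the ones the stock WordPress comment form submits.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class Request:
    """Minimal stand-in (assumption) for the request fields a WAF rule can see."""
    method: str
    path: str
    query: str      # http.request.uri.query
    headers: dict   # lower-cased header names
    body: str       # http.request.body.raw (the reply notes this is Enterprise-only)
    country: str    # ip.src.country
    ip: str         # ip.src
    ts: float       # seconds, used only by the rate-limit check

    def header(self, name: str) -> str:
        return self.headers.get(name.lower(), "")


def is_comment_post(r: Request) -> bool:
    # http.request.uri.path contains "wp-comments-post.php" and http.request.method eq "POST"
    return "wp-comments-post.php" in r.path and r.method == "POST"


def referer_off_domain(r: Request, domain: str) -> bool:
    # "Referer does not contain mydomain.com"; an absent Referer also matches
    return domain not in r.header("referer")


def query_contains_url(r: Request) -> bool:
    # http.request.uri.query contains "http"
    return "http" in r.query


def body_contains_url(r: Request) -> bool:
    # The comment text is a form field in the POST body, not in the query string,
    # so only a body field can see it.
    comment = parse_qs(r.body).get("comment", [""])[0]
    return "http://" in comment or "https://" in comment


def ua_contains_bot(r: Request) -> bool:
    # http.user_agent contains "bot" (lower-cased here so "Bot" is caught too)
    return "bot" in r.header("user-agent").lower()


def op_rule_blocks(r: Request, domain: str) -> bool:
    """The original poster's rule: comment POST whose Referer lacks the domain."""
    return is_comment_post(r) and referer_off_domain(r, domain)


def reply_rule_blocks(r: Request, countries=frozenset({"CN", "RU"})) -> bool:
    """The reply's expression: comment POST, 'http' in the query, country in set."""
    return is_comment_post(r) and query_contains_url(r) and r.country in countries


def evaluate(r: Request, domain: str) -> dict:
    """Evaluate every condition separately so it is visible which ones fire."""
    if not is_comment_post(r):
        return {}
    return {
        "referer_off_domain": referer_off_domain(r, domain),
        "query_contains_url": query_contains_url(r),
        "body_contains_url": body_contains_url(r),
        "ua_contains_bot": ua_contains_bot(r),
    }


def over_rate_limit(requests, ip: str, window_s: float, threshold: int) -> bool:
    """True if `ip` sent more than `threshold` comment POSTs inside any window of
    `window_s` seconds; a simple stand-in for a Rate Limiting rule."""
    times = sorted(r.ts for r in requests if r.ip == ip and is_comment_post(r))
    return any(times[i + threshold] - times[i] <= window_s
               for i in range(len(times) - threshold))


# Constructed sample traffic (not real logs).
DOMAIN = "mydomain.com"
PATH = "/wp-comments-post.php"
BODY_OK = "comment=Great+post%2C+thanks&author=Ann&email=ann%40example.com&url=&comment_post_ID=12"
BODY_SPAM = ("comment=Cheap+pills+here+https%3A%2F%2Fspam.example%2Fbuy"
             "&author=x&email=x%40example.com&url=&comment_post_ID=12")
BROWSER = {"referer": "https://mydomain.com/hello-world/", "user-agent": "Mozilla/5.0"}

legit = Request("POST", PATH, "", BROWSER, BODY_OK, "US", "203.0.113.5", 0.0)
# Same visitor but the browser sends no Referer (Referrer-Policy: no-referrer).
legit_no_referer = Request("POST", PATH, "", {"user-agent": "Mozilla/5.0"}, BODY_OK, "DE", "203.0.113.6", 0.0)
# Script posting straight to the endpoint: no Referer, scripting User-Agent.
spam_direct = Request("POST", PATH, "", {"user-agent": "python-requests/2.31"}, BODY_SPAM, "RU", "198.51.100.9", 0.0)
# Bot that copies a browser's Referer and User-Agent headers.
spam_spoofed = Request("POST", PATH, "", BROWSER, BODY_SPAM, "US", "198.51.100.10", 0.0)
burst = [Request("POST", PATH, "", {}, BODY_SPAM, "RU", "198.51.100.9", t) for t in range(6)]

if __name__ == "__main__":
    for name, r in [("legit", legit), ("legit_no_referer", legit_no_referer),
                    ("spam_direct", spam_direct), ("spam_spoofed", spam_spoofed)]:
        print(name, evaluate(r, DOMAIN), "op_rule:", op_rule_blocks(r, DOMAIN),
              "reply_rule:", reply_rule_blocks(r))
    print("burst over 5/10s:", over_rate_limit(burst, "198.51.100.9", 10, 5))
```

Running it shows why the Referer rule alone is not enough: the direct bot is blocked, but the bot that copies browser headers passes, while a legitimate visitor whose browser omits the Referer is blocked as a false positive. The query-string condition never fires on any of the samples, because the comment text (and any spam URL in it) travels in the form body, which only a body field can inspect; a request-count threshold on the endpoint, as the reply's rate-limiting idea suggests, catches the burst regardless of headers.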
