Reduce Comment Spam – iThemes Security Plugin Option results in 405 NGINX Error

Updated on June 10, 2020

I’m a big fan of the iThemes Security Plugin for WordPress and I have been using it on all of my client websites. One of the interesting features of the plugin is the “Reduce Comment Spam” option under the WordPress Tweaks settings.

According to the documentation, enabling the option reduces spam comments from bots that send no referrer or no identified user agent. Once the option is enabled, the plugin adds the following rules to the nginx.conf file:

# Reduce Comment Spam - Security > Settings > WordPress Tweaks > Comment Spam
location = /wp-comments-post.php {
    limit_except POST { deny all; }
    if ($http_user_agent ~ "^$") { return 403; }
    valid_referers server_names jetpack.wordpress.com/jetpack-comment/;
    if ($invalid_referer) { return 403; }
}

NGINX Error: 405 Not Allowed

Unfortunately, enabling “Reduce Comment Spam” resulted in NGINX throwing “405 Not Allowed” when the comment form is submitted.

I understand the operation should not be allowed when the comment was posted by a bot or from a spam IP address. But I’m not sure why the comment submission was blocked for my IP. Well, I tried googling the issue and found that I was not alone. This link explains that the rule added by the iThemes Security Plugin should return 403 and not 405.

But I see that wp-comments-post.php, a core file that handles comments posted to WordPress, returns “405 Method Not Allowed” when the “REQUEST_METHOD” is not “POST”. Below is the code snippet:

if ( 'POST' != $_SERVER['REQUEST_METHOD'] ) {
    $protocol = $_SERVER['SERVER_PROTOCOL'];
    if ( ! in_array( $protocol, array( 'HTTP/1.1', 'HTTP/2', 'HTTP/2.0' ) ) ) {
        $protocol = 'HTTP/1.0';
    }

    header( 'Allow: POST' );
    header( "$protocol 405 Method Not Allowed" );
    header( 'Content-Type: text/plain' );
    exit;
}

But submitting the comment via the comment form should only make a POST request, right? For now, I have disabled the “Reduce Comment Spam” option and the comment form submission works fine. Now I’ll have to look for spam-fighting plugins to prevent spam comments. Have you faced this issue and found a solution? Do let us know via comments.
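Added example, not part of the original post or the plugin's code: a simplified Python model of how nginx evaluates the location block above for a request to /wp-comments-post.php. It assumes example.com as the site's server name and that the exact-match location has no fastcgi_pass of its own (none appears in the block shown), in which case nginx serves the path through its static file handler, which answers POST with 405 Not Allowed.

```python
from urllib.parse import urlsplit

# Constructed values: example.com stands in for the site's server_name.
SERVER_NAMES = {"example.com", "www.example.com"}
JETPACK = ("jetpack.wordpress.com", "/jetpack-comment/")


def referer_is_valid(referer):
    """Simplified valid_referers check. The rule has no 'none' keyword, so a
    missing Referer is invalid; otherwise the host must be a server name or
    the Jetpack host followed by its URI prefix."""
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host in SERVER_NAMES:
        return True
    return host == JETPACK[0] and parts.path.startswith(JETPACK[1])


def predict(method, user_agent, referer, php_handler_in_location=False):
    """Return (status, source) for a request to /wp-comments-post.php."""
    # Rewrite phase: the two `if (...) { return 403; }` rules run first.
    if not user_agent:
        return 403, "nginx: empty User-Agent"
    if not referer_is_valid(referer):
        return 403, "nginx: invalid Referer"
    # Access phase: limit_except POST { deny all; } rejects other methods.
    if method != "POST":
        return 403, "nginx: limit_except"
    # Content phase: an exact-match location wins over a regex location
    # such as `location ~ \.php$`. Without its own fastcgi_pass, nginx
    # treats the path as a static file and refuses POST.
    if not php_handler_in_location:
        return 405, "nginx: static handler, 405 Not Allowed"
    # Only here does the WordPress snippet above get to run.
    return None, "passed to PHP (WordPress decides the status)"


if __name__ == "__main__":
    # A normal browser submission from the site's own post page.
    print(predict("POST", "Mozilla/5.0", "https://example.com/hello-world/"))
```

In this model every request the rules let through is a POST, so the 405 cannot come from the WordPress check on REQUEST_METHOD; a browser submission is only handed to PHP when the location block carries the PHP handler directives itself.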
