A simple protection against comment spam in WordPress

Comment spam is one of the most annoying issues in blogs and content management systems. Even if you hide the comment form in the frontend, the WordPress comment endpoint (wp-comments-post.php) remains active by default – and can still be accessed directly.

I’ll explain the details and show you how to prevent comment spam.

How a comment can be posted using curl

A simple way to test how comment spam works is by using a curl request. This allows you to send a comment directly to WordPress – regardless of the visible form:

Bash
curl -X POST https://example.com/wp-comments-post.php \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "author=John Doe" \
  -d "email=spam@example.org" \
  -d "url=https://example.org" \
  -d "comment=Dies ist ein SPAM Kommentar per curl." \
  -d "comment_post_ID=5" \
  -d "comment_parent=0"

  • Instead of the domain example.com in the first line, you need to use your own WordPress domain.
  • The fields author, email, url, and comment will appear in the posted comment.
  • You can find the comment_post_ID by going to Posts > All Posts in the WordPress backend and hovering your mouse over the title of a post. In the browser’s status bar, you’ll see a URL like this:
    https://www.example.com/wp-admin/post.php?post=5&action=edit. The value after post= corresponds to the comment_post_ID.

Such requests can be easily automated – by bots, scripts, or even unintentionally by legitimate tools.
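To see what such direct submissions look like from the server side, here is an added example (not part of the original post) that scans Apache combined-format access log lines for POSTs to wp-comments-post.php arriving without a Referer from the site itself, which is exactly how the curl call above shows up. The log lines are constructed and the hostname example.com is assumed.

```bash
#!/bin/sh
# Constructed sample access-log lines (Apache "combined" format).
# A browser-submitted comment carries the post URL as Referer; the curl call
# from the article sends none ("-"), and a bot may send a foreign one.
SAMPLE_LOG='203.0.113.10 - - [01/May/2025:10:00:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://example.com/hello-world/" "Mozilla/5.0"
198.51.100.7 - - [01/May/2025:10:00:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "curl/8.5.0"
198.51.100.9 - - [01/May/2025:10:00:09 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://spam.example.org/" "Mozilla/5.0"
203.0.113.11 - - [01/May/2025:10:00:12 +0000] "GET /hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

# Print one line per suspicious request: client IP, referer, user agent.
# $1 = site hostname, stdin = access log.
# Referer is client-supplied, so treat this as a triage signal for log review,
# not as an access control.
direct_comment_posts() {
    awk -v site="$1" '
        # Whitespace fields: $6 is the method (with its leading quote), $7 the path.
        $6 == "\"POST" && $7 == "/wp-comments-post.php" {
            # Splitting on double quotes: q[4] is the referer, q[6] the user agent.
            n = split($0, q, "\"")
            referer = q[4]; agent = q[6]
            if (referer == "-" || index(referer, "://" site "/") == 0)
                printf "%s referer=%s agent=%s\n", $1, referer, agent
        }'
}

# Number of flagged requests in the sample log (returns "2" for the data above).
count_direct_comment_posts() {
    printf '%s\n' "$SAMPLE_LOG" | direct_comment_posts example.com | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | direct_comment_posts example.com
```

On a real server, replace the sample with `direct_comment_posts example.com < /var/log/apache2/access.log` (path assumed).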

Simple solution: Require registration for commenting

An effective and straightforward protection is to allow commenting only for registered users.

To do this, simply go to Settings > Discussion in WordPress and check the box that says »Users must be registered and logged in to comment.«

This blocks automated spam submissions to the endpoint, because without a valid login session WordPress rejects the comment even when the POST data is otherwise correct.

The only thing left is to secure the user registration page

For this, I recommend the Simple Cloudflare Turnstile plugin.

With this plugin, you can protect the user registration page from spambots.

Optional: Additional Protection Measures

For even more security, you can also:

  • Disable user registration under Settings > General > Membership.
  • Block access to the wp-comments-post.php file using a plugin or an .htaccess rule. Note that this also blocks legitimate comments, so it only makes sense together with disabling comments.
  • Disable comments entirely if you don’t need them.

Conclusion

Even if no form is visible, the comment endpoint in WordPress remains active. This can be demonstrated — and exploited — with a simple curl command.

An effective protection against this type of spam is easy to set up: require user registration for comments. This allows you to block many automated attacks elegantly — without plugins or complex measures.
