Introduction
Many WordPress site owners believe that disabling the comment section from the dashboard is enough to stop all forms of commenting. Unfortunately, that's not the case. Even with the comment form removed from your pages, spambots can still submit comments by sending direct POST requests to WordPress's core comment handler. This often leaves site owners puzzled when spam still appears in their moderation queue or database. In this post, we'll look at why this happens and how you can stop it at the server level, especially when using Caddy instead of Apache. This site was the target of a spam bot the other day, and it was lucky they didn't flood our comment section.
Note: I intended to disable the comment section on all my blog posts. If you want to reach me, just message me on LinkedIn.
Why it happens and how
1️⃣ Disabling comments in the UI doesn't stop direct POST requests
- When you "disable comments" in Settings → Discussion or per post/page, you're mainly removing the comment form from your site's visible pages.
- Spambots don't care about your forms. They send HTTP POST requests straight to wp-comments-post.php with fake comment data.
2️⃣ Some old posts or custom post types may still allow comments
- Even if new posts have comments disabled, older content might still have comment_status set to open.
- This can happen with pages, media attachments, or custom post types created by themes/plugins.
3️⃣ Your XML-RPC endpoint can accept comments
- If xmlrpc.php is enabled, bots can send trackbacks, pingbacks, and sometimes comments through XML-RPC methods like wp.newComment.
4️⃣ Plugins/themes re-enable or bypass comment settings
- Some themes ignore the global setting and leave the comment template active.
- Plugins (especially importers or content tools) can insert comments directly into the database.
🔒 How to stop it completely
Before adding the block in Caddy, a curl POST to wp-comments-post.php on this site came back with 200 OK:
(screenshot: curl output showing HTTP 200 OK)
🔒 Hard-lock comment posting in Caddy
Here’s how you can do it:
    yourdomain.com {
        root * /path/to/wordpress
        php_fastcgi unix//run/php/php8.2-fpm.sock
        file_server
        <...>

        @block_wp_sensitive {
            path /wp-comments-post.php
            # Optional: Block XML-RPC if you don't use it
            # path /xmlrpc.php
            # you can add more paths here, e.g. path /path/test.php
        }
        handle @block_wp_sensitive {
            respond "Oops! This page went on vacation without telling us." 404
        }
        <...>
        <...>
    }

What this does:
- @block_wp_sensitive with path /wp-comments-post.php matches any request for the comment submission file, and the handle block answers it with HTTP 404 Page Not Found (you could return 403 Forbidden instead). The request never reaches PHP.
- Optional XML-RPC block: uncommenting path /xmlrpc.php stops bots from using the XML-RPC API for spam.
After adding this block to my Caddyfile, this is what the same request looks like:
(screenshot: the 404 custom message returned by Caddy)
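To confirm the block from the command line instead of reading a screenshot, and to find older content that still has comment_status set to open (section 2 above), here is a small verification script. It is an added example, not code from the original post: it assumes curl is installed, that SITE is a placeholder for your site's base URL, and, for the optional post listing, that WP-CLI (wp) is run from the WordPress directory with the default wp_ table prefix.

```shell
#!/bin/sh
# Added example (not from the original post): check that Caddy answers the
# WordPress comment endpoints itself, and list content still open for comments.
# Assumptions: curl is available; SITE is a placeholder base URL; the optional
# --open-posts mode assumes WP-CLI and the default wp_ table prefix.

SITE="${SITE:-https://yourdomain.com}"

# Status codes that mean the web server replied without handing the request
# to PHP. 404 is what the Caddyfile above returns; 403 and 410 count as well.
is_blocked() {
    case "$1" in
        403|404|410) return 0 ;;
        *) return 1 ;;
    esac
}

# One-line verdict for a path and status code, e.g. "OK /wp-comments-post.php -> 404".
verdict() {
    if is_blocked "$2"; then
        echo "OK      $1 -> $2 (blocked at Caddy)"
    else
        echo "WARNING $1 -> $2 (request still reaches PHP)"
    fi
}

# POST a constructed, harmless form body to an endpoint and print only the HTTP status.
probe_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
        -X POST "$SITE$1" \
        --data 'comment=verification&author=check&email=check%40example.com&comment_post_ID=1'
}

# Probe both endpoints; return 1 if any of them still reaches PHP.
check_endpoints() {
    rc=0
    for p in /wp-comments-post.php /xmlrpc.php; do
        code=$(probe_status "$p")
        verdict "$p" "$code"
        is_blocked "$code" || rc=1
    done
    return $rc
}

# Section 2 of the post: published content whose comment_status is still open.
# Close them with: wp post update <ID> --comment_status=closed
list_open_posts() {
    wp db query "SELECT ID, post_type, post_title FROM wp_posts
                 WHERE comment_status = 'open' AND post_status = 'publish'"
}

case "${1:-}" in
    --check)      check_endpoints ;;
    --open-posts) list_open_posts ;;
esac
```

Run it as `SITE=https://yourdomain.com sh check_wp_endpoints.sh --check`; a WARNING for /xmlrpc.php is expected if you chose to leave the XML-RPC line commented out, while a WARNING for /wp-comments-post.php means the handle block is not taking effect. `--open-posts` prints the IDs you would then pass to `wp post update`.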
Final Thoughts
Disabling the comment section in WordPress only removes the visible form for visitors, not the underlying functionality that processes comment submissions. Persistent spam bots exploit this gap by targeting WordPress’s backend endpoints directly. The most effective solution is to block access to these endpoints at the web server level, which instantly stops spam before it reaches PHP. For Caddy users, a few lines in the Caddyfile can permanently solve the problem, making your site more secure and reducing server load.