Other WordPress anti-spam measures: rename wp-login.php, wp-comments-post.php, and wp-trackback.php

First published on November 1, 2006

You might have the best anti-spam plugin in the world, but that won’t stop spambots from visiting your site. If you have a WordPress blog, they will hammer your wp-comments-post.php and wp-trackback.php files automatically — you might not see the spam anymore, but the bloody spambots are still bogging down your server (10% of all hits to are spambots!).

One possible solution is to rename the files that accept comments and trackbacks! This way, the spambots encounter a “file not found” page when they are looking for your default wp-comments-post.php and wp-trackback.php locations. This is much easier on your server and if you do it correctly, your regular visitors won’t even notice as commenting and trackback capabilities will continue to work. However, make sure you change the references to these two files in your WordPress code. For most installations, here’s what you do:

1) In your base WordPress directory, rename wp-comments-post.php to something like wp-comments-roller.php, and rename wp-trackback.php to something like wp-trackback-hockey.php.

2) Edit the WordPress files that reference these two files. For most WordPress 2.0 installations, this means editing one reference to wp-comments-post.php in each of your theme’s comments.php and comments-popup.php files (found in the folder wp-content/themes/yourtheme/); wp-trackback.php is referenced once in comment-functions.php (this is comment-template.php in 2.1.x) and twice in template-loader.php (both found in the folder wp-includes/).


If you allow registration on your site, rename wp-login.php (this tip was suggested by Kent). This file is the registration file (as well as the login file) — if you rename it and give its location only to potential members (that is, don’t link to it with a big “Register here” link), not as many spambots will be able to figure out where it is. Just remember to change all references to the file in the WordPress files, including:



Note: if you’re unsure of what you’re doing, back up your files first! When upgrading, remember to do this process over again. Also, if you have Notepad++ or some other program that can search source code, use that to find any overlooked references of your renamed files.
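The rename-and-fix-references procedure above, as an added POSIX shell example (not code from the original post): it builds a constructed miniature WordPress tree, renames the two entry points to the names the post suggests, rewrites every reference under the install, and then runs the “any overlooked references?” check the post says to do by hand. The fixture layout and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes "$1" is the WordPress root.
# The new file names are arbitrary, like the post's wp-comments-roller.php.

# Build a constructed miniature WordPress tree so the script runs offline.
make_fixture() {
  root="$1"
  mkdir -p "$root/wp-includes" "$root/wp-content/themes/yourtheme"
  printf '%s\n' '<?php // handles POSTed comments' > "$root/wp-comments-post.php"
  printf '%s\n' '<?php // handles trackback pings' > "$root/wp-trackback.php"
  # Theme comment form pointing at the default comment handler.
  printf '%s\n' '<form action="<?php bloginfo("url"); ?>/wp-comments-post.php" method="post">' \
    > "$root/wp-content/themes/yourtheme/comments.php"
  # template-loader.php references wp-trackback.php twice, as the post notes.
  printf '%s\n' "if ( \$wp_query->is_trackback )" "  include(ABSPATH . 'wp-trackback.php'); // wp-trackback.php" \
    > "$root/wp-includes/template-loader.php"
}

# Rename the two entry points and rewrite every reference under the install.
rename_entry_points() {
  root="$1"; new_comments="$2"; new_trackback="$3"
  mv "$root/wp-comments-post.php" "$root/$new_comments"
  mv "$root/wp-trackback.php" "$root/$new_trackback"
  # Portable in-place edit (no GNU-only sed -i): write to a temp file, then swap.
  find "$root" -type f -name '*.php' | while read -r f; do
    sed -e "s/wp-comments-post\\.php/$new_comments/g" \
        -e "s/wp-trackback\\.php/$new_trackback/g" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
}

# Count files still referencing the old names (the check the post does with Notepad++).
count_stale_refs() {
  grep -rl -e 'wp-comments-post\.php' -e 'wp-trackback\.php' "$1" | wc -l | tr -d ' '
}
```

Run it against a copy first and redo it after every core upgrade, as the note above says; as comments 4 and 5 below report, bots that read the form’s action attribute will still find the new name, so treat this as load reduction rather than a spam control.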


12 Responses to “Other WordPress anti-spam measures: rename wp-login.php, wp-comments-post.php, and wp-trackback.php”

  1. fruityoaty says:

    This is a great tip! I’ll try it out, after I backup my files. Thank you.

  2. Ajay D’Souza says:

    For quickly finding all references to wp-comments-post and wp-trackback you can use Notepad++ and ask it to search in the WordPress directory.

  3. Charly Silaban says:

    @Ajay D’Souza
    Macromedia Dreamweaver can do it smoothly too.
    Just hit Ctrl+F (Find) and choose your location option at “Find In” dropdown menu.

    Thanks a lot for these tips :)

  4. Christian Donner says:

    This is quite outdated, I must say. The bots that spam my blog actually parse the posting page for the correct name of the target. Minutes after I renamed the wp-comments-post.php, I got more spam:

    200.88.223.xx – – [09/Mar/2007:22:49:37 +0000] “GET /t-mobile-sda-smartphone-faq.htm HTTP/1.1″ 200 12831 “…./t-mobile-sda-smartphone-faq.htm” “User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
    200.88.223.xx – – [09/Mar/2007:22:49:41 +0000] “POST /wp-comments-allowed.php HTTP/1.1″ 302 5 “…../t-mobile-sda-smartphone-faq.htm” “User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”

  5. John Apache says:

    Nice one, I changed my URLs to wpcco.php and I am seeing intelligent spambots that issue a GET request for my blog page, then find the changed URL by looking at the source! Then they issue a POST full of spam to my renamed file! Ahh.

  6. Magda says:

    Thank you for that tip! And also for the anti-spam plugin. I’m using both for my site.

  7. Jimmy says:

    Is it possible to trackback a site that doesn’t have the link on the page? If you guess it right, will it go live?

  8. Peter says:

    Hi Jimmy,

    Yes, if you use the correct trackback link and that site has trackbacks enabled (my site doesn’t) it will work.

  9. Torgeir says:

    I was, well, not actually spammed, but there were lots of visits on my site or wp-comments-post.php and I thought I should trick these spammers… So I made a copy of wp-comm… and wp-trackback…. and renamed the original files, then I altered the files these spammers would hit on, and wrote a simple refresh code into them, sending the spammers to a site of my choice :D I just got lots of hits on a video I have on YouTube :D

  10. Alan says:

    Hi Peter,

    Suppose I do this. How does that then affect the automatic update from the control panel?

    I ask because last night, I just upgraded from Version 2 to version 2.8 (a delay of 3 or more years), which had to be done manually.

    My heart was in my mouth the whole time.



    Reply from Peter: You would have to rename the core files again. As for template changes, if you’re using a custom template you wouldn’t have to make any changes except as needed for any new features.

  11. Alan says:

    Thanks for the reply, Peter.

    At the risk of being tiresome, when you refer to renaming the “core files” again, I am assuming you mean renaming wp-login.php, wp-comments-post.php, and wp-trackback.php.

    So if I understand, the update would just load new versions of the above, and I would need to rename them.

    That’s it?



    Reply from Peter: Yes, that’s what I mean. Especially if you’re renaming wp-login.php, though, there are probably a few references you’ll need to change. As noted in the original post (which is getting quite old) you should also search through the WordPress files to see which files reference the ones you’re renaming.

  12. Alan says:

    Thanks Pete,

    Sorry for the delay in acknowledging this, and thanks for your helpful site. It is quite obvious you devote a lot of energy and dedication to this project, and I appreciate it.


