
How to Change the Comments Path and Block Comment Spam in WordPress with WP Ghost


This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.


Block comment spam bots by changing the WordPress comments path, hiding wp-comments-post.php, and adding reCAPTCHA protection with WP Ghost (formerly Hide My WP Ghost). Most comment spam comes from bots that POST directly to wp-comments-post.php, bypassing your comment form entirely. Change the file path, and those bots hit a dead end.

Every WordPress site processes comments through the same file: /wp-comments-post.php. Spam bots do not fill out your comment form like a human would. They send automated POST requests directly to this file using tools like cURL, completely bypassing honeypots, JavaScript checks, and front-end protections. Some site owners have reported server loads exceeding 190% during sustained comment spam attacks.

WP Ghost gives you three layers of comment protection: changing the file path so direct-POST bots cannot find it, hiding the original file so it returns a 404, and adding reCAPTCHA to your comment forms for front-end protection.

What Is the Comments Path in WordPress?

The comments path is the file WordPress uses to process all comment submissions. Every time someone submits a comment on your site, whether on a blog post, page, or WooCommerce product review, the form data is sent to this file: https://yourdomain.com/wp-comments-post.php

Why You Need to Secure the Comments Path

| Default comments path (exposed) | With WP Ghost (secured) |
| --- | --- |
| Bots POST directly to wp-comments-post.php | Custom path, bots get 404 on old file |
| Spam floods bypass form-level protections | reCAPTCHA on comment forms blocks front-end bots |
| File confirms WordPress to scanners | Original file hidden, CMS fingerprint removed |
| Server load spikes during spam attacks | Requests blocked before reaching WordPress |

Like xmlrpc.php and wp-login.php, the existence of wp-comments-post.php is a WordPress fingerprint. Bots and theme detectors check for this file to confirm your CMS. Hiding it removes one more detection signal. Beyond spam volume, comment spam can contain malicious links, phishing URLs, and script injection attempts that appear on your public pages if moderation is overwhelmed.


How to Secure the Comments Path with WP Ghost

Activate Safe Mode or Ghost Mode

Go to WP Ghost > Change Paths > Level of Security. Select Safe Mode or Ghost Mode and click Save.

[Screenshot: WP Ghost Level of Security panel showing Safe Mode and Ghost Mode options]

Change the Comments Path

This replaces the wp-comments-post.php filename with a custom name. Comment forms on your site will submit to the new path instead. Every bot script targeting the default filename gets a 404.

1. Go to WP Ghost > Change Paths > WP Core Security.
2. Find the Custom Comments Path field.
3. Enter a custom name or keep the predefined one.
4. Click Save.

[Screenshot: WP Ghost Custom Comments Path field in WP Core Security settings]

No files are renamed

WP Ghost does not physically rename any files. The wp-comments-post.php file stays in your WordPress root. WP Ghost creates a virtual path through URL rewrite rules. Deactivating the plugin restores the default instantly.


Hide wp-comments-post.php

After changing the path, the original wp-comments-post.php file may still respond to direct requests. This step blocks it completely. Bots POSTing to the old path get a 404.

1. Go to WP Ghost > Change Paths > WP Core Security.
2. Switch on Hide WordPress Common Files.
3. From the Hide Common Files list, select wp-comments-post.php.
4. Click Save.

Hiding wp-comments-post.php blocks direct POST requests to the file. It does not stop visitors from using your comment forms normally, since your forms now submit to the custom path.


Enable Comment Form Protection

For complete anti-spam protection, add reCAPTCHA to your comment forms. This catches bots that scrape your forms and submit to the correct custom path.

1. Go to WP Ghost > Brute Force > Settings.
2. Enable Use Brute Force Protection.
3. Switch on Comment Form Protection.
4. Select your reCAPTCHA type (Math, Google V2, V3, or Enterprise).
5. Click Save.

For detailed setup instructions for each reCAPTCHA type, see the Brute Force Protection tutorial.


Verify with a Security Check

After making your changes, verify everything is working. Go to WP Ghost > Security Check. Click Start Scan. The scan confirms the comments path is changed and the old file is hidden.

[Screenshot: WP Ghost Security Check results after securing the comments path]
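The web server's access log gives an independent check on the same two outcomes. The script below is an added example, not WP Ghost code: it reads combined-format log lines, counts POSTs to the old path that got a 404, lists any that were still served, and flags POSTs to the custom path that arrived without a same-site Referer. The custom path /reply-handler, the origin https://example.com and the log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/Nginx "combined" format (not real traffic).
# All addresses are from the reserved documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 404 512 "-" "curl/8.5.0"
203.0.113.7 - - [12/Mar/2025:10:01:03 +0000] "POST /wp-comments-post.php HTTP/1.1" 404 512 "-" "curl/8.5.0"
198.51.100.9 - - [12/Mar/2025:10:02:10 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.44 - - [12/Mar/2025:10:03:00 +0000] "POST /reply-handler HTTP/1.1" 302 0 "https://example.com/hello-world/" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2025:10:04:00 +0000] "POST /reply-handler HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.44 - - [12/Mar/2025:10:05:00 +0000] "GET /hello-world/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def audit(log_text, custom_path, site_origin, default_path="/wp-comments-post.php"):
    """Summarise comment POSTs on the old (default) path and the custom path."""
    report = {"default_blocked": 0,          # old path answered 404, as intended
              "default_still_served": [],    # old path answered anything else
              "custom_ok": 0,                # custom path, Referer from this site
              "custom_no_referer": Counter()}  # custom path, no same-site Referer
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]    # ignore any query string
        if path == default_path:
            if m["status"] == "404":
                report["default_blocked"] += 1
            else:
                report["default_still_served"].append((m["ip"], m["status"]))
        elif path == custom_path:
            if m["referer"].startswith(site_origin + "/"):
                report["custom_ok"] += 1
            else:
                report["custom_no_referer"][m["ip"]] += 1
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, "/reply-handler", "https://example.com"))
```

Any entry in default_still_served means the old file is not hidden yet. A missing Referer on the custom path is a signal to review, not proof of a bot, since some browsers and privacy tools strip it.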

Frequently Asked Questions

Will changing the comments path stop all comment spam?

It stops the majority. Most comment spam bots POST directly to wp-comments-post.php. Changing the path and hiding the file blocks those bots completely. More sophisticated bots that scrape your forms and submit to the correct URL need to be stopped with reCAPTCHA on the comment form. Use both layers for complete protection.

Does this work with WooCommerce product reviews?

Yes. WooCommerce reviews use the same WordPress comment system and wp-comments-post.php processing. When you change the comments path, WooCommerce reviews automatically route through the custom path. Review submission, ratings, and display all work normally.

Do I still need Akismet if I change the comments path?

They complement each other. WP Ghost blocks bots at the path level so they cannot find the file to POST to. Akismet filters spam at the content level by analyzing what was submitted. Together they create two layers of protection.

Does changing the comments path affect SEO?

No. The comments path is a backend processing URL that search engines do not index. Reducing comment spam actually improves SEO by preventing spammy links from appearing on your pages.

Does WP Ghost modify WordPress core files?

No. WP Ghost never touches or renames any file. The wp-comments-post.php file stays in your WordPress root. Virtual paths are created through URL rewrite rules. Deactivating restores the default instantly.


Customize All WordPress Paths – change every WordPress path including comments, wp-content, wp-includes, and more.

Brute Force Attack Protection – set up reCAPTCHA on comment forms and login pages.

Activate Security Tweaks – hide HTML comments, version tags, and other WordPress fingerprints.

Firewall and Geo Security – block malicious traffic at the server level before it reaches comment forms.

Website Security Check – verify your configuration after making changes.
