If these are spam comments then turn off spam. If these are contact form spam then add some questions to the forms, although you'll have to change them every now and then. If the spam is really brute force dictionary attacks trying to log in, then rename the login page. Running a firewall via PHP script is CPU-expensive. If they control their own server they should have a firewall running. Learn how to tweak it.