Elegant Themes Blog

Stay up to date with our most recent news and updates

How to Reduce WordPress Comment Spam

Posted on February 5 by in Tips & Tricks | 91 comments

How to Reduce WordPress Comment Spam

Comment spam remains a problem for all WordPress users. It also affects other blogging software and platforms such as discussion forums, guestbooks and wikis.

Unfortunately, it is near impossible to completely stop spam software from attacking your website. Even if you completely disable comments, spammers can still submit spam to your website. Whilst these comments will not be displayed on your live website, they will take up space in your database, which will increase the overall size of your database and, in turn, slow your website down.

In this article, I would like to give you some tips on how you can reduce comment spam on a WordPress website. If you follow these steps, you should greatly reduce the volume of comment spam you receive.

The first four steps all involve configuring your discussion settings correctly on your website. You will find the discussion settings area in your main admin menu under Settings / Discussion. The direct URL for this area is www.yourwebsite.com/wp-admin/options-discussion.php.

1. Moderate Comments

There is a section in the WordPress discussion settings page entitled “Before a comment appears”. This section allows you to control which comments are sent to the moderation queue and which articles are automatically published on your website.

Moderate Comments

Moderation can be time-consuming, however it will give you better control over what comments are published on your website.

Enabling “Comment must be manually approved” means that every single comment must be manually approved. A lot of blogs use this setting as it gives full control over what comments are published. This essentially means that no spam comments will ever be published on your website.

As someone who comments on blogs semi-regularly, I find this option frustrating. Depending on how often the blog owner checks the comment moderation queue, it could be a few hours or even a few days before a comment is approved and published. This can slow down any discussions that are taking place.

The other option is “Comment author must have a previously approved comment”. I personally feel that this is a more practical option as it only sends a commenter’s first comment to the moderation queue. Once they have had a comment approved, all of their subsequent comments will be approved automatically.

This setup is not perfect as someone could technically submit a good comment and then submit spam later. However, in practice, the majority of people who leave a good comment initially will submit good comments in the future.

2. Hold Comments That Have Links

A high percentage of spam comments contain links. One way to take advantage of this is to send any comments with links to the moderation queue.

You can do this in the “Comment Moderation” section. A fresh WordPress installation will send comments to the moderation queue if they contain two links or more. I recommend reducing this to one as many spam comments only contain one link.

Hold Comments That Have Links

Spammers usually include links in their comments.

3. Use the Comment Blacklist

The comment blacklist is one of the most underused features of WordPress; despite it being available in every WordPress website. It allows you to blacklist the IP addresses of spammers who are persistently attacking you. You can also blacklist commenters by URL, email address, name and/or content.

Blacklisting someone is a good way of discouraging people who are submitting spam manually. I encourage you to use it when you can.

Use the Comment Blacklist

The comment blacklist is useful in stopping attacks from specific spammers and spammers who are promoting specific products.

4. Close Comments On Older Posts and Pages

Whilst comment spam does occur on new articles, it is more common for spammers to target older articles that have established traffic and a good search engine ranking. These articles can sometimes be years old, so you may not even notice that they have been attacked.

WordPress lets you automatically disable comments on posts and pages that were published a defined number of days in the past. In my experience, a couple of months (e.g. 100 days) is normally a good balance between keeping comments enabled on new articles and stopping spammers in their tracks.

Close Comments On Older Posts and Pages

Spammers target articles that have a presence in search engines.

5. Install Anti-Spam Plugins

Whilst I do believe that configuring your discussion settings correctly should be your first port of call when tackling spam, there are a lot of plugins available to help you when spam does get out of hand.

The most well-known plugin is Akismet; which comes packaged with every installation of WordPress. Developed by the makers of WordPress, Akismet is an an automated spam service that will filter spam comments into your spam folder. It is very effective and learns from what comments you mark as spam and what comments you mark as legitimate.

Due to how big a problem Spam is for WordPress users, there are hundreds of anti-spam plugins available for WordPress. There are way too many to list in this article, but here are a few good anti-spam plugins to get you started:

Be aware that some anti-spam plugins can hurt the commenting experience for genuine commenters by making them jump through hoops before they can submit a comment. Unfortunately, that is the price you may need to pay if comment spam is a major problem on your website.

Overview

Comment spam is an ongoing battle that most website owners have to face on a daily basis. Thankfully, if you configure your discussion settings correctly, few spam comments will actually be published on your live website.

Whichever moderation option you choose, be sure to check your moderation queue and spam folder on a regular basis as there is nothing more discouraging to readers than having a long detailed comment deleted :)

If you enjoyed this article, I encourage you to subscribe to our blog for updates on our latest content.

91 Comments

  1. Very good article regarding spamming comments on post :) Thanks Kevin for detail guideline

      • I’m about to embark on stopping spam myself. Thanks for the read.

    • Loved it. I personally use Askimet! It works wonders for WP!

  2. I also was used in past plugin called “Antispam Bee” and he do great job.

    Now i switch to social comment system – G+ and Facebook and have zero spam since then.

    • I use “Antispam Bee” also, it’s a free plugin and do a good job!

  3. Hi Kevin
    Those automated spam comments can be a real pain!
    You can spend more time sifting through the comments than actually writing posts.

    I use the WordPress Simple Firewall plugin for lots of things including fighting spam.
    This is a short extract from the plugin page:

    “Comments and SPAM Protection
    Uses and builds upon tried and tested SPAM prevention and filtering techniques with some unique approaches found only in this plugin.”

    Well worth a try if people are having problems with spam.

  4. I recommend two plugins.

    Bad Manners
    WordFence

    Between them these stop comment spam and hack attacks. In doing so they can also reduce your sites bandwidth to a large extent.

    They are blocking 3000 malicious attempts per week on some of my sites.

    • Kevin Muldoon

      Wow. That’s a lot of attacks. Bandwidth is something I had not touched upon previously, but it can be a big problem.

  5. I had no idea there was a Comment Blacklist in WP. Where is it, and how do we use it?

    • Here: Settings –> Discussion – scroll down.

      • Rochelle, I had same question after banging my head on wall for over an hour! Matthias, thank you for resolving this!

        • i think this theme so beatifully SEO n best of best for you website or blog. Recomended

  6. Wondering, Kevin, why you may have left out Akismet as an anti-spam plug in?

    • He mentions it in the beginning of the plugins section :) The following links are suggestions of other, possibly lesser-known, plugins that can also be a great help.

  7. Nice article. For german readers and bloggers the plugin Antispam Bee is a good alternative.

    German law is a little bit special … the Akismet plugin should not be used in Germany.

    • Can you explain the differences in Germany when dealing with spam?

      Curious.

      Thanks

    • Kevin Muldoon

      I was not aware of that. Why can Akismet not be used?

      • This is an article from the “WordPress Deutschland” site which explains the problem using askimet in germany. (Translation via Google Trans):

        “Akismet collects a lot of data (IP, Comment name, comment, mail address, comment, Browser, and many more), sends and stores them on servers in the United States. This is allowed under the German and European data protection laws only with a consent of the commentators, because the USA is considered according to our law as a country without adequate level of data protection.

        Consent must be explicit, ie in the form of a checkbox. Furthermore, the sender of a commentary in the run must be informed that personal data are collected and stored on foreign servers.”

  8. If you don’t use comments at all on your website, you can re-name or remove wp-comments-post.php and possibly wp-trackback.php from your site.
    Stops the spammers in their tracks.
    I had a problem where they somehow exploited the contact form / page even though comments were disabled.
    Removed the two files and the problem stopped immediately and the site works fine. Just remember that when you up date wordpress, to remove or rename the files again.
    Hope this helps those that use WordPress only for a website without comments.

    • Kevin Muldoon

      Great suggestion.

      I had one website in which comment spam was getting through despite comments being disabled. It was a real pain (to say the least).

  9. Kevin,

    Thanks for another great post. You’ve quickly become must reading in my book.

    Suggestions for future topics:
    – form submissions (many options, what to look for)
    – image management e.g., optimizing images for WordPress (both before and after uploading)
    – eCommerce integration options

    Many thanks!

    • Kevin Muldoon

      Great suggestions. I’ll speak to Nick and see if we can accommodate some of those :)

  10. With all the great plugin suggestions, I’m wondering if they all play together nicely or if I would run into problems installing 2 or 3 of the suggested plugins. How much of an arsenal does a website need to stop the spam with everything turned off?

    • Kevin Muldoon

      Some plugins will clash if they are tackling the same issue. You just need to test them out to see how they play together.

      How strong your antispam setup should be really depends on how much spam you are receiving. As I said, a lot can be stopped by simply configuring your settings correctly.

  11. Good article. Nice to know that I already do everything suggested here. It just seemed like common sense to me :)

    I’ve never really understood pingbacks and trackbacks. Planning to cover this in a future post? Curious to know if I should allow them or if this is just another form of spam. Do they have any benefit to your search ranking?

    • Kevin Muldoon

      I’m not sure if it is worth writing a full post on pingbacks and trackbacks as they are not used by blogs that often any more (ironically, because they are used by spammers).

      They were originally intended as a way for bloggers to let other bloggers know when they were discussing the same topic. So if you write a blog post and I was writing about it too, I would link to your post and send a trackback. This allows readers of your post to see what other blogs had linked to the article.

  12. Thanks for this post! Very helpful…

  13. Thanks, I used to set my comment days between 20-30days and use antispam plugin (works beautifully) because I suspected that if I use Akismet and I don’t pay, it wont work properly. Now I’m having problem with bandwidth theft, how can I stop this on sites I’ve setup?

    • You might want to look at CloudFlare, specifically the ScrapeShield component.

    • Kevin Muldoon

      I have no reason to believe that Akismet will not function correctly unless you pay for it. Are you saying you are losing bandwidth due to spammers attempting to leave comments or by people hotlinking your images?

  14. I tried WordFence. It was fine for about a month and then it started resetting the server constantly. When I disabled it, the problem went away, so I found a better solution and removed it. I’ve been using iQ block countries. By far most of my spam comes from Russia, Ukraine, and China. Block those three and about 90% of my spam disappears. Plus it has a feature to disable anyone from accessing the backend which is a nice feature. I check the logs everyday to see what files they were trying to access. Very informative.

    • Kevin Muldoon

      Sounds like you were getting a heavy volume of spam. Glad that you are managing it correctly :)

  15. CleanTalk is a great plugin. Thanks for the review !

  16. Very helpful and informative !

  17. Hi Kevin,

    Would be great if you could also do a post on WordPress security.

    Quite a few stories these days of sites blocked by Google for malicious code while their owners didn’t have a clue someone’s been tampering with their code.

    Would appreciate your help and preventative advice. :)

    Thanks and many cheers from the EU!

    • Kevin Muldoon

      I will speak to Nick about this and try and get a security post scheduled :)

  18. great article. most of the spammers inject comments for their spammy links and those infamous auto commenting software (or whatever it’s called) does that dirty job.. out of frustration, I just placed http:// in the blacklist box and boy!! without the use of any plugin, my comments just reduced to a few, sometimes none. those who are really interested in my articles, read them and leave a comment without any sort of link anywhere. .thus they come to my pending tab, i read then and then of course approve them. this really saves a lot of time for me. I understand by doing this I may lose some legit commentators but I felt no other way around due to those comment culprits.

    One, thing we can also to, is to totally disable URL section in the comment box and also, disable any html tags in the text area. Real commentators should not leave a comment with any forceful injection of any links. It makes good sense.

    • Kevin Muldoon

      I know of a lot of website owners who completely remove the URL field. It is something I am reluctant to do as I like to find out more about people who I am interacting with; and checking out their website is the quickest way to do that.

      • Hello Kevin

        I like all your posts. Thanks for the good job.

        Re: removing html tags in comments, I found this code in a post (thanks to google);

        add this code to functions.php:
        add_filter( ‘pre_comment_content’ , ‘wp_strip_all_tags’ );

        Is it doing the function you were mentioning ?
        Is it safe ?

        thanks

  19. a quick question that is missing in your great article : how to eradicate 3000 spam comments you ALREADY have…an easy way to clean that mess?

  20. Kevin have you tried to use on this blog module CleanTalk ? You do not need to pre-moderation, it is invisible and efficient

    • Kevin Muldoon

      I have tested Clean Talk but I have never used it for a prolonged period with my blog.

  21. Great article, helpful and informative, just changed my discussion settings.

    One thing I experienced, spam was attaching to some pictures in my blog posts, using the URL for the picture. I noticed in the Media Library unattached pictures throughout my site. So, I tidied it up and made sure all the pictures were attached to a page or blog post. I also removed the picture from the site. Now there is very little spam.

    Really good plug in that has reduced spam for me is Sweet Captcha. A human has to drag the correct icon to properly answer the fun question before they can submit a post.

    • Kevin Muldoon

      Wow. I had never heard of that. Spammers are persistent in their attempts of getting links.

      Thanks for the recommendation of Sweet Captcha.

  22. Hi Kevin and Elegant Themes crew!

    Fantastic post with amazing recommendations to avoid spam in our WordPress blogs.

    Thanks for sharing!

  23. Great article and I am being bombarded with spam onto my site and although Akismet is doing a good job, I want to try and stop it before it happens, looking at the comments then I can see a trend with the users and comments coming from a few IP addresses, so I have installed this onto my site and hope it will actually block the comments before they are even submitted:

    http://wordpress.org/plugins/ip-blacklist-cloud/

    Hope this is of use to others who want to try and prevent spam users and comments before they even happen.

    Reuben.

    • Kevin Muldoon

      Thanks for the suggestion Reuben. Looks like a great plugin.

  24. Hi Kevin and Elegant team!
    Great content and thank you for your sharing.
    I always use Akismet plugin to prevent spam comment for my blog.

  25. I have had a lot of luck with “Stop Spammers” plugin. I have a Q&A section on my site that was getting spammed a lot and this plugin didn’t just help, it completely eliminated it. My users are required to create a free account before using my Q&A section and this plugin prevents spam registration by checking ip address, email address, how quickly they are able to register to check if it’s a bot, etc. I recently had to disable it to allow a programmer access to my site from overseas and I immediately received over 20 spam user registrations a day without the plugin. Highly recommend.

    I would also highly recommend Disqus commenting instead of the built in WordPress. It’s free. They have a plugin that is easy to install and use. And they have a very good system for weeding out spam so you don’t have to. Also, users can log in using Facebook which I have found makes a big difference in participation.

  26. Hi Kevin,

    I just implemented your recommendations to a site I run with a business partner. We were getting hit with a lot of spam comments, and once those bots or sites latched on it was the same garbage over and over. I’m confident having put into place your anti-spam steps we should be good to go!

    Thanks for a very helpful post!

    – Cheers

    • Kevin Muldoon

      Glad to hear that Drew. Hope that stops the spammers in their tracks.

  27. Does anyone have experience with Dropbox? Their backup plugin would be nice but a simple unzip would display sensitive data for some of my clients. I’ve seen theme developers chatting about clients openly on WordPress.org. That doesn’t instill confidence in their professional ethics. I have a few sites that are getting big and Backup Buddy sometimes fails. An alternative would be nice if the price was low and the security was tight.

    • Kevin Muldoon

      I personally use VaultPress.com for all my websites. It’s affordable, reliable, and comes from the developers of WordPress.

  28. I have had an odd thing happen. Several people have contacted me and said they received the email thanking them for registering for an account on my shop. They did not register. When I checked, their email address had registered for an account, but with just an email. WooCommerce tells me it is not via their system, my host (Flywheel) is as baffled as I am. Has anyone else had this happen? I have been loathe to install a captcha, but suppose I have to. Do you think it could be someone who had all of the above people in their address book got hacked? Ideas are appreciated!

    • Kevin Muldoon

      That’s bizarre. I’ve never heard of that occurring before. It does sound like hackers have used someone’s contact details to enter emails into your registration form.

  29. Hi,
    I see a reference above to spammers inserting comments even if there is no comment form anywhere on the site. Any idea how they do that? It has happened on more than one of my sites.

    Thanks, Crucible

    • Kevin Muldoon

      They do this by targeting the core file wp-comments-post.php.

  30. I recommend you to use Akismet Plugin because of Akismet is considered is one of the best anti spam WordPress plugins and used by huge number of website owners.

  31. I am wondering something. I have comments on my site turned off but I suddenly started getting tons of email spam through WordPress from my site’s webmail address. If I click my email service’s spam button am I essentially spamming myself…and how are these spam comments being submitted when I have comments turned off in the site? any help is appreciated! Rosy

  32. I’m also annoyed with spam comments because it waste my time and more than that spam comments are very bad for SEO. I used many plugins but not plugin can complete protect us against spam. I’m using Growmap Anti Spambot Plugin, this plugin is bit useful to use.

    Regard
    WAQAS

  33. I always prefer Akismet WordPress Plugin for preventing Spam comments. I love to suggest my clients to install Akismet and most of the time i install this plugin to my client’s site….and so far it works like charm!

  34. Nice. Your post is very good and informative.Thanks for sharing.

  35. Hi,

    I was using the manual comments approval in WordPress initially. It was still bearable with 10 to 15 spams a day, but unfortunately it hit a high like over 1000 a day for the last couple of weeks.

    The problem is now gone after I installed the anti-spam plug-in. Not even a single spam got through for the last few days.

  36. Thanks for a nice and informative post. I use Akismet and my own plugin script, and hereby have reduce spam comments with 99% :)

    My script is checking for numbers in comment author name, and if its more then 3 the comment submission will not go through.

  37. Thanks for a nice and informative post.
    I have been loathe to install a captcha, but suppose I have to. Do you think it could be someone who had all of the above people in their address book got hacked? Ideas are appreciated!

  38. Ohh Thanks Kevin for great solution for blog spamming, appriciated

  39. Hi Kevin one quick question. Askimet was automatically installed with my wordpress account and it works great.
    It wants to know who’s spam and who’s not but I’m finding it hard to tell. Should I presume its all spam? I don’t want to be missing anyone genuine but why would they be in the spam folder in the first place right?
    Peter Cole

  40. Kevin, thanks for a concise article! Just to add my two cents… there are two other plugins you haven’t mentioned but they helped me in my practice: Akismet and Disqus. Disqus, in fact, does a bit more than preventing spam, it helped me get better at communicating with my audience. Thanks again for a great article!

  41. i just deleted over 10,500 spam :( I’m down to 509 to go….it’s been hell and I have Akismet :-/

  42. Great post with Nice recommendations to avoid spam in our WordPress blogs.
    Thanks for sharing!

  43. I too have implemented the above suggestions, and did so when I started my website. But still, I am daily deleting 100+ spam. Is there no foolproof solution?

    • I am in the same situation, getting tons of spam very day. It’s been more than a week since I installed goodbyecaptcha and it seems like this plugin is doing an excellent job. No spam at all

      • Thanks for this article to fight against WordPress spam comments.

  44. I also had to disable “Allow link notifications from other blogs (pingbacks and trackbacks) ” ase spamers seems to start using that as well for spams.

  45. I would put Akismet at the top of the list. 260K spam comments blocked in 6 months so far on my site! You can use it for free but I actually stumped up money for this service as it saves me hours a week dealing with junk.

    I enable all the WP moderation setting mentioned above. There are way too many spammers for blocking individuals to make any difference. They don’t care. I also see spammers posting “normal” comments in an effort to get past the first-moderated-comment hurdle. So I moderate everything. If it isn’t clear that the comment is directly related to the content it gets deleted. Compliments and vague questions about my website hosting are 99.9% spam.

    The keyword blacklist is quite useful as well as you can target keywords that should never really crop in genuine comments. For me this is a list of handbag and sport clothing designer brands. There are also a number of websites that people are trying to link to that I block (Third-party App stores etc).

    I hope this comment makes it through :)

  46. I have been using Akismet since the beginning of my blog. Recently I have installed a plugin which automatically add a captcha after the end of comment form. I noticed that after installing Akismet, The spam comments are posted around 3.7% and after activating Captcha code Its went under 1%.

  47. Thank you for this post. These comments are really irritating. I opened my admin panel today just to see I have over 30k comments on my blog.

  48. That is a valuable tip on closing comments on older posts. From pure convenience it makes a lot of sense. I am recording thousands of comment spam daily, while 99.9% is filtered by Akismet, which I highly recommend – there is a permanent load on the server and this should help ease it.

    Unfortunately there is not easy way of blocking them before they come in the front door.

Leave a Reply

Your email address will not be published. Required fields are marked *

Current ye@r *

Join 261,586 Happy Customers And Get Access To Our Entire Collection Of 87 Beautiful Themes For The Price Of One

We offer a 30 Day Money Back Guarantee, so joining is risk-free!

Sign Up Today

Pin It on Pinterest

Share This