Fighting WordPress Comment Spam

If you allow comments on any blog you’ll need to take spam into consideration. WordPress itself actually has a few built in features to help cut down on spam comments however there is also a few great plugins to make your life even easier such as Akismet which WordPress comes pre-installed with currently.

In this article we’ll run through identifying spam, WordPress methods of reducing spam, plugins to help reduce spam. Keep in mind however that there is no method of keeping all spammers out automatically, spammers change their methods and even manually add comments to try and bypass your protection.

How to Identify WordPress Spam Comments

You would think that identifying spam comments would be easy, and quite often it is. Take a look at this one with the links removed:

As I website possessor I believe the articles here is rattling great , regards for your efforts. cpanel reseller | whm reseller |

Here the poster is trying to link back to a website. A quick Google search inside “quotes” returns quite a few results where this spammer has wrote the same thing over and over again.

Here’s few pointers for manually identifying spam comments. Whilst sometimes a real comment might fall under one of these, they are generally good guidelines to follow.

  • Unrelated Links: If a comment has links back to an unrelated website it’s probably spam. Why would someone link to buying a new car on a bread recipe website?
  • Many Links: If a comment has more than one link then it may be spam - sometimes it can be real to link more than once but it is rare.
  • Generic Comments: If the comment content isn’t really related to the post or is very generic then it just might be spam.
  • Wow, you’re really awesome: Similar to the above point, if the post is very complimentary then it’s probably rubbish also.
  • Name Field: A big hint is in the name field. If someone says their name is “Car Seller Brighton” instead of “Jim Bobbins” then alarm bells should be ringing.
  • Multiple Comments: If the comment is posted twice on different articles they both are probably going to be spam.
  • Fake Quotes: Sometimes a spammer will quote your post or part of it without actually replying to the post itself.
  • Old Posts: If a post is old real posters normally don’t comment as they realise that the subject is dead.
  • Language: Posting in another language is often a big sign. If you’re site is in English why would someone reply in another language?

Using WordPress to Reduce Spam Comments

WordPress actually has a few useful tools built in to help reduce spam, without using any plugins. All of these methods are in some relation to the list above for identifying spam. The first one we’ll look at is what WordPress can do about Links.

Post Links. WordPress allows you to set the number of posts within a link which flags the comment for manual moderation. This attempts to stop spammers who leave multiple links. If you visit your WordPress Dashboard and go to the Settings > Discussion panel, under Comment Moderation you can set the number of links to 1, when the default is 2.

Spam Words. WordPress also allows you to block certain words. In the same area as before, Settings > Discussion, you can add words to the text area. WordPress has a list of Spam Words which you can use and add to. Put each word on a new line and be careful not to have any empty lines!

Blacklist Words. Similar to blocking words, you can create a Blacklist in the same area. This is more powerful because anything that matches a term wont even sit for moderation, it’ll be totally destroyed from view. The comment will still be in the database however marked as spam. It’s not really advisable to use the Blacklist unless you’re certain of what you want to destroy as partial words can match. If you put in “ass” words like “assistance” would result in a match.

Closing Comments. As mentioned before, sometimes spam comments are left on old articles. Under Settings > Discussion you can enable “Automatically close comments on articles older than X days” and enter in a value. If you are writing a personal blog perhaps comments only need to be open for about 90 days?

Moderate, everything. You probably don’t want to take this action for larger websites where you get a lot of comments, however on smaller blogs it’s fine. Ticking the box “An administrator must approve the comment” under Setting > Discussion will force all comments to be checked before going onto the site. You can take a similar approach by checking “Comment author must have a previously approved comment” - this is pretty self explanatory, anyone who leaves a comment needs their first one manually checked.

Registered User Comments. Forcing users to register before they leave a comment is a deterrence for spam comments, however it can also be a deterrence for real commentators. Visitors might not want to go through the bother of registering before leaving a comment, it’s something you need to weigh up - there is better alternatives out there. To enable this visit the Dashboard and under Settings > General panel select “Users must be registered and logged in to comment”.

WordPress Anti-Spam Plugins

Akismet. As mentioned before, WordPress comes bundled with Akismet. This works by using an algorithm combined with a community driven database to “learn” which comments are spam. To use Akismet you need to register with them over at to get your API Key. If you make money from your website you need to pay for your subscription however it is free for personal websites.

Bad Behavior. This plugin works well with Akismet as it provides a different type of protection. It acts as a blanket over your site to stop spammers from even looking at your site, never mind leaving comments. This helps keep your sites load down and keeps the logs clean. For more information check out the description on the plugin page of

WordPress Modifications to Reduce Spam

So your WordPress is all setup, your plugins are ready to rock, that’s enough right? Yes, it probably is enough however more protection wont hurt. This next step is not recommended for average users, you should really have an understanding of how WordPress works and editing files before doing any of this. As normal—take a backup of any files before you change or delete them in case you break something!

Deleting Files. If you want to totally remove comments you can delete wp-comments-post.php. This will effectively disable comments on your site. The end. If you have troubles with trackback spam, you can delete wp-trackback.php. Just like deleting the comments file, this will totally disable trackbacks.

WordPress Anti-Spam Check-list

Time to sum everything up into a check-list for combating spam on a WordPress site. Some of the methods have been left out of this check-list as I feel some of them are too drastic or are not that useful. The following check-list could be used in almost all setups:

  • WordPress: Limit the amount of links visitors can leave without being moderated from the Discussion panel.
  • WordPress: Setup your spam links from the Discussion panel.
  • WordPress: Close comments on old articles on the Discussion panel.
  • WordPress: Force all first timers to have their first comment moderated from the Discussion panel.
  • Plugin: Install, activate and sign up for Akismet.
  • Plugin: Install and activate Bad Behavior.
, .

Can’t get enough? Subscribe to the Newsletter.

Using the great power of the internet—and MailChimp—you can get what I write straight to your inbox. All things design, web, and even photography sometimes.

It’s very occasional, and if it turns it it’s not for you, you can unsubscribe with just one click.