Disclosure: This page may contain affiliate links. If you purchase something using those links, we may receive a commission, but it will not cost you anything extra.
There won’t be a single internet user who hasn’t heard the word spam. They often look like unnecessary or misleading messages containing hyperlinks to illegitimate websites. You can see such messages often in email inboxes and on social media platforms.
WordPress sites are also a frequent target. Not just WordPress, spammers target any website or platform that allows the public to post comments.
According to a report published by Kaspersky, around 50% of mail traffic contained spam in 2020. Even during the pandemic when many businesses are down, spammers are actively employing different techniques to mislead people. The aim can be anything from stealing credentials, money, spreading malware, or even identity theft.
Similar to spam emails, comment spams are also potentially dangerous. Most blogs and forums allow URLs in the comment forms, which spammers misuse.
Why they spam?
The reasons behind posting spam comments are many.
- If one of your legitimate users clicks those links, it can potentially compromise their security. Even if that doesn’t happen, spam comments are ugly and can negatively affect the credibility of your website.
- Blackhat SEO is another motive behind spamming. Leaving their links on your website can give them an SEO advantage.
So, if you are a website owner, you should never overlook implementing proper spam prevention methods on your site. In this article, we will discuss the different methods you can use to stop spam comments on WordPress websites.
Are you tired of spam comments?
Then here are some measures stop them on track.
1. Use an Anti-spam Plugin
An anti-spam plugin analyzes all the incoming comments and filters out the spammy ones. These plugins employ various algorithms and techniques to do this. Some sophisticated ones even make use of machine learning to identify newer patterns in spams. Email spam filters also work the same way.
Two of the most popular spam plugins available today are:
Akismet already comes pre-installed when you install WordPress. So it is the most obvious solution for most websites to start fighting spam.
With Akismet, much of the processing takes place on their cloud servers. While that approach takes the burden off of your server, it may not be ideal for everyone from a privacy standpoint.
Also, Akismet is free only for personal websites. Commercial websites (i.e, any website that makes money) are advised to purchase a paid plan.
It is technically possible to use Akismet on any website, including commercial ones. But doing so will be against their policy.
So, another plugin that you can use as an alternative to Akismet is Antispam Bee. It is maintained by a group of volunteer developers at Pluginkollectiv. The plugin doesn’t even offer a paid version and is completely free to use on commercial sites.
Since it works entirely on-server, there won’t be any privacy issues either. Antispam Bee uses the Honeypot technique, in addition to checking the comments against the local spam database.
I cannot say which plugin is more effective in stopping spam – Akismet or Antispam Bee. But I have been using the latter for while and it has been highly efficient.
2. Implement Honeypot
A simple yet highly effective technique. That’s honeypot.
If you are not aware, the majority of the spam comments come from bots, not humans. That’s where honeypot becomes successful. As the name suggests, it is a trap for spambots.
Here is how it works:
Just add one more field to your comment form (or any other form). Then make it hidden using CSS. So, real humans won’t see that field and leaves it empty when they comment.
But bots, which work by looking at the HTML code, won’t know that it is a hidden field. So they fill it up and prove themselves as fake.
I highly suggest you use Antispam Bee to implement the honeypot. The feature is included in the plugin. Otherwise, there are a few other plugins like WP Armour.
Some people have mentioned that they could stop more than 99% of spam using honeypot. My experiences are also not much different.
However, remember that this technique cannot stop human spammers. Also, some bots may be intelligent enough to circumvent honeypot traps.
So, it is not a complete solution. If you are still experiencing lots of spam comments after implementing honeypot or Antispam Bee, then try other methods, such as captchas.
3. Install a Captcha Service
Captchas are little challenges your users have to solve before submitting a form. The downside is bad user experience. Because of the difficulty in completing a challenge, legitimate users may abandon forms.
In recent times, Captcha solutions have improved a lot. Two such solutions you can consider are:
Both the solutions require the users to click a checkbox to solve the captcha. More suspicious visitors get an image challenge.
The latest version of Google ReCaptcha, ReCaptcha V3 is one step ahead. It does not involve any user interaction. Instead, it returns a risk score for each visitor, based on which you can take necessary actions. You can try this plugin to integrate ReCaptcha with WordPress.
In case Google’s privacy practices are not sufficient for you, then hCaptcha is a great alternative. It won’t track your website visitors, thereby offering better privacy. The hCaptcha WordPress plugin makes it easy to integrate the solution with your comment forms and login forms.
Recently, Cloudflare has switched to hCaptcha, which ensures that the service is well-supported and here to stay.
4. Switch to a social comment system
By default, WordPress uses its native comment system. While it has its advantages, spam and fake names are the disadvantages.
So, another route you can takes is to replace this native comment system with social comments. The two popular choices are:
Less spam is not the only benefit of this approach. It also adds credibility to the comments. Because when someone comments using their Facebook or Disqus Id, they are revealing their identity. Whereas with native comments, people can use fake names or email addresses.
Disqus allows people to comment with Facebook, Twitter, and Google accounts.
Plugins are available to integrate these systems with WordPress:
However, a social comment system may not be suitable for all sites. Privacy is a major concern. Also, you are depending on a third-party system to store your site comments.
5. Use a Web Application Firewall (WAF)
As your website grows popular, attacks can also increase. In such a situation, ensuring more protection using a web application firewall is a wise move.
The firewall helps to block bad bots, hackers, and malicious users while allowing legitimate users. Two services you can consider are:
Cloudflare offers a free plan, which includes DDoS protection and DNS. Whereas the Pro plan, which costs $20/mo, comes with a web application firewall.
Sucuri is another well-acclaimed web security company. They do not have free plan, though.
In addition to the protection, both the services offer CDN also, which helps to speed up your website.
Overall, a firewall is not a direct spam prevention technique. But it helps to stop bad bots, which in turn reduces the spam.
6. Manual Moderation
Manually moderating each comment is another way to tackle spam. To enable it, go to Settings > Discussion in your WordPress admin.
Against ‘Before a comment appears’ section, you will see two options:
- Comment must be manually approved
- Comment author must have a previously approved comment
Check both the boxes, or only the appropriate one and save the changes.
When someone leaves a comment, it won’t get published right away. Instead, they will receive a notice saying the comment is awaiting moderation.
Later you can go to the Pending tab in the Comments page, where you can manually approve, delete, or mark the comment as spam.
Optionally turn on email notification also so that you can know when a comment arrives in the moderation queue.
However, this approach may not be practical for sites that receive a lot of comments daily.
7. Use the Built-in Comment Features
If manual moderation is not practical, there are still a few more built-in features you can try:
- Make email and name field compulsory: Check the box – ‘comment author must fill out name and email’. It is not that effective, but better than leaving it unchecked.
- Allow only registered users: If your site allows user registration, allow only registered users to comment.
- Close comments on older posts: Turning off comments on posts older than a set number of days can reduce spam to an extent.
- Disable/reduce links in comments: As we have mentioned, the goal of spammers is to post links on your site. So, not allowing links can demotivate spammers. Setting it to 0 disables all links. But sometimes genuine comments can also contain links, which adds value to your articles. So, 1 or 2 is a good setting.
- Create a list of disallowed words: WordPress gives two fields to enter spammy words. Look at the existing spam comments to find out which words have the most occurrences. Usually, comments with words like free, discount, offer, and adult-related words are spam. Enter each of them in those fields and save. WordPress will move such comments to the moderation queue or trash.
8. Disable the Website Field
The main thing spammers exploit is the URL field (a.k.a the Website field) in WordPress comment forms. Disabling it can turn them away.
There is no setting to do it directly. But WordPress gives a filter called ‘comment_form_default_fields’ to customize the form fields. You can use that to disable the URL field.
Add the following code to your functions.php file or to a site plugin. Another easy way is to add it using the Code Snippets plugin.
<?php
function remove_wp_comment_url($fields) {
if( isset($fields['url'])) {
unset($fields['url']);
}
return $fields;
}
add_filter('comment_form_default_fields', 'remove_wp_comment_url');
9. Disable Comments Altogether
And finally, comments may not be equally valuable for all websites. If it is not beneficial, why not disable it completely?
Not only spam from bots but there are also quite a number of real humans who spread spam. Manual moderation is the only way to tackle them. Some popular sites like Zenhabits are not allowing any comments because of this reason.
For existing posts, select all the posts from the Posts screen and bulk edit them. Then set the Comments field to ‘Do Not Allow’.
Conclusion
For most blogs, a reliable antispam plugin is all what you need. In addition to that, you can try a combination of several methods that we discussed above.
On this website, currently I use the Antispam Bee plugin along with the built-in WordPress features to fight spam. And so far, the honeypot system is taking care of most of the spam, both from comments and from the contact form.
In case I have missed any important detail, mention it in the comments.
