"...outstanding support!"
— Ivaylo Zhelev What They Say

How to Prevent Spam in WordPress

If your WordPress site has had a blog for any amount of time, then you’ve probably asked yourself this question.

What can I do about comment spam?

Automated spam is nothing new, and since most WordPress sites allow commenting on at least blog posts, they become a target. Fortunately, there are simple measures that can be taken to keep this from becoming a massive problem. What follows is a three-fold approach that others and I use to cut out nearly all spam with relatively little effort.

Require Moderation

Go to Settings > Discussion and you’ll see all kinds of options WordPress has for cutting down on comment spam. What you see below are some default options that are very helpful, so I recommend sticking with them.

[Screenshot: Discussion settings options]

When Johnny posts a comment, you get an e-mail then decide to approve the comment for display on your post. When Johnny comments again, his comment will show immediately, because you already trust him. If you want something more strict, check the box always requiring approval. I have never known this to be necessary, however.

Automatic Spam Detection

It turns out the first part of this strategy was already set up for you. Still, there is a huge problem, which is that you might see a dozen new comments held for moderation each day. And they’re all spam! That means you’ll be wasting time weeding through a bunch of junk in hope of maybe or maybe not finding a real comment. Not cool.

Anti-spam Plugins

What you can do is install a plugin that automatically detects spam and flags it as such so that it’s never even presented to you for approval. These plugins consider different factors to determine whether or not each comment is spam. There’s little point in explaining how they do it, but I can say that they do it remarkably well, perhaps with 99% accuracy.

  • Antispam Bee – This is my pick. It’s free and I find with default settings it works very well. Don’t mind the plugin page being in German. The plugin itself is in English.
  • Akismet – This works well too but you need to sign up for service (free for personal use only) so it’s more of a hassle.

Good, Not Perfect

These plugins work very well, but they are not perfect. I want to warn you that sometimes they will let a spam comment through. That’s not a big problem though, since you’re requiring moderation. Just keep your eyes peeled for comments linking to shady prescription drug websites or that sound like they were written by a drunkard (spam bots often sound like that when they try to speak).

The bigger problem is when a legitimate comment is automatically flagged as spam. It will never be presented to you for approval. What I do is go to Comments in my WordPress admin area then quickly browse through those marked as spam every now and then, just to make sure no real comments got the hatchet. If I find one, I approve it then delete the whole archive of spam comments so that it’s easier to scan through the next time.

Disable Comments on Old Posts

Another strategy for reducing spam is to have WordPress automatically turn commenting off on a post after a specified number of days. Spammers can’t comment when commenting is disabled, right? Legitimate comments usually come in shortly after publication but spammers tend to start hitting a post after some time. Automatically disabling comments after a number of days can reduce the amount of spam you have to deal with.

Go to Settings > Discussion and look for “Automatically close comments on articles older than” and try a value of 90 days or less.

Contact Forms

You might have a contact form on your site that gets spam. There’s help for that too.

CAPTCHA, Maybe

If you’re using a contact form plugin, see if it has an option to enable CAPTCHA or see if there is a plugin that will add a CAPTCHA box (for example, the Contact Form 7 reCAPTCHA Extension). What I’m talking about is that annoying little box of garbled letters that takes five tries to enter correctly. Yes, they’re often difficult for humans to use and so that’s why they’re effective against bot attacks.

Frankly, I don’t like this approach. It makes things hard for the user and that’s not good for your endeavor.

Akismet Will Work

This morning I ran across an article explaining how to leverage Akismet’s service with your contact form. Read Akismet & Your WordPress Contact Forms for details.

I don’t do this myself because…

Best to Do Nothing?

Most email service providers have built-in spam filtering. I use Gmail and its ability to detect spam is phenomenal. I rarely see spam in my inbox and rarely see real emails in my spam folder. It just works. I don’t use CAPTCHA or anything like Akismet for my contact forms. I just let Gmail take care of it.

My view is that it is better to just let that contact form spam roll right in. If your email provider takes care of some of it, that’s great. In any case, I think it’s very important not to risk losing contact form messages (especially if you’re running a business) by being too aggressive with spam. It’s better to get all the messages and deal with a little spam than to get no spam and lose a few real messages.

Conclusion

Spam stinks. But you don’t have to suffer. Take a few measures now and it’ll make your life easier every day after.

Do you have any tips for preventing spam? I did little research in preparing this guide. This information is mostly just from my own experience so I’ll bet there are some great ideas out there that were not mentioned. Please share what works for you.

11 Comments

  1. I disagree with “Best to Do Nothing?” – I’ve found that if you get too much spam mail through a contact form, Gmail starts to mark all incoming mail through that form as spam so you end up missing the good as well as the bad.

    I’ve not done any ‘scientific’ testing but when this happened to me, I tightened up spam control (and went through a week of marking things “this is not spam”) & I started receiving messages again.

    • Steven Gliebe (Author)

      That’s interesting. Thanks for sharing. Fortunately my contact forms have never generated much spam, which is actually quite surprising since I don’t use CAPTCHA or anything like that. I wonder if a form using AJAX helps cut down on spam in any way.

  2. I often put in a regular text input, with a common name like “homepage” or “e-mail”. I then hide that input with CSS so a normal visitor wouldn’t see it, but robots are often not smart enough to notice and will give it a value.
    All it takes then is to check whether that hidden field was filled in, and if it was it has to be spam. It’s an ancient technique but works well in my experience.

    • Steven Gliebe (Author)

      Thanks for sharing. It sounds like a great plugin and I see some good things said about it by people who know their stuff.
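
The hidden-field (honeypot) check described in comment 2, sketched for the WordPress comment form. This is an added example, not code from the post or its commenters; the field name `homepage_url` and the `hp_` function names are assumptions. A hit is marked as spam rather than rejected, so a false positive stays reviewable under Comments > Spam as the article recommends.

```php
<?php
/**
 * Plugin Name: Comment Honeypot (added example)
 * The field name and the hp_ function names are assumptions for this sketch.
 */

const HP_FIELD = 'homepage_url'; // hypothetical decoy field name

// Print the decoy input for both anonymous and logged-in commenters.
add_action( 'comment_form_after_fields', 'hp_render_field' );
add_action( 'comment_form_logged_in_after', 'hp_render_field' );

function hp_render_field() {
	// Moved off-screen with CSS; aria-hidden, tabindex and autocomplete keep
	// screen readers, keyboard users and browser autofill away from it.
	printf(
		'<p style="position:absolute;left:-9999px" aria-hidden="true">'
		. '<label for="%1$s">Leave this field empty</label>'
		. '<input type="text" name="%1$s" id="%1$s" value="" tabindex="-1" autocomplete="off">'
		. '</p>',
		esc_attr( HP_FIELD )
	);
}

// Decide the comment's status before WordPress stores it.
add_filter( 'pre_comment_approved', 'hp_flag_spam', 10, 2 );

function hp_flag_spam( $approved, $commentdata ) {
	// Keep errors WordPress already raised (duplicates, flooding).
	if ( is_wp_error( $approved ) ) {
		return $approved;
	}
	// Pingbacks and trackbacks never pass through the form.
	$type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
	if ( ! in_array( $type, array( '', 'comment' ), true ) ) {
		return $approved;
	}
	// A missing field is allowed: replies from wp-admin do not send it.
	$raw = isset( $_POST[ HP_FIELD ] ) ? wp_unslash( $_POST[ HP_FIELD ] ) : '';
	// Bots may send an array (homepage_url[]=x); any non-empty value counts.
	$filled = is_array( $raw ) ? ! empty( $raw ) : '' !== trim( (string) $raw );

	return $filled ? 'spam' : $approved;
}
```

Because a missing field passes, this only catches bots that parse the form and fill every input; bots that post a fixed set of fields straight to the comment endpoint still need the moderation and anti-spam plugin layers.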

  3. No doubt, these are awesome tips! But I must recommend installing one plugin to stay away from spammers: “Remove links from comments”. It’s awesome and quite effective as well. By the way, thanks for the tips!

  4. Thanks for the post Steven, I am trying to protect my client’s WP site from contact form spam and aside from Captcha (which I agree is totally annoying as a human with limited attention span!) I am finding the Contact Form 7 plugin a potential solution, so thanks for the heads up on that.

    Also, and this may be a no-brainer really, maybe a statement next to the submit button stating “We don’t accept solicitous emails” might…might discourage a few dodgy spammers to even bother writing the message …

  5. Thanks for this great write up.. I am getting hundreds of spam comments on a daily basis.. This will surely help me in getting rid of spam and headache due to it… keep sharing such useful info..
