Web Development / WordPress

How to Stop Comment Spam WordPress

Jan 04, 2023
18 min read
Stop Comment Spam WordPress

In this article, we take a detailed look at comment spam and the different ways you can mitigate and manage the problem in WordPress.

What is Comment Spam in WordPress?

Comment Spam is when a third party posts an unsolicited message, often of a commercial nature, as a comment on your WordPress website. The comments are usually automated, with the perpetrator able to post thousands of comments an hour via their automated software.

How to Identify Spam Comments in WordPress:

If you are new to WordPress or blogging, you may be wondering how you can identify Spam Comments. Is someone genuinely interested in your post, or are they just spamming? Do you risk deleting the post and upsetting a potential client or reader or reducing your post’s authority that user engagement brings? Luckily there are a few different tips we can give to help you identify those spammy comments:

  • Is the author of the comment using their real name? Many spam comments will use keywords instead of their name as, quite often, the author’s name is linked back to the author’s website. Using keywords for link anchor text was (not now with the Google Penguin penalty that specifically targets keyword-rich link anchors) the “go-to” way to build links.
  • What kind of link is the Author Link? Would you mind your readers clicking on it? If it is a spammy link to a drug-related or commercial website, it is a sure sign of a spammer. As a general rule, we do not allow any links in the comments unless the author is someone we know and the website they are linking to is relevant to our readers.
  • Is the comment generic and duplicated? Some of the best-automated software provide specimen spun (a comment that has multiple variations for each word phrase) comments for spammers to use. While they encourage you to create your own comments, many use prepackaged ones. If you search for the comment, you will often find hundreds of similar comments in the search results. The comments are often very generic, so they can apply to any website post.
  • Is the email address valid, or is it from a free account such as Gmail? Many spammers will use a fake email address, such as “[email protected]” or a Gmail or Yahoo email. While using a free email account is not a guarantee it is spam, coupled with other indications above, it can certainly help with the diagnosis.

Why do Spammers Try to Post Comments on your website?

To understand the motive behind spammers, you need to understand a little about Search Engine Optimization. In the past (several years ago), Google incorporated a system called Page Rank. The higher the Page Rank, the more likely your page was to rank in Google for the targeted keywords. The number of backlinks influenced page Rank pointed at the page from other people’s websites. Leaving comments on third-party websites containing a link back to their website was an easy way of gaining backlinks, and many automated systems were created (i.e. Xrumer, Scrapebox as two examples).

Also, the wording of the link (anchor text) influenced the effectiveness of the links back to the spammer’s website, and you would see many links with words such as “Garden Tools” or “insert drug here.” Of course, recent Google Updates like Penguin have sought to penalize those who use over-optimized anchor text such as this, and, therefore, mass Spam via Comments is no longer as popular as it used to be.

However, regardless of this, mass comment spamming is still popular as the people who use this technique can still rank for their chosen keywords and make money. When Google penalizes their website, they scrap the existing one and puts the content on a new domain that isn’t penalized. We would recommend that if you value your website showing up in Google, you don’t try to emulate this technique!

Why Spamming Comments on websites is Bad

If you have a relatively new website with little user engagement, getting your first comments is a big deal. It validates all the work and effort you have put into your website, so when you start seeing comments posted, it makes you feel great. So, instead of carefully moderating the comments, you want to approve those comments that may be spam. There are many reasons, though, why it is important to moderate your comments carefully, especially to get rid of any that may be spam:

  • Avoid Google’s Wrath — Google has been cracking down on spam, not just the websites that benefit from the links, but those that allow the links to be placed on their website.
  • Lack of moderation. — Today, you need to give a good impression to readers. If they scroll down your website to see hundreds of spam comments, they are less likely to remain on your website or comment themselves.
  • Lose readers from linking to poor quality websites — What if there are links in some of the comments promising to give added value to the reader (related links etc.), but upon clicking the link, the reader is taken to an unsafe website? The reader will likely be annoyed by this, and rather than return to your website, they won’t.

What can you do to Stop WordPress Spam Comments?

There are quite a few options for stopping spam on your WordPress Posts. Some solutions work better than others.

Here are some of our suggested options:

1. Stopping Spam via WordPress Moderation

Some default anti-comment spam moderation tools are integrated into the core WordPress installation. You can get to the moderations settings via Settings -> Discussion as shown below:

Wordpress discussion settings to reduce spam comments.

The settings below are what we use. However, some of the settings are based on personal preference, and you won’t go wrong in modifying some of the settings to suit your personal preference:

  1. Default article Settings — Leave as default (all selected).
  2. Other Comment Settings — We always prefer to have the comment author complete their name and email. The email they leave can be a telltale sign of spam, such as fake emails or even free email accounts. We do not require people have an account to leave comments, as this will unnecessarily complicate the whole process, and at the end of the day, we want to make commenting as easy as possible. One thing you may want to consider (depending on the type of content) is close old post articles to comments after a set time. Their default recommendation is 14 days, but you could easily set this to two or three months.
  3. Email me whenever — We prefer to know whenever a comment, either an approved comment, is posted or is held for moderation. This enables us to respond to the reader without delay, double-check the comment is not over-promotional, and keep an eye on things.
  4. Before a comment appears — Unstick these boxes so that the reader’s comment will appear immediately, subject to other settings below. You could select that a comment author has a previously approved comment before they automatically appear or that the WordPress comment must be manually approved, but our personal preference is against this.
  5. Comment Moderation (Moderation Queue) — Set to “Hold the comment in the queue if it contains 1 or more links”. The default settings will hold for moderation of any comment with two or more links in the comment body. We believe any comment with a link is potentially spam, so we have set this to “1” so that any comment with a link is held for manual approval.
  6. Comment Moderation (Spam Words) — You can add in this section any words, name, URL, email, or IP so that any matches will be held in the moderation queue. Because we use other anti-spam tools plugins, we leave this blank. However, if you have a particular type of comment that escapes all your anti-spam settings, then you can use this or the Comment Blacklist (see below) to add relevant words to be filtered. Note that terms such as “press” will match “WordPress” or “pressed,” so care does need to be used when using this feature.
  7. Comment Blacklist — Like the Spam Words Moderation above, the comment blacklist will designate any matches as spam. Again, we leave this blank as standard.

You can see a screenshot of the settings we use below (we haven’t included the spam word boxes, as they are just left blank):

WordPress moderation settings for comment spam.

2. Stopping Spam Using Akismet

Akismet is a WordPress anti-spam plugin. There are a few others that you can use, which we will discuss later, but Akismet is by far our favorite. The WordPress plugin automatically detects the WordPress Comment Spam and marks it automatically. Akismet has many factors it considers to determine WordPress spam comments, and it learns from both actions you take (i.e., you designate something as spam) and from all users of Akismet as a whole.

Akismet stats.

The Akismet anti-spam plugin will also report statistics so you can see its effectiveness. For instance, we have 99.7 percent accuracy on our website within the last six months, over 54,018 spam comments blocked, with only 158 missed spam comments and one false positive. This is an incredible performance.

How to Install and Setup Akismet

Fortunately, signing up for Akismet is incredibly simple. Go to https://akismet.com/plans/ and sign up for the relevant plan. If you have a personal blog or another noncommercial website Akismet is Free. Otherwise, you will need the business plan at $5 per month.

Akismet plans.

When you sign up, Akismet will invite you to donate if you choose the Personal Plan. However, if you cannot afford it, you can slide the donation amount to zero, and the payment parts of the form will disappear. Complete the sign-up process, and you will be taken to a page showing your API key. You will need this to enter your details into the Akismet plugin in WordPress. A copy of the API key is also sent to the email address you used during the sign-up process.

Akismet API key.

Once you have the API key, you must activate the Akismet Plugin. By default, it is preinstalled, but you will need to activate it via the Plugins menu:

Activate Akismet to stop spam WordPress comments.

Once you activate the plugin, there will be a Blue “Activate your Akismet account” button at the top of the Plugins page:

Activate your Akismet account.

Manually enter an API key in the box shown and press the “Use this Key” button. The API key was sent to your email after signing up for your Akismet plan.

Manually enter an API key.

Once you have entered the API key, you will be taken to another page where you can choose to show the number of approved comments beside each author. Whether you choose, this is a personal preference. Also, you get the option to select the strictness of the plugin. You can decide to put all spam in the Spam folder for review or silently discard the worst spam. We choose the latter, as Akismet is very accurate at discarding the worst of the spam, and there is no need to review it.

Statistics will show once the plugin starts blocking spam comments.

3. Using CloudFlare to Stop Spam Comments

While CloudFlare alone is not an effective strategy to stop WordPress spam comments, it works very well with everything else. Essentially, the security features within CloudFlare will prevent bots and spammers from reaching your website. Not only does this reduce the load on your web server, but it will significantly decrease the number of spam comments on your website. The great thing about it is that you can choose security levels from within CloudFlare, so if you find yourself under attack from spammers, you can temporarily increase the security to high.

If you saw the number of Spam comments in the Akismet graph above, you will know that we suffered from a significant spam attack in April and May, which reduced a lot during June. The reason for this was the raising of our CloudFlare security level, and you can see from the following graph how many threats were stopped from reaching our website:

Manually enter an API key.

You can see how well CloudFlare works!

How to set up CloudFlare

There are two ways to set up CloudFlare, either via the one-click install from your web host control panel (which many decent hosting providers now offer) or directly via cloudflare.com. We will be doing a separate tutorial in due course to go through the CloudFlare sign-up process and settings. However, to get started, you can go to the CloudFlare sign-up page (https://www.cloudflare.com/sign-up) and follow the instructions on-screen.

You can see a screenshot below of the CloudFlare security settings screen that we use:

CloudFlare helps prevent spammers.

The main feature to prevent spam comments and other attacks is the “Basic Protection Level”. There are the following different levels:

  1. Essentially Off — This will only act against the most grievous offenders.
  2. Low — This will challenge only the most threatening visitors
  3. Medium
  4. high — This will challenge all visitors that have exhibited threatening behavior within the last 14 days.
  5. I’m under attack! — This should only be used if under DDoS. All visitors will be directed to an intermediate page to prove they are human for approximately 5 seconds. You wouldn’t want to use this unless it is necessary.

We recommend starting at the Low setting, but if you find you are still getting lots of spam, you should raise it to Medium or High.

4. Prevent Spam by Removing website URL Option from Comment Form

In Section 1, we changed the moderation settings to not allow any URLs in the body of the comment. However, many forms will have the option to add a website linked to the author’s name. Many spammers used to create keyword-rich author names, so their link back to their website is much more effective. However, spammers are much more devious now (and adapted to Google Penguin, which targets keyword-rich anchors), so natural-looking author name links are now often used. Also, many spammers will work hard to make the comments unique and natural, so identifying them can be challenging.

So, what is the solution?

Well, it is simple. Remove the incentive for spammers by removing the ability to leave a link entirely.

How to Remove Website URL Field from WordPress Comments

Fortunately, there is a simple plugin that does this for you — “Hide Comment Author Link,” which you can download here. Once installed and activated, there is nothing further that you need to do; the links will no longer show up when published. The only problem with this plugin is that the website field still shows when your readers fill out the comment form.

We prefer a custom function that we add manually to the functions.php file. In a default WordPress install, the functions.php is easy to find by going to Appearance -> Editor and selecting the Theme Functions files (functions.php). The exact files showing here will vary depending on the theme you have installed, but there is always a functions.php file that you can edit. Below is a screenshot showing how to find the functions.php file, along with where the code should be placed:

Remove website URL Field from WordPress Comments.

I have included two sets of code, one for a standard WordPress install (source), and the latter one we use for the Genesis Framework. You should add the relevant code at the bottom of the functions.php file, as shown in the red box above.

The code (standard WordPress install)
add_filter('comment_form_default_fields','url_filtered');
The code (standard Genesis Framework install)
add_filter( 'genesis_comment_form_args', 'url_filtered' );

Final Thoughts on how we Stop Spam Comments in WordPress

Hopefully, you will see that our strategy is all-encompassing and very simple. Since adopting all of these methods, we rarely get any spam on our WordPress comments approved or have legitimate comments marked as spam. With CloudFlare, if you come under a spam attack, you can increase the security settings to deal with it without degrading your web server and potentially getting in trouble with your hosting provider.

Keep reading to see some other suggestions on how to stop spam comments.

Other Ways to Stop Spam Comments

Before we finish the article, we thought it would be a good idea to briefly discuss other methods you may wish to use to help manage spam. Quite often, the functionality of some of the things we will discuss can be duplicated via one of the methods already discussed above, so that we will highlight this as appropriate:

Other Comment Spam Plugins for WordPress

While we are big Akismet fans, there are some alternatives that you may wish to consider. They work by considering different types of factors that are used to consider whether a comment is spam. We won’t go into too much detail, as our experience with these plugins is limited.

However, we have chosen plugins to mention that have a significant number of downloads, high ratings and are not merely a skeleton of free features used to promote a premium paid version:

  • Quiz — The Quiz plugin is probably one of our favorites, even though we do not use it (as we see no need to). The plugin adds a question and answer section to your comment form. Commenters must answer a question correctly before their comment will be accepted. You could ask questions that are obvious to the website’s topic, and you can specify multiple answers to cater to different ways of answering the question with different spellings. The question is, with other ways of dealing with spam effectively, do you want to make it this complicated for a reader to post their comment?
  • !WP-reCAPTCHA — This Plugin has a staggering 518,000 downloads at the date of writing, with an average rating of 4.1 out of 5. It adds a ReCaptcha box that needs to be completed before the comment will be accepted. While some automated and mass manual services can solve these, they are not usually used for comment spam; therefore, it does a respectable job of keeping WordPress comment spam at bay. Editor’s Note: This plugin is no longer available, but a good alternative is WordPress ReCaptcha Integration which you can download here.
  • WordPress Simple Firewall — With over 52,000 downloads, regularly updated, and a perfect 5 out of 5 rating, this has to be a serious contender as a great anti-spam plugin. There are no settings or anything to configure. Just activate the plugin, which you can download here, and it will work to prevent spam bots. Looking at the code within the plugin, it looks to prevent all comments where JavaScript is disabled in the browser, which of course, will affect bots as they don’t tend to use a browser. This may catch a small number of legitimate users, but this is estimated at less than one percent. You can download the plugin here.
  • Stop Spam Comments — This works similarly to the WordPress Simple Firewall but has just over 12,000 downloads and a 4.5 out of 5 rating. Probably, best to go for the other plugin, but I included it due to popularity. You can download the plugin here.

Change your Comment System

  • DisqusDisqus uses its own anti-spam system that like Akismet is designed to learn over time and becomes more accurate as you moderate your spam and other comments. Like the WordPress moderation tools, Disqus has features that allow you to state which types of comments need approval and whether links are allowed in comments. You can add blacklists and whitelists. Disqus is a great alternative to use as a WordPress anti-spam strategy. You can find the WordPress Disqus plugin here.
Disqus moderation panel.
  • IntenseDebateThis plugin has been recommended by quite a few people, but our experience with it is limited. It allows moderation similar to WordPress inbuilt tools. However, it does use Akismet as its spam filter, so at least we know that will be powerful. This wouldn’t be our preference due to lack of experience with it more than anything else, but worth a look if you are looking for a different commenting system. It has some interesting features such as comment voting, reputation, tweet comments, and commenter profiles.
  • Facebook CommentsFacebook comments can be a great plugin to embrace the power of social media, but it depends on your audience as to whether it is a good idea. Posting comments requires a Facebook profile, so if your readers do not have a Facebook account, it could make the whole commenting process a little complex. Because of this, it does cut down on the amount of spam being posted. We are not fans of this plugin, but it is more of a personal preference than anything else.

Deny Comments where No Referrer Requests

The .htaccess file is often used to strengthen WordPress security, and concerning WordPress spam adding a few lines of code that deny bots (automated comment spamming programs) can help significantly.

When a comment is made, the wp-comments-post.php file is accessed and creates the post. The browser will send a “referral” about this fact. A comment bot generally does not leave a referrer as it usually hits the file directly. Therefore, we can be confident that the comment comes from a spammer.

So, we can add some lines to a .htaccess file that will refer comments with no referrer request back to spam-bots originating server.

RewriteEngine On

To use the code, open up your .htaccess file via FTP, and add the lines above. Change yourdomain.com to your actual domain.

CloudFlare will block bots based on the HTTP referrer headers as part of its security features. For this reason, we do not implement this option. However, it is one recommended by WordPress themselves and, therefore, one that should be seriously considered if you have a comment spam problem.

Ban Spammer’s IP addresses

Whenever someone visits your website to leave a comment, their IP address is revealed along with the other information that the comment exists. If you have a particular spammer you wish to prevent from accessing your website; then you can block them using a .htaccess file. Again, you will need to open your .htaccess file via FTP and add some lines to the file:

 
Order allow,deny
Deny from 123.123.123.123
Deny from 156.156.156.0/24
Deny from 189.189.0.0/16
Allow from all

The example above shows how to block three different IP addresses. If you want to block only one IP, then comment out the other two by adding # in front of them or simply deleting the lines.

The problem with this approach is many spammers will use proxies that they change regularly. Simply blocking the IP may not help but block innocent readers, especially if the IPs were hijacked. We, therefore, do not think this is a good approach unless you have a particularly prevalent spammer you can easily identify.

CloudFlare allows you to block specific IP addresses as well.