In this article, we take a detailed look at comment spam and the different ways you can mitigate and manage the problem in WordPress.
What is Comment Spam in WordPress?
Comment Spam is when a third party posts an unsolicited message, often of a commercial nature, as a comment on your WordPress website. The comments are often automated in nature, with the perpetrator often able to post thousands of comments an hour via their automated software.
How to Identify Spam Comments in WordPress:
If you are new to WordPress or blogging, you may be wondering how you can identify Spam Comments. Is someone genuinely interested in your post, or are they just spamming? Do you risk deleting the post and upsetting a potential client or reader, or reduce the authority of your post that user engagement brings? Luckily there are a few different tips we can give to help you identify those spammy comments:
- Is the author of the comment using their real name? Many spam comments will use keywords instead of their name as quite often the author name is linked back to the author’s website. Using keywords for link anchor text was (not now with the Google Penguin penalty that specifically targets keyword rich link anchors) the “go to” way to build links.
- What kind of link is the Author Link? Would you mind your readers clicking on it? If it is a spammy link to a drug-related or other commercial type websites, it is a sure sign of a spammer. As a general rule, we do not allow any links in the comments unless the author is someone we know, and the website they are linking to is relevant to our readers.
- Is the comment generic and duplicated? Some of the
best automatedsoftware provide specimen spun (a comment that has multiple variations for each word phrase) comments for spammers to use. While they encourage you to create your own comments, many use the prepackaged ones. Quite often if you search for the comment, you will find hundreds of similar comments in the search results. Often the comments are very generic in nature so that they can apply to any website post.
- Is the email address valid, or is it from a free account such as Gmail? Many spammers will use a fake email address, such as “firstname.lastname@example.org” or use a Gmail or Yahoo email. While using a free email account is not a guarantee it is spam, coupled with other indications above it can certainly help with the diagnosis.
Why do Spammers Try to Post Comments on your website?
To understand the motive behind spammers, you need to understand a little about Search Engine Optimization. In the past (several years ago), Google incorporated a system called Page Rank. The higher the Page Rank, the more likely your page was to rank in Google for the targeted keywords. Page Rank was influenced by the numbers of backlinks pointed at the page from other people’s websites. Leaving comments on third-party websites containing a link back to their website was an easy way of gaining backlinks, and many automated systems were created (i.e. Xrumer, Scrapebox as two examples).
Also, the wording of the link (anchor text) influenced the effectiveness of the links back to the spammer’s website, and you would see many links with words such as “Garden Tools” or “insert drug here.” Of course, recent Google Updates like Penguin have sought to penalize those who use over-optimized anchor text such as this, and, therefore, mass Spam via Comments is no longer as popular as it used to be.
However, regardless of this, mass comment spamming is still popular as the people who use this technique can still rank for their chosen keywords, make money, and as soon as Google penalizes their website they scrap the existing one and put the content on a new domain that isn’t penalized. We would recommend that if you value your website showing up in Google, you don’t try to emulate this technique!
Why Spamming Comments on websites is Bad
Chances are, if you have a relatively new website with not much user engagement, getting your first comments is a pretty big deal. It validates all the work and effort you have put into your website, and so when you start to see comments being posted it makes you feel great. So, instead of carefully moderating the comments, you want to approve those comments that may be spam or that do not bring anything further to your website. There are many reasons though why it is important to moderate your comments carefully, especially to get rid of any that may be spam:
- Avoid Google’s Wrath — Google has been cracking down on spam, but not just the websites that have the benefit of the links, but those websites that allow the links to be placed on their website.
- Lack of moderation. — Today, you need to give a good impression to readers. If they scroll down your website just to see hundreds of spam comments they are less likely to remain on your website, or comment themselves.
- Lose readers from linking to poor quality websites — What if there are links in some of the comments promising to give added value to the reader (related links etc.), but upon clicking the link, the reader is taken to a less than
respectfulwebsite. The reader is likely to be annoyed by this, and rather than come back to your website, they won’t.
What can you do to Stop WordPress Spam Comments?
There are quite a few options when it comes to stopping Spam on your WordPress Posts. Some solutions work better than others, however, to keep things as simple as possible we have first highlighted the methods we use. Afterward, we have commented on some other methods that others find successful, but ones we do not use ourselves.
Many guides and tutorials you will be along the lines of “10 tips to prevent WordPress spam comments” or “10 Must-have Plugins to prevent WordPress Spam”. Where this tutorial differs, is that we have given you a great combination of 4 methods that work, and works well. It is this combination that we use ourselves. We hope you find it useful!
1. Stopping Spam via WordPress Moderation
There are some default anti comment spam moderation tools that are integrated into the core WordPress installation. You can get to the moderations settings via Settings -> Discussion as shown below:
Recommended Moderation Settings
The settings below are what we use. However, some of the settings are based on personal preference, and you won’t go wrong in modifying some of the settings to suit your personal preference:
- Default article Settings — Leave as default (all selected).
- Other Comment Settings — We always prefer to have the comment author complete their name and email. The email they leave can be a telltale sign of spam, such as fake emails, or even free email accounts. We do not require people have an account to leave comments, as this will unnecessarily complicate the whole process, and at the end of the day, we want to make commenting as easy as possible. One thing that you may want to consider (depending on the type of content) is close old posts articles to comments after a set time. The default recommendation they make is 14 days, but you could easily set this to two or three months.
- Email me whenever — We prefer to know whenever a comment either an approved comment is posted or is held for moderation. This enables us to respond to the reader without delay, double check the comment is not over promotional, and keep an eye on things.
- Before a comment appears — Unstick these boxes, so that subject to other settings below, the readers comment will appear immediately. You could select that a comment author has a previously approved comment before they automatically appear, or that the WordPress comment must be manually approved but our personal preference is against this.
- Comment Moderation (Moderation Queue) — Set to “Hold the comment in the queue if it contains 1 or more links”. The default settings will hold for moderation any comment that has 2 or more links in the comment body. We are of the opinion that any comment with a link in it is potentially spam, so we have set this to “1” so that any comment with a link is held for manual approval.
- Comment Moderation (Spam Words) — You can add in this section any words, name, URL, email or IP so that any matches will be held in the moderation queue. Because we use other anti-spam tools plugins, we just leave this blank. However, if you have a particular type of comment that escapes all your anti-spam settings, then you can use this or the Comment Blacklist (see below) to add relevant words to be filtered. Note that words such as “press” will match “WordPress” or “pressed,” so care does need to be used when using this feature.
- Comment Blacklist — Like the Spam Words Moderation above, the comment blacklist will designate any matches as spam. Again, we leave this blank as standard.
You can see a screenshot of the settings we use below (we haven’t included the spam word boxes, as they are just left blank):
2. Stopping Spam Using Akismet
Akismet is a WordPress anti-spam plugin. There are a few others that you can use, which we will discuss later, but Akismet is by far our favorite. The WordPress plugin automatically detects the WordPress Comment Spam and marks it automatically. Akismet has many factors it considers to determine WordPress spam comments, and it learns from both actions you take (i.e. you designate something as spam), but also learns from all users of Akismet as a whole.
The Akismet anti-spam plugin will also report statistics so you can see just how effective it is. For instance, on our website we have 99.7 percent accuracy within the last six months over 54,018 spam comments blocked, with only 158 missed spam comments, and one false positive. This is
How to Install and Setup Akismet
Fortunately, signing up for Akismet is incredibly simple. Just go to https://akismet.com/plans/ and sign up for the relevant plan. If you have a personal blog or another
When you sign up, Akismet will invite you to make a donation if you choose the Personal Plan. However if you cannot afford it, you can simply slide the donation amount to zero and the payment parts of the form will disappear. Complete the sign-up process, and you will be taken to a page showing your API key. You will need this to enter your details into the Akismet plugin in WordPress. A copy of the API key is also sent to your email address that you used during the sign-up process.
Once you have the API key, you will need to activate the Akismet Plugin. By default, it is preinstalled, but you will need to activate it via the Plugins menu:
Once you activate the Plugin there will be a Blue “Activate your Akismet account” button at the top of the Plugins page:
You then just need to “Manually enter an API key” in the box shown, and press the use this key. The API key was sent to your email after signing up for your Akismet plan.
Once you have entered in the API key, you will be taken to another page where you can choose to show the number of approved comments beside each author. Whether you choose, this is a personal preference. Also, you get the option to choose the strictness of the plugin. You can choose to put all Spam in the Spam folder for review, or silently discard the worst spam. We choose the latter, as Akismet is very accurate at discarding the worst of the spam, and there is no need to review it.
Statistics will show once the Plugin starts blocking spam comments.
3. Using CloudFlare to Stop Spam Comments
While CloudFlare alone is not an effective strategy to stop WordPress spam comments; it works very well with everything else here. Essentially, the security features within CloudFlare will prevent bots and spammers reaching your website. Not only does this reduce the load on your web server, but it will significantly decrease the amount of spam comments on your website. The great thing about it is that you can choose security levels from within CloudFlare, so if you find yourself under attack from spammers, you can temporarily increase the security to high. You can read more about CloudFlare features here.
If you saw the amount of Spam comments in the Akismet graph we had above, you will see that we suffered from a large spam attack in April and May, which reduced a lot during June. The reason for this, was the raising of our CloudFlare security level, and you can see from the following graph how many threats were stopped from reaching our website:
You can see how well CloudFlare works!
How to set up CloudFlare
There are two ways to set up CloudFlare, either via the one-click install from your web host control panel (which many decent hosting providers now offer) or directly via cloudflare.com. We will be doing a separate tutorial in due course to go through the CloudFlare sign-up process as well as settings. However, to get started, you can go the CloudFlare sign up page (https://www.cloudflare.com/sign-up) and follow the instructions on-screen.
You can see a screenshot below of the CloudFlare security settings screen that we use:
The main feature to prevent spam comments and other attacks are the “Basic Protection Level”. There are the following different levels:
- Essentially Off — This will only act against the most grievous offenders.
- Low — This will challenge only the most threatening visitors
- High — This will challenge all visitors that have exhibited threatening behavior within the last 14 days.
- I’m under attack! — This should only be used if under DDoS. All visitors will be directed to an intermediate page to prove they are human for approximately 5 seconds. You wouldn’t want to use this unless it is necessary.
We recommend that you start off at the Low setting, but if you find you are still getting lots of spam, you should raise it to Medium or High.
4. Prevent Spam by Removing website URL Option from Comment Form
OK, so far we have in Section 1 changed the moderation settings not to allow any URLs in the body of the comment. However, many forms will have the option to add a website that is then linked from the author name. Many spammers used to create keyword rich author names, so their link back to their website is much more effective. However, spammers are much more devious now (and adapted to Google Penguin which targets keyword rich anchors) so natural looking author name links are now often used. Also, many spammers will work very hard to make the comments unique and seem natural so it can be difficult to identify some.
So what is the solution?
Well, it is simple. Remove the incentive for spammers by removing the ability to leave a link entirely.
How to Remove website URL Field from WordPress Comments
Fortunately, there is a simple plugin that that does this for you — “Hide Comment Author Link” which you can download here. Once installed and activated there is nothing further that you need to do … the links will no longer show up when published. The only problem with this plugin is that when your readers fill out the comment form, the website field still shows.
Our preference is a custom function that we add manually to the functions.php file. In a default WordPress install the functions.php is easy to find by going to Appearance -> Editor and selecting the Theme Functions files (functions.php). The exact files showing here will vary depending on the theme you have installed, but there is always a
I have included two sets of code, one for a standard WordPress install (source), and the latter one we use for the Genesis Framework. You should add the relevant code at the bottom of the functions.php file as shown in the red box above.
The code (standard WordPress install)
The code (standard Genesis Framework install)
add_filter( 'genesis_comment_form_args', 'url_filtered' );
Final Thoughts on how we Stop Spam Comments in WordPress
Hopefully, you will see that our personal strategy is
Keep reading to see some other suggestions on how to stop spam comments.
Other Ways to Stop Spam Comments
Before we finish the article, we thought it would be a good idea to discuss briefly some other methods you may wish to use to help manage spam. Quite often the functionality of some of the things we will discuss can be duplicate via one of the methods already discussed above so we will highlight this as appropriate:
Other Comment Spam Plugins for WordPress
While we are big Akismet fans, there are some alternatives that you may wish to consider. They work by considering different types of factors that are used to consider whether a comment is
- Quiz — The Quiz plugin is probably one of our favorites, even though we do not use it (as we see no need to). The plugin adds a question and answer section to your comment form. Commenters must answer a question correctly before their comment will be accepted. You could ask questions that are obvious to the topic of the website, and you can specify multiple answers to cater for different ways of answering the question different spellings. The question is, with other ways of dealing with spam effectively, do you want to make it this complicated for a reader to post their comment?
- !WP-reCAPTCHA — This Plugin has a staggering 518,000 downloads at the date of writing, with an average rating of 4.1 out of 5. It adds a ReCaptcha box that needs to be completed before the comment will be accepted. While some automated and mass manual services can solve these, they are not usually used for comment spam and, therefore, it does a respectable job of keeping WordPress comment spam at bay. Editor’s Note: This plugin is no longer available, but a good alternative is WordPress ReCaptcha Integration which you can download here.
- Stop Spam Comments — This works in a similar way to the WordPress Simple Firewall but has just over 12,000 downloads and 4.5 out of 5 rating. Probably, best to go for the other plugin, but included it due to popularity. You can download the plugin here.
There are probably many decent anti-spam WordPress plugins around, so if you know of any great ones, please do let us know in the comments.
Change your Comment System
- Disqus — Disqus uses its own anti-spam system that like Akismet is designed to learn over time and becomes more accurate as you moderate your spam and other comments. Like the WordPress moderation tools, Disqus has features that allow you to state which types of comments need approval and whether links are allowed in comments. You can add blacklists and whitelists. Disqus is a great alternative to use as a WordPress anti-spam strategy. You can find the WordPress Disqus plugin here.
- IntenseDebate — This plugin has been recommended by quite a few people, but our experience with it is limited. It allows moderation similar to the WordPress inbuilt tools. It does, however, use Akismet as it’s spam filter, so at least, we know that is going to be powerful. This wouldn’t be our preference due to lack of experience with it more than anything else, but worth a look if you are looking for a different commenting system. It has some interesting features such as comment voting, reputation, tweet comments and commenter profiles.
- Facebook Comments — Facebook comments can be a great plugin to embrace the power of social media, but it depends on your audience as to whether it is a good idea. Posting of comments requires a Facebook profile, and so if your readers do not have a Facebook account it could make the whole commenting process a little complex. Because of this, it does cut down on the amount of spam being posted. We are not fans of this plugin, but it is more of a personal preference than anything else.
Deny Comments where No Referrer Requests
The .htaccess file is quite often used to strengthen WordPress security, and concerning WordPress spam adding a few lines of code that deny bots (automated comment spamming programs) can help significantly.
What happens when a comment is made is that the wp-comments-post.php file is accessed and creates the post. The browser will send a “referral” about this fact. A comment bot, however, generally does not leave a referrer as it usually hits the file directly, and therefore, we can be fairly certain that the comment is coming from a spammer.
So, what we can do is add some lines to a .htaccess file that will refer comments with no referrer request back to spam-bots originating server.
To use the code, open up your .htaccess file via FTP, and add the lines above. Change the yourdomain.com to your actual domain.
CloudFlare as part of its security features will block bots based upon the HTTP referrer headers. For this reason, we do not implement this option. However, it is one recommended by WordPress themselves, and, therefore, one that should be seriously considered if you have a comment spam problem.
Ban Spammers IP addresses
Whenever someone visits your website to leave a comment, their IP address is revealed along with the other information that the comment exists. If you have a particular spammer you wish to prevent from accessing your website, then you can block them using a .htaccess file. Again, you will need to open your .htaccess file via FTP and add some lines to the file:
Order allow,deny Deny from 184.108.40.206 Deny from 220.127.116.11/24 Deny from 18.104.22.168/16 Allow from all
The example above shows how to block three different IP addresses. If you want to block only one IP then simply comment out the other two by adding # in front of them or simply deleting the lines.
The problem with this approach is many spammers will use proxies that they change regularly. Simply blocking the IP may not help at all, but instead, actually block innocent readers, especially if the IP’s were hijacked. We, therefore, do not think this is a good approach unless you have a particularly prevalent spammer you can easily identify.
CloudFlare allows you to block specific IP addresses as well.
We’d love to hear your solutions!
If you have implemented a strategy to stop WordPress Spam Comments that works, we would love to hear about it in the comments, whether it is a combination of things, or recommended plugins. Please note that adding links will mean we moderate the comment manually, but don’t worry … we review all comments within a maximum of 24 hours.
Jonathan Griffin Editor, SEO Consultant, & Developer.
Jonathan Griffin is The Webmaster's Editor & CEO, managing day-to-day editorial operations across all our publications. Jonathan writes about Development, Hosting, and SEO topics for The Webmaster and The Search Review with more than nine years of experience. Jonathan also manages his own SEO consultancy, offering SEO developer services. He is an expert on site-structure, strategy, Schema, AMP, and technical SEO. You can find Jonathan on Twitter as @thewebmastercom.