Are you getting tired of dealing with comment spam on your WordPress blog?
You’re not alone. Spam comments are a huge problem for any website once you start getting steady traffic.
In this article, we’ll share the best WordPress comment spam plugins and helpful tips to combat spam comments in WordPress. These tips will save you a lot of time and will significantly reduce comment spam from your website.
Why You Need to Deal with Comment Spam in WordPress
Comment spam is a problem on many WordPress websites. These spammers hope to use your website to improve the search engine ranking of their own sites and get accidental clicks from unsuspecting visitors.
Many of these comments are left automatically by spambots, which are programs designed to comment on blogs and websites. Others are submitted by real people. They’re usually off-topic, poorly written, and contain links to third-party websites.
If you are not monitoring your website and these comments get published, then your actual users and search engines will be able to see them. And this affects your website’s reputation.
Users might consider your website to be low quality and spammy. And search engines can mark your site as unsafe if any of the comments link to viruses and malware.
That being said, let’s see how you can combat comment spam effectively so that you spend less time worrying about spam and more time on growing your online business.
1. Turn On Comment Moderation in WordPress
Let’s first make sure that comments can’t be published on your website without your approval. This step will ensure that comments don’t bypass any filters, and it will also give you full control over which comments appear on your website.
This solution is highly recommended for business websites such as law and accounting firms.
Head over to the Settings » Discussion page of your WordPress admin area. Next, scroll down to the ‘Before a comment appears’ section and check the box next to ‘Comment must be manually approved’.
Don’t forget to click the ‘Save Changes’ button at the bottom of the page.
All your WordPress comments will now be held for moderation and you will have to manually approve each comment before it appears on your website.
Now you may be wondering how long it will take to go through all the comments. In the next few tips, we’ll show you how to eliminate spam comments so that the comments you have to moderate will be mainly genuine.
2. Activate Akismet Spam Protection
Akismet is a spam protection plugin that catches the most common types of spam comments. It does this by filtering all WordPress comments on your website through a global spam database. Akismet comes preinstalled with WordPress, but it is not activated by default.
Personal blogs and small websites can use Akismet free of charge, but you will need to sign up for their API key.
You can learn the correct way to set up the plugin by following our step by step guide on how to set up Akismet.
3. Use Sucuri to Combat Spam Comments
Too many requests from comment spammers can slow down your website and affect performance. While Akismet is able to catch a lot of spam comments, it can’t stop spammers from accessing your website.
This is where Sucuri comes in. It is the best WordPress firewall plugin that allows you to block suspicious requests before they even reach your website.
This plugin can prevent automated bots and scripts from submitting comments. This reduces the load on your servers and the number of spam comments you receive.
Learn how Securi helped us block 450,000 WordPress attacks over a three month period.
4. Use Honeypot to Catch Spambots
Honeypot is a spam prevention technology that tests to see whether a commenter is a bot, rather than asking them to prove they are human. This strategy is inspired by the saying, ‘You can catch more flies with honey than with vinegar.’
Instead of making users perform a reCAPTCHA test to prove they are human, a honeypot provides a challenge that is visible to bots but not humans. If the challenge is attempted, then the commenter is revealed as a bot.
And once they are identified as a bot, they can be blocked before they post a comment.
Antispam Bee is a free honeypot plugin that can effectively identify spambots. It also has settings to trust approved commenters, validate IP addresses, mark BBCode (Bulletin Board Code) links as spam, and check public antispam databases.
You can learn how to set up the plugin in our guide on how to use Antispam Bee to block spam comments in WordPress.
5. Add Google reCAPTCHA Verification
Google ReCAPTCHA is an advanced form of CAPTCHA and can test to see whether a user is a bot or human. CAPTCHA stands for ‘Completely Automated Public Turing Test to tell Computers and Humans Apart’.
Users are required to click a checkbox to demonstrate they are not a robot. They will either pass right away or be presented with a second test, a set of images where they have to click on matching objects.
It is difficult for bots to pass the test because when Google detects a spambot, it gives them a much harder challenge. And while users find most CAPTCHA tests annoying, reCAPTCHA provides the best user experience.
You can add reCAPTCHA to the WordPress comment form using the Simple Google reCAPTCHA plugin. To learn how to set it up, see our guide on how to add reCAPTCHA to the WordPress comment form.
6. Prevent Imposter Comments
When some spammers leave comments, they try to fool you by filling in the username and email address of a registered user on your website. They do this hoping that you recognize the other person’s name or Gravatar and approve their comment.
The easiest way to prevent imposters from commenting in WordPress is to install and activate the Impostercide plugin. For more details, see our step by step guide on how to install a WordPress plugin.
Once the plugin has been installed, it will prevent all unauthenticated users from leaving a comment with a registered user’s email address or username. Instead, they will be shown an error message.
You can customize the error message by visiting the Tools » Impostericide page.
7. Remove Website URL Field from Comment Form
The website URL field in the comment form attracts those who wish to use backlinks to boost their search engine rankings on specific keywords. Their goal in leaving a comment is just to get the backlink, not to add any real value to the discussion.
This means their comments usually contain a line or two of irrelevant nonsense, and the comment author name will contain a keyword or a combination of a real name with keywords such as ‘Sally from Dunder Mifflin’ or ‘John @SEOconsultants’.
When you remove the website URL field from your comment form, then commenters will not get the value of a backlink, and this should result in less comment spam. Real users will leave a comment on your articles whether they get a backlink or not.
To learn how to do this, see our guide on how to remove the website URL field from the WordPress comment form.
8. Disable Comments on Media Attachments
WordPress automatically creates an attachment page for each image and media file that you upload to your website. Users can leave comments on these pages.
This can be useful if images are a central part of your content. If not, it’s just another opportunity for spammers. If you don’t need users to comment on images, then you should turn off comments on media attachments.
The easiest way to do this is by installing and activating the Disable Comments plugin. For more details, see our step by step guide on how to install a WordPress plugin.
Upon activation, you need to go to the Settings » Disable Comments page and check the box next to ‘Media’ option.
Make sure you click on the ‘Save Changes’ button to store your settings. The plugin will now disable comments on your WordPress media files and attachments.
9. Disable HTML in Comments
By default, WordPress allows certain HTML tags within the comments, and these can be used to hide spam links. You can discourage this by disabling HTML in comments.
That means that any HTML tags that are used in a comment will be seen as text, but will not be functional. For example, if someone uses the <strong> tag, then the tag will be seen in the comment and the text will not be bolded. It also means that links won’t be clickable.
To disable HTML comments you will need to add a text snippet to your theme files. If you need help adding code to your site, then refer to our beginner’s guide on how to paste snippets from the web into WordPress.
You need to add the following code to your theme’s functions.php file or a site-specific plugin.
function wpb_comment_post( $incoming_comment ) {
$incoming_comment['comment_content'] = htmlspecialchars($incoming_comment['comment_content']);
$incoming_comment['comment_content'] = str_replace( "'", ''', $incoming_comment['comment_content'] );
return( $incoming_comment );
}
function wpb_comment_display( $comment_to_display ) {
$comment_to_display = str_replace( ''', "'", $comment_to_display );
return $comment_to_display;
}
add_filter( 'preprocess_comment', 'wpb_comment_post', '', 1);
add_filter( 'comment_text', 'wpb_comment_display', '', 1);
add_filter( 'comment_text_rss', 'wpb_comment_display', '', 1);
add_filter( 'comment_excerpt', 'wpb_comment_display', '', 1);
remove_filter( 'comment_text', 'make_clickable', 9 );
Here’s our guide on how to add code snippets via the free WPCode plugin because it’s the easiest method available.
This code changes HTML code into HTML entities that are displayed in the comment and not parsed by the browser.
10. Set a Minimum and Maximum Comment Length
We once ran into a comment spam problem where a spammer was leaving hundreds of comments per hour with a single word: ‘hello’.
Akismet and Sucuri were not able to block this because the comment looked natural. Antispam Bee slowed the spammer down but wasn’t able to entirely block the attack.
We were able to combat the spam by using the Yoast Comment Hacks plugin that lets you set a minimum and maximum comment length.
We simply enabled the Yoast Comment Hacks plugin and set the minimum comment length. After that, they received an error message when trying to leave a comment of just one word.
11. Disable Trackbacks in WordPress
As we said earlier, one main reason that people leave comment spam is to get trackbacks. However, for most blogs, it is not necessary to have trackbacks enabled.
You can choose to disable trackbacks on your entire blog or in an individual post. This is an easy way to significantly reduce comment spam.
Simply navigate to the Settings » Discussion page. Here you can uncheck ‘Allow link notifications from other blogs (wingbacks and trackbacks) on new articles’.
This will turn off trackbacks for all new posts. You should now follow our guide on how to disable trackbacks on existing posts.
12. Turn Off Comments on Old Posts
WordPress allows you to turn off comments on old posts. This is particularly helpful for websites publishing content that is timely, such as news or events websites.
Simply go to Settings » Discussion, and under ‘Other comment settings’ you will see the option ‘Automatically close comments on articles older than XX days’. Check the box next to this option and enter the number of days you want comments to be displayed on a post.
WordPress will now automatically close comments on posts older than the number of days you defined for this option.
If you need, you can override the comment deadline in WordPress for individual posts where you would like comments to remain open.
BONUS – 13. Switch Off Comments
Perhaps you have no need for comments on your WordPress site, or you find that comment moderation is taking too much time. You can always switch off comments in WordPress and avoid comment spam entirely.
To disable comments on new posts, you will have to go to Settings » Discussion and uncheck the box next to ‘Allow people to post comments on new articles’.
You will also have to switch off comments on all existing posts. To learn several ways to do that, check out our guide on how to completely disable comments in WordPress.
Frequently Asked Questions by Users
Why are they spamming me?
Don’t take it personally. Spammers want to get better search rankings or lure unsuspecting visitors to dubious and malicious sites. They think that by spamming they can get more links, and it will somehow positively affect their search rankings.
In most cases, it is not a personal attack against you. Rather, it’s a systematic process that targets many blogs.
What happens to comments that are marked as spam?
When you moderate comments, those you mark as spam will not be displayed on your website. Instead, they are moved to the spam list on your Comments page.
If you move a comment there in error, then you can recover it by clicking the ‘Not Spam’ link under that comment. There is also a link so you can delete a spam comment permanently.
Why is every comment going into the moderation queue?
When you follow the first tip in this article and turn on comment moderation, then you will need to approve every comment that is left on your website. This gives you absolute control over any comment that gets published on your website.
We hope this tutorial helped you learn how to stop comment spam in WordPress. You may also want to learn how to speed up your WordPress performance, or check out our ultimate WordPress security guide.
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
Evans Mary says
Great article. Thanks for sharing an informative article.
WPBeginner Support says
You’re welcome, glad you found our article helpful!
Admin
WPBeginner Support says
For what it sounds like you’re wanting, we would recommend taking a look into membership plugins to limit the posts to your logged in members. We would recommend taking a look at our guide below on starting a membership site:
https://www.wpbeginner.com/wp-tutorials/ultimate-guide-to-creating-a-wordpress-membership-site/
Admin
Agnes says
I maintain that a portion of my posts should be safeguarded with secret word. It is alright that I give a secret word, yet I believe that the extract of the post should be discernible for every one of the guests. is there a module for it or do u have some other plan to tackle it? thanks ahead of time.
Wendy says
so without overloading my site with plugins, how does one decide which of these to implement?
I have Akismet and Sucuri.
WPBeginner Support says
For your concern about the number of plugins, we would first recommend taking a look at our guide below:
https://www.wpbeginner.com/opinion/how-many-wordpress-plugins-should-you-install-on-your-site
As some of the plugins would not cause any change to your site’s speed due to their functionality. But for which to use, it would depend on the goal you are looking for with your site as the plugins have different uses and not all sites would want to use every option.
Admin
Jos says
I copied and pasted the url filter code into a site plugin, however, the website field still displays. Wondering if this could be caused by another plugin or if there is something missing.
WPBeginner Support says
You may want to try some of the other methods for removing it in our article below:
https://www.wpbeginner.com/plugins/how-to-remove-website-url-field-from-wordpress-comment-form/
Admin
Rick Bryan says
Thanks for the article. Can you explain about the comment spam industry; who and why and where. Almost all of the spam comments on my website or innocuous comments about “you’ve done a great job here! I was just reading about this topic.” Two or three each day; always with different wording but similar grammar and syntax, etc.
WPBeginner Support says
It is mainly people attempting to get backlinks to different sites and when programs start marking them as spam they send those thanks messages to try to make the different spam checkers think they are not spammers when people approve those comments. There are tools out there to automate what they are doing so not all of the comments are manual.
Admin
Brendan Ryan says
Just a quick question. In item 8 Disable HTML your code snippet uses “wpb-” as its functions prefix. I am guessing that is your “WPBeginner” wordpress installation prefix. And that each user here should edit that to reflect their installations prefix. For a standard installation of WordPress that would be just “wp-“.
WPBeginner Support says
You would want that to be a unique identifier, we use wpb in ours and others can too, we would not recommend using wp in case there is a future update to WordPress with a similar function.
Admin
Srinivas Reddy says
nice excellent thanks…
WPBeginner Support says
You’re welcome
Admin
EO4Wellness says
Yesterday, my website was spammed with a “new service” that described some type of software or online service where by a person pays to spam websites via their “contact us” forms. Apparently this is the “new” and up and coming attack, because yesterday alone I received 56 of these on my site. When I received your newsletter today with this article highlighted–I dropped by wondering if you have a specific trick or tip to overcome this new “Contact Us” spam attack which is unfortunately so common right now?
WPBeginner Support says
For that, you would want to check with your comment plugin to see if they have honeypot or CAPTCHA/reCAPTCHA that you can add to your form.
Admin
Jayanta Bhowmick says
It is really helpful.
On my new blog spamers are more active than real visitor. Some times it is difficult to distinguish between spam comment and real comment. At that time These plugins are very useful.
WPBeginner Support says
Glad our guide could be helpful
Admin
john miller says
this article will help you to solve your problem of spam comments on your WordPress website. you can control that.
Wesley Bergman says
Thank you for sharing the good news in preventing this happen to every one who have accounts in social media or in the blogs that we are posted in this internet world. Many are spam that making the sites a game for them to make your works turn down. You did the great job and I am thankful reading this article.
binny says
this post has been helpful and validation of some of the things I am doing right now. Thanks. I am facing some issue with my comment captcha, maybe you can help me. I am not using any plugin for captcha. Only JetPack and Akismet, and they both are doing a great job to block spam. The captcha for comments is proving to be a headache. It is a math kind and most of the people have complained about it not functioning well. I have not been able to replicate the issue. But i want to get rid of any captcha for comment. Please help me how to do so. Thank you so much!
WPBeginner Support says
Hi Binny,
Try our WordPress troubleshooting tips to figure out where the captcha is coming from and how to disable it.
Admin
Janeane says
This was great – very helpful. Thank you!
Rich D. says
As a new WordPress blogger, this article was extremely informative.
I only have a small amount of spam so far, which is why I Google and found this article, but wanted to get ahead of it.
I’ve implemented a few suggestions from this article.
If the spam increases, I will implement more.
Great article for WP Newbie!
– Rich
Felix Abur says
The cookies for comments plugin seems outdated. Can you suggest a more recent plugin with up to date support?
Nate Balcom says
I find adding an expiration date to comments and a good captcha option slow down the spam comments quite a bit. I recently installed Google’s “Recaptcha”. It’s pretty un-intrusive and doesn’t seem to bother commenters.
I considered removing the site URL link-back, but thought it would slow or stop people from commenting. It looks like that’s not the case here. Did you notice a slow down in comments when you did this?
Love the site. Keep up the good work. Do you ever accept guest posters?
Bek says
Thanks for the post! I have a question – I have been getting a lot of spam comments recently, most of them are rambling irrelevant posts about camping equipment or cam sites etc and I mark those as spam straight away. However some of the comments are actually relevant to the post and make sense but then have a random spam link thrown in at the end or in the ‘URL’ field – for those posts, I have been editing them – making sure that any links are removed and also changing the name to a non-keyword name (they usually use real email addresses so I can get their name from that) and then posting/approving the edited comments.
Does this effect my rankings in any way? And is it a clean way to post the comments or should I just trash/spam them all and not both editing?
Thanks for your help!
WPBeginner Support says
It does not effect rankings. However, perhaps it would be better if you don’t edit and fill in the name field yourself. If a user has used keyword in their name, then you should trash such comment. Editing comments to make them more readable is OK.
Admin
Bek says
Why though? Is there a reason that I shouldn’t be adding/approving these comments for my site? Will it effect me negatively? I am just removing any links and *occassionally* changing their name to their actual name based on their email address. Does this effect my website in any way?
WPBeginner Support says
It doesn’t. But changing the name a user has chosen to identify themselves seems a bit inappropriate. If their name was like ‘John Smith From Example.com’, then you can remove ‘from example.com’ off the name field. However, if their name was example.com or a keyword, then the user has given you no name to show. You can of course try and find out names, but may be the user didn’t want to use a name and by doing so you will be violating their privacy and rights. We think all this trouble is not worth the effort. There are other ways to get more and better engaged users to comment.
Muhammad Tabish says
Wow,Thanks For The Informative WordPress Comment Spam, Tutorial, Keep Sharing
Farrah says
Wonderful article. Thanks so much for sharing it!
AmiR Bin says
Hi,
I’ve just installed Akismet plugin, what should I do? It doesn’t do anything.
May you introduce more captcha plugins(easy for uneducated fools to fill)
Thanks
WPBeginner Support says
Akismet works in the background as a filter. Soon you will start noticing spam comments appearing under the SPAM filter on your comment moderation screen.
You can use CAPTCHA, but CAPTCHA is bad for user experience and discourages your users from commenting.
Admin
AmyPrint says
Just installed Askimet, Thank you very much!
Pradeep says
Good information. Hope to have less spam. Thanks
imVictorLee says
Thanks for the information. Have just installed Askimet. Hope it works for me.
Gulshan Kumar says
I’m coming to this post after 5 months approximately, according to your recommendation I started using using Cookies for Comment plugin and today I’m not getting a single spam comment. Thank you so much.
sig says
Hello, this is a little bit off theme…
I want some of my posts to be protected with password. It is OK that i give a password, but i want the excerpt of the post to be readable for all the visitors. is there a plugin for it or do u have any other idea to solve it? thx in advance.
Jennifer says
Thanks for the article. Great info and helped me stop a spam assault on my new blog instantly.
Shafiuddin says
this is a very informative guide sir,i have a niche blog even after installing askimet and other plugins i’m getting atleast 5 spam comments per day from one pager seo companies[mostly scam].I guess these comments are coming from bots.how could i ban those bots on my blog ?
Teguh IW says
akismet is enough to stop spam…
WPBeginner Staff says
It actually depends on each site. If a site owner feels that comments are not contributing to the discussions on their site, or not helping them grow, then they can decide to remove them.
Neil Ashworth says
Very comprehensive post – and I see you are still using Disqus for comments. There’s been some debate around closing comments all together recently (Copyblogger closed their comments in late 2014) – what do you think? is it something to consider for new blogs with little traffic/comments too?
Levent Cem Aydan says
I just uploaded Disqus to fight spam for my company blog, but these are a much better solution I guess. Thank you for this article.
Robert says
Hello, this is a little bit off theme…
I want some of my posts to be protected with password. It is OK that i give a password, but i want the excerpt of the post to be readable for all the visitors. is there a plugin for it or do u have any other idea to solve it? thx in advance.
Peter Cralen says
I still don’t understand why they spam comments in 2014. Ok, 20 years ago, but now ? wasting energy for them and blogger.
Kalpesh Makwana says
I think, still they are thinking that kind of spammy links will work for them.