WordPress Comment Spam
Comment spam is a fact of life if you have a blog. WordPress not only ships with solid built-in tools to prevent comment spam; there is also a wide range of comment spam protection plugins and methods to choose from if you feel you need additional coverage.
There is no one-size-fits-all method that will protect your comments - spammers constantly change their approach, so you must keep your choices updated.
However, WordPress developers have already developed a number of successful strategies to help you prevent spam comments from appearing on your site. In this article we'll take a look at some of these we think are the most effective.
Difference between ordinary mail spam and comment spam
Every internet user knows what email spam is - all those emails you didn't ask for and which are trying to sell you something.
Unlike email spam where you are the target, comment spam generally targets search engines.
Several years ago, Google pioneered a search technique called PageRank. Basically, in addition to looking at the content of the page being indexed, Google also takes into account who links to the page and what those links say. Because their ranking system relies so heavily on PageRank, people sometimes game the system using a technique called Google Bombing.
A Google bomb is when a large number of different websites link to a page with the same link text to influence the ranking of that page for a search term.
A spammer might have a site that sells productx and wants to be at the top of search results for productx on Google. They leave comments on hundreds or thousands of weblogs linking to their site with the link text productx. They don't really care if you see their Google bomb text - they just want the search engine to see it when it indexes your page.
Default WordPress Comment Spam Tools
Probably one of the most underrated strengths of WordPress is its built-in anti-spam functionality. With a bit of knowledge and forethought, you can configure your WordPress Discussion settings to act as a powerful and effective defense against spam comments.
The following are the default comment spam tools that come with every installation of WordPress, in addition to the Akismet WordPress Plugin. To modify the default settings go to the Settings > Discussion panel.
Default article settings
Disallow pingbacks and trackbacks
You can cut out a significant portion of spam by simply disallowing pingbacks and trackbacks.
Enable/Disable comments generally
If you deselect the box in front of Allow people to post comments on new articles, you will disable comments for all new posts. You can manually enable comments for individual posts from the Add New Post or Edit Posts screen by checking the Discussion option in Screen Options.
Other comment settings
Comment author must fill out name and email
If you check the first option you are going to get 90% fake data because WordPress does not validate the user input.
Users must be registered and logged in to comment
Check this option if you are concerned about the quality of the discussion - visitors who are competent and interested in the discussion will register and log in to participate. Spammers will surely not.
Automatically close comments on articles older than ...
Because blogging is time sensitive, selecting more than 30 days is meaningless.
Email me whenever
A comment is held for moderation
Select this option if you are using the comment moderation filter or the next option is also selected: Comment must be manually approved
Comment author must have a previously approved comment
By selecting this option you are manually selecting the users allowed to comment. But be warned: if your site has thousands of posts and this is the only active anti-spam filter, some spammers will surely write one legitimate comment to get access and then start spamming. Do not rely on just one tool; secure at least one other active option.
Number of Links in Posts
To change the number of links in comment posts, scroll down to Comment Moderation and set the number to 1 (the default is 2).
Note: Do not set this to zero or leave the field blank. It will send every comment to moderation.
You can specify a set of moderation keys which, if present in any part of the comment, will cause it to be held for moderation. These keys are specified one per line in the large text area, which is blank by default. Moderation keys can include Spam Words, swear words, IP addresses, and Regular Expressions.
This is a list of words completely blacklisted from your blog.
Be very careful what you add here. If a comment matches something here it will be completely nuked and there will be no notification. These nuked comments will not appear on your blog, but they will remain in your database marked as [spam]. Comments that are marked as [spam] are held in your database to educate intelligent anti-spam plugins, such as Akismet.
Remember that partial words can match, so if there is any chance something here might match it would be better to put it in the moderation box. Blacklisting a word such as ass will automatically delete comments containing ass, asses, assistance, passionate, assumption, etc.
An unofficial curated blacklist is available on GitHub (github.com/splorp/wordpress-comment-blacklist).
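How the link limit, the moderation keys and the blacklist interact, including the partial-word problem, shown as an added example. It is not WordPress core code and not from the original article: the function names, sample comments and the shop.example URL are constructed, keys are matched as plain case-insensitive substrings (regular-expression keys are not modelled), and the link rule is assumed to be "hold if the comment contains this many links or more".

```php
<?php
// Added example: simplified model of the Discussion filters. Names and data are constructed.

// Return the first key found anywhere in $text (case-insensitive substring match), or null.
function first_matching_key(array $keys, string $text): ?string {
    foreach ($keys as $key) {
        $key = trim($key);
        if ($key !== '' && stripos($text, $key) !== false) {
            return $key;
        }
    }
    return null;
}

// Count anchor tags that carry an href attribute.
function count_links(string $comment): int {
    return (int) preg_match_all('/<a\s[^>]*href/i', $comment);
}

// The blacklist is checked first (silent discard), then the link limit and moderation keys.
function classify_comment(string $comment, array $blacklist, array $moderation, int $max_links): string {
    if (first_matching_key($blacklist, $comment) !== null) {
        return 'spam';
    }
    if (count_links($comment) >= $max_links || first_matching_key($moderation, $comment) !== null) {
        return 'moderation';
    }
    return 'approved';
}

$samples = [
    'Thanks for the assistance, this fixed my theme.',
    'A passionate write-up, well done.',
    'Buy <a href="http://shop.example/">productx</a> today',
    'Works on my install too.',
];

// Each entry: [blacklist keys, moderation keys, link limit].
$configs = [
    'short key in blacklist'    => [['ass'], ['productx'], 1],
    'same key moved to moderation' => [[], ['ass', 'productx'], 1],
    'link limit set to zero'    => [[], ['productx'], 0],
];
foreach ($configs as $label => [$blacklist, $moderation, $max_links]) {
    echo "$label\n";
    foreach ($samples as $comment) {
        printf("  %-10s %s\n", classify_comment($comment, $blacklist, $moderation, $max_links), $comment);
    }
}
```

Run it with the PHP command-line interpreter and compare the three configurations: any comment labelled spam is one the moderator would never be notified about.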
Inform Users When Comments are Moderated
When people submit comments, they expect them to appear on your blog immediately. Implementing comment moderation and not telling people will almost certainly result in some people repeatedly submitting the same comment as they think it has disappeared.
To prevent this from happening, and to avoid disgruntled and confused readers, inform people that their comment is under review by doing the following:
If you use popup comments, edit comments-popup.php and if you do not, edit
Look for the following code:
<p> <input name="submit" type="submit" tabindex="5" value="<?php _e("Say it!"); ?>" /> </p>
Change that to the following, adding your own customization:
<blockquote> Comment moderation is in use. Please do not submit your comment twice -- it will appear shortly. </blockquote>
<p> <input name="submit" type="submit" tabindex="5" value="<?php _e("Say it!"); ?>" /> </p>
When choosing your anti-spam tools and strategies, do not expect immediate results. Take time to fine-tune the system while limiting the spam comments to a negligible level.