Spam is a plague for many WordPress sites. While it’s not nearly as bad as it used to be, every WordPress user can testify to how annoying comment spam can be. And not just comment spam — spam in your forums, in your email and forms, everywhere!
But it’s not just irritating for you. Web spam can have far-reaching consequences: reducing engagement by driving users away from your comments and forums, hurting your reputation, and even damaging your SEO. You need to do something about it fast.
But if you have a spam problem, you’re probably hundreds of fake comments deep with more constantly coming. How can you possibly stop the onslaught? Read on, and we’ll give you nine ways to shut down spam and prevent it from ever coming back.
What Counts as Spam? Why Get Rid of It?
How do you know if you’re the target of a spam attack? And what does it mean for your site if you are?
A spam comment is often instantly recognizable; it’s blatant self-promotion with a link to a website or product. Usually it’s obvious that they didn’t read the article they’re commenting on at all, as they’ll say something generic like “Great post! Check out my website…”
Sometimes it isn’t as obvious. They may attempt to hide links in single letters or punctuation, hoping you won’t notice. Or they might even give you a personalized compliment, then link to some unrelated website.
Spam might also show up in your forums, or directly in your inbox through an unsecured form.
If you are getting website spam, it’s not a good idea to just let it go. These links are often full of viruses you don’t want your readers to expose themselves to. Hosting such links can also cause your SEO to crash, which means less traffic.
Plus, it kills engagement and damages reader retention. If someone scrolls down to the comments looking to join the conversation and instead finds a wall of garbage links, they’re just going to leave.
And last but not least, spam that goes unchecked just keeps getting worse and worse. Unmoderated comment sections are prime real estate for spammers, and the longer you let it go on, the more will keep coming.
Why Does WordPress Have So Much Spam?
Most spam posts are entirely automated. This makes it easy to target hundreds of websites, posting the same message over and over in the hopes of stealing as many clicks as possible.
But WordPress in particular is known to be prone to these attacks. While it has tightened security in more recent releases, older versions did little to combat spam. Now that Akismet comes preinstalled, it’s cleared up a lot. But since many users don’t do much to secure their site, spammers continue to target the platform.
Some people who post spam are also misinformed and attempt to use comments as a way to generate backlinks and increase their SEO. Since WordPress comments don’t pass any “link juice” this is a futile effort that helps nobody.
As for form spam, some attackers target forms looking for insecure websites. A poorly secured form is indicative of a website that may also be open to brute force attacks or full of security holes that could let them gain control. They may even be able to use your form to send spam from your email.
Time to do something about this.
How to Eliminate Website Spam
WordPress might be better at fighting spam than it was in the past, but bad comments can still slip through. Here are nine effective ways to stop them and prevent them from ever coming back.
1. Moderate Comments
The first step to fighting spam is located right in your dashboard under the Comments section. Here is where you can see an overview of submitted comments, mark them as spam and delete them, or approve them.
You might notice that there’s not much room for customization here. If you want to change your comment settings to make moderation easier, head over to Settings > Discussion.
You could turn on Comment must be manually approved to moderate every comment that passes through your website. For large websites, that’s not always ideal, but it means there’s no chance of anything slipping through.
A better solution is to also turn on Comment author must have a previously approved comment, so frequent trusted posters won’t need to have their messages approved every time.
What if you already have a huge backlog of spam to get through? You can delete them by going to Comments, clicking the checkbox near the top to select all, then clicking Bulk Actions > Move to Trash. Last, empty the trash.
You could also try the Delete All Comments plugin to get rid of them easily.
Whether you want to manually go through every post or just purge all your comments at once is up to you. When you’re overwhelmed by spam, it’s sometimes just easier to get rid of everything and start over.
2. Require Email or Registration
When you allow anonymous comments, you’re opening yourself up to spambots. A simple solution is to require commenters to leave their emails, and many lazy spam attacks will stop.
Under Settings > Discussion find the option Comment author must fill out name and email and enable it.
It’s perfectly possible to fill these boxes with garbage text, so it might not stop all spam. If you’re still experiencing issues, you could take it a step further and require registration to comment. This will take care of a majority of automated spam.
While this can discourage engagement from legitimate users, it’s a much more effective way to deal with spam.
Right below the setting mentioned before, you’ll see Users must be registered and logged in to comment. Tick it and you’re good to go.
3. Disable URLs in Comments
Still on the Discussion settings page, under Comment Moderation find the option Hold a comment in the queue if it contains x or more links.
Links are the entire reason why spammers spam, and you’ll almost never see one of their comments without one. So reducing the number of allowed links can make it easier to catch their messages.
If you want, you could even set it to 0 and ban links in your comments entirely. This is aggressive and can affect legitimate users, but it will pretty much get rid of most spam.
You should also remove the website field from comments as it’s basically just asking for spam links. With a plugin or a simple line of code, users will no longer have the option of linking to a website when they sign up to comment.
4. Update Your Blocklist
In your Discussion settings, you’ll find a blocklist, which can be a big help at stopping spam.
You may have noticed that a lot of these types of comments say the same thing or mention the same products. To combat this, you can add URLs, phrases, or words that appear repeatedly to the blocklist.
Put them in the Comment Moderation box and they’ll be held in the queue. Add it to the Blocklist and they’ll be instantly put in the trash.
Not sure what phrases to add? Try the Comment Blacklist for WordPress. Just copy the text file, paste it into your blocklist, and save.
5. Install an Anti-Spam Plugin
Most WordPress installations should come with Akismet preinstalled, but you may need to go to Plugins > Installed Plugins and activate it manually. Once active, Akismet is usually all you’ll ever need to cut down on spam.
But if you find that you’re still dealing with annoying comments, you could always try installing a new plugin. Antispam Bee and CleanTalk (requires premium subscription) are two viable alternatives.
You could also try Wordfence or All In One WP Security, which are primarily security plugins, but come with features like firewalls that can block known spam IPs.
6. Use CAPTCHA
Using CAPTCHA on your forms is the best way to stop bots from slipping through. By adding a short puzzle that only a human can solve, you’ll stop a majority of automated attacks.
While technology does exist to circumvent CAPTCHA, and it won’t stop spam campaigns driven by humans, it will get in the way of a majority of poorly coded spambots.
reCaptcha by BestWebSoft and Advanced noCaptcha are two great plugins for this. They allow you to add CAPTCHA anywhere on your website, from comment to contact forms, including invisible CAPTCHA that stops bots without disrupting users.
7. Try Third-Party Comments
If your WordPress comments are full of so much spam that all these settings and plugins aren’t helping, you could always try a third-party system. These have their own anti-spam methods in place, and are harder for automated bots to detect, so they can help a lot.
Disqus has long been the go-to third-party solution, though lately users complain of ads and the plugin hasn’t been updated in a long time. Instead, you could try Jetpack’s comment system, a smaller but still effective plugin like wpDiscuz, or a social comments plugin like Super Socializer.
8. Secure WordPress Forms
Mostly we’ve focused on locking out comment spam, but it’s important to protect your forms too. Whatever form plugin you may use, here are a few tips to stop spam from reaching your email.
- Don’t publicly publish your business email on your site. Use a contact form.
- Include a CAPTCHA on your form, or at least a verification question.
- Use a form with honeypot functionality. For Contact Form 7 users, try the honeypot plugin.
- Require some form of verification to submit the form: email, phone number, etc.
- Enable double opt-in to keep your mailing list users legitimate.
- Turn on input validation or put a text limit on form fields to prevent hackers from injecting code into your forms. If you have a file upload field, limit the types of files others can upload.
Last tip: Don’t just use these methods for contact forms. Also secure your user sign-up page to prevent spammers from getting at your forums and comments.
9. Disable Comments
If all this is just too much to deal with, you can just disable comments entirely and eliminate all spam.
First go to Settings > Discussion and untick the option Allow people to submit comments on new posts. This will disable comments for anything you post in the future.
For past posts, to disable comments in bulk, go to All Posts and click the checkbox in the top left corner to select all. Switch Bulk Actions to Edit and click Apply. In the editor, switch Comments to Do not allow and click to update. All your past posts should have their comments closed.
Comments submitted in the past will still show up. You’ll need to delete them to get rid of them.
If you’d rather, you can instead use Quick Edit to close comments only on posts that are spam targets.
Or you can automatically close comments on old posts, which limits vectors for spam attacks. Go to Settings > Discussion and find the setting Automatically close comments on posts older than x days. Change it to however long you want, and you only have to worry about spam on brand new posts.
Stop WordPress Spam Forever
Spam can be a seriously annoying detriment to a growing website. Besides potentially driving away visitors or stagnating growth by hurting your SEO, it can just be upsetting to log into your site and see a backlog of thousands of illegitimate comments.
However, with a few setting tweaks and some extra plugins, spam can be a thing of the past. Enable comment moderation, update your blacklist to block common spam keywords, require registration, and turn on CAPTCHA — this alone will put a stop to most spam attacks. You may get a rogue comment or two slipping through the cracks, but the influx of hundreds of them will stop.
If it gets to be too much even with that, you can run a different comment system like Disqus, try a new anti-spam plugin, or just turn comments off entirely and be done with it.
What’s your favorite anti-spam plugin besides Akismet? Let us know in the comments which plugin has worked best for you.
