How To Stop WordPress Comment Spam: Best Tips and Tricks

Imagine you’ve just poured your heart and soul into crafting the ideal blog post for your WordPress website.

You hit publish. And you’re eager to hear what your community has to say.

A few hours later, you decide to check the comment section to see if anyone’s said anything.

But instead of insightful feedback or thoughtful questions, it’s riddled with comments with random links and promotions of odd products. It’s not only an annoyance, but it could impact your website’s credibility.

Sounds like a common scenario? Well, the good news is that plenty of solutions exist to solve this dreadful problem.

Stick around to find out how you can combat WordPress comment spam.

Here’s what we’ll cover:

WordPress comment spam 101

WordPress comment spam is unsolicited and often irrelevant content posted in the comments section of your blogs, forums, or contact forms. Much like that mysterious flyer in your mailbox promoting a product or service you didn’t ask for, these comments clog up your website with messages advertising services, promoting questionable links, or spreading malicious content.

The real culprits behind this deluge of digital junk? Bots.

Automated software applications, aka comment spam bots, scan the internet looking for websites to drop comments in hopes of achieving their goal. This practice results in tons of spam comments across YouTube, Reddit, and WordPress websites.

WordPress comment spam: Associated risks

You might be thinking, “My website gets spammy comments here and there. Big deal, right?”

However, comment spam could negatively impact your WordPress website and its search engine optimization (SEO) strategy by harming visitor trust, promoting scams, and adding irrelevant keywords to your webpage.

In particular, you want to get rid of WordPress comment spam to avoid the following.

Bad reputation

Spammers aren’t acclaimed for top-tier content. When your comment section is jam-packed with irrelevant or inappropriate spam, it tarnishes your website’s reputation. If you have a messy kitchen, others might lose trust in the food you cook.

Poor SEO

Search engines like Google appreciate and reward quality content. A comment section littered with spam can drag your SERP rankings down since the irrelevant keywords in the comment sections might send mixed SEO signals to Google.

User experience

The user experience your website provides is central to the feeling your visitors get when browsing your website. However, if you’ve had thoughtless discussions due to spam comments on your blogpost, it’s hard for website visitors to share their experiences with others.

With spam protection, you can induce thought-provoking conversations, improve the user experience, and build better bonds.

Where do WordPress spam comments come from?

Spam comments on your WordPress website typically originate from automated bots and paid spammers. Occasionally, you might also receive spam comments via exploited WordPress features like trackbacks and pingbacks.

Automated bots typically have a single goal — and for WordPress websites, it happens to be backlinks. Although WordPress adds a “no-follow” tag to every comment since WordPress 5.3, spammers behind these bots still try.

On the other hand, paid spammers are individuals promoting a particular product or service. Typically, you might see such spammers promoting cryptocurrency projects or get-rich-quick schemes.

Lastly, trackbacks and pingbacks are WordPress features spammers use to lure you into posting spam links on your website. The spammers initiate a fake trackback or pingback message, hoping you’ll reciprocate or website visitors will click their link.

And you don’t want to be responsible for visitors clicking spam links, so it’s important to stop them — more on that in the next section.

How to stop WordPress comment spam

1. Enable comment moderation

2. Disable trackbacks and pingbacks

3. Limit or ban links in comments

4. Require user registration

5. Disable comments

1. Enable comment moderation

Think of comment moderation as your frontline defense against spam. Your comment filters are like a checkpoint, holding comments for approval before they go live.

To enable comment blacklists, head to the Discussions area of Settings in the WordPress dashboard. Once there, you can enable settings like forcing commenters to fill out a name and email or log in to their account.

Additionally, you can enable comment moderation, where you manually review all comments getting posted. Just find the Before a comment appears section and click the parameters you’d like to set.

While comment moderation gives you all the control, monitor your comments regularly. Certain spam comments can still make it to your website if you’ve opted for lenient comment moderation, so it’s on you to remove such spam.

2. Disable trackbacks and pingbacks

Trackbacks and pingbacks alert you when another blog links to your content. Sounds useful, right? Well, not always. Unfortunately, spammers exploit this feature and use it for spam.

To disable trackbacks and pingbacks, head back over to your WordPress Discussion Settings. You’ll find a section labeled Default post settings, where you can uncheck the box for allowing pingbacks and trackbacks — you can also uncheck the box for sending pingbacks and trackbacks to other blogs.

However, disabling this setting means cutting off legitimate notifications from other blogs. It’s a bit of a trade-off, but in many cases, the spam it prevents makes it worth it.

3. Limit or ban links in comments

You know the saying, “A little goes a long way”?

For WordPress comment spam, just limiting or banning links often does the trick. Since many spammers try to use links in their comments, banning or limiting links considerably reduces their incentive for spam.

You can limit or ban links by navigating to Settings > Discussion > Comment Moderation. You can configure it to only allow comments with less than a certain number of links.

In the example above, we set the limit to two links per comment. But you could take that to zero links if you’d like. It all depends on the amount of spam you receive.

4. Require user registration

Preventing spam comments on your WordPress website involves making it difficult for spam bots and spammers to perform the task. We’ve discussed disabling comments with links and enabling comment moderation — but the functionality of requiring user registration makes for an excellent layer of friction to deter spammers from leaving comments.

On the surface, user registration seems like a hassle for legitimate comment authors. However, it benefits them, too, since WordPress users who register are likely to contribute to a high-quality discussion.

User registration settings lie in the Discussion section of Settings. It’ll be under Other comment settings.

5. Disable comments

Sometimes, the best defense is a good offense. You can disable comments on your posts altogether to prevent spam comments from appearing. While a bold move, it’ll save you a lot of time and headaches from dealing with spammers.

Still, it’s a double-edged sword. You’ll be shutting out comments from your community. If you want, you can invite them to email you with comments. But there won’t be a community discussion happening on your WordPress website.

You’ll find the checkbox for allowing or disallowing comments at the top of the Discussion section of Settings, under Default post settings. For our example, we decided to continue to allow comments but placed heavy restrictions on commenters.

Best practices for stopping spam comments

If you can’t seem to beat the spammers with traditional WordPress settings, it’s time to try the next best options: plugins, tools, or advanced tactics.

Use plugins to stop WordPress comment spam

Anti-spam plugins provide the easiest, most cost-effective, and most reliable way to stop comment spam. They typically use different tactics than WordPress settings to prevent spam.


Developed by the creators of WordPress themselves, Akismet is the industry standard for handling spam. WordPress users have been using this plugin since the mid-2000s, so it’s got years of experience protecting websites from spam.

Akismet learns and adapts from all encounters with spam comments, constantly updating itself and improving its capabilities. Additionally, the Akismet plugin provides a weekly spam report detailing how many spam comments were caught in the given time period.

Antispam Bee

If you’re a stickler for user privacy and unwilling to compromise it in your battle against spam, Antispam Bee is for you. This plugin doesn’t require user registration or store personal data, ensuring your user data remains secure.

Antispam Bee is an excellent spam-blocking tool with several customized features to keep your website safe. For instance, you can block comments from specific countries, limit specific comment types, and receive detailed statistics. Plus, you can record the IP addresses of spammers and prevent them from commenting again.


If you don’t want to make your loyal readers go through CAPTCHA but still want a spam-free comment section, WPBruiser is for you. This plugin uses a complex algorithm to identify and catch bots and spammers before they can leave any comments.

WPBruiser includes several features, including WordPress forms protection, IP address tracking, and brute force protection. Additionally, it logs bot actions and can provide notifications with advanced reporting, meaning you’ll know immediately about potential threats.

Adopt available tools to stop WordPress comment spam

Besides using a WordPress plugin to stop WordPress spam, you can also rely on other tools.


A Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) can help you separate bot and human traffic. CAPTCHA is a pop-up quiz that asks users to identify a particular object out of a set of nine images.

CAPTCHA pop quizzes are relatively easy for humans and difficult for bots, making them a great method to prevent bot spam on your WordPress blog. You can typically set up CAPTCHA on your comment forms.

A version of Google’s reCAPTCHA is the easiest way to get started. It uses an advanced risk analysis engine to keep automated software from engaging in abusive activities on your website. Not to mention, it’s a WordPress plugin, making it a quick integration.

Still, nearly all of us have encountered a CAPTCHA that was simultaneously challenging and frustrating, so make sure to monitor CAPTCHA’s effect on user experience after enabling it.

Third-party commenting systems

Another unique approach to stopping WordPress comment spam is opting for third-party commenting systems.

Have you ever heard that Windows computers are “easier” to hack? It’s because the Windows operating system is more widespread and used by more people — meaning hackers focus more time identifying vulnerabilities with Windows.

The same goes for WordPress websites. Since 43 percent of all websites are made on WordPress, spammers and scammers spend more time targeting the vulnerabilities within the WordPress ecosystem.

To avoid being the target of comment spammers, you can turn to third-party commenting systems with more effective comment filters.

For instance, limiting comments to account-only typically lowers user interaction. However, Jetpack Comments helps you allow users to add comments using their social media accounts as a balancing act.

Similarly, you can also try wpDiscuz and Disqus as alternative commenting systems.

Configure a firewall

If you want to dive deeper into website security, setting up a firewall can be the most effective way to deal with spam comments.

A firewall is a barrier between your WordPress site and the data crawling on the internet. It prevents bad visitors like bots and spammers from visiting your website.

In particular, web application firewalls (WAFs) help identify and prevent spam by automatically blocking potential threats based on security rules. For example, posting a spam comment would get a user banned if you set up the WAF in that manner.

If you host your website with Nexcess, you can protect your site with Performance Shield powered by Cloudflare, which provides DDoS, WAF, and bot protection. Performance Shield starts at $5 per month.

Wordfence is a WAF that runs at the server application level. It blocks malicious traffic, filters banned IP addresses, and stops bots in real time. As an intuitive and easy-to-set-up WordPress plugin, it keeps your website free of spam.

Ideally, you want your WAF at the edge, not a WAF that runs at the server application level.

Final thoughts: Stopping WordPress comment spam

At first, navigating through WordPress comment spam may have been annoying and frustrating. But now you’re equipped with several methods for combating and preventing this spam for good. 

But spam prevention is still only one piece of the puzzle — that is user experience. You must also work on your website’s performance, security, and availability.

If you opt for Nexcess, you tick most other user experience checkboxes. For instance, Nexcess managed WordPress hosting offers you performance-optimized hosting servers, PCI-compliant security, and 100 percent uptime.

Check out our managed WordPress hosting plans to get started today.

Source link