What's The Best Way to Stop WordPress Comment Spam?

Written by James Parsons, updated on 04/11/2025

Blog comments are a bit of a hit-or-miss prospect.

  • On the one hand, if you have an active community, people commenting on your posts can add content and keywords, foster discussion, help you generate more blog post ideas, and keep your audience engaged.
  • On the other hand, blog comments can be full of spammy garbage, which can be a ton of work to clean up. And sure, there are a bunch of different plugins to help you deal with comment spam, but as everyone who has faced this battle knows, it's never a sure-fire thing. Some will slip through, and it's up to you to moderate those comments to avoid tanking your site's reputation.

How can you get rid of blog comment spam without hurting your site? Well, there are a few options, so let's go through them. I also created some custom code that will eliminate WordPress spam entirely.

30 Second Summary

You can handle blog comment spam in a few important ways. If you turn off comments completely, you'll miss out on SEO benefits like extra keywords, fresh content and reader engagement. You can try third-party systems like Disqus, but they often slow down your site and block search engines from seeing comments. Your best options are using anti-spam plugins with honeypot features or adding custom code to your functions.php file that automatically filters out spam based on specific triggers you set.

Option 1: Disabling Blog Comments

For many site owners who are just tired of dealing with comments, the option to disable them entirely comes to mind.

I don't think it's a good choice since comments are one of the most underrated bits of a website that help SEO (in my humble opinion and from my 15+ years of blogging experience), but we'll get to that in a moment.

WordPress makes it easy to do, too:

  • Log into your site.
  • Go to your settings panel.
  • Go to Discussion Settings.
  • Under Default Post Settings, uncheck the box marked "Allow people to submit comments on new posts."
  • Save your changes.

This disables comments on any new posts but doesn't affect old posts. For that, you need to go to each individual old post, click on the title of the post to open up editing, and in the post settings sidebar, change the Discussion setting to Closed.

Alternatively, in the general discussion settings from the step-by-step above, enable "Automatically close comments on old posts" and choose a small number of days after which they close.

Here's my hot take, though: I think closing blog comments is a bad idea.

In fact, I wrote a whole blog post about exactly this discussion. You can read it here. For those who don't want to click through, I think there are seven major reasons why blog comments are good to have.

  1. They're a signal Google can watch that displays engagement, and Google loves sites with engaging content.
  2. They're content added to the page. Google indexes that content and counts it as part of your page, as long as it's not tripping spam flags. Good discussion is extremely valuable!
  3. That content brings with it keywords you might not have thought to use, but now allow your page to be indexed for those keywords.
  4. On an intellectual level, thoughtful commenters can add points you hadn't thought of and might want to consider and can foster ongoing discussion.
  5. Existing blog comments help encourage further blog comments. Most people don't like to break the ice at a party, but once it's broken, everyone dives in.
  6. New comments, even months or years after you published the content, can help keep your page fresh and updated.
  7. Comments also help encourage social proof, like sharing on social media.

All of these are very good reasons not to disable blog comments entirely.

But that leaves us back at square one: how do we filter out spam comments without having to trawl through them manually?

Option 2: Use a Third-Party Comment System

Another option is to offload your comments to a third-party embedded system and let them handle the spam. I also happen to think this is a bad idea, since comments loaded through JavaScript are harder for search engines to parse and index than plain HTML ones, especially when they're hidden or paginated. I have also seen first-hand that Disqus isn't the best for SEO compared to the native comments system.

You've definitely seen this before. The two most popular options are Disqus and Facebook Comments.

These handle spam in a few ways. The first is by being a third-party embedded plugin, so all of the comments are processed and filtered by the main company's systems rather than your own or whatever plugin you use. Facebook has its own filtering, right?

Downside: They kinda don't. Disqus and Facebook are both pretty bad at filtering spam comments. They catch the most obvious garbage, but they also let a lot of junk slip through because they don't really care.

Another issue is they require third-party accounts for commenters to comment. A lot of people don't want to create those accounts or don't want to tie one identity to another with Facebook or something of the sort.

It also cuts out a lot of the actual value of having comments.

  • It's a roadblock to someone leaving a comment, which is already very susceptible to small amounts of friction.
  • It doesn't render or allow indexation by default, so all of the SEO, keyword, and Google perception value you get out of comments evaporates.
  • It can feel disconnected if people comment on your post on Facebook and assume Facebook comments will show it on the post on your site.

On top of all of this, these plugins very frequently slow down your website fairly significantly, and that leaves you hurting more than the comments help.

Option 3: Use an Anti-Spam Plugin

Anti-spam plugins are fairly sophisticated, but they also often fall flat.

One of the biggest names in anti-spam is Akismet. It's so big that most managed WordPress installations come with it preinstalled. It's effectively the default anti-spam – it's even developed by Automattic, who also makes WordPress. Why it isn't rolled into WordPress as a default functionality, I have no idea.

I don't think Akismet is the best option, though. It's good, but it isn't perfect, and I wrote more about why over here. The TL;DR is that spam evolves faster than Akismet can keep up, and when spam strategies change, spam can slip through.

Two plugins I've found to be somewhat more useful than Akismet are WP Armour and Antispam Bee. Both of these have a feature called a honeypot that catches 99% of spam.

A honeypot is just a form field in the comment section. The thing is, that form field is invisible to normal users but wide open to bots that fill out spam comments. Legitimate commenters, since they don't see the field, won't put anything in it, and their comments can get through just fine. Spam bots, meanwhile, fill out every field and automatically flag themselves as bots.

This works for a huge amount of spam, but not all spam. Some spam is also caught because it matches spam definitions for the plugin, like obvious SQL injection text and that kind of thing. Very, very few spam comments can make it through this setup, and it usually takes the spammer manually acting first, before turning to their bot. Since most spammers don't want to do that, it doesn't really happen.

All of that said, anti-spam plugins can only do so much, and a clever spammer can get around it.

Cutting out spam preapprovals.

One of the biggest issues with spam right now is that spammers are using AI to generate legitimate-looking comments that don't trip spam flags and intentionally submit them while only filling out required form fields to avoid honeypots.

If the comment looks legitimate, why does it matter? One pesky little WordPress setting. If you go to the Discussion Settings menu, you can find the option labeled:

Before a comment appears: Comment author must have a previously approved comment.

This is automatically checked in WordPress by default. And it's dangerous. 

It makes sense in theory: if you hold your comments for moderation, and you know you have people who are good commenters, you can use this to approve one comment from them and auto-approve anything else they make in the future. That makes moderation easier. Less work for you, right?

The problem is that spammers are weaponizing this. They post something innocuous ("Great post!") which gets past your spam filter, then you approve their comment. Then they start commenting spam all over the place, and because you have this checked, their comments get silently approved. They get backlinks to their site, and you don't even get notified about them because you accidentally allowed this.

Oops.

Disabling this setting means you'll have to manually approve more legitimate comments. But you cut off an avenue of modern spam that is otherwise very hard to detect. It's a trade-off, but it's worth it. You don't want search engines to see you linking out to thousands of spam sites overnight, trust me.
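To check whether this has already happened on a site, here is an added example (not from the article) that lists approved comments carrying a link from commenters who already had an earlier approved comment. The cp_* function names are hypothetical, and keying commenters by e-mail address is an assumption.

```php
<?php
// Added example, not from the article. All cp_* names are hypothetical.

// True when "Comment author must have a previously approved comment" is on.
// The option is stored as 'comment_previously_approved' since WordPress 5.5
// ('comment_whitelist' in older versions).
function cp_preapproval_enabled() {
    return (bool) get_option( 'comment_previously_approved' );
}

// Returns the IDs of approved comments that contain a link or an author URL
// and were posted after the same e-mail address already had an approved
// comment, i.e. comments the setting may have approved without review.
function cp_audit_preapproved() {
    $seen    = array(); // e-mail => true once a first approved comment is found
    $suspect = array();
    // Loads every approved comment, oldest first; run it off-peak on big sites.
    $comments = get_comments( array(
        'status'  => 'approve',
        'type'    => 'comment',
        'orderby' => 'comment_date_gmt',
        'order'   => 'ASC',
    ) );
    foreach ( $comments as $c ) {
        $email = strtolower( trim( $c->comment_author_email ) );
        // Skip registered users and comments without an e-mail address.
        if ( '' === $email || $c->user_id ) {
            continue;
        }
        $has_link = '' !== trim( (string) $c->comment_author_url )
            || preg_match( '~<a\s[^>]*href|https?://~i', $c->comment_content );
        if ( isset( $seen[ $email ] ) && $has_link ) {
            $suspect[] = (int) $c->comment_ID;
        }
        $seen[ $email ] = true;
    }
    return $suspect;
}
```

The returned IDs are candidates for manual review, not confirmed spam; a regular commenter who shares a link will show up in the list too.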

Option 4: Custom Code

In this case, I mean my custom code.

I wrote up a function in PHP that you can add to your functions.php file that will automatically nuke all of your spam comments. I used to get hundreds of spam comments every week, but now I don't get any, and I don't have to do any manual moderation of those comments. I just get a nice feed of new, legitimate comments and can easily engage with them.

Here's the code. Let's go through it (though the comments in the code help you, too.)

First up is the settings block. This has four lines:

  • The first automatically deletes any comments where the website field is filled out. This is identical to the honeypot method I mentioned above.
  • The second looks for any comment that has a link in the text and purges it automatically.
  • The third is what happens to the comments flagged by the script. You can set this to delete them, send them to the trash where they could be recovered, or mark them as spam for later review.
  • The fourth is the option to add keywords to filter comments that don't have links or trip the honeypot. I find it useful to flag common spam keywords about online pharmacies or crypto.

Below that, you have all of the actual functional code. You don't need to edit anything in there, but it shows you what the script does. If you know your way around PHP, feel free to tweak it yourself.

A couple of things to mention about this script.

First of all, in niche circumstances, it might either let some things slip through or stop the occasional legitimate comment. This is because of how it checks for URLs.

  • If a spammer puts their URL in a text field so it's not a link (and doesn't fill out the website field), it won't be caught. You would have to add "http" to the filtered word list or something. In practice, I haven't found this to be an issue because the only thing spammers are after is the link, so if there's no link, they don't care.
  • If a legitimate commenter wants to add a link for a valid reason, it will still get caught. This is unfortunate and means that certain discussions can be hindered, and certain legitimate comments can be caught up. You can help get around this by adding a line to your comment field saying "comments with links will be automatically removed" to warn them, but it does mean someone wanting to suggest another page will get hit.

In practice, this hasn't hurt me or my site at all, and neither case has been prominent enough to warrant worrying about. Still, it's something you should be aware of. This is just a script, not a plugin, so it's not super robustly featured for edge cases.

Another thing to know is that this script operates as an hourly cron job, meaning it executes on your site once an hour. You can change that if you want (it's the top line in the script content after the settings block), but you don't have to. Yes, it technically consumes a small amount of server resources, which would be unnecessary on a site that doesn't get many comments, but it's such a small impact it's not worth worrying about.
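The checks and hourly schedule described above, written out as an added example for functions.php. It is not the author's script; the cp_* names, the sample keywords, the two-hour look-back window and the skip for logged-in users are assumptions.

```php
<?php
// Added example, not the author's script. All cp_* names are hypothetical.
// Settings block: the four options described in the article.
const CP_FLAG_WEBSITE_FIELD = true;   // 1. website (honeypot) field filled in
const CP_FLAG_LINKS         = true;   // 2. comment text contains a link
const CP_ACTION             = 'spam'; // 3. 'delete', 'trash' or 'spam'
const CP_KEYWORDS           = array( 'pharmacy', 'crypto' ); // 4. constructed samples

// Schedule the sweep once; WordPress then fires the hook every hour.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'cp_sweep_comments' ) ) {
        wp_schedule_event( time(), 'hourly', 'cp_sweep_comments' );
    }
} );
add_action( 'cp_sweep_comments', 'cp_sweep_comments' );

// True when a comment trips any enabled check.
function cp_is_flagged( $author_url, $content ) {
    $hit = CP_FLAG_WEBSITE_FIELD && '' !== trim( (string) $author_url );
    // Matches anchor tags only; a bare URL typed as text is not caught,
    // which is why the article suggests adding "http" to the keywords.
    $hit = $hit || ( CP_FLAG_LINKS && preg_match( '/<a\s[^>]*href/i', $content ) );
    foreach ( CP_KEYWORDS as $word ) {
        $hit = $hit || false !== stripos( $content, $word );
    }
    return (bool) $hit;
}

function cp_sweep_comments() {
    // Assumption: look back two hours so a late cron run misses nothing.
    $comments = get_comments( array(
        'status'     => 'all', // pending and approved
        'type'       => 'comment',
        'date_query' => array( array( 'after' => '2 hours ago' ) ),
    ) );
    foreach ( $comments as $c ) {
        // Assumption: skip logged-in users so the owner's replies survive.
        if ( $c->user_id || ! cp_is_flagged( $c->comment_author_url, $c->comment_content ) ) {
            continue;
        }
        if ( 'delete' === CP_ACTION ) {
            wp_delete_comment( $c->comment_ID, true ); // permanent, skips the trash
        } elseif ( 'trash' === CP_ACTION ) {
            wp_trash_comment( $c->comment_ID );
        } else {
            wp_spam_comment( $c->comment_ID );
        }
    }
}
```

Starting with CP_ACTION set to 'spam' or 'trash' keeps flagged comments recoverable while you confirm that the keyword list is not catching legitimate readers.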

How do you set it up?

To implement this script, you need to open the functions.php file on your web host and add the code to it.

One note here is that by default, your WordPress site's comment form has a website field for people to fill out. This field needs to be hidden, and you'll need a bit of CSS to hide it. It's easy to do; just find the website input field and add "display:none" to it. To find it, right-click the "Website" field and click "Inspect". Where that element is depends on your theme, though.

For example, in this screenshot the input ID is "website":

In CSS, an ID selector is written with a hash sign (#) in front of the ID, so the code would look like this:

#website {display:none;}

You'd simply add this to your style.css file in your theme and you're all set! Again, this is just an example, so make sure you look at the website field in your actual comments form. It may be different than the one pictured above.

To make this more resilient, I recommend using something like Code Snippets.

This allows you to put my code in a snippet box, which will be resilient in case your theme updates and replaces your functions.php file or you change themes. It's especially handy if you have more than one or two little tweaks and want to make sure you know where everything is and what it does.

What do you think? Will this solve your spam issues? It did for me and for a lot of my clients, so let me know how it goes for you!
