How to Stop WordPress Spam

Andrea Ferguson

President at AndiSites Inc.
Andi is founder and President of AndiSites Inc. She writes about website design and development, best practices, and random stuff her busy brain thinks would be useful.

Comment spam and registration spam are incredibly frustrating. They stuff your inbox with notification emails, and the bogus comments can damage your online reputation. Thankfully, spam can be thwarted in just two steps:

  1. Properly configure your WordPress Discussion settings.
  2. Install and activate a good anti-spam plugin (we recommend Akismet).


Step One: Properly Configure Your WordPress Discussion Settings

First, go to the Settings section in your WordPress dashboard, then click “Discussion”.

If you don’t get many comments, check the box to manually approve every comment. This is a surefire way of making sure that all published comments are legit; however, if your discussions are active, it can be time-consuming and hold up the conversation. In that case, change the setting so that the first comment of a person must be manually approved; after the first approval, their subsequent comments will be published automatically.

You can also place any comments with links directly into the moderation queue, since these are often spammy. Comments can also be marked as spam automatically if they contain any banned words you specify in your blacklist (start with the words you often see in spam, like those related to little blue pills and knock-off watches and luggage).
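To show how these settings combine, here is an added example written for this post (a constructed Python model, not WordPress's own code): the option names mirror the Discussion screen, and the matching logic is a simplified imitation of it. It runs a few constructed comments through the same decisions in order: banned words, manual approval, link count, moderation words, then the first-comment rule.

```python
import re

# Constructed model of the Discussion-screen settings this section describes.
# Option names mirror WordPress's; the logic is a simplified imitation, not WordPress's code.
SETTINGS = {
    "comment_moderation": False,          # "Comment must be manually approved"
    "comment_previously_approved": True,  # hold only an author's first comment
    "comment_max_links": 1,               # hold if the comment has this many links or more
    "moderation_keys": ["free trial"],    # matches go to the moderation queue
    "disallowed_keys": ["viagra", "replica watch"],  # matches are marked as spam
}
APPROVED_AUTHORS = {"alice@example.com"}  # constructed: authors with an earlier approved comment
LINK_RE = re.compile(r"(?:https?:)?//", re.IGNORECASE)  # counts "//" like WordPress's link check


def _matches(keys, fields):
    """One key per line, matched as a case-insensitive substring of any field.
    Pitfall: a key such as "press" also hits "WordPress"."""
    return any(re.search(re.escape(k), f, re.IGNORECASE) for k in keys for f in fields)


def moderate(comment, settings=SETTINGS, approved_authors=APPROVED_AUTHORS):
    """Return "spam", "hold" or "approve" for a dict with author, email, url, content."""
    fields = [comment["author"], comment["email"], comment["url"], comment["content"]]
    if _matches(settings["disallowed_keys"], fields):
        return "spam"
    if settings["comment_moderation"]:
        return "hold"  # every comment waits for manual approval
    max_links = settings["comment_max_links"]
    if max_links and len(LINK_RE.findall(comment["content"])) >= max_links:
        return "hold"  # links are a common spam signal
    if _matches(settings["moderation_keys"], fields):
        return "hold"
    if settings["comment_previously_approved"] and comment["email"].lower() not in approved_authors:
        return "hold"  # first comment from this author
    return "approve"


def new_comment(author, email, content, url=""):
    """Build a constructed sample comment."""
    return {"author": author, "email": email, "url": url, "content": content}


if __name__ == "__main__":
    for c in [new_comment("Alice", "alice@example.com", "Great post, thanks!"),
              new_comment("Bob", "bob@example.net", "Nice article, first time here."),
              new_comment("Alice", "alice@example.com", "See http://example.com/offer"),
              new_comment("Deals", "x@example.org", "Cheap REPLICA WATCHES for sale")]:
        print(c["author"], "->", moderate(c))
```

Because the keyword lists match substrings, keep blacklist entries specific: a short word like "press" would also catch a legitimate comment mentioning WordPress.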

We generally recommend that you disable public registration, since spammers can create thousands of unwanted accounts pretty easily, especially if you’re not using CAPTCHA (although even that can be gotten around). If you’re running a membership site, use a plugin like s2member to handle registration. You can continue to create accounts manually for contributors, authors, and editors.


Step Two: Install/Activate Akismet’s Anti-Spam Plugin

Akismet is so highly recommended that it’s automatically included with every copy of WordPress. Simply get a key from the Akismet website (free or cheap), enter the key into your plugin settings, and Akismet will start protecting your website from spam comments immediately.

Akismet checks every comment submitted to your website against their spam database. If a comment looks like spam, it’s placed in the Spam folder in your Posts or Pages section. In the case of a false positive, you can go into the Spam folder and mark a comment as Not Spam. You can also mark comments it missed as Spam in order to teach it what to look for in the future.

The Akismet settings page will give you stats on how much spam has been caught. For most websites, the accuracy rating is over 99%, which is the main reason it’s so popular.

Additional Thoughts

Spammers are sneaky and sometimes very smart, so dealing with them can be a matter of trial and error. In addition to the measures discussed above to stop comment spam, do the following:

  • Include CAPTCHA on all forms on your site to prove the submitter is human.
  • Don’t include actual email addresses on your site; instead, use the word “Email” and have it link to the actual email address using a “mailto:email@domain.com” link format.
  • Regularly clean all spam comments from your database so that they don’t bog down your site performance and leave holes for other bad guys to come in through.