Spammers want to post garbage on your website. They have busy little programs cruising around looking for fields to fill in and buttons to click. They will make comments on your posts, if you allow comments, and spam your contact form. If you post your email address on a page, they’ll copy it to a spam email list.
The more spam you filter out automatically, the better, providing you don’t filter legitimate comments or make it difficult for people to participate in discussions. Earlier I showed how to activate spam control on your contact form, and my setup program also (optionally) installed a plugin to block spam in comments. If you find you’re still having problems, you may want to do more.
To Comment or Not?
The easiest way to prevent spam in your comments section is to disallow comments. This also prevents idiocy and hatred in your comments section.
You can disallow comments on a specific post from the post editing screen.
To disallow comments generally, go to Settings > Discussion in your dashboard, uncheck “Allow people to post comments on new articles,” and save changes. You can still engage with people on social media, and they can respond to your post there, if you share it. Note: this doesn’t affect older articles, which might still receive comments.
If you prefer to allow comments, this screen also contains fields where you can set a time limit on discussions (which does apply to older posts), and enter word lists to either block all comments containing those words, or hold them for moderation. This is especially useful for blocking trolls and haters, who tend to use words unlikely to appear in desirable comments.
There are also plugins available to redisplay Facebook comments people make about your post on your own site. Disqus is another popular alternate commenting system, a free, advertising-supported service.
My preference is to allow on-site comments and not have other companies owning that content, or data mining it for advertisers, or posting ads on my site I might not agree with. So I use the built-in comments function in WordPress. But you have these alternatives to take the spam control issue off your hands, if it becomes too big a problem.
If you do disallow the built-in comments function, also deactivate the Antispam Bee plugin, as it’s no longer needed.
Set Your Discussion Settings
As mentioned above, you have some options to control the built-in commenting system. These are in the Settings > Discussion page of the dashboard. My setup program has set these for reasonable defaults that allow comments. Visit this page to review the settings.
To disable commenting altogether, uncheck the option “Allow people to post comments on new articles” near the top.
Otherwise, there are two fields to flag certain words as suspicious (hold for moderation) or banned.
By default, comment authors have to enter their email address. They can opt to store this information in a cookie to avoid retyping for later comments. You may consider this too nosy, but it does limit spam to a great extent when combined with the option “Comment author must have a previously approved comment.”
Comments held for moderation are visible in the dashboard, and you’re notified there are comments awaiting moderation by a number in a circle on the dashboard (and also by email if you choose).
The default view of comments (“All”) shows all comments that are either already visible or held for moderation (“Pending”). The ones on hold are marked with a red bar. If there are a lot of comments awaiting moderation, click the Pending tab to view only those on hold.
Adjust the Spam Blocker Plugin
The most popular tool to block comment spam is the Akismet plugin. However, Akismet causes site slowdown and has known issues with invisibly blocking legitimate comments (the poster doesn’t know they’ve been blocked, and the comment is just gone so you have no way to tell either). Akismet used to have a free option for “personal use” but I can no longer find it. And they seem to have a habit of invalidating one’s setup without notice and letting the spam flow on through.
So I don’t like Akismet. Instead, I gave you Antispam Bee, which is both smarter and a breeze to set up. It’s also completely free, GDPR compliant, and you don’t have to create yet another account.
If you haven’t already, activate Antispam Bee from the Plugins screen of the dashboard. Then visit Settings > Antispam Bee in your dashboard and review the settings. Nearly all are just checkboxes, and self-explanatory (look for a link to the online manual if needed). Set the options as seems best to you.
The default setting is to hold fishy messages in a spam folder for you to look at. Find the spam folder in the Comments screen of the dashboard. You can set them to be automatically deleted if you take no action after a certain number of days. I suggest you try it with the default settings for a while until you’re confident it’s filtering messages correctly. Then reduce the length of time spam is held, and forget about it unless you have reason to think there are legitimate messages being blocked. In that case, brace yourself and go browse the spam folder.
Antispam Bee and your moderation “stop word” lists work in tandem. Antispam Bee scans the messages first and moves some to the Spam folder. The remaining messages are filtered by the moderation rules you create in the Settings > Discussion screen.
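A simplified model of the word-list stage described here and under Set Your Discussion Settings, as an added example rather than WordPress's or this site's own code: it mimics the case-insensitive, match-inside-words behavior of the two lists in Settings > Discussion, which is why a short entry like "press" holds a legitimate comment that mentions WordPress. The field names, sample lists and sample comments are constructed for illustration, and other checks (link count, previously approved authors, Antispam Bee itself) are not modeled.

```python
import re

# Comment fields compared against each list entry (simplified, assumed names).
FIELDS = ("author", "email", "url", "content", "ip", "user_agent")

def _hits(word_list, comment):
    """Return the list entries found anywhere in any field, ignoring case."""
    hits = []
    for line in word_list.splitlines():
        word = line.strip()
        if not word:
            continue  # blank lines in the settings box are ignored
        # Entries are literal text, not regexes, and match inside longer words.
        pattern = re.compile(re.escape(word), re.IGNORECASE)
        if any(pattern.search(comment.get(f, "")) for f in FIELDS):
            hits.append(word)
    return hits

def classify(comment, moderation_keys, disallowed_keys):
    """Return (status, matched entries); status is 'trash', 'hold' or 'pass'."""
    hits = _hits(disallowed_keys, comment)   # the "block" list wins
    if hits:
        return "trash", hits
    hits = _hits(moderation_keys, comment)   # the "hold for moderation" list
    if hits:
        return "hold", hits
    return "pass", []                        # not caught by either list

# Constructed sample lists, one entry per line as in the settings fields.
MODERATION = "casino\npress\n"
DISALLOWED = "cheap-pills.example\n"

# Constructed sample comments (not taken from a real site).
SAMPLES = [
    {"author": "Ana", "content": "I moved my blog to WordPress last year."},
    {"author": "Bob", "url": "http://cheap-pills.example/buy", "content": "Nice post"},
    {"author": "Cy", "content": "Thanks, this fixed my contact form."},
]

if __name__ == "__main__":
    for c in SAMPLES:
        print(c["author"], classify(c, MODERATION, DISALLOWED))
```

Running candidate entries against a handful of real, approved comments this way shows which ones are too short or too common before they start holding legitimate discussion.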
In addition to Antispam Bee, my setup program installs the plugin Hide Comment Author Link by Ataul Ghani. This plugin is based on the idea that the main reason spammers post comments is so they can insert their scammy URL into the “Website” field of the comment form. To remove the temptation, this plugin gets rid of that field. Of course, visitors entering comments manually will also be unable to enter their website URL, but you might see this as a benefit also. Anyway, if you like the idea, activate the plugin, and if not, delete it.
Comment Spam Control with reCAPTCHA and Alternatives
ReCAPTCHA is a free tool provided by Google. It’s popular, but I don’t like it because it’s supported by data mining your website visitors, and because it displays a Google icon on every page, even if there’s no comment form there. A newer alternative, hCAPTCHA, is paid for by the image recognition work your visitors are doing, which is better for privacy.
There are many plugins to hook WordPress up to these tools. This is the next step, if you find the measures in the previous sections aren’t stopping enough spam.
This is a last-resort option, because while adding a tough humanity test to a form will weed out non-humans, it may also discourage humans from bothering to comment. Still, reCAPTCHA can be invisible to users Google already recognizes, so you might decide it’s worth it.
It’s on my to-do list to review plugins to add CAPTCHAs. There are several, no preference at the moment.
To use reCAPTCHA, you must register your site with Google. Go to google.com/recaptcha and follow the steps to log in and sign up for reCAPTCHA access. This will give you a “site key” and a “secret key” to fill in when setting up plugins.
The process is similar for hCAPTCHA, once you install a plugin that supports it.