Comment spam is a fact of life if you have a blog. Using WordPress, you have not only solid built-in tools to prevent comment spam, there are also a wide range of comment spam protection and defense plugins and methods to choose from if you feel you need additional coverage and protection.
There is no "one size fits all" method that will protect your comments; spammers use many tactics. Consider using multiple defenses. Remember spammers change the way they attack so you must keep your choices updated.
Current versions of WordPress come with Akismet installed by default. Akismet uses a unique algorithm combined with a community-created database to "learn" which comments are comment spam and which are legitimate.
To enable Akismet on your WordPress blog, go to the Plugins panel and activate the Plugin. You will be prompted to get an API key from Akismet.com after you sign up for a payment plan. After Akismet is activated, you'll see a menu added to the Comments Panel that holds a list of "caught" comment spam.
If comment spam gets through Akismet's net, mark it as comment spam in your Comments Panel. Do not delete it. By marking it "comment spam", the information is sent to Akismet and added to the community-created database.
Frequently check through the caught comment spam in the Akismet Panel to look for legitimate comments (false positives) that have been caught by Akismet. Mark them as Not Spam to remove these comments from the list.
Akismet learns by those who mark comment spam as comment spam and legitimate spam is despammed. If your comments are being caught by Akismet, remove them from the Akismet Panel. It might take two or three times, but it will learn and automatically not designate your comments as spam.
Commenters on your blog may have their comments caught by Akismet. If you do not regularly check your Akismet Panel, have an easy way of allowing readers to email you if their comment did not appear.
With updates to the database and major changes to the software, this process may have to be repeated.
If you continue to have problems with Akismet catching your comments or too many of your readers' comments, contact Akismet for more assistance.
The following are the default comment spam tools that come with every installation of WordPress, in addition to the Akismet WordPress Plugin.
To change the number of links in comment posts, which may help stop comment spammers who include dozens of links in their comment posts, you can change the setting for the number of links permitted in a comment.
NOTE: Do not set this to zero or leave the field blank. It will send every comment to moderation -- not the desired effect.
Be very careful what you add here. If a comment matches something here it will be completely nuked and there will be no notification. These "nuked" comments will not appear on your blog, but they will remain in your database marked as [spam]. Comments that are marked as [spam] are held in your database to educate "intelligent" anti-spam plugins, such as Akismet.
Choose your blacklist words wisely!
Remember that partial words can match, so if there is any chance something here might match it would be better to put it in the moderation box. Blacklisting a word such as tramadol will automatically delete any comments containing tramadol, tramadols, bigtramadol, etc. But, blacklisting a word such as ass will automatically delete comments containing ass, asses, assistance, passionate, assumption, etc.
An unofficial curated blacklist is available on GitHub.
Depending upon the amount of comments and control you want over comments on your WordPress site, you may want to moderate all comments on your site.
If you allow only registered users to comment, you can restrict comments to only registered users.
When people submit comments, they expect them to appear on your blog immediately. Implementing comment moderation and not telling people will almost certainly result in some people repeatedly submitting the same comment as they think it has disappeared. To prevent this from happening, and to avoid disgruntled and confused readers, inform people that their comment is under review by doing the following:
If you use popup comments, edit comments-popup.php and if you do not, edit comments.php.
Look for the following code:
<p> <input name="submit" type="submit" tabindex="5" value="<?php _e("Say it!"); ?>" /> </p>
Change that to the following, adding your own customization:
<p> <blockquote> Comment moderation is in use. Please do not submit your comment twice -- it will appear shortly. </blockquote> <input name="submit" type="submit" tabindex="5" value="<?php _e("Say it!"); ?>" /> </p>
There are many plugin options to choose from to add to WordPress' built-in comment spam protection and found in the Official WordPress Plugin Directory.
The following are not recommended for average users.