Codex


Combating Comment Spam

Comment spam is a fact of life if you have a blog. WordPress not only gives you solid built-in tools to prevent comment spam; there is also a wide range of comment spam protection plugins and methods to choose from if you feel you need additional coverage.

There is no "one size fits all" method that will protect your comments; spammers use many tactics. Consider using multiple defenses. Remember that spammers change the way they attack, so you must keep your choices updated.

Disclaimer: The plugins and codes listed are not endorsed by anyone other than the plugin author. No responsibility is taken by WordPress for anything untoward that may occur.

Criteria for listing: For any code to be listed here, it must have already been posted to the WordPress Support Forum OR to the Hackers mailing list, and then received an independent follow-up message of "works as expected for me without error."

ANY code or links added to this page that have not satisfied the above criteria will be deleted.

Akismet Comment Spam Fighter


Current versions of WordPress come with Akismet installed by default. Akismet uses a unique algorithm combined with a community-created database to "learn" which comments are comment spam and which are legitimate.

To enable Akismet on your WordPress blog, go to the Plugins panel and activate the Plugin. You will be prompted to get an API key from Akismet.com after you sign up for a payment plan. After Akismet is activated, you'll see a menu added to the Comments Panel that holds a list of "caught" comment spam.

If comment spam gets through Akismet's net, mark it as comment spam in your Comments Panel. Do not delete it. By marking it "comment spam", the information is sent to Akismet and added to the community-created database.

Frequently check through the caught comment spam in the Akismet Panel to look for legitimate comments (false positives) that have been caught by Akismet. Mark them as Not Spam to remove these comments from the list.

My Comments Get Caught By Akismet

Akismet learns from users who mark comment spam as spam and who mark legitimate comments as not spam. If your comments are being caught by Akismet, remove them from the Akismet Panel. It might take two or three times, but it will learn and stop designating your comments as spam.

Commenters on your blog may have their comments caught by Akismet. If you do not regularly check your Akismet Panel, have an easy way of allowing readers to email you if their comment did not appear.

With updates to the database and major changes to the software, this process may have to be repeated.

If you continue to have problems with Akismet catching your comments or too many of your readers' comments, contact Akismet for more assistance.

Combating Comment Spam FAQ

Default Comment Spam Tools

The following are the default comment spam tools that come with every installation of WordPress, in addition to the Akismet WordPress Plugin.

Number of Links in Posts

Comment spammers often include dozens of links in a single comment. To help stop them, you can change the setting for the number of links permitted in a comment.

  • Go to the Settings > Discussion panel.
  • Scroll down to Comment Moderation.
  • The number of links allowed in a comment is set to 2 by default. You could lower it to one.

NOTE: Do not set this to zero or leave the field blank. It will send every comment to moderation -- not the desired effect.

Comment Blacklist

Included on your Settings > Discussion panel is a section called the Comment Blacklist. This is a list of words completely blacklisted from your blog.

Be very careful what you add here. If a comment matches something here it will be completely nuked and there will be no notification. These "nuked" comments will not appear on your blog, but they will remain in your database marked as [spam]. Comments that are marked as [spam] are held in your database to educate "intelligent" anti-spam plugins, such as Akismet.

Choose your blacklist words wisely!

Remember that partial words can match, so if there is any chance an entry here might match a legitimate comment, it would be better to put it in the moderation box. Blacklisting a word such as tramadol will automatically delete any comments containing tramadol, tramadols, bigtramadol, etc. But blacklisting a word such as ass will automatically delete comments containing ass, asses, assistance, passionate, assumption, etc.

An unofficial curated blacklist is available on GitHub.
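
Because partial words match, it is worth testing candidate entries against comments you have already approved before adding them to the Comment Blacklist. The following is an added example, not WordPress code and not part of the original page: it models the matching described above as a case-insensitive substring test, and its function names and sample comments are constructed for illustration.

```php
<?php
// Added example, not WordPress code. It models the matching the page describes:
// a blacklist entry matches anywhere inside a comment, ignoring case.

/** Return the whole words in $text that contain $entry as a substring. */
function blacklist_hits(string $entry, string $text): array {
    $entry = trim($entry);
    if ($entry === '') {
        return []; // an empty entry would otherwise match every comment
    }
    // preg_quote() keeps characters such as "." or "*" literal.
    $pattern = '#\w*' . preg_quote($entry, '#') . '\w*#i';
    if (!preg_match_all($pattern, $text, $m)) {
        return []; // no match (0) or a regex error (false)
    }
    return array_values(array_unique(array_map('strtolower', $m[0])));
}

/** Map each entry to the approved comments it would have silently discarded. */
function audit_blacklist(array $entries, array $approved): array {
    $report = [];
    foreach ($entries as $entry) {
        foreach ($approved as $id => $text) {
            $hits = blacklist_hits($entry, $text);
            if ($hits) {
                $report[trim($entry)][$id] = $hits;
            }
        }
    }
    return $report;
}

// Constructed sample data: candidate entries and previously approved comments.
$entries  = ['tramadol', 'ass'];
$approved = [
    101 => 'Thanks for the assistance, this fixed my theme.',
    102 => 'A passionate write-up. My assumption was wrong.',
    103 => 'Great post, subscribed!',
];

foreach (audit_blacklist($entries, $approved) as $entry => $comments) {
    foreach ($comments as $id => $hits) {
        printf("entry %-6s would discard comment %d via: %s\n",
            "'$entry'", $id, implode(', ', $hits));
    }
}
```

An entry that appears in the output belongs in the moderation box rather than the blacklist, since blacklist matches are discarded without notification.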

Moderate All Comments

Depending on the number of comments you receive and how much control you want over them, you may want to moderate all comments on your site.

In the Settings > Discussion panel, check the box next to An administrator must approve the comment (regardless of any matches below).

Pre-approve Comments from Old Commenters

You can also set your Settings > Discussion panel options so that commenters with a previously approved comment skip moderation. Check Comment author must have a previously approved comment.

Restrict Comments to Registered Users

If you want only registered users to comment, you can restrict commenting to registered, logged-in users.

  • Go to the Settings > Discussion panel
  • Under Other comment settings, select Users must be registered and logged in to comment.

Inform Users When Comments are Moderated

When people submit comments, they expect them to appear on your blog immediately. Implementing comment moderation and not telling people will almost certainly result in some people repeatedly submitting the same comment as they think it has disappeared. To prevent this from happening, and to avoid disgruntled and confused readers, inform people that their comment is under review by doing the following:

If you use popup comments, edit comments-popup.php and if you do not, edit comments.php.

Look for the following code:

<p>
<input name="submit" type="submit" tabindex="5" value="<?php _e("Say it!"); ?>" />
</p>

Change that to the following, adding your own customization:

<blockquote>
Comment moderation is in use. Please do not submit your comment twice -- it will appear shortly.
</blockquote>
<p>
<input name="submit" type="submit" tabindex="5" value="<?php _e("Say it!"); ?>" />
</p>

Spam Plugins

There are many plugins to choose from to add to WordPress' built-in comment spam protection. They can be found in the Official WordPress Plugin Directory.

Comment Spam Hacks

The following are not recommended for average users.

Denying access with .htaccess
While drastic, you can make modifications in your .htaccess file if you are using an Apache server. Check the Internet and Apache for more information.

Use nofollow
The nofollow attribute is another method used to strip spammers of their page ranks. According to Google, "when Google sees the attribute (rel="nofollow") on hyperlinks, those links won't get any credit when we rank websites in our search results." Under WordPress v1.5, the nofollow attribute is automatically added to all links in the comments section.
