
The Anatomy of Comment Spam: Understanding the Tactics and Techniques

As much as we adore WordPress, the constant stream of spam comments is a major drawback of the software. WordPress comment spam is an issue that will need to be addressed at some time, regardless of the sort of business site you run. Comment spam is a reality of online life, sadly. You will have to deal with spammers if you permit comments on your website. Finding a solution to comment spam is crucial if you don’t want your site to give off a bad first impression.

What is comment spam (and why it’s such a problem):


It’s common practice to spot spam comments by their general nature. You may expect to receive comment spam if you make your site open to user feedback. It’s possible that spam will become more of a problem as your site’s popularity increases. The vast majority of the comment spam online today is generated automatically by spam bots using brief, generic words as a cover to insert links.

Comment spam, in whatever form it takes, is problematic because:

  • It makes it more difficult for genuine visitors to participate in discussions when comment areas are flooded with spam messages.
  • Your site will seem unprofessional if spammers leave comments on your articles.
  • Many of these comments have malicious URLs that steal users’ personal information.

Doing all in your power to prevent comment spam from showing up on your WordPress site is obviously crucial. Thankfully, this isn’t hard to accomplish if you know what you’re doing.

How to stop comment spam on your WordPress website

1. Completely Turn Off Commenting


The simplest solution is to prevent WordPress from accepting new comments at all. Disabling comments might prevent you from receiving spam if your company doesn’t utilize or want them. To disable comments on new articles, go to Settings > Discussion and uncheck the box labeled “Allow people to post comments on new articles.”

To turn off comments altogether, uncheck the boxes in the Default post settings section of the Discussion settings screen.

All future comments on this post will be disabled. Pingbacks can be disabled if desired. It’s important to remember that disabling comments won’t affect content you’ve already published. You’ll have to disable them one at a time for each individual post if you want to stop receiving them. In a moment, we’ll explain the process in detail.

Move down to the bottom of the page and click “Save” to store your modifications. The ability to leave comments has been turned off.

2. Turn off Anonymous Comments

You may also choose to disable comments from strangers. By default, WordPress comments require a user to provide their comment, name, email address, and website. If anonymous comments are allowed, those details are no longer required, and spambots, which are programmed to automatically fill out online forms, have easy access to your site.

In WordPress, you may prevent anonymous comments by activating the feature found in Settings > Discussion called Comment author must fill out name and email.


This will make it more difficult, but not impossible, for automated comment-posting software (the primary source of comment spam) to post comments on your site. It might also prevent users from trolling your site or writing nasty comments.

3. Allow for Comment Moderation

WordPress comes equipped with built-in tools for moderation, which act as a protective barrier against spam comments.

The initial tool involves the ability to individually assess and authorize each comment. Although this won’t counteract spam, it ensures that only high-quality comments approved by you will be visible to visitors on your site.

The second tool is a set of rules that decide which comments need approval. If a comment contains an excessive number of links, for instance, it might be subject to moderation until those links are removed. You also have the option to compile a list of words, names, URLs, IPs, etc.; comments that match it will be placed on hold for moderation.

To set up these features, please refer to the “Before a comment appears” and “Email me anytime” sections.

Here’s how to implement comment moderation:

  • Check the box labeled “Comment must be manually approved” to activate comment moderation.
  • If you select “Comment author must have a prior approved comment,” posts from new commenters will require your approval before being published.
  • To receive email notifications whenever a comment awaits moderation (enabling you to promptly approve or delete it), ensure that the “Email me whenever…” box is selected. This option empowers you to choose whether a comment should undergo moderation.

4. Require registration for making comments

To impose stricter controls on commenting privileges, you have the option to configure your website so that only individuals who are logged in can post comments. This setup could be particularly useful for a membership-based community website aiming to facilitate discussions exclusively among its members, while maintaining a barrier against external parties.


To implement this, navigate to the “Other comment settings” section within the Settings tab. Here, you can enable the restriction by checking the box labeled “Allow comments only from registered users.”

Additionally, it’s advisable to consider the various user registration choices available, such as whether to permit open registration for anyone or to subject registration requests to a moderation process. You can manage these registration settings by accessing the “General” section under the Settings menu.

5. Create a List of Blacklisted Words


If you want to allow comments but restrict them on specific subjects, you have the option to create a list of prohibited terms. This list may encompass common keywords used by spammers and any content you’d prefer not to appear on your site, including offensive language. Be cautious not to go too far, especially if you choose not to mention or link to your competitors’ products or websites.

In the “Comment Blacklist” section, you can input the words or phrases you want to prevent others from seeing, one per line. It’s worth noting that these entries can encompass various forms of content such as words, email addresses, web addresses, IP addresses, and more.

To streamline this process, you can utilize a preexisting list of terms favored by spammers. Beforehand, it’s advisable to check if the terms you wish to retain are already on the list. For instance, if you own an accessories business, you wouldn’t want to restrict the word “handbag.”

If you prefer, you can include this list in the “Comment Moderation” box, which allows you to oversee comments containing these terms instead of outright blocking them. This approach prevents automated spam filters from automatically discarding comments that contain the specified keywords. Alternatively, you have the flexibility to use both fields by distributing the words between them.

6. Limit or Eliminate the Use of Links in Discussions

In the realm of spam comments, it’s quite common to encounter links embedded within the content. These links are typically included by spammers with the intention of either promoting their own websites, services, or products, or directing unsuspecting users to potentially harmful sites. To counter this, WordPress provides options for managing comments that contain links, allowing you to maintain control over the quality and safety of content on your site.

One approach you can take is to decide whether you want to completely prevent comments with links or if you’re open to allowing a certain number of links within a comment. This decision largely depends on your site’s policies and the level of engagement you want to encourage.

Inside the “Comment Moderation” settings of WordPress, you’re given the authority to set a threshold for comment moderation based on the number of links included in each comment. Let’s break this down:

  1. Link Threshold: WordPress offers you the flexibility to determine the threshold that triggers comment moderation. For instance, you might select a threshold of 2 if you’re comfortable with allowing comments that contain just one link. On the other hand, if you’re concerned about spam, you can set the threshold to 1, which means that any comment with a single link will be flagged for moderation.
  2. Variations: If you find that the default thresholds don’t align with your moderation strategy, you can adjust the threshold according to your preferences. If a comment reaches the specified link limit, it will automatically be held for moderation. This control mechanism is particularly useful in preventing comments loaded with multiple links, which could potentially indicate spam.
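
As an added illustration (not WordPress core code and not from the original article), this stand-alone PHP script models how the link threshold and the two keyword lists from sections 5 and 6 interact. It assumes list entries match as case-insensitive substrings and that a comment is held once its link count reaches the threshold; the function names, setting names and sample comments are constructed for the example.

```php
<?php
// Added illustration: a simplified model of the checks described above.
// It is not WordPress core code; field and setting names are assumptions.

/** Count links: <a href> anchors plus bare URLs outside anchors. */
function count_links(string $text): int
{
    $anchors = (int) preg_match_all('/<a\s[^>]*href/i', $text);
    $rest    = preg_replace('#<a\s[^>]*>.*?</a>#is', '', $text);
    return $anchors + (int) preg_match_all('#https?://#i', $rest);
}

/** First list entry found inside any field (case-insensitive substring), or null. */
function first_key_hit(string $keys, array $fields): ?string
{
    foreach (explode("\n", $keys) as $key) {
        $key = trim($key);
        if ($key === '') {
            continue; // a blank line must not match every comment
        }
        foreach ($fields as $value) {
            if (stripos($value, $key) !== false) {
                return $key;
            }
        }
    }
    return null;
}

/** Decide what happens to one comment: block, hold or publish. */
function classify_comment(array $c, array $s): array
{
    $fields = [$c['author'], $c['email'], $c['url'], $c['content'], $c['ip']];

    // The page's "Comment Blacklist" field: a match blocks the comment outright.
    $hit = first_key_hit($s['blocklist'], $fields);
    if ($hit !== null) {
        return ['block', "blocklist entry \"$hit\""];
    }
    // Link threshold: hold once the count reaches the configured number.
    $links = count_links($c['content']);
    if ($s['max_links'] > 0 && $links >= $s['max_links']) {
        return ['hold', "$links link(s), threshold {$s['max_links']}"];
    }
    // The page's "Comment Moderation" box: a match holds the comment for review.
    $hit = first_key_hit($s['moderation_list'], $fields);
    if ($hit !== null) {
        return ['hold', "moderation entry \"$hit\""];
    }
    return ['publish', 'no rule matched'];
}

// Constructed sample settings and comments (not real traffic).
$settings = [
    'max_links'       => 2,
    'moderation_list' => "casino\nbag",
    'blocklist'       => "cheap-pills.example\n203.0.113.7",
];
$base = ['author' => 'Ana', 'email' => 'ana@mail.example', 'url' => '', 'ip' => '198.51.100.4'];
$comments = [
    'plain'     => ['content' => 'Great post, thanks!'] + $base,
    'one link'  => ['content' => 'Docs: https://docs.example/setup'] + $base,
    'two links' => ['content' => 'See <a href="http://a.example">a</a> and http://b.example'] + $base,
    'handbag'   => ['content' => 'Loved the leather handbag review.'] + $base,
    'bad url'   => ['content' => 'Hello', 'url' => 'http://cheap-pills.example'] + $base,
];

// Run every comment against a threshold of 2, then of 1, to compare outcomes.
foreach ([2, 1] as $threshold) {
    $settings['max_links'] = $threshold;
    echo "Link threshold $threshold\n";
    foreach ($comments as $label => $comment) {
        [$action, $why] = classify_comment($comment, $settings);
        printf("  %-10s %-8s %s\n", $label, $action, $why);
    }
}
```

The "handbag" comment is held because of the short entry "bag", which is why a borrowed keyword list should be reviewed before it goes into either field.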

7. Turn Off Commenting on Single Posts

When you’re looking to disable comments on a published post in WordPress or wish to prevent comments on specific articles, the post editing screen is where you’ll make the necessary adjustments. This feature can be especially valuable when dealing with sensitive topics or managing a post that has attracted an influx of spam comments.

To modify a post, follow these steps:

  1. Go to “Posts” and find the post you want to update.
  2. Click “Edit” under the post’s name to open the post editing screen.

Within the right-hand Document panel, locate the “Discussion” tab and click to open it. By unchecking the “Allow comments” box, you effectively prevent comments from appearing on this particular post.

After you’ve edited the post and click “Update,” the post’s comments will be deactivated and will no longer be visible. Additionally, you have the option to disable the ability for users to submit website addresses within the comments section.

To achieve this, you can utilize a plugin by following these steps:

  1. Download the plugin.
  2. Activate the plugin through your site’s administration on the “Plugins” page.

It’s important to note that the compatibility of this plugin with your theme’s comments functionality may vary. While it should work with WordPress themes that use the default comments form, it might not function properly with themes that have customized comments programming. If you’re unsure, you can resort to using a third-party plugin to achieve the desired comments management.

Lastly, a word of caution: If you’re not working with a custom theme, it’s recommended to avoid modifying theme files directly. Modifying theme files could result in the loss of your customizations when the theme is updated. To learn more about safe customization practices, you can refer to our comprehensive tutorial on developing child themes.


8. Using a Plugin to Disable WordPress Spam Comments

Utilizing a plugin can prove to be an efficient strategy for managing spam in your WordPress comments. This approach enables you to maintain comment functionality without the concern of dealing with or displaying spammy comments. Below are a few anti-comment-spam plugins available for WordPress:

  1. Akismet

Akismet is an automatic plugin developed by the Automattic team that comes pre-installed with WordPress. It provides real-time protection by leveraging data from a vast network of sites and communities. It’s highly regarded in the WordPress plugin landscape and comes free for individual bloggers, with business options starting at just $5 per month. With over 5 million downloads and a perfect 5-star rating, Akismet is a dependable choice. If it’s not already on your site, you can easily obtain it from the WordPress repository or your WordPress dashboard under Plugins > Add New. Akismet’s longevity has allowed it to refine its spam detection, ensuring that legitimate comments shine through.

  2. Disable Comments

The Disable Comments plugin, available for free, presents a valuable capability: the ability to universally deactivate comments for specific post types within your WordPress site. This feature becomes especially advantageous when you seek to disable comments site-wide without having to undertake manual adjustments for each individual post.

This plugin essentially grants you control over the commenting functionality in a streamlined and efficient manner. By applying it to specific post types, you can swiftly and comprehensively restrict the comment section’s availability, whether it’s for pages, posts, or other content types. This is particularly beneficial for scenarios where you wish to steer discussions away from certain content, or during periods when you want to temporarily suspend comments across your entire site.

  3. Antispam Bee

Antispam Bee is a potent plugin that has been intricately designed to combat the persistent nuisance of spam comments and trackbacks on your WordPress site. Notably, its scope extends beyond mere comment filtering, encompassing a comprehensive approach to safeguarding your site from spam-related threats.

In addition to its robust defense against spam comments, Antispam Bee also effectively thwarts fake sign-ups and shields against deceptive contact form submissions. As an open-source solution, this plugin is available for free, empowering site administrators with a powerful and accessible tool to maintain the integrity of their online communities.

  4. WPBruiser {no-Captcha anti-Spam}

WPBruiser, a cutting-edge spam protection plugin, takes a unique approach to spam prevention by employing a range of advanced filters and algorithms. One distinctive advantage is its ability to prevent spam comments and trackbacks without necessitating users to complete often cumbersome and user-unfriendly captchas.

By integrating sophisticated mechanisms, WPBruiser identifies and mitigates spamming attempts in real-time, ensuring that your comment sections remain clean and free from unwanted distractions. It offers both a free version, which delivers effective anti-spam capabilities, and a premium version boasting enhanced features for users seeking even more comprehensive protection.

9. Using a Plugin to Hide Your Name From a Comment’s Author Link

Beyond combatting spam, you might also consider enhancing user engagement by hiding author names from comment author links. This thoughtful strategy encourages genuine interactions with your content, as readers are not deterred by non-linked author names, thereby encouraging meaningful discussions.

To enact this feature, you can craft a straightforward plugin following these steps:

  1. Generate a plugin file within the wp-content/plugins subfolder, naming it something like Nestify Comment Author Link.php.
  2. Embed the provided code into the plugin’s source.
  3. Download and activate the plugin through your site’s administration, accessible via the “Plugins” page.

It’s crucial to acknowledge that the effectiveness of this plugin might be influenced by your theme’s comment integration. While seamless integration is expected with WordPress themes utilizing the default comments form, themes with custom comments programming may exhibit varying results. In cases of uncertainty, it’s wise to explore third-party plugins that align with your desired outcomes.

Furthermore, if you haven’t personally developed your own theme, exercising caution with theme file modifications is essential to avoid unintended consequences. Altering theme files directly could jeopardize your customizations when the theme undergoes updates. To navigate this intricacy, consult our comprehensive tutorial on developing child themes, which offers insights into preserving your modifications while ensuring theme stability.
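
The steps above, and the earlier note in section 7 about stopping users from submitting website addresses, refer to plugin code that the page does not include. The following is an added example of such a plugin, not Nestify's own code: the plugin name and file name are hypothetical, and it relies only on standard WordPress hooks.

```php
<?php
/**
 * Plugin Name: Example Comment Author Link Remover
 * Description: Added example. Removes the website field from the comment
 *              form and stops commenter names from linking to external sites.
 *
 * Hypothetical file: wp-content/plugins/example-comment-author-link.php
 */

defined('ABSPATH') || exit; // refuse direct requests made outside WordPress

// 1. Drop the "Website" input from the default comment form, so human
//    visitors are no longer offered a place to enter a URL.
add_filter('comment_form_default_fields', function (array $fields): array {
    unset($fields['url']);
    return $fields;
});

// 2. Automated submitters post directly to the comment endpoint and can
//    still send a URL even though the form field is gone, so discard the
//    value before the comment is stored.
add_filter('preprocess_comment', function (array $commentdata): array {
    $commentdata['comment_author_url'] = '';
    return $commentdata;
});

// 3. Comments saved before the plugin was activated may already carry a
//    URL. Reporting an empty URL makes themes that use the standard
//    template functions print the author name as plain text.
add_filter('get_comment_author_url', '__return_empty_string');
```

Themes that build their own comment form or read the author URL directly from the database bypass these hooks, which is the compatibility caveat described above.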

10. Add a Captcha to Your WordPress Comments to Prevent Spam

Employing a CAPTCHA is a widespread practice to verify user authenticity by presenting a form or question. Integrating this strategy into your WordPress site is effortless with various high-quality plugins, most of which are free of charge.

However, users might have reservations, particularly when required to identify objects in images. To address this, a growing number of websites use captchas that only entail clicking an “I’m not a robot” checkbox before submitting. You can seamlessly incorporate this method into your WordPress site using excellent plugins, the majority of which are also complimentary.

  1. Google Captcha (reCAPTCHA) by BestWebSoft

Google’s reCAPTCHA is a notable enhancement over the conventional CAPTCHA, as it offers user-friendly experience without cryptic queries or distorted fonts. To prevent site abandonment due to frustrating CAPTCHAs, consider integrating Google Captcha (reCAPTCHA) by BestWebSoft plugin if you’re using WordPress.

This plugin eradicates the need for deciphering unreadable text or recognizing objects in images; users simply need to tick a box confirming their non-robot status. The verification process requires manual confirmation.

To implement this, you must register your site using Google’s Captcha API, selecting between reCAPTCHA v2 (a checkbox) or reCAPTCHA v3 (a JavaScript-based captcha that operates invisibly).

Upon registration, you’ll obtain a site key and secret key to input in the plugin’s settings. Within the “Enable ReCAPTCHA for” section, opt for “Comments Form” and save your changes. Subsequently, users will be prompted to validate their humanity by clicking the “I’m not a robot” box before posting comments. The plugin can also cover other forms such as registration, login, and password reset. It can hide the CAPTCHA for trusted networks, supports right-to-left languages, and is highly customizable.


Following this, you will be provided with a site key and a secret key, both of which should be inputted into the plugin’s settings page. Within the “Enable ReCAPTCHA for” segment, opt for the “Comments Form” option. Once decided, simply save your modifications by clicking the “Save Changes” button.


Subsequently, users will be prompted to affirm their human identity by selecting an “I’m not a robot” checkbox prior to submitting comments.

Moreover, these forms encompass various functions like registration, login, password reset, etc. It’s also possible to conceal the CAPTCHA for trusted networks and apply creative variations. The system is designed to support right-to-left languages (RTL) and offers compatibility with multiple languages, enhancing its versatility and accessibility.

11. Stop WordPress Spam Comments Using a Third-Party Commenting System

1. Disqus


Disqus has solidified its position as a preferred comment management solution among bloggers and website owners due to its well-established maturity. Originating in 2007, this service now boasts support for over 750,000 websites. An impressive 75% of websites utilizing third-party commenting systems rely on Disqus, as confirmed by a recent survey conducted by Lijit.

Whether you’re starting anew with Disqus or transitioning from another commenting system, incorporating it into your website is a straightforward process. Upon signing up, it’s advisable to promptly navigate to the Import/Export section, which provides guidance on seamlessly transferring comments from various platforms like WordPress, Blogger, Movable Type, and others, into the Disqus ecosystem.

2. IntenseDebate


IntenseDebate emerges as a compelling choice, especially when you consider its creators – the same innovative minds behind WordPress, PollDaddy, and Akismet. This pedigree underscores its credibility and positions it as an optimal selection for those seeking a third-party commenting system. Given its development and management by the architects of WordPress, IntenseDebate seamlessly complements your existing blog platform.

3. Livefyre


Entering the realm of third-party commenting and debate systems is Livefyre, a relative newcomer with significant potential. Despite its limited experience, Livefyre distinguishes itself and stands tall among its peers. Candidly speaking, LiveFyre is my top recommendation among the three options. Its user-friendly interface, simplicity, and streamlined functionality align closely with established commenting platforms like Disqus and IntenseDebate.

Moreover, Livefyre introduces a unique feature – the use of the ‘@’ symbol to “tag” other users in comments, akin to its application on Facebook, Twitter, and now LiveFyre.

12. Stop WordPress Spam Comments with a Web Application Firewall

Combatting web exploits and bot-driven threats is crucial, and Amazon’s AWS WAF offers a robust solution. Hosted on Amazon CloudFront, this WAF distinguishes itself by charging only for utilized rules and factoring in web request volume. It provides comprehensive, cost-effective security, and its adaptability is further underscored by the flexibility it offers in aligning with various application architectures.

  1. AWS WAF

As an integral part of your CDN setup, the AWS WAF operates through Amazon CloudFront. Notably, this WAF only charges you for the rules you actively employ. In addition, charges are related to the volume of web requests your application encounters.

Amazon’s AWS WAF delivers robust security for your websites at an economical cost. Its setup is user-friendly and easily manageable. Depending on your application architecture, security features can be seamlessly integrated, offering enhanced flexibility compared to other WAF options.

Best For: Businesses of all sizes utilizing AWS services. Helps Mitigate: DDoS attacks, SQL Injections, and Cross-Site Scripting (XSS).

  2. Cloudflare

Cloudflare stands as the industry benchmark for cloud-driven application security. Supported by a resilient WAF, it impressively thwarts around 57 billion cyberattacks daily.

With a global network boasting a remarkable 100 Tbps capacity, Cloudflare ensures unparalleled website safeguarding. Its multi-layered security protocols, personalized rule sets, and advanced threat detection contribute to making Cloudflare a fundamental pillar of application security.

Best For: Personal use, small to mid-sized businesses, high-level enterprises, and particularly beneficial for WordPress sites due to its WordPress WAF rules. Helps Mitigate: OWASP Top 10 vulnerabilities, Comment Spam, DDoS attacks, SQL injections, and more.

  3. Microsoft Azure

Microsoft Azure emerges as a significant player, offering a cloud-native WAF seamlessly integrated within the Azure ecosystem. It vigilantly addresses the OWASP top 10 vulnerabilities and allows customization through user-defined criteria.

The cost structure is based on time and data usage, with a lower initial investment compared to competing WAF providers. Key features include real-time environment visibility, security alerts, and the ability to automate DevOps processes through comprehensive REST API support. Azure’s WAF also provides strong defense against distributed denial of service attacks.

Best For: Both major and small businesses. Helps Mitigate: OWASP Top 10 vulnerabilities, DDoS Attacks, and customized rules.

  4. WPMU Dev

WPMU DEV offers a highly optimized WAF tailored to WordPress websites. Seamlessly integrated into hosting services, it ensures minimal resource consumption and doesn’t require coding knowledge, guaranteeing optimal site speed.

With over 300 firewall rules in place, WPMU DEV’s WAF employs rule-based logic, parsing, and signatures to prevent web application threats. It outpaces most plugin-based firewalls by 25% according to independent benchmarks. Moreover, this comprehensive protection against the OWASP Top 10 is included free of charge with every hosted account.

Best For: Small to major WordPress sites, hosting resellers, and agencies managing multiple websites. Helps Mitigate: Various attacks including SQL injections and XSS.

  5. Imperva

Imperva’s WAF excels in pinpoint precision, effectively minimizing false positives and offering a global Security Operations Center for swift threat response. Covering a wide spectrum of threats, Imperva’s solution includes protection against OWASP Top 10 vulnerabilities and the Top 20 Automated Attacks.

Imperva ensures both cloud and on-premises app security, providing attack detection, SIEM integration, and detailed reporting.

Best For: Small to large-sized companies. Helps Mitigate: OWASP Top 10 vulnerabilities, Automated Top 20, and more.

  6. Prophaze

Prophaze presents a holistic security package featuring WAF, RASP, CDN, and DDoS protection. Its cloud-based solutions offer real-time security against modern attacks, instantaneously assessing vulnerabilities against the OWASP Top 10 and other threats.

Boasting limitless rulesets and notable features like a bot mitigation tool and machine learning-based threat intelligence, Prophaze is well-suited for midmarket to high-level enterprises.

Best For: A range from midmarket to high-level enterprise. Helps Mitigate: OWASP Top 10 vulnerabilities, DDoS, Bot Protection, and more.


In summary, safeguarding the credibility and reliability of your website’s content necessitates a proactive approach to combatting spam comments. Fortunately, WordPress offers a range of valuable plugins designed to help thwart the posting of spam comments.

It’s important to recognize that no single plugin, whether it’s Akismet, WP SpamShield, Antispam Bee, CleanTalk, WP Bruiser, SI CAPTCHA, or any other, can completely eliminate spam comments. The battle against spam is an ongoing endeavor, often requiring the combination of multiple tools and strategies to stay ahead of the challenge.

In this light, it’s essential to explore unconventional solutions when devising methods to counteract spam comments. To foster genuine engagement and feedback from your audience, consider experimenting with different plugins and configurations, regularly monitoring your site for spam, and actively engaging with your community. The maintenance of a spam-free website and the creation of a positive visitor experience demand diligent effort and the right resources.

FAQs on Comment Spam:

Can I block comments from specific users?

You have the ability to restrict certain users from commenting on your site using their IP address or email. To implement this, navigate to the “Comments” section in your WordPress dashboard, select the desired comment for removal, access “Quick Edit,” and input the user’s IP address or email into the “Author” field.

What are the common instances of spam comments?

Spam comments manifest in various forms, including those that link to unrelated or poor-quality websites, contribute nothing of value to ongoing discussions, consist of generic or incoherent text, or are blatantly the outcome of automated bot activity.
