How to Stop Comment Spam in WordPress

Comment sections can be goldmines for engaging with your audience. Yet unmoderated comments can quickly descend into chaos. If you don’t keep an eye out for spam, it may overrun every comment section on your website. These messages can scare real readers away, and prevent them from interacting with other users (and with you).

In most cases, spam is easy to recognize. Users or guests will leave links to other websites without explaining why, or start talking about products and services that have nothing to do with your content. If you put measures in place to stop these messages, you can keep your comment sections protected and valuable to your audience.

In this article, we’re going to take a good look at how spam appears in a comment section. We’ll show you how to identify spam comments on your WordPress websites, and talk about how they negatively affect your website. Finally, we’ll show you eight ways to prevent comment spam in WordPress. Let’s get to it!

What is comment spam?

If you use the internet, you’re already familiar with spam. You probably get dozens of emails per week advertising fraudulent products and offers. But spam messages don’t just come in the shape of emails — they’re everywhere on the web.

Spammers tend to gravitate towards comment sections because they offer the opportunity to target a broad audience. On popular blogs, it’s not uncommon to have comment sections with dozens of users engaging in discussion. A single spam comment pointing to another website can easily get a few clicks, and even more so if it blends into the conversation.

example of a spam comment in WordPress

Generally speaking, comment spam is any content with the sole purpose of pointing visitors towards other websites. Spam commenters may be trying to get people to buy or sign up for something, phish sensitive information from visitors, or install malware on their device. Occasionally you’ll see legitimate comments that point readers towards third‑party websites, but these links have to make sense in the context of the discussion.

It can be tempting to simply ignore comment spam, but that can have a negative impact on your website. If you visit a site and you see that its comment sections are overrun with spam messages, you might not trust its content or the business that owns it. We’ll touch on other ways that spam can affect your site, but first let’s talk about how to spot this type of comment.

How to identify comment spam

Spam comments tend to be very easy to spot. In a lot of cases, bots — not actual people — are behind them. These bots are programmed to target comment sections that don’t require any type of verification and post messages that will lead readers to third‑party websites.

example spam comment

If you’re ever on the fence about whether a comment is spam or not, there are several signs that you can check for. Signs of comment spam include:

  • The comment comes from a guest account or one with a generic name
  • The user doesn’t have an avatar
  • The comment includes links to third‑party websites
  • There are mentions of products, services, and benefits to readers
  • The comment has little or nothing to do with the discussion at hand

Trolls vs spam

Sometimes, you might get comments in poor taste or that don’t add anything to the discussion. Those commenters may be genuine in their opinions and honestly think that they’re contributing to the community, or they may be trolling. But those comments are not necessarily spam.

There are a couple of key differences between trolls and spam. Trolls are real people and spam is most often spread by bots. Also, a troll’s main goal is to disrupt discussion, sow division, and elicit emotional responses from other individuals. The main goal of spam is usually some kind of financial gain, whether it’s an unethical (but genuine) marketing tactic, or an attempt to scam people.

Why are comment spam bots targeting your website?

If you’re working on your first WordPress website, you may think that spam bots have it out for you. Unfortunately, comment spam is something that almost every website has to deal with (unless you turn comments off entirely). 

Bots crawl the web looking for comment sections that they can target. They don’t differentiate between sites that are and are not relevant to the websites, products, and services that they’re promoting. For spammers, it’s all a matter of numbers. If they leave thousands of comments across many different websites, at least some readers will take the bait.

Some of those users will go on to share personal information or even payment details that spammers can steal. In some cases, spammers might benefit directly from making sales to users who aren’t aware of their underhanded practices.

Comment sections can be an incredible source for engaging discussions and ideas within your website. They can encourage users to look out for new posts and build relationships with other commenters. On the other hand, the price that you pay for having a comment section is needing to deal with spam.

Luckily, WordPress empowers you with several tools and features that make dealing with spam comments that much easier. We’ll explore those in a second, but for now let’s talk about the rest of the ways that spam comments can affect your website.

Four ways that spam comments negatively affect your website

1. Spam comments diminish trust 

If you come across a website that looks credible, but it’s full to the brim with spam comments, you might believe that the site is abandoned. At the very least, you’ll tell yourself that its owners might not care about cleaning up their comment sections, or that they don’t pay attention to comments at all.

The more obvious the spam is, the more negatively it will impact your website’s image.

spam comment full of hashtags

Tech‑savvy users might not judge you too harshly for having spam on your website, since they understand where it comes from. But not all of your audience will know that they should ignore spam comments.

Some users will see spam and think that since it’s on your website, you’re endorsing it or promoting the offers the comments include. If that translates to them making a scam purchase or sharing personal information online, it will diminish their trust in you.

If you have a website with a comment section, it’s your responsibility to keep it clean, and not just so that your site looks better. You have to consider that some of your audience doesn’t have the technical know‑how to differentiate spam offers from real content, and it’s your job to ‘protect’ them while they’re on your site.

2. Real comments can get lost among spam entries

If you’re a user trying to have a real discussion in a comment section, navigating spam can be frustrating. Genuine replies to the topic at hand can easily get lost as bots overrun the comment section.

That frustration can lead to users deciding that commenting on your content is simply not worth it. Comments can be a great source for critical discussion about your posts, questions that can lead to new content, and even users simply thanking you for your efforts.

If you allow spam to run unchecked on your website, you lose out on a lot of the value that comment sections can provide. At that point, you might be better off disabling comments altogether.

3. Spam can impact your website’s search engine optimization (SEO)

Getting a website to rank well on search engines takes a lot of time and effort. Often, it can take months or even years to grow a website to the point where it’s getting decent traffic from search results. That process involves dozens of SEO tasks, tweaking your pages and posts so they’re well‑optimized, and publishing better content than your competitors.

Unfortunately, spam comments can negatively impact your SEO if you leave them unchecked. Most spam includes links to external websites, and search engines can’t differentiate between those links and the ones that you include within your content.

From the search engine’s perspective, all they see is that your website suddenly includes a lot of ‘low-value’ links. Since links are one of the many signals that search engines use to determine rankings, spam comments can cause your site to plummet in the results. 

Considering how critical search engine traffic is to most websites’ growth, you can’t allow spam comments to linger on your site. That’s why you need to put measures in place to prevent spam, and to weed it out if it makes it past your defenses.

4. Spam can slow down your website

If you’re getting a lot of spam bots attempting to submit comments, these requests can affect your website’s performance. If your site is having to handle thousands of spam submissions a day, that can use up a lot of your site’s resources — especially if you’re on a budget hosting plan. Additionally, if you let spam comments pile up, you may end up with some serious database bloat, further slowing your site’s load times. 

If your readers have to wait a long time for your pages to render, they’re less likely to stick around to read your content, let alone leave a comment (unless it’s to complain about how slow your site is).

How to prevent comment spam in WordPress

At this point, we wouldn’t blame you if you’re very concerned. Spam causes a lot of problems, and it’s almost guaranteed that bots will try and post these types of messages on your site. So what can you do about it?

The good news is that WordPress offers a variety of ways in which you can prevent and filter spam comments from your WordPress website. In this section, we’ll explore all of the approaches that you can take to prevent spam and protect your comment sections.

1. Use a plugin to filter spam comments

The best way to deal with spam is to use a plugin that can automatically detect which comments are legitimate and which ones aren’t. That’s a lot to ask from a plugin, but it’s precisely what Akismet does.

graphic showing how Akismet works

When you use Akismet, the plugin analyzes each comment that visitors submit on your website. It accesses Akismet’s global database and checks to see if the comments match other known spam entries and sources.

All of that happens in the background, in a matter of seconds. If Akismet marks a comment as spam, it’s flagged and it doesn’t get published. Fortunately, you can also review these comments manually, to double‑check that no real entries get flagged by mistake.

comments flagged as spam

If you want to approve a comment, you can mark it for publication and it will show up on your website. But you save a lot of time by focusing only on the comments that Akismet flags versus reviewing every comment submission manually.

There is a free version of the plugin, which is perfect for most websites. On the other hand, if you’re running a commercial site or get a large volume of traffic, you’ll want to look into premium plans.

2. Disable WordPress comments altogether

If you want to stop spam altogether, you can disable comments throughout your website. This is an extreme approach, so we only recommend that you disable comments if you’re certain that they won’t contribute anything to your site.

To disable comments in WordPress, access your dashboard and go to Settings  Discussion. Look for the section that reads Default post settings at the top of the screen, and uncheck the Allow people to submit comments on new posts option:

discussion settings in WordPress

That setting will disable comments for every post that you publish from now on. But comments will remain active for old posts and pages. To disable those comment sections, go into the Posts or Pages tab. Select a post or page, and click on Quick edit below its name. You’ll see an option that reads Allow Comments.

Quick Edit section for individual posts or pages

If that option is checked, disable it. Repeat this process for every page and post where you want to disable comments.

Depending on the type of website you’re running, disabling comments altogether might cost you some user engagement. Fortunately, there are other ways to reduce spam.

3. Force users to register before they can comment

One of the best ways to reduce comment spam in WordPress is to make it more difficult for bots to make submissions. Forcing bots to register and log in before they can comment can go a long way towards reducing spam entries on your posts and pages.

WordPress enables you to do that by checking a single setting on your website. Go to Settings Discussion and scroll down to the Other comment settings section. Tick the box for the setting that reads Users must be registered and logged in to comment.

comment settings within WordPress

By enabling that setting, you force spammers and bots to go through the registration process if they want to submit anything on your website. In a lot of cases, that can be enough to deter spammers. But since spam user registration does happen, you may have to implement a few more preventative measures.

4. Hold comments for approval before publishing them

By default, WordPress publishes comments as soon as users submit them. It also comes with a moderation queue where you can review comments and approve or reject them before they go live.

You can configure WordPress so that your website requires you to approve every comment manually. To do so, go to Settings Discussion and scroll down to the Before a comment appears section. Enable the setting that reads Comment must be manually approved.

manual comment approval setting

There’s also another setting that tells WordPress it can automatically publish comments if you’ve already approved submissions from the same user. That setting can save you a lot of time, as you’ll only have to review submissions from each user once.

To access pending comments, click on the chat box icon in the top menu within the dashboard. That icon should display a number to its right, which shows the number of pending comments in the queue.

comment moderation queue

From this screen, you can review comments one by one and approve those that aren’t spam. If you see a spam comment, you can delete it permanently.

Generally speaking, there aren’t many situations where it makes sense for legitimate comments to include links. Your readers might want to point each other towards relevant content, but usually, comments that include links tend to fall into the spam category.

WordPress offers an elegant solution to that problem by enabling you to configure how many links a comment can include before it gets flagged as spam. You can find that setting on the Settings Discussion page under the Comment Moderation section.

comment moderation list

By default, WordPress will flag any comment that includes two or more links within its body. If you want to play it safe, you can reduce that number to one link. This means any comments that include links will go into the moderation queue to await your approval.

This section also enables you to set keywords that WordPress will use to flag comments. If it detects those words within new comments, WordPress will hold them in the moderation queue. Some common keywords that you can set include:

  • Buy/sell
  • Make/earn money
  • Offer
  • Stock and shipment

All of those keywords are pretty good indicators of spam comments. You can be as aggressive as you want when it comes to choosing what terms to filter, but keep in mind that this means you’ll need to spend more time approving comments manually.

Rather than deciding what keywords to ‘blocklist’ on your own, you can also benefit from the collective experience of the WordPress community. For example, you might download the recommended Comment Blacklist for WordPress that’s featured on GitHub.

6. Add a CAPTCHA to your comment sections

You may have noticed that a lot of comment sections force you to solve a CAPTCHA before you can submit an entry. CAPTCHAs are simple tests designed to stop bots from posting and ensure that you’re a human. 

WordPress doesn’t include CAPTCHA functionality out of the box. The good news is that you can easily add this feature using a plugin like reCaptcha.

This plugin enables you to add CAPTCHAs to multiple elements within your website. You can add them to comment sections, registration and login forms, contact forms, and more.

If visitors (or bots) can’t solve the CAPTCHAs, they won’t be able to submit comments. But CAPTCHAs don’t always catch every spam comment. Bots become smarter each day and often find ways around even the trickiest of puzzles.  

7. Use a third‑party comment system

The WordPress comment system works seamlessly and includes a lot of features to make your life easier. Yet it lacks things like social media integration and the ability for visitors to reply using images or GIFs, emoticons, and other options.

If you want to give your audience access to that type of functionality, you can replace the default WordPress comment system with a different one altogether. There are plenty of WordPress plugins that enhance your comment section:

  1. wpDiscuz: This plugin extends the native WordPress comment system and adds new options like custom layouts, live notifications, responsive comment sections, and more. 
  2. WP Social Comments: With this plugin, visitors will be able to use their Facebook account to leave comments on your website.
  3. Super Socializer: This plugin enables you to use the Facebook commenting system in WordPress and lets users log in with their social media accounts.
  4. Jetpack Comments: Visitors can log in using their social media accounts, like other people’s comments, and receive a notification when another user replies.

Comment plugins that include social media components offer a fantastic way to reduce spam in WordPress. By forcing users to log in through social media to comment, you make it harder for spammers to submit fake entries on your website.

8. Set up a web application firewall (WAF)

Using a WAF can help you prevent attackers from accessing your website. WAFs enable you to configure rules that govern who can use your site. That means you can block IP addresses, visitors from specific regions, bots that try to access your site repeatedly in short amounts of time, and more.

If you’ve ever run into a website that uses Cloudflare or Sucuri, then you’ve already seen WAFs in action. Most content delivery networks (CDNs) offer WAF functionality, since it helps them protect their users against malicious traffic.

Using a CDN will also help you improve load times throughout your website. Depending on which service you use, you might also get access to features like automatic image optimization, denial of service (DDoS) protection, and more.

Some CDNs will help protect your website against known bots and spammers. Simply enabling the CDN will block those known agents from accessing your website and being able to leave comments.

Spam is unavoidable, but it can be defeated

If you have comment sections on your website, you’re going to be faced with spam. Spam bots are everywhere, and if you ignore them, they can quickly overrun your comment sections with links to other websites and offers that will scare some of your real visitors away.

Fortunately, WordPress offers a number of ways to deal with comment spam. You can use built‑in settings to make it harder for spammers to submit responses to your posts and pages. You can also use plugins that automatically filter out easily recognizable WordPress comment spam, add CAPTCHAs to your comment sections, or require visitors to log in using their social media accounts.

If you want a simple but effective solution, you can begin by setting up Akismet. This plugin will automatically filter spam comments on your WordPress website, so you don’t have to spend time going over your entire moderation queue manually. Akismet also integrates with some of WordPress’ most popular plugins like Jetpack, Contact Form 7, Gravity Forms, Formidable Forms, and others.