WordPress Comment Blocklist: The Ultimate Guide

A lively comment section is great for visitor engagement and can even increase your position in search engine rankings. But spambots, internet trolls, and scammers can derail the discussion.

Fortunately, there are ways to automatically filter out unwanted comments. With the right tools and safety measures, you can reap the benefits of WordPress comments — without any of the drawbacks. 

In this post, we’ll take a close look at WordPress comment blocklists and why they’re important. We’ll then show you how to build a complete comment-blocking system in five steps. 

An introduction to WordPress comment blocklists (and why you need them)

Bad language, spam links, and irrelevant comments can devalue your site. To keep your comment section engaging and positive, you may want to consider creating a blocklist. 

A blocklist is a list of offensive words, potential link spam, controversial phrases, and other unwanted content. Every comment posted to your site will need to pass through this filter. WordPress will then examine the comment’s content, as well as the poster’s username, the associated site title, URL, email address, and IP address. 

If any of this content contains a blocklisted word or phrase, then WordPress won’t post the comment to your site automatically. Depending on how you’ve configured your blocklist, this comment may be placed in your WordPress moderation queue. This is a section of the WordPress dashboard where you can manually review all flagged comments. You can then either publish them to your site or send them to the Trash folder.

Alternatively, you might specify words that will result in a comment being sent directly to the Trash. This can ensure that you’re not wasting precious time reviewing every bad comment. 

While this blocklist is unlikely to catch every harmful comment, it can be an effective way to block the majority of unwanted content, or the most obvious examples of spam and harassment. This can minimize the time and effort required to maintain a pleasant, engaging, and informative comment section. 

How to create a robust WordPress comment blocklist

Out of the box, WordPress has everything you need to create a comment blocklist. However, it’s your responsibility to build this list and keep it up to date.

For the best results, you may want to use this built-in blocklist in combination with a few other tricks, techniques, and plugins. Let’s see how you can create a more robust WordPress comment blocklist, in five steps. 

Step #1: Identify harmful words

The first step to creating an effective blocklist is identifying the words and phrases that you want to block. Some may immediately spring to mind, like bad language.

Creating a complete list of every single harmful or offensive word can be a challenge. Fortunately, there are people who have already done all of the hard work for you. 

We recommend taking a look at the WordPress Comment Blacklist. This resource contains over 45,000 phrases, patterns, and keywords commonly used by spammers and comment bots.

Every website is unique and attracts its own unwanted comments. For this reason, you may benefit from examining the content that your site is already flagging as spam.

WordPress automatically conducts several tests on comments before publishing them to your pages and posts. If a comment fails, it will be added to a moderation queue to await your approval. 

To view your queue, navigate to Comments → Spam.

By examining these, you may be able to pick up words or phrases that are commonly used in spam comments on your site. These are ideal candidates to add to your blocklist. 

If you do identify an unwanted message, then it’s smart to add its site title, URL, and email address to your blocklist. This can make it more difficult for this person or bot to target your site in the future.

Step #2: Use the WordPress built-in blocklist

WordPress comes with everything you need to create a simple blocklist. To build this list, navigate to Settings → Discussion.

On this screen, scroll to the Comment Moderation section. To start, you may want to place a comment in your moderation queue if it contains multiple links. Spammy profiles will often add several URLs to their comments, so this can be an easy way to pinpoint suspicious content. 

Some people may abuse the comment system by using it for self promotion. For this reason, you may want to consider holding back all comments that feature a link, even if it’s just a single URL. 

After entering this information, you can add all of your blocklisted words to the Comment Moderation section. You can either type them into this box or use copy/paste, but you must only enter one word or phrase per line. 

Now, WordPress will hold comments back for moderation if they contain these words in their content, author name, URL, email, IP address, or the browser’s user agent string. You can review this moderation queue at any time by navigating to Comments → Spam.

Step #3: Create a disallowed list

Some blocklisted words are more forgivable than others. For example, you may flag all comments that feature your competitor’s name. This gives you a chance to review this content to ensure that it’s not promoting the competition’s products or services. 

Having said that, there are scenarios where this content may benefit your site. For instance, a poster might compare you favorably to your biggest competitor. 

In contrast, there are some words that you’ll never want to appear on your website. This often includes derogatory or discriminatory terms. If there’s zero chance of you approving these comments, then you may want to send them straight to Trash.

To bypass the moderation queue, scroll to the Disallowed Comment Keys section. Here, you can enter words and phrases that will result in a comment being forwarded directly to your site’s Trash.

Just bear in mind that WordPress does match partial words and variations of blocklisted words. Therefore, it may incorrectly flag content as spammy or offensive. For this reason, you may want to add the majority of your words to the Comment Moderation section. This gives you an opportunity to identify legitimate comments that have been caught in the filter.
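
To decide which entries are safe for Disallowed Comment Keys, you can replay your candidate entries against comments you have already approved. The following is an added example (not WordPress code and not part of the original post): it models the partial matching described above as a case-insensitive substring test on each checked field, and the field names and sample data are constructed for illustration.

```python
# Added example: a model of partial matching, run on constructed data.
FIELDS = ("author", "email", "url", "ip", "agent", "content")

def parse_keys(box_text):
    """One entry per line, as the settings box expects; blank lines are dropped."""
    return [line.strip() for line in box_text.splitlines() if line.strip()]

def hits(entry, comment):
    """Fields of `comment` that contain `entry` as a case-insensitive substring."""
    needle = entry.lower()
    return [f for f in FIELDS if needle in comment.get(f, "").lower()]

def triage(box_text, approved_comments):
    """Sort entries by whether they would have caught a comment you approved."""
    plan = {"disallowed": [], "moderation": {}}
    for entry in parse_keys(box_text):
        caught = [(i, f) for i, c in enumerate(approved_comments)
                  for f in hits(entry, c)]
        if caught:
            plan["moderation"][entry] = caught   # false-positive risk: review by hand
        else:
            plan["disallowed"].append(entry)     # no approved comment affected
    return plan

# Constructed candidate entries, one per line.
CANDIDATES = """
cialis
free-pills.example
203.0.113.1
bet
"""

# Constructed stand-ins for comments you previously approved.
APPROVED = [
    {"author": "Dana", "email": "dana@site.example", "url": "", "ip": "198.51.100.7",
     "agent": "Mozilla/5.0", "content": "Our specialist confirmed this fix works."},
    {"author": "Lee", "email": "lee@site.example", "url": "", "ip": "203.0.113.154",
     "agent": "Mozilla/5.0", "content": "Much better than the previous guide."},
]

if __name__ == "__main__":
    plan = triage(CANDIDATES, APPROVED)
    print("Safe for Disallowed Comment Keys:", plan["disallowed"])
    for entry, caught in plan["moderation"].items():
        print(f"Keep in Comment Moderation: {entry!r} matched {caught}")
```

Entries that match an approved comment only through a longer word or a longer IP address are the ones to keep in Comment Moderation, where you can still rescue the comment.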

Step #4: Level up your WordPress comment blocklist with Akismet

Spambots, malicious third parties, and even internet trolls are constantly coming up with new and ingenious ways to trick comment blocklists. Therefore, it may help to have an advanced comment filtering plugin in your corner.

The Akismet plugin maintains its own database of unwanted words, plus thousands of blocklisted IPs, URLs, phrases, and links. Since this database is built into the plugin, you don’t have to download or configure a list manually. Akismet continuously adds to its database, so you’ll have up-to-date protection.

Many WordPress sites come with Akismet installed by default. If it isn’t, you can download it for free from the official WordPress repository. As soon as it’s up and running, Akismet will prompt you to create an account. 

If the plugin was installed on your site by default, but isn’t yet enabled, navigate to Plugins → Installed Plugins, locate Akismet, and click on Activate.

This launches a page where you can purchase an Akismet license. The Akismet team also offers a “pay what you can” model for personal use.

After purchasing a license and verifying your email address, navigate to Settings → Akismet Anti-Spam. You can now click on Manually enter an API key. When prompted, type or copy/paste the API Key that Akismet sent to the email associated with your account.

Immediately, Akismet will start moderating your comment section, but there are a few simple settings that you can configure. To do this, navigate to Settings → Akismet Anti-Spam.

Here, you can change the strictness level. If you receive a large number of comments, or experience a spike in comment spam, you may want to give Akismet the power to silently discard the worst offenders. This can make your comment queue more manageable. 

Step #5: Block access to wp-comments-post.php

Most legitimate visitors will read a post before leaving a comment. This means they’ll have loaded comments.php, which is your blog’s comment template. When this person clicks on Submit, WordPress will run the wp-comments-post.php processing file, which is located in the root directory. 

By contrast, spambots typically target wp-comments-post.php directly and bypass your comments.php file altogether. In this scenario, the request’s HTTP referrer is not a page on your domain.

With this in mind, you may want to block requests for wp-comments-post.php that are not sent directly from your domain. This can immediately reduce the amount of comment spam that you receive. 

To prevent bots from accessing wp-comments-post.php directly, connect to your site using a File Transfer Protocol (FTP) client, like FileZilla.

Then, download your .htaccess file. On your local computer, open this file in a text editor and add the following:

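RewriteEngine On
# Apply only to form submissions...
RewriteCond %{REQUEST_METHOD} POST
# ...aimed at the comment processing file...
RewriteCond %{REQUEST_URI} wp-comments-post\.php
# ...whose referrer does not contain your domain, or...
RewriteCond %{HTTP_REFERER} !(.*)example\.com(.*) [OR]
# ...whose user agent is empty or "-"
RewriteCond %{HTTP_USER_AGENT} ^-?$
# Redirect the request back to the address it came from
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]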

Just make sure to replace “example.com” with your own domain. You can now save this file, and re-upload it to your server. 
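
Before uploading the file, it helps to check which requests the rule will actually catch. This added example (not part of the original post) models how the rule's conditions combine and runs them over constructed requests; ANCHORED_PATTERN is a stricter referrer pattern assumed for this example, not taken from the page.

```python
import re

# Referer pattern from the page's rule, and a stricter variant that is an
# assumption of this example (scheme and host anchored).
PAGE_PATTERN = r"(.*)example\.com(.*)"
ANCHORED_PATTERN = r"^https?://(www\.)?example\.com(/|$)"

def rule_fires(req, referer_pattern=PAGE_PATTERN):
    """Model the condition chain: POST AND handler URI AND (foreign Referer OR blank UA)."""
    if req["method"] != "POST":
        return False
    if not re.search(r"wp-comments-post\.php", req["uri"]):
        return False
    foreign_referer = re.search(referer_pattern, req["referer"]) is None
    blank_agent = re.search(r"^-?$", req["agent"]) is not None
    return foreign_referer or blank_agent

def evaluate(requests, referer_pattern=PAGE_PATTERN):
    """Map each named request to True (redirected) or False (reaches WordPress)."""
    return {name: rule_fires(req, referer_pattern) for name, req in requests.items()}

HANDLER = "/wp-comments-post.php"
BROWSER = "Mozilla/5.0"

# Constructed requests, not captured traffic.
REQUESTS = {
    "form on your own post": {"method": "POST", "uri": HANDLER,
        "referer": "https://example.com/hello-world/", "agent": BROWSER},
    "direct POST, no headers": {"method": "POST", "uri": HANDLER,
        "referer": "", "agent": ""},
    "visitor whose browser omits Referer": {"method": "POST", "uri": HANDLER,
        "referer": "", "agent": BROWSER},
    "Referer that only contains the domain": {"method": "POST", "uri": HANDLER,
        "referer": "https://example.com.spam.test/", "agent": BROWSER},
    "normal page view": {"method": "GET", "uri": "/hello-world/",
        "referer": "", "agent": BROWSER},
}

if __name__ == "__main__":
    for label, pattern in (("page rule", PAGE_PATTERN), ("anchored", ANCHORED_PATTERN)):
        for name, fired in evaluate(REQUESTS, pattern).items():
            print(f"{label:10} {name:40} {'redirected' if fired else 'allowed'}")
```

The third request shows the cost of the rule: the referrer is supplied by the visitor's browser, so a real commenter whose browser omits it is redirected too. Treat the rule as a filter for low-effort bots and keep the blocklist and Akismet as your main defenses.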

Creating an effective WordPress comment blocklist 

As a website owner, attracting lots of comments and engagement may seem like the ultimate goal. However, without a comment moderation system in place, this dream can quickly turn into a nightmare, especially if you attract the attention of scammers and spambots. 

Let’s quickly recap how to create a robust WordPress comment blocklist:

  1. Identify harmful words.
  2. Use the WordPress built-in blocklist.
  3. Create a Disallowed List.
  4. Level up your WordPress comment blocklist using the Akismet plugin.
  5. Block access to wp-comments-post.php.

WordPress enables you to create a robust blocklist. If you want to ensure that your comment section is an enjoyable and safe place to be, then Akismet has everything you need to take your WordPress comment blocklist to the next level. 

Get Akismet spam protection for your WordPress site.

WordPress comment blocklist FAQs

You should now have a robust comment blocklist in place, but you may still have some questions. Let’s look at some of them. 

How do you remove words from a WordPress blocklist?

WordPress does match partial words and variations of blocklisted words. This means that you may need to adjust your blocklist if it’s incorrectly flagging content as spam. 

To remove an item from your blocklist, navigate to Settings → Discussion. Then, scroll to the Comment Moderation section. You can now delete the keywords that you no longer want to block, and click on Save Changes. 

Alternatively, there’s a chance you may have added these words or phrases to your Disallowed Comment Keys section. All comments that contain these words are sent straight to the Trash folder. 

If you’ve been experiencing issues with partial word matching and variations, then you may want to consider moving these items from your disallowed list to the Comment Moderation section. This will give you the opportunity to review these comments in your moderation queue. 

Can I use a WordPress blocklist to block links to specific websites or email addresses?

There are many scenarios in which you may want to block links to a particular website or email address. This may include competitor sites or the contact information of a known spammer.

To block this content, navigate to Settings → Discussion. In the Comment Moderation section, enter the emails and links in question. Then, click on Save Changes.