10 Ways to Stop WordPress Comment Spam

2

If you’ve ever run a blog or website, specifically on WordPress, you will know that comment spam is just a fact of life. Spammers will always find a way to break through the comment barrier and spam their links across your website. Whether it is in the website field in the comments or throughout the comment form itself, WordPress comment spam is bound to happen.

Running multiple websites that have gotten sufficient traffic, we know how to deter spam and have dealt with hefty amounts of it ourselves, even attacks among many other spam related issues. WordPress comment spam is not only annoying, but implements a heavy load on your server and wastes bandwidth, we will give you the 10 easiest ways anyone can beat and stop WordPress comment spam.

#1: Remove the Website Field From the Comment Section

Stop WordPress Comment Spam

Throughout months of testing, we found removing the Website field from our comment section deterred a large number of spam. Spammers have automated bots that just copy and paste the same comment form of Name, Email, Website, and Comment into the desired fields. Removing the website field hinders the bots ability to post and it may end up leaving the website without entering a piece of spam.

Removing the website field may vary depending on which WordPress theme you are using, or if you are using a Child Theme on top of a framework. Removing the comment section from a framework may be a bit harder, you may want to search “(FrameWork name) Remove Website Field” and it will appear. Regardless, if you are using a standard theme, go to Apperance>Editor>Comments.PHP. Scroll to the bottom or near middle and look for the tabs named Name, Email and Website. Remove the Website field entirely. Do not remove to much code of you may break the comment section of the theme.

#2: Use an Alternate Comment System

WordPress comment spam is nearly all automated. A vast majority of spam is set to target the three specific fields implemented on WordPress by default. Using an alternate comment system will deter nearly all spam as bots cannot target new-age comment systems. New-age comment systems not only deter spam, but have a range of tools built in.

If any spam does make it through, the comment systems will nearly always detect it or hold it for moderation as it appears suspicious. The best alternate comment systems that can be implemented into WordPress are:

  1. Disqus
  2. Livefyre
  3. Jetpack Comments

#3: Install Akismet Spam Protector

Akismet is a anti-spam comment protector that generally comes pre-installed with WordPress. To activate the plugin navigate to Plugins, find the Akismet plugin install and click settings. Follow the instructions and generate a token from the official Akismet website then input it in the token field. Click Save and Akismet will begin adding spam to your WordPress spam folder.

If Akismet is not installed, you can download it from their official site or the WordPress plugin community.

#4: Utilize the Comment Blacklist

Another great feature WordPress has built into their CMS is the Comment Blacklist. The comment blacklist lets you censor any range of words or combinations of words you desire. If a spammer or person tries to use any word found on the comment blacklist, it will not make it to the moderation que or even the spam folder. It will simply notify the user the word is ban. Comment bots will disperse and a person may re-write their comment and try not using a set of words they may know are ban.
Wordpress Comment Blacklist
To setup the comment blacklist, navigate the Settings> Discussion> Comment Blacklist. It may be near the bottom of the discussion page. To find words you wish to blacklist navigate to Comments and find the spam folder in the upper right hand corner. Find popular spam keywords and add them to the blacklist. In the photo above, we have blocked out a number of known keywords that are always used for spam comments.

We have found spammers commonly misspell their keywords or use variants to bypass the comment blacklist. It may be smart to consistently check your spam folder for newer keywords or different types of spam attackers use.

#5: Utilize CloudFlare

CloudFlare WordPress Spam

One of the best solutions we have found to combat WordPress comment spam is CloudFlare. CloudFlare offers a range of security services but we have found it to block a number of faulty WordPress commenters from even accessing the site. Want to stop spammers from ever reaching your domain and wasting your web-hosts resources?

CloudFlare protects websites from hackers while speeding up the site as a whole. CloudFlare can stop common hack attacks, DDoS Attacks, sophisticated attackers along with general comment spam. CloudFlare works at a DNS level, meaning no plugins are required. Simply sign up for a plan, CloudFlare offers free, pro, business and enterprise plans. CloudFlare’s free plan also stops WordPress comment spam, so if your a newer blog or on a budget, CloudFlare doesn’t mind and will still let you use their service. Once you’re signed up and have entered your DNS records, navigate to your domain registrar and change the nameservers. CloudFlare shows detailed steps on how to do the following.

CloudFlare offers free plans as it helps make their network smarter and realize more attacks to help free and paying customers.

We have found since implementing CloudFlare months ago, our comment spam went down from hundreds of spam per hour, to less than 30-50 a day.

pia red

#6: Ban Users IP Address

Some spammers will come back and use the same IP address over and over again. Some spammers just use free proxy IP’s they find online, meaning hundreds of different spammers may be using them to attack your blog and comment system. While some spammers may use fresh IP’s for every spam comment, it is still a good idea to block spammers IP address. This helps deter any attacks those public IP addresses may launch in the future or just stop the commenter from even being able to access the site in the future.

CloudFlare Block IP Address

pia red

If you have CloudFlare installed, blocking IP’s is easy as one click. Navigate to Comments and the Spam folder on your website. From there, go to your CloudFlare control panel, click threat control, scroll down to the “Add custom rule panel. Go back to your WordPress comment spam area, and copy and paste the IP’s to the threat control and hit block. As you may get hundreds or thousands of pieces of comment spam per day, look for IP’s that have been used multiple times and focus on blocking those IP addresses. It may also be helpful to block the IP addresses from the latest pieces of spam too, considering they may be back in the coming hours to add more spam. If a spammers IP address are blocked they will be navigated to a CloudFlare screen telling them they have been blocked. CloudFlare will not let them access your website which will also decrease the server load making your website faster for Google and human visitors.

#7: Require Comment Manual Approval

Wordpress Comment Manual Approval

Requiring manual approval on comments is another great way to stop WordPress comment spam. All comments, regardless if they are humans are spam, will be required to have their comments manually approved. While this may seem like a tedious job, installing a spam plugin, then using manual approval on top of the anti-spam plugin makes moderating comments seamless. If spam falls through the cracks, it won’t be posted and will require to be approved. From there you can mark it as spam and blacklist the IP address.

#8: Close Comments on Older Articles

Close WordPress Comments

A lot of spam generates across a number of articles, some even dating back to your first blog posts. Depending on the style of your blog, it may be a good idea to close comments on older posts or some that may not be as active. Inside the WordPress Settings>Discussion panel, WordPress allows an option to automatically close the comment section on older articles.

If you do not desire to close the comment section on all articles past a certain date, individual comment sections can be closed. While editing a WordPress post, at the top right of the screen you should see a Screen Options dropdown tab. Click it and put a check mark next to the Discussion field. Scroll to the bottom of the page and find the discussion tab that was just enabled. From there you can choose whether or not you want comments or trackbacks to be enabled on the post. To disable comments, uncheck the box next to Allow Comments. That will disable comments on that specific post.

#9: Hold Comments that have Links

Wordpress Comment Moderation

All spam is in hopes of grabbing a link on your blog, this helps the spammers domain gain ranking and authority, while degrading yours. Requiring comments that have links to be manually approved can be a great way to deter spam. Comments that have no links can be automatically approved if you wish to not have to manually approve them. Requiring comments that have links to be manually improved will cut down on the amount of comments you need to moderate as well as only hold back spam comments.

#10: Disable Trackbacks

Wordpress Disable Pingbacks

Trackbacks are one of the largest sources for WordPress comment spam, not only are they relentless, they are spammy, intrusive and downright annoying. Disabling trackbacks can help instantly disperse a number of spam appearing comments and cut down on the moderation que. While trackbacks and pingbacks can be a great way of knowing blogs are linking you, some spammers have found loopholes and have begun exploiting faulty pingbacks just to get a link on your website. Disabling trackbacks entirely can stop the whole issue.

CloudFlare also offers additional ways to stop trackbacks from ever reaching your site, challenging them with a captcha to disperse bots.

Conclusion

WordPress comment spam is a serious issue. Spam has taken the internet by hold and it is time to get rid the internet of it. Traditional spam is easy to get rid of as it cannot bypass current implemented systems, but we need to create a new infrastructure to disperse spam as a whole. The above methods are the top 10 ways to stop WordPress comment spam, alongside adding extra protection against pesky notifications.

Let us know your favorite methods in the comments or if any of the above methods helped you stop WordPress comment spam.

About Author

Brandon Stosh is the founder and CEO of www.freedomhacker.net. Stosh is a cyber security researcher and professional consultant who strives to provide reliable news on cyber-security based topics.

2 Comments

  1. Hey Brandon!

    Great article! Could you elaborate on this a bit?
    “CloudFlare also offers additional ways to stop trackbacks from ever reaching your site, challenging them with a captcha to disperse bots.”

    Specifically, how are you implementing this? at the CF rule level? and if so, what do those rules look like?

    Thanks!

    • Hi Dan,

      It is set at a Web Application Firewall (WAF) level, denying autposters the ability to access xmlrpc.php, the WordPress Pingback mechanism. Enabling CloudFlare’s WAF, and their WordPress security suite will allow users to enable what is called the “WordPress Pingback Blocker.” This means bots or humans trying to access xmlrpc.php will be hit with a CloudFlare captcha. As bots do not solve captchas, the pingback never reaches the site and CloudFlare thwarts the pingback.

      Pingbacks are commonly used for attacks, example, if massive attacks are launched towards the xmlrpc.php mechanism, they simply won’t reach it without having to bypass Cloudflare security and solve their captcha.

      Hope that helped!

Leave A Reply

Send this to friend