6 Easy and Efficient Ways to Combat Spam Comments


One of the downsides of running a successful WordPress blog is that some people want to take advantage of your success by posting "spam comments" on your blog to drive visitors to their own sites. Sometimes they do it with robots, sometimes with home-made browser extensions, sometimes manually - just like a normal human being. Not cool.

But thanks to WordPress' flexible architecture, there are numerous ways to prevent them. In this article, we'll go through 6 easy and efficient methods to have a spam-free WordPress blog.

1. Akismet, the Boss of Antispam Plugins

What it prevents: Both automated spam and manual spam.

If we're going to cover methods of combating spam comments, it would be a shame if we didn't start with the most popular one :). Well, it's the most popular one because it comes with the WordPress package, but it also earns the privilege with its great quality.

According to its website, it runs hundreds of tests (on its own servers) when a comment is posted on your blog. If the tests say "yay", the comment goes live and if they say "nay", the comment goes to the "spam" folder.

It just needs you to sign up with a simple form (you can choose the free version or pay for it) and start using the plugin as soon as you enter the API key on the options page.

2. Disabling Direct Access to wp-comments-post.php With .htaccess

What it prevents: Automated spam.

You can always disable direct access to the wp-comments-post.php file by adding this code to your .htaccess file:

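<IfModule mod_rewrite.c>
RewriteEngine On
# Only look at requests for the comment handler
RewriteCond %{REQUEST_URI} wp-comments-post\.php
# ...whose Referer is not your own site, or whose User-Agent is empty
RewriteCond %{HTTP_REFERER} !.*yourdomainname.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Send the request back to the address it came from
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]
</IfModule>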

(Credit: Cats Who Code)

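The logic is simple: If the "referrer" isn't from your blog (don't forget to change the "yourdomainname" part!) or the request has no user agent at all, it doesn't allow the file to be accessed. Another good thing about this code is that spam robots will not raise your server's resource usage, since they can't access the file. Both headers are supplied by the client, so treat this as a filter for unsophisticated bots; visitors whose browser or proxy strips the Referer header will be blocked as well.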

3. The "Cookies for Comments" Plugin

What it prevents: Both automated spam and manual spam.

I know that I must remain unbiased about these anti-spam plugins but the Cookies for Comments plugin is by far the best I've used!

According to the plugin author Donncha O Caoimh:

"The plugin adds a stylesheet or image to your blog's html source code. When a browser loads that stylesheet or image a cookie is dropped. If that user then leaves a comment the cookie is checked. If it doesn't exist the comment is marked as spam."

Simple as that. Better yet, the plugin also checks how fast the comment is sent. So, for example, if the comment is sent within 3 seconds from when the post's page is loaded, it's probably spam. You can set the interval from the options page, along with the choice to deal with the "caught comments" - you can set them as "spam" or delete them directly.
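
The two checks described above (the cookie must exist, and the comment must not arrive too soon after the page loaded) can be combined by putting a signed timestamp in the cookie. This is an added example, not the Cookies for Comments plugin's code; the function names, the secret and the 24-hour upper limit are assumptions, and the sample submissions are constructed.

```php
<?php
// Added example: names, secret and thresholds are hypothetical, not the plugin's.
const CFC_SECRET      = 'replace-with-a-long-random-secret'; // placeholder value
const CFC_MIN_SECONDS = 3;     // faster than this looks automated (the article's example)
const CFC_MAX_SECONDS = 86400; // assumed limit so an old cookie cannot be reused forever

// Called when the browser fetches the stylesheet or image: builds the cookie value.
function cfc_issue_token(int $now): string {
    return $now . '.' . hash_hmac('sha256', (string) $now, CFC_SECRET);
}

// Called when a comment is posted: returns 'ok' or 'spam: <reason>'.
function cfc_classify(?string $cookie, int $now): string {
    if ($cookie === null || $cookie === '') {
        return 'spam: no cookie (asset never loaded)';
    }
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'spam: malformed cookie';
    }
    [$issued, $mac] = $parts;
    $expected = hash_hmac('sha256', $issued, CFC_SECRET);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return 'spam: bad signature';
    }
    $elapsed = $now - (int) $issued;
    if ($elapsed < CFC_MIN_SECONDS) {
        return 'spam: submitted too fast';
    }
    if ($elapsed > CFC_MAX_SECONDS) {
        return 'spam: cookie expired';
    }
    return 'ok';
}

// Constructed sample submissions (not real traffic).
$loaded = 1700000000;
$token  = cfc_issue_token($loaded);
$cases  = [
    'no cookie'     => [null, $loaded + 30],
    'forged cookie' => [$loaded . '.deadbeef', $loaded + 30],
    'too fast'      => [$token, $loaded + 1],
    'normal reader' => [$token, $loaded + 45],
];
foreach ($cases as $label => [$cookie, $now]) {
    printf("%-14s => %s\n", $label, cfc_classify($cookie, $now));
}
```

Because the timestamp is covered by the HMAC, a client cannot backdate the cookie to get past the speed check without knowing the server-side secret.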

4. Using a Different Comment System (Like Disqus or Jetpack)

What it prevents: Automated spam.

There's a nice thing about comment systems: Spam robots usually don't deal with them at all! Well, they probably "can't" do anything because the comment systems load inside an iFrame - or it might be something else. I don't know.

Anyways, you can and you should use other comment systems if you're getting lots of spam comments or lots of legitimate comments for that matter. They have more functionality, they look nice, they make visitors happier and if we get back to our point, they're mostly immune to spam.

I can recommend Jetpack, Disqus and Facebook Comments.

5. Utilizing a Checkbox to Enable the Send Button

What it prevents: Automated spam.

Again, this is not a very strong measure to prevent spam but it might help with your problems and it doesn't really annoy the legitimate commenters.

First, you need to add a checkbox to your theme's comment form (which is most likely in the comments.php file), like this:

<label for="enable"><input type="checkbox" name="enable" id="enable" onClick="apply()" class="enable_checkbox"> Check this box to enable the send button</label>

It's a good idea to add it right above the submit button. By the way, note the value of the "name" attribute of the submit button and the <form> element. If you don't have a "name" attribute for the <form> element, add it with the value "commentform".

Next, add this code to your header.php file, inside the <head> element:

<script type="text/javascript">
// Enable the submit button only while the checkbox is ticked
function apply() {
	var form_submit = document.commentform.submit;
	var form_checkbox = document.commentform.enable;
	if(form_checkbox.checked==true) {form_submit.disabled=false;}
	if(form_checkbox.checked==false) {form_submit.disabled=true;}
}
</script>

Change the instances of "commentform" and "submit" if you have different name="..." values for the <form> element and/or the comment submit button.

That's it! If you need to style the checkbox, it has a class named "enable_checkbox".

6. CAPTCHA Plugins

What it prevents: Automated spam.

I have to say that this is my least favourite option (since it's kind of annoying for the legitimate commenters) but nevertheless, CAPTCHAs are one of the most effective ways to prevent comment spam.

CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart" according to Wikipedia. There are loads of plugins out there but I'm going to cover two specific plugins:

Block Spam and Help Literature Grow: reCAPTCHA

reCAPTCHA takes a very different approach to the CAPTCHA system by using it to do something good. It basically does this: Google scans old books, magazines, documents etc. but of course, the OCR software can't always read the words and that's where we come in handy - it makes people read the words that OCR software can't! (For more information, you can visit Google's reCAPTCHA website.)

And reCAPTCHA for WordPress can bring this curiously useful technique to your website.

Block Spam With the Power of Math: CAPTCHA

This is another good approach to prevent spam by requiring human feedback: It utilizes mathematical operations and leaves one bit of the equation blank so the user can (must) complete the equation to send the comment.


We can't prevent 100% of the spam - there are people out there who spam just like a normal human being, by typing legitimate comments and entering their websites into our comment forms' "URL" fields. So we can't deal with them all but I'm pretty sure that we can prevent 9 out of 10 spam comments with the techniques above! :)

Of course, this might not be a complete list to prevent comment spam. If you have anything to add to this article, your feedback is always welcome!
