
6 Easy and Efficient Ways to Combat Spam Comments


One of the downsides of running a successful WordPress blog is that some people want to take advantage of your success by posting "spam comments" on your blog and trying to get more visitors. Sometimes they do it with robots, sometimes with home-made browser extensions, sometimes manually - just like a normal human being. Not cool.

But thanks to WordPress' flexible architecture, there are numerous ways to prevent them. In this article, we'll go through 6 easy and efficient methods to have a spam-free WordPress blog.

1. Akismet, the Boss of Antispam Plugins

What it prevents: Both automated spam and manual spam.

If we're going to cover methods of combating spam comments, it would be a shame if we didn't start with the most popular one :). Well, it's the most popular one because it comes with the WordPress package, but it also earns the privilege with its great quality.

According to its website, it runs hundreds of tests (with its own servers) when a comment is posted on your blog. If the tests say "yay", the comment goes live and if they say "nay", the comment goes to the "spam" folder.

It just needs you to sign up with a simple form (you can choose the free version or pay for it) and start using the plugin as soon as you enter the API key on the options page.

2. Disabling Direct Access to wp-comments-post.php With .htaccess

What it prevents: Automated spam.

You can always disable direct access to the wp-comments-post.php file by adding this code to your .htaccess file:

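<IfModule mod_rewrite.c>
RewriteEngine On
# Apply only to requests for the comment handler...
RewriteCond %{REQUEST_URI} wp-comments-post\.php
# ...whose referrer is not this site, or whose user agent is empty
RewriteCond %{HTTP_REFERER} !.*yourdomainname.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Redirect the client back to its own address instead of serving the file
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]
</IfModule>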

(Credit: Cats Who Code)

The logic is simple: if a request for wp-comments-post.php arrives with a "referrer" that isn't your blog (don't forget to change the "yourdomainname" part!) or with an empty user agent, it doesn't allow the file to be accessed. Another good thing about this code is that spam robots will not raise your server's resource usage, since they can't access the file.

3. The "Cookies for Comments" Plugin

What it prevents: Both automated spam and manual spam.

I know that I must remain unbiased about these anti-spam plugins but the Cookies for Comments plugin is by far the best I've used!

According to the plugin author Donncha O Caoimh:

"The plugin adds a stylesheet or image to your blog's html source code. When a browser loads that stylesheet or image a cookie is dropped. If that user then leaves a comment the cookie is checked. If it doesn't exist the comment is marked as spam."

Simple as that. Better yet, the plugin also checks how fast the comment is sent. So, for example, if the comment is sent within 3 seconds from when the post's page is loaded, it's probably spam. You can set the interval from the options page, along with the choice to deal with the "caught comments" - you can set them as "spam" or delete them directly.
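The cookie check and the timing check described above can be sketched in a few lines of plugin code. This is an added example, not the Cookies for Comments source: the cookie name, the 3-second threshold and the signed timestamp (which goes beyond the plugin author's description) are assumptions, and the cookie is set on the page response rather than through a separate stylesheet or image.

```php
<?php
// Added illustration; not the Cookies for Comments source code.
const CFC_DEMO_COOKIE   = 'cfc_demo'; // hypothetical cookie name
const CFC_DEMO_MIN_SECS = 3;          // assumed minimum delay, as in the text's example

// Token is "<timestamp>.<HMAC of timestamp>", so the client cannot alter the time.
function cfc_demo_make_token( $time ) {
	return $time . '.' . hash_hmac( 'sha256', (string) $time, wp_salt( 'nonce' ) );
}

// Returns the page-load timestamp, or false if the token is missing or altered.
function cfc_demo_read_token( $token ) {
	if ( ! is_string( $token ) ) {
		return false;
	}
	$parts = explode( '.', $token, 2 );
	if ( 2 !== count( $parts ) || ! ctype_digit( $parts[0] ) ) {
		return false;
	}
	$expected = cfc_demo_make_token( (int) $parts[0] );
	return hash_equals( $expected, $token ) ? (int) $parts[0] : false;
}

// Drop the cookie when a visitor views a post or page with open comments.
add_action( 'template_redirect', function () {
	if ( is_singular() && comments_open( get_queried_object_id() ) && ! headers_sent() ) {
		$token = cfc_demo_make_token( time() );
		setcookie( CFC_DEMO_COOKIE, $token, 0, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
	}
} );

// When a comment arrives, require a valid cookie that is old enough.
add_filter( 'pre_comment_approved', function ( $approved, $commentdata ) {
	if ( is_user_logged_in() ) {
		return $approved; // only anonymous comments are checked in this sketch
	}
	$raw       = isset( $_COOKIE[ CFC_DEMO_COOKIE ] ) ? $_COOKIE[ CFC_DEMO_COOKIE ] : null;
	$loaded_at = cfc_demo_read_token( $raw );
	if ( false === $loaded_at || ( time() - $loaded_at ) < CFC_DEMO_MIN_SECS ) {
		return 'spam'; // no cookie, altered cookie, or comment sent too quickly
	}
	return $approved;
}, 10, 2 );
```

Because this sketch sets the cookie in the page response, it will not behave correctly behind a full-page cache; loading the cookie through a separate stylesheet or image, as the plugin author describes, avoids that.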

4. Using a Different Comment System (Like Disqus or Jetpack)

What it prevents: Automated spam.

There's a nice thing about comment systems: Spam robots usually don't deal with them at all! Well, they probably "can't" do anything because the comment systems load inside an iFrame - or it might be something else. I don't know.

Anyways, you can and you should use other comment systems if you're getting lots of spam comments or lots of legitimate comments for that matter. They have more functionality, they look nice, they make visitors happier and if we get back to our point, they're mostly immune to spam.

I can recommend Jetpack, Disqus and Facebook Comments.

5. Utilizing a Checkbox to Enable the Send Button

What it prevents: Automated spam.

Again, this is not a very strong measure to prevent spam but it might help with your problems and it doesn't really annoy the legitimate commenters.

First, you need to add a checkbox to your theme's comment form (which is most likely in the comments.php file), like this:

<label for="enable"><input type="checkbox" name="enable" id="enable" onClick="apply()" class="enable_checkbox"> Check this box to enable the send button</label>

It's a good idea to add it right above the submit button. By the way, note the value of the "name" attribute of the submit button and the <form> element. If you don't have a "name" attribute for the <form> element, add it with the value "commentform".

Next, add this code to your header.php file, inside the <head> element:

<script type="text/javascript">
// Enable the submit button only while the checkbox is ticked
function apply() {
	var form_submit = document.commentform.submit;
	var form_checkbox = document.commentform.enable;
	form_submit.disabled = !form_checkbox.checked;
}
</script>

Change the instances of "commentform" and "submit" if you have different name="..." values for the <form> element and/or the comment submit button.

That's it! If you need to style the checkbox, it has a class named "enable_checkbox".
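The script only changes what the browser shows, so a request sent straight to wp-comments-post.php never touches the checkbox. The following added example (not part of the original tutorial) repeats the check on the server; it assumes the checkbox keeps the name "enable" used in the markup above and that the code lives in your theme's functions.php or a small plugin.

```php
<?php
// Added illustration: enforce the checkbox on the server as well.
// Assumes the checkbox keeps the name "enable" from the markup above.
add_filter( 'preprocess_comment', function ( $commentdata ) {
	// Pingbacks and trackbacks do not come from the comment form.
	$type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
	if ( in_array( $type, array( 'pingback', 'trackback' ), true ) ) {
		return $commentdata;
	}

	// An unticked checkbox is not submitted at all; a ticked one arrives as "on".
	if ( empty( $_POST['enable'] ) ) {
		wp_die(
			'Please tick the checkbox before sending your comment.',
			'Comment not sent',
			array(
				'response'  => 403,
				'back_link' => true,
			)
		);
	}

	return $commentdata;
} );
```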

6. CAPTCHA Plugins

What it prevents: Automated spam.

I have to say that this is my least favourite option (since it's kind of annoying for the legitimate commenters) but nevertheless, they are one of the most effective ways to prevent comment spam.

CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart" according to Wikipedia. There are loads of plugins out there but I'm going to cover two specific plugins:

Block Spam and Help Literature Grow: reCAPTCHA

reCAPTCHA takes a very different approach to the CAPTCHA system by using it to do something good. It basically does this: Google scans old books, magazines, documents etc. but of course, the OCR software can't always read the words and that's where we come in handy - it makes people read the words that OCR software can't! (For more information, you can visit Google's reCAPTCHA website.)

And reCAPTCHA for WordPress can bring this curiously useful technique to your website.

Block Spam With the Power of Math: CAPTCHA

This is another good approach to prevent spam by requiring human feedback: It utilizes mathematical operations and leaves one bit of the equation blank so the user can (must) complete the equation to send the comment.


We can't prevent 100% of the spam - there are people out there who spam just like a normal human being, by typing legitimate comments and entering their websites into our comment forms' "URL" fields. So we can't deal with them all but I'm pretty sure that we can prevent 9 out of 10 spam comments with the techniques above! :)

Of course, this might not be a complete list to prevent comment spam. If you have anything to add to this article, your feedback is always welcome!
