Five Ways You Can Keep Your WordPress Site Spam-Free

WordPress and spam go together like highways and traffic jams. Everyone agrees that the former is indispensable, but desperately wishes it could exist without the latter.

The good news is that unlike with gridlock, there IS something you can do about WordPress spam. Quite a bit, actually. And that’s where we come in.

First, Install An Antispam Solution

The most obvious solution to our problem is to take a look at one of the many anti-spam plugins available for WordPress, as installing one will deal with a lot of the more obnoxious bots that target WordPress sites. As for which one you should install?

Honestly, it’s really a matter of preference. WP Spam Fighter is a pretty decent choice, though Akismet is largely held to be the best tool on the market. There are others, of course – the best advice I can give here is to do a bit of research, and see which one catches your fancy.

Second, Tweak Your Comment Settings

If your anti-spam plugin doesn’t seem to be stopping EVERY spammer (or you just want to make absolutely certain your WordPress blog has ironclad protection) then your next step is to modify your comment settings. You’re going to want to do the following:

  • Hold comments for moderation (optional): Most anti-spam plugins are made to block bots. Holding comments for moderation will let you pick out human spammers, as well.
  • Close down comments on older posts: This will reduce the volume of spam comments you have to sift through and delete, in addition to giving spammers fewer avenues through which they can attack your site.
  • Only allow comments from registered users: Not surprisingly, most spambots don’t have WordPress accounts.

Third, Ban Spam IP Addresses

Next up, install a plugin like WP-Ban. This utility can be used to ban any IP address that tries to spam your blog. Over time, this will allow you to create a blacklist of spammers and reduce the volume of bots targeting your site. You can also do this manually, if you really want to, but I wouldn’t recommend it – especially on larger sites, it can get overwhelming.

One word of caution here, as noted by Soumen Halder of Make Tech Easier, is that you shouldn’t get too generous with your bans. Remember that banning an IP means that every visitor coming from that particular address is unable to access your blog. It’s therefore recommended that you only focus on banning repeat offenders.

Fourth, Use .htaccess To Block Bots

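Our fourth tip, courtesy of Mastermind Blogger, is to add a rewrite rule to your site’s .htaccess file (an Apache configuration file, not part of WordPress core) to tighten your blog’s security. By adding a few lines, you’ll automatically turn away any comment submission that arrives without a referrer from your own site or without a user agent. Bots, in other words. Keep in mind that visitors whose browser or privacy tool strips the Referer header will be turned away as well.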

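Write the following into your .htaccess file, replacing yourdomain.com (a placeholder) with your actual domain:

# Protect from spam bots
<IfModule mod_rewrite.c>
RewriteEngine On
# Only inspect comment submissions
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
# Referrer is not this site, or the user agent is empty
RewriteCond %{HTTP_REFERER} !yourdomain\.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Send the client back to its own address
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
</IfModule>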
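
Before banning addresses or enabling the rule above, it helps to see which requests in your access log it would catch and which addresses are genuine repeat offenders. The following Python sketch is an added example, not code from Mastermind Blogger or WP-Ban; it assumes Apache's combined log format, and example.com, the threshold of 3 and the sample log lines are constructed placeholders.

```python
import re
from collections import Counter

SITE_DOMAIN = "example.com"  # assumption: placeholder for your own domain
BAN_THRESHOLD = 3            # assumption: suspicious hits before an IP is a repeat offender

# Apache "combined" format: ip, identity, user, [time], "request", status, size, "referer", "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def rule_would_block(method, path, referer, agent):
    """Mirror the rewrite conditions: comment POST AND (foreign/missing referer OR empty UA)."""
    if method != "POST" or "wp-comments-post.php" not in path:
        return False
    referer = "" if referer == "-" else referer  # Apache logs an absent header as "-"
    agent = "" if agent == "-" else agent
    return SITE_DOMAIN not in referer or agent == ""

def repeat_offenders(lines, threshold=BAN_THRESHOLD):
    """Return {ip: hits} for addresses with at least `threshold` requests the rule would catch."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and rule_would_block(m["method"], m["path"], m["referer"], m["agent"]):
            hits[m["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def _line(ip, request, referer, agent):
    return f'{ip} - - [10/Oct/2023:13:55:36 +0000] "{request}" 200 512 "{referer}" "{agent}"'

# Constructed sample entries (documentation-range IPs), not real traffic.
SAMPLE_LOG = (
    [_line("203.0.113.7", "POST /wp-comments-post.php HTTP/1.1", "-", "-")] * 4
    + [
        _line("203.0.113.7", "GET / HTTP/1.1", "-", "-"),
        _line("198.51.100.23", "POST /wp-comments-post.php HTTP/1.1", "-", "Mozilla/5.0"),
        _line("192.0.2.10", "POST /wp-comments-post.php HTTP/1.1",
              "https://example.com/hello-world/", "Mozilla/5.0"),
    ]
)

if __name__ == "__main__":
    print(repeat_offenders(SAMPLE_LOG))
```

In the sample, 198.51.100.23 sends a single referrer-less comment with a normal user agent: the rule would turn it away, but it stays below the ban threshold.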


Lastly, Try A Bit Of PHP Magic

Our last tip comes to us courtesy of Mozilla’s senior web developer, David Walsh. And it’s definitely a doozy. According to Walsh, there was a time when his blog was receiving over 8,000 spam comments a day, and nothing was working to prevent them. He tried every single tip in the book save for locking comments behind CAPTCHA.

Eventually, he grew frustrated and took matters into his own hands.

“My solution was allowing the generic anti-spam solution: adding an INPUT to the form which should remain empty during the submission process,” writes Walsh. “Empty in value but present via key: the premise is that bots that read form inputs would populate the form field values with rubbish just to make sure submissions weren’t rejected based on empty values.”

At this point, he added the following isset check to his site’s PHP:

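// Reject any comment submission that does not carry the is_legit key
function preprocess_new_comment($commentdata) {
    if (!isset($_POST['is_legit'])) {
        die('You are bullshit');
    }
    return $commentdata;
}
// Register the check only when running inside WordPress
if (function_exists('add_action')) {
    add_action('preprocess_comment', 'preprocess_new_comment');
}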

Comments that fail that check are automatically rejected. Now, he admitted that this means users without JavaScript support are unable to comment. The is_legit key itself is supplied by the following JavaScript code, which he also included and configured to execute upon comment submission:

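// MooTools: look up the comment form by its id
var form = $('comment-form');

// Submit the form via Ajax, appending the is_legit key the PHP check expects
new Request({
   url: form.action,
   method: 'post',
   onRequest: function() {},
   onSuccess: function(content) {},
   onComplete: function() {}
}).send(form.toQueryString() + '&is_legit=1');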


According to Walsh, in the two weeks since he implemented his solution, he received no spam comments whatsoever.

Closing Thoughts

Spam is an unavoidable fact of hosting a website on WordPress. It doesn’t need to adversely affect your users, though. Thankfully, there’s no limit to the range of available tools and tactics with which you can moderate it.

Image: Flickr/freezelight