How to Stop WordPress Comments Spam


Are spam comments getting out of hand on your site?

There we were. Our site used to receive 100 spam comments a day on average!

Well, we have been quite fed up with having to remove them manually. And I’m sure you, too, are.

We found what works best after experimenting with multiple ways to decrease the time and effort spent on moderating spam comments! We are going to explore how to stop spam comments on WordPress in this article.

You might be curious before we get started why you’re having spam comments in the first place. Don’t worry if so!

How To Prevent Comments Spam in WordPress

When you get hundreds of spam comments on a regular basis, pace is important. You need an easy-to-set solution that does the job, saving you valuable time and effort.

Here’s our recommendations based on the order of preference –

Preventing WordPress Comments Spam Using A Plugin

Using a plugin is the best way to block or delete spam comments. Mods are easy to set up and can dramatically save time.

Here are those that we liked:

Block Comments using Akismet for Free (Built-in)

Akismet is a plugin to avoid spam that has already been enabled on all WordPress websites. To evaluate user responses, it implements a self-learning algorithm. It eliminates apparent spam comments for your moderation and categorises the remainder.

Here’s how it should be activated:

  • From your Admin Dashboard, click on ‘Plugins’. In your list of plugins installed, you will see Akismet. Click the “Activate” tab.
  • Activate-Akismet-PluginYou will be asked to configure your account with Akismet. Tap on ‘Set up your Account with Akismet.’
  • Set-up-your-Akismet-Account-1You will be routed to the website of Akismet, where you can pick a schedule. They have a free plan for personal or non-profit blogs and commercial pages with payment plans. You will be asked to enter information after pick, such as site URL, email ID, etc.
  • Akismet-Pricing-and-Plans-PageAkismet sends an API key to your inbox until you’ve added all of the information. Return to the WordPress Dashboard now. Go to Plugins > Akismet and pick the ‘Config’ button. From the window that opens, select ‘Enter API Key Manually.’


  • Here, add your API key and you are saved!

Akismet is already configured and will automatically start blocking spam comments. For individual commenters, it will also show you behaviour and data to help you spot repeat spammers. For your moderation, it can even detect connections embedded into comments.

Block Comments Using Antispam Bee Plugin

Antispam Bee is another spam plugin for WordPress comments that specialises in filtering spam comments and deleting them. It provides a range of versatile solutions for categorising WordPress spam comments and moderating them. Any of the main features that the plugin provides are:

  • Geo-blocking remarks
  • Spam Via email alerts
  • Enable comments in a single language only.
  • Display spam statistics on the dashboard as a widget
  • Compare prospective spam comments to a local spam database

All you have to do is instal and allow it to trigger this plugin. You can then select whatever settings you want to activate.

Features-offered-by-Antispam-Bee-PluginBlock Comments By Adding A reCAPTCHA To The Comments Form

As an additional move, the reCAPTCHA in the WP comments form plugin applies a Google reCAPTCHA until a user submits a message to validate whether they are human or not.

This is one of the most effective ways to detect and block bots. It’s like attaching a lock on your front door to add a reCAPTCHA to your page-the bots don’t have the keys!

To trigger this function:

  • On the WordPress account, instal and trigger reCAPTCHA in the WP comments type plugin.
  • Add-reCAPTCHA-in-WP-comments-form-plugin-Similar to Akismet, to allow this function, you will need to obtain API keys. By going to Plugins > AntiSpam Bee > Configuration, you will find a step-by-step method to acquire and enable this feature.

Activating-reCAPTCHA-in-WP-comments-form-pluginOnce enabled, when it catches a spam comment, you can customise the configuration and select what you want the plugin to do. This is what reCAPTCHA would look like for a sample:

Sample-reCAPTCHA-in-WP-comments-formThe main downside of adding a reCAPTCHA is that it interrupts which can be irritating to the user interface. Real commentators can be dissuaded by an extra phase before making a statement.

Bonus Tip: We have partnered with them to provide Bot Security if you’re using Cloudways! This role blocks all kinds of malicious bots which send unwanted requests to your site. It also eliminates over 40 percent of the CPU consumption!

Here’s a screenshot of how bots were blocked when triggering this feature:

We can easily see how more than 15000 requests received in just one day were blocked by this feature. Check out the Cloudways Bot Security functionality announcement to read more about this function and how to use it.

We discovered in the above section that by using a plugin, we can effectively block WordPress spam comments. But if you don’t want the website to add another plugin, don’t worry! WordPress comes with various built-in features that can allow spam comments to be moderated and stopped.

Let’s dive inside!

Preventing WordPress Comment Spam Using Built-In Features

Turn on Comment Moderation

You can also afford to manually moderate them if you only receive a few spam comments every day. Before it is shown on the website, you can opt to manually authorise any comment.

Go to Settings > Topic and select “Comment must be approved manually.”

Turn-on-Comment-ModerationBoth comments will now be stored under the Comments section automatically. You will check them manually and only accept those that you agree are true.

Remove URL Field from Comment Form

Having a backlink from your blog is the most popular focus of spam comments. You may have seen several spam comments that appear to flatter the writer and leave a link to an unsolicited website afterwards. This is an SEO linking technique from Black-Hat. It excessively raises your website’s amount of outbound connections that are not suitable for your SEO.

By disabling the ability to add a URL in the first place, you can fix this issue!

You would need to change the code in your functions.php file to do this.

Before you make any code changes, it is often advisable to take a backup of the site. To keep the site backed up on their servers, you can use a secure backup plugin like BlogVault. You will use them to recover your page in literal seconds in case something goes wrong!

Here’s what you need to do if you have a backup:

  • On your WordPress Dashboard, mouse over the “Appearance” menu. Now, click on “Theme Editor” from the drop-down menu. This will take you to your present theme code.
  • Theme-Editor-in-Appearance-MenuThe folder functions.php is usually found at the top of the ‘Style Folders’ tab. Only press it.
  • Locating-the-functions.php-file-in-Theme-FilesAt the end of the folder, apply the following code. Then press the ‘Update File’ button.

//* Remove URL field from comments
function remove_url_comments($fields) {
return $fields;

Adding-code-in-functions.php-file-to-disable-URL-in-commentsAdd code to the functions.php file to deactivate the comment URL

This will mean that the URL area for the website on the comment forms is no longer seen.


Add a minimum and maximum limit on the number of characters

“Some spam bots are programmed to leave comments like “Hello” with one word. This comment can’t be picked up as spam by automatic spam blocking software because it is apparently harmless. You will hold these bots out by imposing a mandatory constraint on the number of characters!

You’ll need to change the code in the functions.php file to apply a character cap to the comments field.

  • Go to Appearance > Editor of Themes. Open the file functions.php now. At the end of the file, add the following code:

add filter( ‘preprocess comment’, ‘wpb preprocess comment’ );
function wpb preprocess comment($comment) {
if ( strlen( $comment[‘comment content’] ) > 5000 ) {
wp die(‘Comment is too long. Please keep your comment under 100 characters.’)
if ( strlen( $comment[‘comment content’] ) < 60 ) {
Wp-die(‘Comment is too brief. At least use characters, please.’);
$Comment Return;

Tap on ‘Update File’ now. The following message will be shown if anyone attempts to make a comment lower than the limit set.


Switch off Comments Permanently

If you would rather not waste your time on moderating spam comments, the safest way to go is to uninstall comments!

You can opt to delete comments on old posts on WordPress or even permanently disable comments on your blog.
Steps to Delete Older Posts Comments:

  • Go to Settings > Discussion.
  • Enable ‘Closing comments automatically on posts longer than X days’ under ‘Other Comments Settings’ and change the number of days to your convenience.
  • WordPress now blocks comments on posts that are older than the specified number of days.

Steps for Permanently Deleting Comments:

  • Go to Settings > Topic to permanently turn off the comments feature on your blog.
  • Now disable the “Allow people to submit comments on new posts” option.

Disabling-comments-on-new-postsUsers will no longer be allowed to apply any remarks to new entries.

Only one way in which bots are attempting to manipulate your website is to leave spam comments. Bots are also programmed to guess your website’s password and break into your site.

You must use a firewall to block all forms of bots and secure your website absolutely.

The firewall defence of MalCare is the most robust and reliable way to protect your website from bots of all sorts.

How this function, let’s learn.

Preventing WordPress Comment Spam using a Firewall

Real-time Firewall Security from MalCare uses different strategies to block bad bots from entering the web. The requests submitted to your site are continuously evaluated. As they prefer to use malicious IP addresses, MalCare detects spam bots and blocks them automatically. It also includes password security and holds an audit log of unwanted connections to the backend or WordPress Admin Dashboard.

Steps to enable MalCare’s firewall protection:

  • Create your account with MalCare from the Signup Page.
  • Add the URL of your website and instal the plugin. You can do this directly from the dashboard of MalCare or instal the plugin manually from the WordPress Repository.
  • The firewall is automatically activated until the plugin is enabled. To secure your site, MalCare now blocks malicious bot traffic and IP addresses automatically.

Click on the arrow from the ‘Firewall’ section to search the details.

  • MalCare-Firewall-More-DetailsMalCare shows a graph of the amount of traffic and login requests and the ones that have been blocked in the segment that appears. To see the exact info, click on ‘Show More’.

Traffic-Requests-identified-by-MalCareYou will also see the precise list of all the requests sent on your website, including the country of origin, the date and time, and whether the request has been approved.

Details-of-Traffic-requests-identified-by-MalCareThe Smart Firewall of MalCare defends your site by blocking bad bots, which will reduce your comment spam dramatically.

We’ve seen all the numerous ways to get rid of spam comments now. But wait, why in the first place does this even happen?

Below, we’ve explained this.

Why are Comment Spam Bots targeting your site?

You need to realise how easy it is to recruit a bot for spamming comments before we answer this. There are hundreds of networks on the dark market dubbed “botnets” and forums where you can quickly employ a spam bot for comments. In fact, 80% of all spam is sent by only 10 botnets, if you take email spam into account!

Here’s why these comments are used by spam bots:

A link to piggyback:

A Black Hat SEO strategy for creating backlinks to a website is spam comments. In an attempt to rake up certain SEO points, bots are hired by unsolicited or low-quality sites to leave spam comments with ties.

To have the server overloaded:

To congest your server and cause it to fail, hackers use bots. To target your login page and flood your server with requests, they send bots. These requests can also take the form of observations. Hackers discreetly use other tools to hack the site when you’re busy working to get your site back up.

To pivot your traffic to unsolicited sites:

Virus-inducing or drug-selling websites typically use spam comments to get more traffic. In the comments, unsuspecting tourists end up clicking on the link and are led to these unsolicited websites.

We will therefore see how spam comments are used to take advantage of regular pages.
You may now have used some of the tools we have listed to avoid spam comments. The war doesn’t stop there, though. To try to break around anti-spam steps, spammers are continually changing and altering their styles.

So it’s important for you to know how, if you ever see them, to recognise spam comments. Here are a couple of tips.

WordPress Spam Comments Checklist to Recognize

If the message also has one of the following attributes, it’s most definitely a spam comment.

It has a relation that is suspicious:

Check to see if there are numbers in the link or whether it’s a condensed link. This is mostly used to redirect to places where drugs are distributed or viruses are triggered.

It is really flattering, but irrelevant:

Spammers appear to say “Amazing post!” to be flattering. “or “Powerful resource, for comparison, will come back” etc. But you’ll find that they don’t really add value to these remarks or answer the post.

It comes with odd keywords:

The statement has unique keywords that don’t sound like everyday vocabulary, like those used for SEO construction.

Short and generic, the comment is:

Spammers say things such as “Great article”, “Very good resource” etc., similar to the second point. On different websites, bots typically leave identical remarks.

A business name is the user’s name:

Rather than being a person, the commenter seems to belong to some corporation. They’re presumably trying to add a connection back to the company site in this situation.

What is the verdict?

Find the one that fits best for you now that we have explored all the numerous ways to block WordPress spam comments!

Our personal advice is to use the firewall security of MalCare along with an anti-spam plugin such as Akismet. This has eliminated our attempts to moderate feedback altogether and holds the spam bots out!

But while spam bots are awesome to stop, there are so many risks lurking from which you need to protect your website. Such defence can only be provided to you by a quality WordPress security plugin.

The best protection plugin out there is MalCare. It is understood that other scanners just tend to avoid finding malware. The best thing is that 1-Click Automatic Malware Removal is provided to keep your site 100% hack-free!

MalCare has shown itself to be a happy choice for over 400,000 website owners with superior firewall security, uptime management and website hardening.

Today, try MalCare for free!