How to deal with
WordPress Comment Spam

What is WordPress comment spam, how do they do it and how can you stop it?

I remember when I got my very first comment on a blog.

This is a redirected post

This post originally appeared on our old blog at Please note that some links may be outdated and may not work.

It was flattering; I was beyond chuffed.

I was over the moon to think that someone found my site so fantastic that they stopped what they were doing just to write me a nice little note in the comments. 

"Hi, great post and I love your blog. Can you tell me what theme you are using? I wish mine looked as good."

Only when I looked at the links to a viagra site did I realise that this was spam.  Nice spam, yes.  But spam nonetheless.

this is spam

What is WordPress comment spam?

Spam, in general, is an unsolicited digital message. It can be commercial, malicious or used to try and gain traffic for another site (see below).

You'll recognise it as

  • unsolicited advertisements ( something you didn't ask for trying to sell you something)
  • links to malicious websites or 
  • general abusive information.

WordPress comment spam is a comment on your WordPress blog containing such a message.

Why does comment spam exist?

A lot of people have asked me why spam exists and I understand it can be tricky to see why people do it. What possible gain can there be? Well, as usual with abusive behaviour online the main driver is to make money.

How on earth can anyone make money from WordPress comment spam?

Well, for one thing, they will (hopefully) get a click back to their website. They certainly won’t get one from me but with millions of posted comments they’ll definitely get some. That means more traffic to their site.

But the main goal is to trick Google!

Links from other websites back to your website are an important ranking factor to Google. If you have lots of these “backlinks”, done properly, Google thinks your site is more popular. Thus, Google might rank you higher.

A higher rank means your site will come up in search results more often. That means more visitors to your website. If you get more visitors to your website you will make more money. Presto.

Google are continuously figuring out ways to detect these fake links. Of course, the spammers are, too.

How do they do comment spam?

Actually, it’s really easy to send spam. There are tools available that will do it for you, tools like Scrapebox or GScraper. (No links to them.) They'll find the websites and do the comment posting for you.

Now, Google isn't easy to fool.  If many comments with the same text get posted, they'll realise something fishy is going on and they'll penalise the linked site.  Therefore, to make the comments seem unique, spammers use lists of phrases like this one

Each time it generates a comment , the program will swap out some words for others. This can fool Google into thinking this is a unique comment.

I'm sure you've noticed this type of nonsensical comment:

Google the battle are money. That more are of these “backLinks to you higher. A higher. A higher rank means your website. If you get means more visitor to detect think”, done properly, Google the spammers. That more are more think”, doney.

That’s where this type of junk comment comes from.

How can I stop spam on my WordPress site?

There is actually no way to STOP spam. Once your website is connected to the internet it's open to receiving any traffic, including spam.  Just like you can't actually stop that guy coming round to your postbox with the poorly-spelled pizza brochure.  

But there are steps you can take to vastly reduce the time-sucking effect spam can have on your website maintenance.

There’s no one way to do it. Like dealing with your WordPress security, you need to take a multi-layered approach.

Speaking of security: 30 minutes to 

a more secure WordPress website

Follow our free walk-through to quickly (and easily) learn how to:

Keep hackers out, run backups automatically and save yourself hours of time

Stop comment spam with built-in WordPress tools


Matt Mullenweg, creator of WordPress, created Akismet so that his mother could blog in safety.

Akismet works like this:

  • Someone posts a comment to your WordPress website
  • Akismet checks that comment against all the comments in the community database
  • If it's spam, it's deleted 
  • If spam gets through and a user later marks it as spam, the comment is added to the database

Thus, the pool of spam comments increases, making Akismet increasingly effective over time. By using Akismet you are actively helping combat spam.

Akismet comes as a default plugin with WordPress. This plugin is just the interface to the community-built database behind it.  Install it, use it. When you notice a spam comment, mark it as Spam, don’t delete it. That way it gets added to the database.

The only problem with Akismet is that you will need to register to use it, but it's well worth it.

Comment settings to help limit spam

There are a few settings that might limit the amount of spam you get but to be honest, the spambots are smarter than this nowadays.  Still, it's good practice to set the following:

In Settings > Discussion you'll see this panel of settings

settings to limit wordpress comment spam

Here you should force the author to at least enter a name and email address.  You can also close comments after a number of days or force users to login to comment but these are probably too restrictive for most WordPress websites.

Limit links in a comment

A common feature of spam comments is that they contain multiple links to another website.

settings to limit wordpress comment links

Again in Settings > Discussion, you can reduce the allowed number of links down to one to prevent this.

Stop WP comment spam with your own Comment Blacklist

WordPress also includes a comment blacklist that you can customise. 

Go to Settings > Discussion and add your blacklisted words there. Any comment containing these words will be removed.

Be careful, though.  This blacklist is pretty ruthless and it won't tell you when a comment is deleted.

Including words like "viagra" and "porn" in the list will be effective but partial matches work too.  This means e.g. "ass" will remove comments containing words like "assertion", "assonance" etc.

Stop WP comment spam with comment spam plugins

I’m not going to turn this post into yet another listicle of “The best WordPress anti-spam plugins of 2018”. The web is awash with such search-engine pleasers. 

Here are the two WordPRess anti-spam plugins I use and recommend for clients at the moment:


Antispam bee

Stop WP comment spam with moderation

If you aren't getting too many spam comments you can decide to check them manually yourself. (Any number of spam comments is too many in my book.)

In Settings > Discussion, check the box next to "comment must be manually approved."

It's also a god idea to tick "Comment author must have a previously approved comment." 

D:UserssocDownloadssettings to approve comments

As usual, you should experiment with these settings to find the balance that works well for you and your website.

In more detail - getting technical

When someone leaves a genuine comment on your site, it's a nice gesture to let them know if their comment is in moderation.  Otherwise they may think comments aren't working on your site or they may enter multiple comments in frustration.

First, edit comments.php.  See how in this article.

Look for the following code:

<p> <input name="submit" type="submit" tabindex="5" value="<?php _e("Say it!"); ?>" /> </p>

Change this to something like the following, adding your own customisation:

<p> <blockquote> Comment moderation is in use and will be checked soon. Please do not submit your comment twice -- it will appear shortly. </blockquote> <input name="submit" type="submit" tabindex="5" value="<?php _e("Say it!"); ?>" /> </p>

Remember: do actually check your comments regularly!


The biggest problem with anti-spam plugins? Spammers will download them and figure out how they work!

Therefore, you should use multiple defences, as I mentioned above.  Akismet, coupled with something like Anti-spam bee, is a good setup.  Add to that some of the settings above to tighten control over your comments and you should be fine.  

Always check your comment queue regularly to make sure nothing gets through that shouldn't and nothing is blocked that should be allowed through.

And one last thing: watch out for the sneaky commenters, the ones who leave the ego-pleasing comments: "I love your site! I'm telling all my friends!”

Sorry, but they're fake, too!


Click Here to Leave a Comment Below

Leave a Comment: