Spam is one of the most frustrating aspects of running a WordPress site.
The picture below comes from one of our clients. Their problems started a little over a year ago. A few spam comments a day eventually turned into dozens. Now, even when they clear all of the spam messages from the moderation panel, they’re quickly overwhelmed within a few days.
If that looks similar to your Comments panel, you’re dealing with spambots. Spambots are programs designed to crawl the web, harvest e-mail addresses, and find vulnerable websites. In this case, the spambot has recognized that our site is running WordPress. It tries to leave as many comments as possible, with spam links inside the messages.
For spammers, the logic is simple. It’s easy and cheap to send out massive amounts of spam. If even one person out of a thousand clicks a link, they stand to make money. Multiplied over millions of websites, they can turn a decent profit.
In most cases, the spam detection features built into WordPress will flag spam comments. The problem is that WordPress doesn’t automatically delete them. Over time the flagged comments build up, making it tedious to moderate your comments, and increasing the likelihood that you’ll accidentally delete something good.
How to Disable Comments Altogether
If your organization’s website is primarily informational — and you don’t have a need for people to start discussions on your posts — you may want to do away with the commenting system altogether.
To completely disable the WordPress comments system, go to Settings -> Discussion, and uncheck “Allow people to post comments on new articles.” From this point forward, the comment box will no longer appear under new posts and pages you create.
The operative word here is “new.” Comments will still be enabled on old posts and pages. To change that, go to Posts -> All Posts. Select all of your old posts as a batch, and select “Edit” from the Bulk Actions dropdown menu. Under the Comments dropdown menu, select “Do not allow,” then click “Update.”
If you don’t want comments to appear anywhere on your site, congratulations, you’re done!
But what if you want users to be able to comment on your posts? Keep reading.
Hardening the WordPress Comment System
WordPress has several built-in features that can help you cut down on spam. Most of them are applied correctly out-of-the-box, but if your site’s copy of WordPress was installed a long time ago, your settings might be misconfigured.
All of the WordPress comment settings can be found by going to Settings -> Discussion.
- “Comment author must fill out name and e-mail”
When checked, anyone wanting to submit a comment has to enter their name and an e-mail address. All modern spambots can get around this by generating bogus credentials, but it’s a good idea to make sure this one is checked, anyways.
- “Users must be registered and logged in to comment”
This one is only useful if visitors have a reason to sign up for an account on your site in the first place. In most cases, you should leave it unchecked.
- “Before a comment appears:”
You can choose to manually approve all comments, or allow comments from trusted users (people who have had a comment approved in the past) to post to your site automatically. If your site is being inundated with spam, you’ll want to select the first option but not the second.
WordPress can also search submitted comments for certain words and flag them if there’s a match. When you put words into the Comment Blacklist box, WordPress knows to flag comments containing those words as spam. There are word lists purpose-made for spam filters like this. To use this feature, copy the contents of the open-source, community-maintained WordPress Comment Blacklist and paste them into the comment blacklist box on your site.
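How the word list described above behaves, as an added example (not WordPress's own code or part of the original article): a simplified Python model that assumes each term is matched as a case-insensitive substring of every comment field, which is why a short term such as "press" also hits "WordPress". The field names, sample list and sample comments are constructed for illustration.

```python
import re

# Constructed sample list, one term per line (not the real community list).
SAMPLE_LIST = """
cheap-pills
casino

203.0.113.
press
"""

FIELDS = ("author", "email", "url", "content", "ip", "user_agent")

def load_terms(raw):
    """Split pasted text into terms, ignoring blank lines and padding."""
    return [line.strip() for line in raw.splitlines() if line.strip()]

def first_match(terms, comment):
    """Return (term, field) for the first term found anywhere in a field."""
    for term in terms:
        # Terms are literal text, so escape regex metacharacters like "."
        pattern = re.compile(re.escape(term), re.IGNORECASE)
        for field in FIELDS:
            if pattern.search(comment.get(field, "")):
                return term, field
    return None

def risky_terms(terms, known_good):
    """Terms that would flag comments you already know are legitimate."""
    hits = set()
    for comment in known_good:
        for term in terms:
            if first_match([term], comment):
                hits.add(term)
    return sorted(hits)

# Constructed comments for the demonstration.
SPAM = {"author": "Bob", "email": "bob@example.com",
        "content": "Best CASINO bonuses here", "ip": "198.51.100.9"}
BOT_IP = {"author": "x", "content": "hello there", "ip": "203.0.113.45"}
LEGIT = {"author": "Ana", "email": "ana@example.org",
         "content": "I love WordPress", "ip": "198.51.100.7"}

if __name__ == "__main__":
    terms = load_terms(SAMPLE_LIST)
    for c in (SPAM, BOT_IP, LEGIT):
        print(c["content"], "->", first_match(terms, c))
    print("review before pasting:", risky_terms(terms, [LEGIT]))
```

Running `risky_terms` over a handful of comments you have already approved is a quick way to spot overly broad entries before pasting a large list into the settings box.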
WordPress makes it easy to turn off comments across an entire site. But what if we want to only disable comments on pages, or on specific types of posts?
No Page Comment is a great little plugin designed to solve that problem. You can enable or disable comments on certain types of content without affecting others. No Page Comment even works on individual pages and posts, allowing you to customize every aspect of your site’s comment system.
Akismet is a plugin that is included by default with your WordPress installation. If you are using the WordPress comments system, it’s a must-have addition.
Akismet is a smart filter that analyzes spam messages across thousands of websites. It “learns” what spam looks like, and automatically blocks comments that meet its criteria.
Installation is easy. First, go to the Akismet site and sign up for an account. You can choose between several plans; most organizations will do fine with the Basic (name your own price) or Plus ($5 / mo) packages. Akismet will automatically assign you an API key — a long string that identifies your account. Install the WordPress plugin, input your API key, and you’re done!
If a spam comment happens to get through, flag it and delete it as you normally would. This helps Akismet recognize comments like it in the future, reducing spam across the WordPress community as a whole.
Using Third-Party Comment Systems
One of the best — and easiest — solutions is to simply use a third-party comment system.
Here at Glaance, we use Disqus. Disqus users can use a single account to comment on any site that uses the platform. Disqus integrates well with WordPress, and does a good job of filtering out spam (although you can expect a few comments to get through on occasion).
Disqus is easy to set up. Start off by registering for an account on Disqus.com, then install the official Disqus WordPress plugin. Once you’ve done that, you need to link your account to your website.
There are some downsides to using a third-party comments system. If your site already has an active comments section, longtime users might not enjoy making a switch. Third-party systems tend to load a bit slower than the default WordPress comments system. And some users have concerns about privacy. But if you’re looking for a quick and easy fix, the third-party route is hard to beat.
Which Solution is Right for You?
Ultimately, there isn’t a “one-size-fits-all” fix for WordPress comment spam. The solution you pick should be the one that makes the most sense for your site.
If you’re comfortable with the default comments system, but want to reduce spam and have more control over where users are allowed to comment, a combination of Akismet, No Page Comment, and changing the default settings will be your best option. Disqus and similar third-party systems make things as simple as possible, with a few caveats. And if your site doesn’t need user comments at all, you can disable the system altogether.