How to Stop WordPress Comments Spam



Are spam comments on your site getting out of hand?

We’ve been there. Our site used to get an average of 100 spam comments in a day!

Well, we were quite fed up with having to manually remove them. And I’m sure you are too.

We experimented with multiple ways to reduce the amount of effort and time spent on moderating spam comments. And you know what, we found what works best for you!

In this post, you will learn how to stop spam comments on WordPress.

Before we get started, you might be wondering why you’re getting spam comments in the first place. If so, don’t worry! You can skip to this section below.

How To Prevent Comments Spam in WordPress

When you’re getting hundreds of spam comments every day, speed is of the essence. You need a solution that is easy to set up and does the job, thus saving you precious time and effort. 

Here are our recommendations, in order of preference:

Preventing WordPress Comments Spam Using A Plugin 

The easiest way to block or remove spam comments is to use a plugin. Plugins are easy to set up and can save you a significant amount of time.

Here are the ones we liked:

1. Block Comments using Akismet for Free (Built-in) 

Akismet is a spam-prevention plugin that comes already installed on all WordPress websites. It uses a self-learning algorithm to analyze user comments. It removes obvious spam comments and categorises the rest for your moderation.

Here’s how to activate it: 

  • Click on “Plugins” from your Admin Dashboard. You can see Akismet in your list of installed plugins. Click on “Activate”.

Activate Akismet Plugin

  • You will be asked to set up your Akismet account. Click on “Set up your Akismet account”.

Set up your Akismet Account

  • You will be redirected to the Akismet website where you can choose a plan. They offer a free plan for Personal or Non-commercial blogs and paid options for commercial sites. After choosing, you’ll be asked to enter details such as site URL, email ID etc.

Akismet Pricing and Plans Page

  • Once you’ve added all the details, Akismet sends an API key to your email. Now go back to the WordPress Dashboard. Go to Plugins > Akismet and click on “Settings”. From the window that opens, choose “Manually enter API key”. 

Manually enter an API key in Akismet

  • Add your API key here and you’re done!

Akismet is now set up and will start blocking spam comments immediately. It will also show you activity and statistics for individual commenters to help you identify repeat spammers. It can also detect links inserted in comments for your moderation.

2. Block Comments Using Antispam Bee Plugin

Antispam Bee is another WordPress comments spam plugin that specializes in filtering and removing spam comments. It offers a variety of flexible options to categorize and moderate WordPress spam comments. Some of the key features offered by the plugin are:

  • Geo-blocking comments 
  • Spam Notifications via email 
  • Allow comments of only a particular language
  • Display spam statistics as a widget on the dashboard
  • Compare potential spam comments against a local spam database

To enable this plugin, all you have to do is install and activate it. Then you can choose whatever functions you want to enable.

Features offered by Antispam Bee Plugin

3. Block Comments By Adding A reCAPTCHA To The Comments Form

The reCAPTCHA in WP comments form plugin adds a Google reCAPTCHA as an additional step before a user submits a comment to verify if they are human or not. 

This is one of the most effective ways to identify and block bots. Adding a reCAPTCHA to your site is like adding a lock to your front door – the bots don’t have the keys!

To enable this function:

  • Install and Activate the reCAPTCHA in WP comments form plugin on your WordPress site.

Add reCAPTCHA in WP comments form plugin

  • Similar to Akismet, you’ll need to obtain API keys to enable this feature. You can find the step-by-step process to obtain and activate this function by going to Plugins > AntiSpam Bee > Settings.

Activating reCAPTCHA in WP comments form plugin

Once activated, you can customize the settings and choose what you want the plugin to do when it catches a spam comment. This is what a sample reCAPTCHA would look like: 

Sample reCAPTCHA in WP comments form

The only downside to adding a reCAPTCHA is that it disrupts the user experience and can be annoying. An additional step while submitting a comment can dissuade genuine commenters.

Bonus Tip: If you’re using Cloudways, we have collaborated with them to provide Bot Protection! This feature blocks all kinds of malicious bots which send your site unnecessary requests. It also reduces your CPU usage by over 40%!

Here’s a screenshot of how bots were blocked when this feature was activated:

Bots being blocked by Bot Protection feature on Cloudways

We can clearly see how this feature blocked more than 15000 requests received in just one day. To know more about this feature and how to use it, check out the Cloudways Bot Protection feature Announcement. 

In the above section, we learnt that we can easily block WordPress spam comments using a plugin. But if you don’t want to add another plugin to your website, then don’t worry! WordPress comes with numerous in-built features that can be enabled to moderate and stop spam comments. 

Let’s dive in!

Preventing WordPress Comment Spam Using Built-In Features 

1. Turn on Comment Moderation

If you’re only getting a few spam comments every day, you can still afford to moderate them manually. You can choose to manually approve every comment before it is shown on the website.

Go to Settings > Discussion and choose “Comment must be manually approved”.

Turn on Comment Moderation

Now all comments will automatically be stored under the Comments section. You can manually review them and only approve those that you think are genuine. 

2. Remove URL Field from Comment Form

The most common focus of spam comments is to get a backlink from your site. You must’ve seen many spam comments which seem to be flattering the writer and then leave a link to an unsolicited site. This is a Black-Hat SEO linking technique. It unnecessarily increases the number of outbound links from your site which is not good for your SEO.

You can address this issue by disabling the option to add a URL in the first place! 

To do this, you will need to modify the code in your functions.php file.

It is always recommended to take a site backup before you make any code changes. You can use a reliable backup plugin like BlogVault to keep your site backed up on their servers. In case anything goes wrong, you can use them to restore your site in literal seconds! 

Once you’ve taken a backup, here’s what you need to do:

  • Hover over the “Appearance” Menu in your WordPress Dashboard. From the drop-down menu, now click on “Theme Editor”. This will take you to the code of your current theme.

Theme Editor in Appearance Menu

  • The functions.php file is usually found at the top of the list of “Theme Files”. Click on it.

Locating the functions.php file in Theme Editor

  • Add the following code at the end of the file. Then click on “Update File”.

//* Remove URL field from comments
function remove_url_comments($fields) {
    unset($fields['url']);
    return $fields;
}
add_filter('comment_form_default_fields', 'remove_url_comments');

Adding code in functions.php file to disable URL in comments

This will ensure that the website URL field on your comment forms is no longer displayed. 

Comments form with website URL disabled

3. Add a minimum and maximum limit on the number of characters

Some spam bots are designed to leave one-word comments like “Hello”. Automated spam blocking tools can’t pick up this comment as spam because it’s seemingly harmless. By adding a mandatory limit on the number of characters, you can keep these bots out!

To add a character limit to the comments field, you’ll need to modify the code in the functions.php file.

  • Go to Appearance > Theme Editor. Now open the functions.php file. Add the following code at the end of the file: 

add_filter( 'preprocess_comment', 'wpb_preprocess_comment' );
function wpb_preprocess_comment( $comment ) {
    // strlen() counts bytes, so multibyte text reaches the limits sooner.
    // Reject comments longer than 5000 characters.
    if ( strlen( $comment['comment_content'] ) > 5000 ) {
        wp_die( 'Comment is too long. Please keep your comment under 5000 characters.' );
    }
    // Reject comments shorter than 60 characters.
    if ( strlen( $comment['comment_content'] ) < 60 ) {
        wp_die( 'Comment is too short. Please use at least 60 characters.' );
    }
    return $comment;
}

  • Now click on “Update File”. If someone tries to add a comment shorter than the limit set, the following message will be displayed.

Notification for comment being too short

4. Switch off Comments Permanently

If you’d rather not spend any time on moderating spam comments, disabling comments is the best way to go!

In WordPress you can choose to disable comments for old posts or even disable comments permanently on your blog.

Steps to Disable Comments on Older Posts:
  1. Go to Settings > Discussion. 
  2. Under “Other Comments Settings”, enable “Automatically close comments on posts older than X days” and change the number of days to your preference. 
  3. WordPress now blocks comments on posts that are older than the number of days you’ve specified.

Steps to Disable Comments Permanently:
  • To switch off the comments feature permanently on your site, go to Settings > Discussion.
  • Now disable the option called “Allow people to submit comments on new posts”.

Disabling comments on new posts

Users will not be able to add any comments to new posts anymore.

Leaving spam comments is just one way in which bots are trying to abuse your website. Bots are also designed to guess the password of your website and hack into your site.

To block all kinds of bots and protect your website completely, you must use a firewall.

MalCare’s firewall protection is the most comprehensive and effective solution to protect your site from all kinds of bots. 

Let’s understand how this works.

Preventing WordPress Comment Spam using a Firewall

MalCare’s Real-time Firewall Protection uses multiple methods to block bad bots from accessing your site. It is constantly analyzing the requests made to your site. MalCare identifies spam bots as they tend to use malicious IP addresses and automatically blocks them. It also offers login protection and maintains an audit log of unauthorized access to your WordPress Admin Dashboard or backend. 

Steps to enable MalCare’s firewall protection:

  • Create your account with MalCare from the Signup Page. 
  • Add your website URL and install the plugin. You can do this directly from MalCare’s dashboard or manually install the plugin from the WordPress Repository.
  • Once the plugin is installed, the firewall is automatically activated. MalCare now automatically blocks malicious bot traffic and IP addresses to protect your site.

To check the details, click on the arrow from the “Firewall” section.

MalCare Firewall More Details

  • In the section that appears, MalCare displays a graph of the number of traffic and login requests and the ones that have been blocked. Click on “Show More” to see the exact details. 

Traffic Requests identified by MalCare

You can now see the exact details of all the requests made to your site including the country of origin, the date and time and whether the request was allowed. 

Details of Traffic requests identified by MalCare

MalCare’s Smart Firewall protects your site by blocking bad bots which can significantly reduce your comment spam.

Now we’ve seen all the different ways to get rid of spam comments. But wait, why does this even happen in the first place?

We’ve explained this below.

Why are Comment Spam Bots targeting your site?

Before we answer this, you need to understand how easy it is to employ a bot for spamming comments. There are hundreds of networks called “botnets” and forums on the black market where you can easily hire a bot for comments spam. In fact, if you take email spam into consideration, 80% of all spam is sent by just 10 botnets!

Here’s why these comments spam bots are used:

  1. To piggyback a link:
    Spam comments are a Black Hat SEO technique to build backlinks to a site. Bots are employed by unsolicited or low-quality sites to leave spam comments with links, in an effort to rake up those SEO points.
  2. To overload your server:
    Hackers use bots to overload your server and cause it to crash. They send bots to attack your login page and spam your server with requests. These requests can also be in the form of comments. While you’re busy trying to get your site back up, hackers discreetly use other methods to hack your site.
  3. To pivot your traffic to unsolicited sites:
    Websites that induce viruses or sell drugs usually use spam comments to get more traffic. Unsuspecting visitors end up clicking on the link in comments and get directed to these unsolicited websites.

Thus we can see how spammers use comments to benefit at the expense of normal sites.

Now you might’ve used some of the methods we’ve mentioned to stop spam comments. But the fight doesn’t end there. Spammers are constantly evolving and changing their styles to try and get through anti-spam measures.

So it’s important for you to know how to identify spam comments if you ever see them. Here are some tips.

Checklist to Identify WordPress Spam Comments 

If the comment has even one of the following characteristics, it’s most probably a spam comment. 

  • It has a suspicious link:
    Check to see if the link has numbers in it or if it’s a shortened link. This is primarily used to redirect to sites that sell drugs or cause viruses.
  • It is extremely flattering but irrelevant:
    Spammers tend to be flattering by saying “Amazing post!” or “Great resource, will come back for reference” etc. But you’ll notice that these comments don’t actually add value nor do they address the article.
  • It has unusual keywords:
    The comment has specific keywords like those used for SEO building, which don’t sound like daily language. 
  • The comment is short and generic:
    Similar to the second point, spammers say things like “Great article”, “Very good resource” etc. Bots usually leave similar comments on multiple websites. 
  • The user’s name is a Company name:
    The commenter seems to belong to some company rather than being an individual. In this case, they’re probably looking to add a link back to the company site.
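
The checklist above can also run as an automatic pre-filter. The following is an added example, not code from this post or from any plugin it names: it checks three of the checklist items (suspicious link, short generic praise, company-like name) and holds a matching comment for moderation through WordPress's pre_comment_approved filter. The function names, keyword lists and shortener list are assumptions.

```php
<?php
// Added example, not MalCare or WordPress core code. The function names,
// word lists and shortener list are assumptions; tune them for your site.

function checklist_flags( array $c ): array {
    $flags = array();
    $text  = trim( $c['comment_content'] ?? '' );
    $links = $text . ' ' . ( $c['comment_author_url'] ?? '' );
    // Suspicious link: a URL shortener, or digits in the host name.
    preg_match_all( '~https?://([^/\s"<>]+)~i', $links, $m );
    foreach ( $m[1] as $host ) {
        $host = strtolower( rtrim( $host, '.,)' ) );
        if ( in_array( $host, array( 'bit.ly', 'tinyurl.com', 't.co' ), true )
            || preg_match( '/\d/', $host ) ) {
            $flags['suspicious_link'] = true;
        }
    }
    // Short, generic praise that never addresses the article.
    if ( strlen( $text ) < 60
        && preg_match( '/\b(great|amazing|very good)\b.*\b(post|article|resource)\b/i', $text ) ) {
        $flags['generic_praise'] = true;
    }
    // Author name reads like a company rather than a person.
    if ( preg_match( '/\b(inc|llc|ltd|seo|services|solutions)\b/i', $c['comment_author'] ?? '' ) ) {
        $flags['company_name'] = true;
    }
    return array_keys( $flags );
}

// One match is enough to hold the comment (0 = pending) for a human to review.
function checklist_hold_for_moderation( $approved, $commentdata ) {
    if ( 'spam' === $approved || 'trash' === $approved || is_object( $approved ) ) {
        return $approved; // Already rejected by core or another plugin.
    }
    return checklist_flags( $commentdata ) ? 0 : $approved;
}

if ( function_exists( 'add_filter' ) ) {
    add_filter( 'pre_comment_approved', 'checklist_hold_for_moderation', 10, 2 );
} else {
    // Constructed sample comments for running this file from the command line.
    $samples = array(
        array( 'comment_author' => 'Acme SEO Services', 'comment_content' => 'Amazing post!', 'comment_author_url' => 'https://bit.ly/x' ),
        array( 'comment_author' => 'Priya', 'comment_content' => 'The functions.php snippet removed the URL field on my theme, but the field came back after a theme update. Is a child theme the fix?' ),
    );
    foreach ( $samples as $s ) {
        echo $s['comment_author'], ': ', implode( ', ', checklist_flags( $s ) ) ?: 'no flags', "\n";
    }
}
```

When pasting this into functions.php, leave out the opening <?php tag. Flagged comments land in the pending queue rather than being deleted, so a genuine commenter caught by a heuristic can still be approved.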

What’s The Verdict?

Now that we’ve explored all the different ways to block WordPress spam comments, find the one that works best for you!

Our personal recommendation is to use MalCare’s firewall protection along with an anti-spam plugin like Akismet. This has completely reduced our efforts spent on comment moderation and keeps the spam bots out!

But while preventing spam bots is great, there are still many threats lurking that you need to protect your website against. Only a quality WordPress security plugin can offer you such protection.

MalCare is the best security plugin out there. It is known to catch malware that other scanners just seem to miss. The best part is that it offers 1-Click Instant Malware Removal to keep your site 100% hack-free!

With superior firewall protection, uptime monitoring and website hardening, MalCare has proven to be a happy choice for over 400,000 website owners.

Try MalCare for free today!

