How to Stop WordPress Spam Comments


How to remove WordPress Comment Spam Feature Image

Are you tired of constantly deleting WordPress spam comments

Are you worried about the phishing links in your comment section? 

Are you stressed that your site could be blacklisted by Google due to spammy content? 

If you have reached the point of wondering whether genuine comments are worth this onslaught, this is the article for you. 

We understand the frustrations and fears that accompany the relentless onslaught of spam comments on WordPress. Constant monitoring, manual deletion, and floods of email notifications take a toll on you and your website. 

The good news is that we can help you. We will guide you through easy steps and proven strategies to stop WordPress spam comments and reclaim control over your site’s comments section. 

TL;DR: Fight comment spam by using a combination of CleanTalk and MalCare. CleanTalk is an anti-spam plugin that can automatically delete your comments and MalCare is a powerful security plugin for WordPress, with a firewall that blocks spam bots. The dual approach is a comprehensive security solution to safeguard your site from comment spam and the lurking danger of malware.

You can get rid of spam comments on your WordPress site with an anti-spam plugin that bulk deletes the spam automatically. The next step is to take security measures to prevent future spam comments. 

There are several ways to combat spam on your site—comment spam and otherwise. But, while these measures are effective, they are rarely foolproof on their own. Based on your specific case, you will need a mix of strategies to get the best results.

Additionally, you want anti-spam mechanisms that keep out the maximum WordPress spam comments without manual intervention, while letting genuine user comments come through. This is a critical balance to strike when adopting an anti-spam strategy for your site. 

The simplest solution is to restrict comments altogether, and in many forums, you will find exactly this advice. However, if comments are an integral part of your site engagement, then you want to have a more nuanced approach. 

Keeping these points in mind, we have listed the most effective mechanisms to fight comment spam. Even so, our recommendation is to thoroughly test each one and measure the results.

1. Use an anti-spam plugin

An anti-spam plugin significantly combats spam comments on WordPress sites. This type of plugin leverages various techniques to detect and filter out spam while letting in legitimate content. 

When choosing the right anti-spam plugin, consider features like accurate spam detection, retrospective cleaning, automated cleaning, and blacklisting or whitelisting IPs. Among our tested anti-spam plugins, CleanTalk stands out as the best choice. 

CleanTalk offers comprehensive spam protection, tackling email, form submissions, user accounts, subscriptions, and comments. It offers a range of exceptional features:

  • Real-time protection
  • Automated filtering
  • Automated blocking
  • Effective bot protection
  • Statistics and analytics
  • Whitelisting for trusted users
  • No-captcha protection 

Here are the steps to installing and using CleanTalk on your site: 

  1. Create a CleanTalk account.
CleanTalk signup page
  1. Search for CleanTalk in the WordPress plugin directory
  2. Install and activate the CleanTalk plugin on your WordPress site
  3. Copy the access key from the CleanTalk dashboard.
  4. Navigate to the CleanTalk settings in your wp-admin panel.
CleanTalk dashboard
  1. Paste the access key into the CleanTalk settings.
  2. Click the Submit button to save the settings.

That’s it. You’re all set. CleanTalk will start cleaning your site immediately. 

But, if you don’t like CleanTalk, check out these other popular anti-spam alternatives

2. Install a firewall

Comment spam, registration spam, and contact form spam in WordPress or otherwise—is caused by spam bots. If you check your analytics, and see that visits to a page are not in line with the WordPress spam comments, it is because good analytics programs like Google filter out spam bot activity. 

However your website needs a firewall to really keep them out. A reliable firewall is capable of distinguishing between malicious bots and legitimate ones, effectively blocking the former. It serves as a crucial defense mechanism to block spam bots before they reach your site. Moreover, firewalls offer customizable rules, such as geoblocking to block entire countries, to provide further protection tailored to your specific needs. MalCare, a security plugin, has the most reliable WordPress firewall on the market. 

Apart from a firewall, MalCare has other excellent security features: 

  • Automatic malware scanner
  • One-click malware removal
  • Bot protection
  • Login protection
  • Premium support from WordPress security experts
  • Site hardening features

Here are the steps to install and use MalCare: 

  1. Create an account on the MalCare website.
  2. Access the dashboard using the link in your email.
  3. Add your site to the MalCare dashboard. The plugin will be automatically installed on your site.
MalCare Firewall

4. Click the arrow at the bottom right. Click Show more and you’ll see all the traffic that has been blocked by MalCare.

3. Disable comments 

Our blogs, for example, don’t have a comment section. It’s a good way to prevent WordPress comment spam completely. You can use one of the in-built settings to do so. Here are the steps: The picture below shows all of your options:

  1. Click Settings in the side panel and click Discussion.
  2. Deselect “Allow people to submit comments on new posts”.
  3. Scroll down to the bottom of the page and click Save Changes. 

You can also disable or enable comments for individual posts using the following steps:

  1. Click Posts in the sidebar and then All Plugins
  2. Hover over the post and click Edit. 
  3. Click the gear icon at the top right of the post editor and click Discussion from the bottom of the post settings. 
  4. You can deselect or select whether you want to “Allow comments”.

4. Disable anonymous comments:

With anonymous commenting disabled, users are required to provide identifiable information, deterring spam and abusive behavior as their identity is associated with their comments. Bots, which often target websites with anonymous commenting, face an additional challenge as they must now provide valid user information, which is more difficult for them to generate or fake. 

You can disable anonymous comments using the following steps: 

  1. Hover over Settings and click Discussion
  2. Select “Comment author must fill out name and email” in the “Other comment settings” section
  1. Once you’re done, click Save Changes. 

5. Manually approve your comments

Another method to stop WordPress comment spam is to take charge of who is commenting. WordPress gives you the option to manually approve a comment before it is displayed in your comment section. This can be a huge load on your resources but if you’re interested, here are the steps that you can use to do so: 

  1. Click the Discussion  tab in the Settings tab. 
  2. Select “Comment must be manually approved”.
  1. Click Save Changes when you’re done.

6. Moderate comments

WordPress gives you two options, out of the box, to moderate your settings. First, you can limit the number of links that are added in a comment. This is especially helpful because a big problem of comment spam is the hyperlinking to spam sites. The other is to add a list of words that send the comment to the comment queue. Here are the steps to do either, 

  1. Go to the wp-admin panel and click Settings in the sidebar. Click Discussion.
  2. Then, scroll to the comment moderation section of the page.  
  3. Customize the following settings: 
Comment moderation
  • Use the drop down menu to select the number of links a comment can have. 
  • List popular spammy words like “Buy” or “Best Deals” in the big text box. If the word appears in either the author’s name, IP address or comment, they get sent to the moderation queue. Each word has to be on a separate line. Don’t add punctuations or blank spaces. 
  1. Click Save Changes when you’re finished. 

7. Only allow logged in users

This method helps you authenticate users too. Users have to provide details like an email address and password to login. This reduces the likelihood of spam bots.

You can restrict comments to logged in users by using the following steps:

  1. On your wp-admin panel, click Settings in the sidebar. Then, click Discussion.
  2. Select “Users must be registered and logged in to comment”.
  • When you’re ready, click Save Changes. 

These measures will mitigate comment spam, but not remove it altogether.

8. Implement reCAPTCHA

reCAPTCHA helps prevent WordPress spam comments by adding a test that asks users to prove they are human, such as selecting certain images or solving puzzles. This extra step stops automated spam bots from flooding comment sections with unwanted messages, making it harder for them to trick the system and ensuring that real people are leaving genuine comments. 

Some form plugins like WPForms come with built-in reCAPTCHA capabilities. So, if you already use WPForms, here is how to enable the feature:

  1. Create a Google reCAPTCHA account by adding your site and filling in details like type of reCAPTCHA and a domain. Click Submit when you’re done. 
  1. Copy the site key and secret key from the WPForms dashboard on wp-admin. Then, paste it in the respective fields on the Google reCAPTCHA console.
  2. You can now either add reCAPTCHA to specific forms by using the Form Builder or set it for all your forms by going to the Spam Protection and Security settings on the WP Forms dashboard. 

If you’ve already designed all your forms and want a separate reCAPTCHA plugin, you can use BestWebSoft. It offers both visible and invisible reCAPTCHA. This way, you don’t have to get protection at the cost of your user’s convenience. 
If you’re considering the value of reCAPTCHA vs a dedicated anti-spam plugin, we have compared reCAPTCHA and Akismet.

9. Using third-party comment sites

If you don’t want comments or bots to have any effect on your website’s server, you can use a third party comment site, like Disqus. Instead of hosting the comments directly on the website’s server, the website integrates the third-party comment system into its pages. When users leave comments, they are stored and managed by the third-party service. This approach offers benefits such as streamlined comment moderation, spam filtering, and additional specialized comment features like threaded discussions, social media integration, and user authentication.

Disqus is the most popular third party comment site. Here are the steps to install Disqus on your site:

  1. Look for Disqus in the WordPress plugin repository. Click Install and Activate. 
  2. Click on Disqus in the sidebar. You will be then redirected to sign up, create a site, and select a plan. 
  1. Then, click Comment and Moderation in the sidebar of the Disqus console. Pick from either Balanced or Strict options, and click Complete Setup

Most third-party comment services have fairly sophisticated spam protection mechanisms. However, the one downside is that the comment content is not on your site. It is drawn via a plugin from the third-party service, and displayed via a widget on your site. This does have some SEO impact, in addition to needing users to sign up for another account to post a comment.

10. Insert honeypot fields

Honeypot fields are a form of invisible field added to comment forms that are designed to deceive spam bots. The concept behind honeypot fields is simple: while they appear invisible to human users, spam bots automatically fill in all fields, including the hidden honeypot field. Legitimate users, however, cannot see or interact with the honeypot field, so they leave it empty. When a comment is submitted with a filled honeypot field, it is immediately identified as spam. 

You can implement honeypot fields by using anti-spam plugins like WPArmour. You can also use honeypot specific plugins like Honeypot for WP Comment. Install and activate the plugin and you’re set to go. 

11. Prevent trackbacks and pingbacks

Trackbacks or pingbacks are the notifications you get when another site links to one of your blogs. It usually appears as a comment on your blog and may have a snippet of what their article mentions. But, this opens the doors to a lot of WordPress spam comments and spam links. It’s an antiquated system of building backlinks that you don’t need anymore. So, you can disable it on the Discussion page of your website settings. Unselect “Allow link notifications from other blogs (trackbacks or pingbacks). 

If you’d still like to use the feature, there are other ways to combat trackback spam like using spam plugins or disabling XML-RPC

12. Stop imposter comments

Imposter comments in WordPress refer to comments that are intentionally designed to appear genuine but are actually spam or contain malicious intent. These comments often mimic authentic user comments to deceive website owners and visitors. Imposter comments may include hackers that are using a user’s email ID, for example. To avoid this, you can use third party comment sites like we’ve talked about earlier. You can also use Facebook comments. This will force the commenter to be a valid Facebook user. 

The steps to enable Facebook login are as follows:

  1. Create a new developers for Facebook account on the Meta for Developers website. You can just sign into an existing Facebook account. 
  2. Create a Facebook app. This will require adding an app name. If prompted, click Facebook Login as the product you’d like to use.
  1. After that, you’ll see an app ID at the top. Copy the app ID. 
  2. Go back to your wp-admin panel and install the plugin WP Social Comments
  3. In the sidebar, click Facebook comments and paste the App ID in the  respective field. 
  1. You can then customize your comment box and decide which posts to allow comments on. 
  2. Click Save Changes when you’re done. 

You’re all set at this point. 

13. Disable HTML in your comments

HTML tags are designed to be special instructions that tell a web browser how to show things on a webpage. In the context of comments spam, hackers can hide links or images in HTML code. The code makes a seemingly innocent comment clickable. Disabling HTML in comments allows you to expose the tags and the link won’t be clickable. This method requires a little bit of coding.

You will need to add the following code to the functions.php file:

function convert_comment_html_entities($comment_text) {
    $comment_text = htmlspecialchars($comment_text);
    $comment_text = make_clickable($comment_text);
    return $comment_text;

function disable_comment_links($comment_text) {
    $comment_text = strip_tags($comment_text);
    return $comment_text;

add_filter('comment_text', 'convert_comment_html_entities', 10, 1);
add_filter('comment_text', 'disable_comment_links', 20, 1);

The code needs to be added to the end of the functions.php file. 

14. Remove URL fields from comment form 

Spam comments often aim to get a backlink from your site. You might have noticed comments that seem flattering but include links to unwanted websites. This is a sneaky SEO tactic called Black-Hat linking. It can harm your site’s SEO by increasing unnecessary outbound links. To tackle this, you can disable the option to add a URL in the first place, preventing such spam comments from appearing. To remove URL fields from your comment form, you will have to do the following:

  1. Take a backup: Before making any changes to your core files, it’s always a good practice to create a backup. This ensures that you have a copy of your original files in case anything goes wrong. You can use reliable backup plugins like BlogVault to securely back up your core files.
  1. Open the theme editor: Next,  access the theme editor. Navigate to the WordPress admin panel and click on the “Appearance” tab in the sidebar. From there, select the “Theme Editor” option.
  1. Edit the functions.php file: Scroll through the list of theme files on the right side of the theme editor until you locate the functions.php file. Once you find it, open the file and add the following code snippet at the end of the file:
//* Remove URL field from commentsfunction remove_url_comments($fields) {unset($fields[‘url’]);return $fields;}add_filter(‘comment_form_default_fields’,’remove_url_comments’);
  1. Save your changes: After adding the code snippet to the functions.php file, make sure to click the “Update File” button to save your modifications. This will ensure that the URL field is removed from your comment forms. 

How to delete WordPress spam comments

Once your site is inundated with spam comments, across multiple pages and posts, it is a nightmare to clean up manually. WordPress spam comments often have phishing or other spam links, lying in wait for an unsuspecting user. Google also includes comment content in its scan for malware, so comment spam is not something you can leave unattended. 

There are only two anti-spam plugins we have seen that remove existing spam from a site: CleanTalk and Stop Spammers. We recommend CleanTalk, because it is aggressive about combating spam. 

If you have a manageable amount of comments, you can manually delete them. Here are the steps to do so:

  1. On your WP-Admin panel, click Comments in the sidebar. 
  2. Select all the comments you want to delete.
  1. Click the Bulk Actions drop down menu.
  2. Select Delete.
  3. Select Apply. 

This may not be a sustainable method as your site grows and comment spam becomes more rampant. So, we highly recommend you invest in the other methods in this article. 

Checklist to identify WordPress spam comments

So, which comments do you delete? How can you tell if a comment is a spam comment? Here are the signs to look out for”

  • The comment contains a suspicious link. They’re promoting websites that might not be trustworthy
  • Lots of flattery but irrelevant to the topic
  • The person’s name sounds made up or not real. It may also be a company name.
  • The comment seems weird or not appropriate
  • The comment is full of bad grammar or writing
  • They use unusual keywords that seem geared towards SEO and don’t sound like regular language
  • The comments seem generic

Why are you getting spam comments on WordPress?

When a site is publicly accessible and lacks sufficient WordPress comment spam protection, it becomes an open gateway for spam bots and accounts to flood the comment section with unwanted content. 

Spam bots are automated programs or scripts designed to generate and distribute spam content. These bots are programmed to perform repetitive tasks, such as posting spam comments on websites, sending spam emails, or filling out forms with unwanted content. Spam bots can target various online platforms, including websites, blogs, forums, and social media platforms. 

Addressing comment spam requires a multi-faceted approach because there is no one-size-fits-all solution. Unfortunately, relying solely on one measure may not be sufficient these days because the bots have gotten smarter. 

Additionally, many spam bots will evolve to circumvent security measures designed to stop them. An example of this is to use the details of an existing user while leaving comments, known as imposter commenting.

What do spam comments want from your site?

Apart from the inconvenience of deleting comments, what are the other effects of WordPress spam comments:

  • Overloading the server: A large influx of spam comments can consume server resources, leading to increased server load and potential performance issues. This could have other consequences like loss in search engine rankings or bad user experience. 
  • Traffic redirection: Spam comments may contain malicious links that redirect users to unrelated or harmful websites, diverting traffic away from the intended destination.

Unfortunately, comment spam is just one form of spam that websites need to combat. Other types of spam, such as email spam, form submission spam, or user account spam, can also be prevalent and require appropriate measures to mitigate their impact. The only way to combat them all is to create a good anti-spam strategy that works for you. 

Final thoughts

Now that we’ve explored different ways to block WordPress spam comments, choose the method that suits you best. We recommend using MalCare’s firewall protection along with an anti-spam plugin like CleanTalk. This combination reduces comment moderation efforts and keeps spam bots away.

For overall website security, MalCare is a top-notch plugin. It detects malware others miss and offers 1-Click Instant Malware Removal. With its firewall protection, uptime monitoring, and website hardening, MalCare is trusted by over 400,000 website owners. Try MalCare for free today!


What are spam comments on WordPress?

WordPress spam comments refer to unsolicited and unwanted comments that are typically posted by automated bots or spammers. These comments often contain irrelevant or promotional content, links to malicious websites, or attempts to manipulate search engine rankings.

How do you prevent spam comments on WordPress?

To prevent spam comments on WordPress, you can utilize a combination of tools and plugins. MalCare’s firewall with bot protection and CleanTalk’s anti-spam features are effective solutions. These tools can help identify and block spam bots, filter out spam comments, and provide comprehensive protection against comment spam.

How do I delete thousands of spam comments?

The most efficient way to delete a large number of spam comments is to use CleanTalk’s retrospective cleaning feature. This powerful functionality automatically deletes spam comments. eliminating the need to manually delete each comment individually. CleanTalk streamlines the process, saving you time and effort.

Why is my blog getting spam comments?

If your blog is receiving spam comments, it is likely due to a combination of factors. Publicly accessible sites without proper security measures become attractive targets for spammers and automated bots. Inadequate spam protection or lack of measures such as captcha verification or comment moderation can contribute to an influx of spam comments.

What are some free plugins for comment spam on WordPress?

There are several free plugins available for combating WordPress spam comments. Some popular options include Akismet, Antispam Bee, and Stop Spammers. These plugins will offer varying features and capabilities to help filter and block spam comments. In our experience, Akismet is probably the best free plugin for a single site. 

How do spammers leave comments without visiting the page?

Spammers often employ automated bots to leave comments without visiting the page manually. These bots can interact with websites and comment forms directly through API calls, bypassing the need to physically access or load the page. This allows them to spam comments across multiple sites rapidly and efficiently, making it essential to have robust spam protection measures in place.

What happens to comments that are marked as spam?

By default, they get stored in your database for anti-spam plugins like Akismet to learn from and improve. You can delete those comments too by selecting all the spam comments and clicking Delete from the Bulk Actions drop down menu. Everything that is in trash is permanently deleted after 30 days. 

Why is every comment going into the moderation queue?

Click Settings in the sidebar and click Discussion. Then check the following settings:

  •  Check if the “Comment must be manually approved” option is checked. This will force all your comments to go into the moderation queue.
  •  In the comment moderation section, make sure that the dropdown menu for the number of links that could send a comment to the moderation queue, is above 0. If not, any comment with a link is sent to the moderation queue.
  • Make sure your spam words list is formatted correctly. Don’t add b;ank lines or punctuations. Each word has to be a separate line. 

If none of this helps, deactivate each comment spam plugin one by one till you find out which plugin is causing the issue. Then contact the developers for help. 



You may also like

dns hijacking
DNS Hijacking: All You Need to Know About It

Have you ever typed a familiar URL into your browser only to land on a strange, unfamiliar website? Imagine your visitors facing the same dilemma when accessing your website. They…

How to Protect Your Website from Hackers
How to Protect Your Website from Hackers

Every day, small businesses become victims of cyber attacks. Hackers break into websites, steal customer data, and damage reputations. Your website, which is vital for your business, is at risk…

What are Website Backdoors and How to Clean Them?
What are Website Backdoors and How to Clean Them?

Are you frustrated with your website getting hacked again and again, even after you’ve cleaned it each time? You’ve spent hours fixing your site, only to find that the problem…

How can we help you?

If you’re worried that your website has been hacked, MalCare can help you quickly fix the issue and secure your site to prevent future hacks.

My site is hacked – Help me clean it

Clean your site with MalCare’s AntiVirus solution within minutes. It will remove all malware from your complete site. Guaranteed.

Secure my WordPress Site from hackers

MalCare’s 7-Layer Security Offers Complete Protection for Your Website. 300,000+ Websites Trust MalCare for Total Defence from Attacks.