How to Stop Spam Comments in WordPress
May 07 2025

Stop WordPress Spam Comments

If you run a WordPress site with comments enabled, spam is inevitable. Bots crawl the web constantly, targeting open comment forms to drop links, fake reviews, and promotional garbage. Left unchecked, it clutters your moderation queue, wastes your time, and can create real problems for your site’s reputation and SEO.

The good news is that most WordPress comment spam is automated, and automated spam is very stoppable. A few smart settings changes combined with the right tools will cut your spam volume by 90% or more without making life harder for real commenters.

This guide covers every effective method, from the settings already built into WordPress to the best anti-spam plugins, ordered from quickest wins to more advanced layering.

Why Spam Comments Are a Real Problem (Not Just an Annoyance)

Most site owners treat spam comments as a mild nuisance. It’s worth understanding why they’re actually worth taking seriously.

SEO risk. If spam comments make it to your live site, they can introduce low-quality outbound links to spammy domains. Google can interpret this as your site endorsing those links, which can hurt your authority and rankings. If a spam injection is severe enough, it can trigger a manual action.

Server load. Bots don’t just submit one comment and leave. They hammer your site repeatedly. On shared hosting, this kind of bot traffic consumes server resources and can slow your site for real visitors.

Reputation. A comment section full of “Buy Cheap Meds Here” links looks unprofessional and erodes trust. First-time visitors make a quick judgment about site quality, and a spam-filled comment section signals that no one is managing the site.

Security exposure. Some spam bots are probing for vulnerabilities. A site with poor comment protection often has weak security elsewhere too, and bots catalogue both.

Stopping spam comments isn’t just about keeping things tidy. It’s part of running a properly maintained WordPress site.

Step 1: Fix Your WordPress Discussion Settings First

Before installing any plugins, open your WordPress admin panel and go to Settings > Discussion. There are several built-in controls here that most site owners never touch.

Enable manual approval for all comments. Under “Before a comment appears,” check “Comment must be manually approved.” Every comment goes into your moderation queue first. Nothing appears on your site without your sign-off. This is the simplest possible spam filter and it costs nothing.

Require name and email. Check “Comment author must fill in name and email.” Most spam bots don’t bother with these fields, and those that do usually use recognizable patterns. It’s a low-friction barrier that removes a chunk of automated submissions.

Hold comments with multiple links for moderation. In the “Comment Moderation” section, there’s a field for holding comments that contain a certain number of links. Set this to 1 or 2. Spam comments almost always include links; that’s the whole point of them. A legitimate commenter rarely needs more than one or two links.

Build a disallowed keywords list. Under “Disallowed Comment Keys,” add words, phrases, URLs, and IP addresses that should automatically move a comment to the spam folder. Common additions include words like “casino,” “SEO services,” “buy now,” “click here,” and domains you see appearing repeatedly in your spam queue. WordPress will silently send these directly to spam without moderation.

Turn off trackbacks and pingbacks. Uncheck “Allow link notifications from other blogs (pingbacks and trackbacks).” These legacy features are frequently abused by spammers to generate backlinks through your comment system. Disabling them removes a common attack vector entirely.

Close comments on older posts automatically. Check “Automatically close comments on posts older than X days” and set it to 30 or 60 days. Old posts attract a disproportionate amount of spam because bots index them and keep hitting them indefinitely. Closing comments on older content stops this without affecting your active discussions.

Disable comments on media attachments. WordPress creates a separate page for each media attachment you upload, and by default, comments are enabled on these pages. Almost nobody leaves legitimate comments on an image page. Go to Settings > Discussion and uncheck “Allow people to submit comments on new posts” if you want to disable globally, or use a plugin to batch-disable comments on existing media pages. You can also bulk-edit this in Settings > Media if you installed WordPress from scratch with proper defaults.

These settings alone will eliminate a significant portion of spam before you ever need a plugin.

Step 2: Install Akismet

Akismet is the most widely used anti-spam solution for WordPress, and for good reason. It comes pre-installed with WordPress and is developed by Automattic, the same company behind WordPress.com.

How it works: every comment submitted to your site gets sent to Akismet’s cloud-based filtering system, which compares it against a global database built from millions of sites. It checks patterns, IP reputation, link destinations, commenter history, and dozens of other signals to determine whether a comment is spam.

It catches spam that your manual settings would miss, including sophisticated bots that do fill out name and email fields properly and avoid obvious keyword triggers.

Setup:

  1. Go to Plugins > Installed Plugins in your WordPress dashboard and activate Akismet
  2. Get an API key at akismet.com (free for personal blogs; paid plans start at $5/month for commercial sites)
  3. Enter the key in the Akismet settings and you’re done

After activation, Akismet runs completely in the background. Spam comments get filtered automatically. You can review what it caught in your Comments > Spam folder and occasionally check that legitimate comments haven’t been incorrectly flagged.

For most sites, Akismet alone handles the bulk of comment spam effectively.

Step 3: Add a Honeypot Field

A honeypot is an invisible form field hidden from real users through CSS. Human commenters never see it. Bots do, because they parse the HTML code directly rather than seeing what a browser renders visually. When a bot fills out the hidden field (which automated scripts do automatically), the submission is flagged as spam and rejected.

The result: zero friction for real users, and automatic rejection of most automated bot submissions.

Several plugins add honeypot protection to your WordPress comment form:

Antispam Bee is the go-to free option for native WordPress comments. It processes spam detection locally without sending data to third-party servers, which matters if you have privacy-conscious visitors or GDPR obligations. It uses a honeypot approach and has several configurable rules for blocking suspicious submissions.

WP Armour (over 300,000 active installs) is another lightweight option that uses a client-side JavaScript honeypot. It doesn’t rely on external APIs and has a minimal performance footprint.

Honeypots work exceptionally well against bot spam. They don’t stop human spammers, but human spam is rare and handled by moderation and keyword filters.
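The mechanism described in this step, as an added example rather than code from Antispam Bee, WP Armour, or any other plugin named here: a small must-use plugin that prints a decoy field in the comment form and sends any submission that fills it to the spam folder. The field name `website_url_confirm` and the `example_hp_` function prefix are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Example Comment Honeypot
 *
 * Added example: save as wp-content/mu-plugins/example-comment-honeypot.php.
 * The field name and the example_hp_ prefix are assumptions made for this
 * example; WordPress defines neither.
 */

const EXAMPLE_HP_FIELD = 'website_url_confirm'; // hypothetical decoy field name

/**
 * Print the decoy input inside the comment form.
 * It is positioned off-screen; tabindex and aria-hidden keep keyboard and
 * screen-reader users out of it, and autocomplete="off" discourages browsers
 * from filling it in for a real visitor.
 */
function example_hp_render_field() {
    $name = esc_attr( EXAMPLE_HP_FIELD );
    echo '<p style="position:absolute;left:-9999px" aria-hidden="true">';
    echo '<label for="' . $name . '">Leave this field empty</label>';
    echo '<input type="text" id="' . $name . '" name="' . $name . '" value=""';
    echo ' tabindex="-1" autocomplete="off" />';
    echo '</p>';
}
add_action( 'comment_form_after_fields', 'example_hp_render_field' );    // guests
add_action( 'comment_form_logged_in_after', 'example_hp_render_field' ); // logged-in users

/**
 * Decide the comment's status. WordPress passes in the status it has chosen
 * so far (1, 0, 'spam', 'trash' or a WP_Error) and stores whatever we return.
 */
function example_hp_filter_approval( $approved ) {
    // Keep errors raised earlier (duplicate comment, flood protection) intact.
    if ( is_wp_error( $approved ) ) {
        return $approved;
    }

    // Pingbacks, REST requests and replies written in wp-admin do not come
    // from the front-end form, so the field is absent: leave them alone.
    if ( ! isset( $_POST[ EXAMPLE_HP_FIELD ] ) ) {
        return $approved;
    }

    $value = wp_unslash( $_POST[ EXAMPLE_HP_FIELD ] );

    // A human leaves the field empty. Any content, or a non-string value such
    // as an array, means an automated client filled in the form.
    if ( ! is_string( $value ) || '' !== trim( $value ) ) {
        return 'spam';
    }

    return $approved;
}
add_filter( 'pre_comment_approved', 'example_hp_filter_approval', 99 );
```

Marking the comment as spam instead of discarding it keeps false positives, such as a password manager autofilling the hidden field, recoverable from Comments > Spam.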

Step 4: Add CAPTCHA for an Extra Layer

CAPTCHA forces commenters to prove they’re human before their submission goes through. Google’s reCAPTCHA is the most widely implemented option and comes in several versions.

reCAPTCHA v2 shows the familiar “I’m not a robot” checkbox or image-selection challenge. It’s visible and adds a small amount of friction for real users.

reCAPTCHA v3 runs invisibly in the background, scoring each interaction based on behavior signals. There’s no visible challenge at all; it just blocks suspicious submissions automatically. This is generally the better choice for user experience on WordPress comment forms.

Cloudflare Turnstile is a newer privacy-focused alternative to reCAPTCHA that doesn’t track users the way Google does. Worth considering if your audience cares about privacy.

For simple math-based CAPTCHA with minimal setup, plugins like Really Simple CAPTCHA add a lightweight challenge without requiring external API connections.

Keep in mind that CAPTCHAs add friction. On sites with an active commenting community, even a small barrier reduces legitimate comment volume. The invisible options (reCAPTCHA v3, Cloudflare Turnstile, honeypots) are generally preferable because they don’t ask real users to do anything extra.

Step 5: Consider Requiring Login to Comment

One of the most effective spam controls is also the most restrictive: requiring users to be logged in to leave a comment. Spam bots almost never register accounts because it takes too much effort and exposes them.

Go to Settings > Discussion and check “Users must be registered and logged in to comment.”

This works. It will reduce your spam volume to near zero. But it also reduces legitimate comment volume, because many real readers don’t have accounts and won’t create one just to leave a comment.

It’s the right choice for membership sites, community platforms, forums, and any site where you already expect users to have accounts. For a standard blog or business website where you want low-friction engagement from first-time visitors, it’s too restrictive.

The right approach depends on your audience. If comments are a core feature of your site, use the other methods. If comments exist but aren’t central to your site’s purpose, requiring login is a clean solution.

Step 6: Block Spam at the Firewall Level

Anti-spam plugins handle spam after it reaches WordPress. A Web Application Firewall (WAF) stops malicious traffic before it ever reaches your WordPress installation.

Services like Cloudflare and Sucuri sit in front of your server and analyze incoming requests. Known spam bot IP addresses, suspicious traffic patterns, and bot signatures get blocked at the network level. This reduces server load, protects against brute-force attacks, and catches spam sources that plugin-level filtering misses.

Cloudflare’s free plan includes basic bot protection and rate limiting, which is enough to meaningfully reduce bot-submitted spam. You can also create firewall rules to throttle comment submission requests from single IP addresses, blocking the kind of rapid-fire automated submission patterns that spam bots use.

This overlaps with broader WordPress security hardening. Our article on how to secure your WordPress site covers WAF setup in detail, including how it fits into a complete security approach.

The Best Anti-Spam Plugins Compared

Here’s a direct comparison of the most reliable anti-spam plugins for WordPress comment spam:

Akismet is the standard choice. Cloud-based spam filtering against a massive global database. Catches sophisticated spam that rule-based approaches miss. Free for personal sites; commercial use requires a paid plan. The slight downside: it sends comment data to Akismet’s servers, which is a consideration for privacy-focused sites.

Antispam Bee is the best free alternative that processes locally. No external data transmission, GDPR-friendly, and highly configurable. Great for European sites or anyone avoiding third-party data dependencies. Slightly less effective than Akismet on its own but very capable, especially combined with honeypot protection.

CleanTalk goes beyond comment spam to cover contact forms, registration forms, and subscriptions from a single plugin. Cloud-based with a lightweight footprint. Has a free trial; paid plans start around $8/year. Excellent value if you want comprehensive form spam protection across your whole site.

WordPress Zero Spam is a set-and-forget option that uses IP intelligence, device fingerprinting, and honeypots to block spam. Good option for site owners who want effective spam blocking with minimal configuration.

Wordfence and Sucuri are primarily security plugins, but both include comment spam protection as part of their broader feature sets. If you’re already using one of these for firewall and malware scanning (covered in our WordPress security guide), their anti-spam features come along for the ride.

You don’t need multiple anti-spam plugins. Pick one and configure it properly.

What to Do If You’re Already Buried in Spam

If your comment queue already has thousands of spam comments sitting in it, here’s how to clean it up:

Bulk delete from your dashboard. Go to Comments > Spam. At the top, select “All” from the checkbox dropdown, then click “Empty Spam.” This clears your entire spam folder at once. For very large backlogs (tens of thousands of comments), you may need to do this in batches.

Delete via the database if your dashboard is timing out. If the volume is so large that WordPress admin actions are timing out, connect to your database via phpMyAdmin or a similar tool. Run this SQL query to delete all spam comments:

DELETE FROM wp_comments WHERE comment_approved = 'spam';

Then run OPTIMIZE TABLE wp_comments; to clean up the table afterward.
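An alternative to the raw query, added here as an example and not part of the original instructions: delete the backlog in batches through WordPress’s own functions, which also removes each comment’s rows from the comment meta table (the plain DELETE above leaves those behind). It assumes WP-CLI is installed; the file name `purge-spam.php` and the batch size are arbitrary choices.

```php
<?php
// purge-spam.php (hypothetical file name). Run from the site root with:
//   wp eval-file purge-spam.php
// Deletes spam comments in small batches so no single query runs long.

$batch_size = 500; // assumed value; lower it on constrained hosting
$deleted    = 0;

while ( true ) {
    // Always read the first page: each pass removes the rows it just fetched.
    $ids = get_comments(
        array(
            'status' => 'spam',
            'number' => $batch_size,
            'fields' => 'ids',
        )
    );

    if ( empty( $ids ) ) {
        break; // backlog is gone
    }

    $removed = 0;
    foreach ( $ids as $id ) {
        // true = skip the Trash and delete permanently, comment meta included.
        if ( wp_delete_comment( $id, true ) ) {
            $removed++;
        }
    }

    if ( 0 === $removed ) {
        break; // nothing could be deleted; stop instead of looping forever
    }

    $deleted += $removed;
}

echo "Deleted {$deleted} spam comments\n";
```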

Install Akismet before anything else. It will start filtering immediately after activation, preventing new spam while you clean up the backlog.

Update your Discussion settings. Turn on manual approval for all new comments temporarily while you work through the cleanup. Once your queue is clean and your anti-spam tools are in place, you can relax moderation to approved commenters only.

Check that no spam made it to your live site. Go to Comments and filter by “Approved.” Scan for anything that looks like spam that slipped through before you had proper protection in place. Delete anything suspicious.

Should You Disable Comments Entirely?

For some sites, the answer is yes. Comments are genuinely useful for some types of content: tutorials, news articles, discussion posts. For others, they add maintenance overhead without adding real value.

If your site is primarily a business website, a service-focused landing page, or a portfolio, comments probably aren’t serving a real purpose. Disabling them entirely is cleaner than spending time managing spam.

You can disable comments site-wide by going to Settings > Discussion and unchecking “Allow people to submit comments on new posts.” For existing posts, you can bulk-update comment status through the Posts editor by selecting all posts and using the “Bulk Actions > Edit” option to disable comments across the board.

Plugins like “Disable Comments” (by WPDeveloper) offer a one-click solution that disables comments everywhere, including on media pages and custom post types, without requiring manual post-by-post changes.

If you decide to keep comments but want tighter control over spam, our WordPress maintenance and support service handles ongoing comment moderation and security monitoring so you don’t have to.

Quick Setup Guide: The Recommended Combination

For most WordPress sites, this combination provides strong spam protection without hurting the experience for real commenters:

  1. Settings > Discussion: enable manual approval, require name and email, hold comments with 1+ links, disable trackbacks, close comments on old posts
  2. Install and activate Akismet with your API key
  3. Install Antispam Bee for honeypot protection
  4. Add reCAPTCHA v3 or Cloudflare Turnstile to your comment form
  5. Set up Cloudflare (free tier) in front of your site for firewall-level bot blocking
  6. Build out your Disallowed Comment Keys list with common spam phrases and domains

This layered approach stops automated spam at multiple points: before it reaches WordPress (firewall), when the form is submitted (honeypot and CAPTCHA), and in the processing stage (Akismet and Discussion settings). Getting through all of those layers is difficult for even sophisticated spam bots.

How Comment Spam Affects SEO

It’s worth being specific about the SEO connection, because it’s often misunderstood.

Spam comments themselves don’t directly hurt your rankings if they’re sitting in your moderation queue unpublished. The risk comes when spam gets through to your live site.

Published spam comments with links to low-quality or harmful sites create outbound links from your domain to those sites. Google can treat these as endorsements. At scale, this can dilute your site’s link profile and signal low editorial standards.

Comment sections indexed by Google also become part of your page’s content. If your comment section is full of keywords like “cheap pharmaceuticals” and “online casino,” those words appear on your page and confuse Google about what your page is actually about, which can hurt relevance for your actual target keywords.

Spam bots also consume crawl budget. If Googlebot is regularly hitting your site and finding hundreds of new spam pages or deeply nested comment threads full of spammy content, it wastes the crawl allocation that should go to your real content.

Keeping your comments clean is directly tied to maintaining the quality signals that matter for technical SEO and site authority.

FAQ: WordPress Spam Comments

What is the fastest way to stop WordPress spam comments?

The fastest wins are in Settings > Discussion: enable manual approval, require name and email, hold comments with links, and disable trackbacks. Then install and activate Akismet. That combination alone handles the majority of spam for most sites and takes about 15 minutes to set up.

Is Akismet free?

Akismet is free for personal, non-commercial blogs. For commercial websites including business sites, ecommerce stores, and any site that makes money, a paid plan is required, starting at $5/month. The distinction is their policy, and the paid plan is worth it for most business sites.

What’s the difference between a honeypot and CAPTCHA?

A honeypot is invisible to real users. It adds a hidden form field that bots fill out automatically, triggering a spam flag. Real commenters never know it’s there, so there’s zero friction. CAPTCHA requires real users to complete a visible challenge (or in the case of reCAPTCHA v3, an invisible scoring check). Both catch bot spam, but honeypots cause no friction at all while traditional CAPTCHAs add a small barrier.

Will spam filters catch human spammers too?

Not reliably. Tools like Akismet and honeypots are primarily effective against automated bots. Human spammers who manually type generic-sounding comments with a link in the URL field are harder to detect automatically. Manual moderation, keyword filters, and requiring registration are the main defenses against human spam.

Do spam comments hurt my Google rankings?

Spam in your moderation queue and spam folder doesn’t affect your rankings because it’s not published. Spam that makes it to your live site can hurt you by adding low-quality outbound links, muddying your page’s topic relevance, and consuming crawl budget. Keeping your moderation process tight is the key.

Can I stop comments on specific posts but not others?

Yes. When editing any post in WordPress, scroll down to the Discussion meta box (you may need to enable it in Screen Options). Uncheck “Allow comments” for that specific post. This applies only to that post and doesn’t affect comments on the rest of your site.

Should I switch to a third-party commenting system like Disqus?

Third-party systems like Disqus replace WordPress’s native comment system with their own, which often includes better built-in spam filtering and social login authentication. The tradeoff is that comments live on Disqus’s servers rather than your own database, which affects data ownership, and some of these platforms load external scripts that can slow page performance. For most sites, properly secured native WordPress comments are the cleaner solution.

My Akismet spam folder is massive. Will that slow my site down?

Yes, over time. WordPress doesn’t automatically clean out old spam comments. A spam folder with hundreds of thousands of entries makes your database heavier and can slow certain admin operations. Go to Comments > Spam and click “Empty Spam” regularly, or enable auto-deletion of spam older than a certain number of days in your Akismet settings.

Does disabling comments affect my SEO?

Disabling comments removes a source of user-generated content, which can contribute to a page’s content depth and keyword variety in some cases. For most business and service pages, this effect is negligible. The SEO risk from unmanaged comment spam typically outweighs any benefit from keeping comments open on pages that don’t drive genuine discussion.

Can a firewall really stop comment spam?

A WAF like Cloudflare can significantly reduce bot traffic reaching your site, including comment spam bots. It works by blocking known malicious IP addresses and suspicious traffic patterns at the network level before requests reach WordPress at all. It doesn’t replace plugin-level spam filtering, but it reduces the volume of bots that plugins have to deal with. Combined, both layers are much more effective than either alone.

If you need help setting up spam protection, ongoing comment moderation, or full WordPress maintenance, our WordPress maintenance and support service covers all of this. We also build WordPress sites designed to be fast, secure, and easy to manage from day one. Get in touch with our WordPress web design team to learn more.

One Comment

  1. September 10, 2025 at 4:17 pm

    Ramon

    These are truly impressive ideas about blogging. You have touched some nice factors here.
    Anyway, keep up writing.
