If you own a WordPress site you’ve had to deal with comment spam at some point; it’s constant, and it’s annoying.
As head Software Engineer at Themely I work with WordPress on a daily basis. We have over a dozen WordPress sites running on our servers for theme development, live demos and testing purposes. As you can imagine, dealing with comment spam is a major issue.
Several weeks ago, I decided to focus on completely stopping or at least significant reducing spam and hardening each of our WordPress sites. Since then I’ve been able to stop literally hundreds of daily spam comments to ZERO with just a few changes; here’s how I did it.
Configure Your Discussion Settings
One of the most underrated strengths of WordPress is its built-in anti-spam functionality. You can configure your WordPress Discussion settings to act as a powerful and effective defense against the evil forces of spam. No plugins required!
In your Admin Dashboard navigate to Settings > Discussion and make sure the following settings are checked and configured:
- Allow people to submit comments on new posts
- Comment author must fill out name and email
- Automatically close comments on posts older than X days
- Enable threaded (nested) comments X levels deep
- Email me whenever – Anyone posts a comment
- Email me whenever – A comment is held for moderation
- Hold a comment in the queue if it contains 1 or more links
- Add the following words href= https:// and http:// to the Comment Blocklist field
The Comment Blocklist will send to trash any comment which contains links. Your Trash folder will slowly grow in number and you’ll want to log in and empty the trash on a regular basis (weekly, monthly or whatever you’re comfortable with).
You’ll also want to check your Trash folder for any legitimate comments, but in general, people who are genuinely commenting on your posts aren’t posting links in the comment field. So far from my experience I haven’t seen it trash any legitimate comments.
You can also choose to manually approve all comments before they’re displayed on your site. If that’s the case check the following setting: Before a comment appears – Comment must be manually approved. This is a little more labor intensive as you must log in and manually approve each comment. But it will ensure that if any spam comments slip thought the cracks, they won’t get displayed on your site.
From my experience so far, these settings have essentially eliminated all comment spam on our site.
Here’s a screenshot of our sites discussion settings:
Configuring your Discussion Settings will deal with the comment spam once it’s posted to your site, however, you also want to prevent spam comments being posted to your site in the first place. That’s why the following 2 steps are important.
Remove Website Field From Comment Form
Removing the Website (URL) field from your comment form may not have a significant impact but it will help to trip up certain spam bots and prevent them from posting a comment. I have no evidence to back up this claim but it just seems logical and it’s been working for me so far.
There are 2 ways to remove the Website field from your comment form.
Copy and paste the following code to your theme’s functions.php file or a site-specific plugin:
This code simply removes the website field from your WordPress comment form. You can visit a blog post on your website in a new incognito tab to see it in action.
In order to harden and secure all our WordPress sites I built a super simple and light-weight plugin which automatically removes the website field from your comment forms. To install the plugin, in your Admin Dashboard, navigate to Plugins > Add New and search for Themely Security.
Install and activate the plugin, and that’s it, you’re done. There’s no settings to configure.
Themely Security does a lot of other things to harden and secure your site, here’s a list:
- Limits login attempts
- Disables pingbacks
- Disables access to xmlrpc.php
- Protects wp-config.php
- Disables directory browsing
- Blocks XSS attacks
- Blocks wp-includes files & folders
- Hides version strings
- Deploys 6G firewall and blacklist
- Removes readme.html file
- Adds Math Captcha for login, registration and comment forms
- Automatic updates for WordPress core and plugins
- Removes Website(URL) field from comments form
If you’d rather a plugin which simply removes the website field and nothing else, then consider the following plugin.
Add Math Captcha to Forms
Finally, to protect our forms from spam bots we need to add a CAPTCHA field. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. In other words, CAPTCHA determines whether the user is real or a spam robot. One of the simplest and most effective forms is a Math CAPTCHA which asks users to solve a simple math equation.
Math CAPTCHA’s are highly effective in preventing spam bots, but they’re not perfect. Some spam does get through, which is where your Discussion Settings come into play to manage the spam comments which do get posted to your site.
This has worked quite well for our site for the last several weeks and think it could help you too.
I would love to hear from you if have any questions, please post them in the form below.