10 Ways to prevent spam comments on WordPress

By Alexandru Bucsa | Category: Guides and resources | Topics: Security, WordPress

You wake up to find 200 new comments awaiting moderation. Exciting, right? Until you realise they’re all promoting cryptocurrency scams, sketchy pharmaceuticals, or worse. Comment spam isn’t just annoying. It can damage your site’s reputation, hurt your SEO rankings, and even expose visitors to malicious links.

The good news? You can prevent spam comments on WordPress without disabling your comment section entirely. This guide walks you through 10 proven methods to keep your discussions genuine and your site secure.

  • WordPress has built-in tools that block most automated spam when configured correctly
  • Requiring user registration dramatically reduces bot-driven spam
  • Anti-spam plugins like Akismet work best alongside native settings
  • Firewall protection adds a critical layer of defence against spam bots
  • Regular comment moderation combined with automation creates the strongest protection

Why spam comments are a security risk

Before diving into solutions, it’s worth understanding why spammers target your comment section in the first place.

Spammers want to:

  • Build backlinks to boost their sites in search rankings
  • Distribute phishing links that steal user data
  • Inject malicious code through comment fields
  • Test your site’s defences before larger attacks

According to Akismet’s spam statistics, their service blocked over 500 billion spam comments across WordPress sites in the last 20 years. That’s a lot of junk trying to reach your readers.

How to prevent spam comments on WordPress

1. Configure WordPress discussion settings

Your first line of defence is already built into WordPress. Navigate to Settings > Discussion and enable these options:

  • Comment author must fill out name and email – stops anonymous bot submissions
  • Users must be registered and logged in to comment – eliminates most automated spam
  • Comment must be manually approved – gives you final say on what appears
  • Hold comments with 2 or more links – most spam contains multiple URLs

These settings alone can reduce spam by 70-80% on most sites.

2. Enable comment moderation keywords

In the same Discussion Settings panel, scroll to the Comment Moderation box. Add common spam trigger words like:

  • casino
  • viagra
  • cryptocurrency
  • free money
  • click here
  • SEO services

Any comment containing these words gets held for manual review. Update this list as you notice new spam patterns.

3. Use the Disallowed Comment Keys list

Below the moderation box, you’ll find the Disallowed Comment Keys field. This is your nuclear option. Words added here cause comments to be sent directly to the trash.

Use this for repeat offenders. If you keep seeing spam from specific IP addresses or domains, add them here to block future attempts automatically.

4. Close comments on old posts

Spammers often target old posts that have fallen off your radar. Under Discussion Settings, check Automatically close comments on posts older than X days.

A setting of 60-90 days works well for most blogs. This keeps conversations active on recent content while protecting your archives.

5. Install a dedicated anti-spam plugin

Native settings handle basic spam, but a dedicated plugin catches what slips through. Popular options include:

Plugin         Best for                Cost
Akismet        High-traffic blogs      Free for personal use
Antispam Bee   Privacy-focused sites   Free
CleanTalk      Multi-site networks     Premium

These plugins use databases of known spammers and machine learning to identify spam patterns you’d never catch manually.

6. Add a CAPTCHA to the comment form

CAPTCHAs force users to prove they’re human before submitting comments. Modern options include:

  • Google reCAPTCHA v3 – invisible scoring that doesn’t interrupt real users
  • hCaptcha – privacy-focused alternative to Google
  • Simple math questions – lightweight option for low-traffic sites

The tradeoff is user friction. Choose an option that matches your audience’s technical comfort level.

7. Add a honeypot field

Honeypots are invisible form fields that humans never see but bots fill out automatically. When a submission includes data in the honeypot field, it’s flagged as spam.

This method has zero impact on user experience since legitimate visitors never know it exists. Many security plugins include honeypot functionality by default.
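A honeypot for the native WordPress comment form, written here as an added example (it is not code from the original post or from the AIOS plugin). It assumes a theme’s functions.php or a small mu-plugin; the field name comment_extra and the inline CSS are my choices.

```php
<?php
// Added example: honeypot for the native WordPress comment form.
// The field name "comment_extra" and the CSS used to hide it are assumptions;
// any name that is not part of the real form will do.

function example_honeypot_field() {
    // A real text input hidden with CSS, not type="hidden": many bots skip
    // hidden inputs but fill every visible-looking text field they find.
    echo '<p style="position:absolute;left:-9999px" aria-hidden="true">';
    echo '<label for="comment_extra">Leave this field empty</label>';
    echo '<input type="text" name="comment_extra" id="comment_extra" value="" tabindex="-1" autocomplete="off">';
    echo '</p>';
}
// Print the field for anonymous visitors and for logged-in users.
add_action( 'comment_form_after_fields', 'example_honeypot_field' );
add_action( 'comment_form_logged_in_after', 'example_honeypot_field' );

function example_honeypot_is_filled() {
    // Nothing to judge if the form never rendered the field (for example a
    // bot posting straight to wp-comments-post.php). That case is what the
    // other layers in this guide are for.
    if ( ! isset( $_POST['comment_extra'] ) ) {
        return false;
    }
    return '' !== trim( sanitize_text_field( wp_unslash( $_POST['comment_extra'] ) ) );
}

// Flag the comment as spam instead of publishing or queueing it. Returning
// 'spam' from pre_comment_approved sends it to the Spam tab, where it can
// still be reviewed and used to train an anti-spam plugin.
add_filter( 'pre_comment_approved', function ( $approved, $commentdata ) {
    return example_honeypot_is_filled() ? 'spam' : $approved;
}, 10, 2 );
```

Because the check happens in pre_comment_approved, comments created through other routes (REST API, XML-RPC) without the field are left to the normal approval rules.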

8. Add a web application firewall

Here’s where most guides fall short. A web application firewall (WAF) blocks spam bots before they even reach your comment form.

Firewalls identify malicious traffic patterns and known bad actors at the server level. This reduces your site’s processing load and catches sophisticated spam that bypasses form-level protections.

Spam isn’t just a nuisance. It’s often the first sign of a larger attack. A firewall that blocks malicious bots protects your comments and your entire site simultaneously.

Alexandru Bucsa – Product Manager

9. Restrict HTML in comments

By default, WordPress allows certain HTML tags in comments. Spammers exploit this to embed hidden links and formatted content.

To restrict HTML, add this code to your theme’s functions.php file:

// Strip every HTML tag from comment content before WordPress saves it
add_filter('pre_comment_content', 'wp_strip_all_tags');

This strips all HTML from comments, leaving only plain text. It’s aggressive but effective for sites plagued by link spam.
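A less drastic alternative, added here as example code (not from the original post): keep a short allow-list of harmless tags for commenters who lack the unfiltered_html capability and drop everything else. WordPress already passes those users’ comment content through wp_kses with the context pre_comment_content; the filter below swaps in a narrower tag list for that context only. The chosen tags are my assumption.

```php
<?php
// Added example: narrow the HTML WordPress accepts in comments instead of
// stripping every tag. The tag list below is an assumption; it is smaller
// than the WordPress default list for comments.
add_filter( 'wp_kses_allowed_html', function ( $allowed, $context ) {
    if ( 'pre_comment_content' !== $context ) {
        return $allowed; // post content and other contexts are untouched
    }
    // Tags not listed here are removed; attributes not listed are removed
    // too, so onclick=, style= and similar never reach the database.
    return array(
        'a'          => array( 'href' => true ),
        'em'         => array(),
        'strong'     => array(),
        'code'       => array(),
        'blockquote' => array(),
    );
}, 10, 2 );
```

Users who hold unfiltered_html (administrators on a single-site install) are filtered with the post-content rules instead, so this list does not apply to them.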

10. Review and purge spam regularly

Even with all protections in place, some spam slips through. Schedule weekly reviews of your spam folder to:

  • Train your anti-spam plugin by marking false positives
  • Identify new spam patterns to add to your blocklist
  • Empty the spam folder to keep your database clean

A bloated spam folder can slow down your site. Database optimization helps maintain performance as your comment history grows.

Protect your comments and your site

Spam comments are more than a daily annoyance. They’re a security risk that demands a layered defence. Start with WordPress native settings, add a reliable anti-spam plugin, and consider firewall protection for comprehensive coverage.

The most effective approach combines multiple methods. No single solution catches everything, but together they create a filter that lets genuine conversations through while blocking the junk.

Level up your WordPress security

Comment spam is often just the beginning. All-In-One Security (AIOS) provides firewall protection, bot blocking, and login security that stops spammers and attackers before they reach your site.

Should I just disable comments to avoid spam?

Disabling comments eliminates spam but also kills genuine engagement. Comments build community, provide social proof, and even contribute to SEO through fresh content. Try the methods above before giving up on comments entirely.

Does spam affect my SEO rankings?

Yes. Google may penalize sites with excessive spammy content. Comment spam can also slow your site down, which impacts Core Web Vitals scores.

How do I know if a comment is spam or legitimate?

Look for generic praise (“Great post!”), multiple links, irrelevant topics, and suspicious usernames. Legitimate comments usually reference specific content from your article.

Are free anti-spam plugins effective?

Yes. Akismet’s free tier handles most personal blogs well. Combine it with native WordPress settings for solid protection without spending anything.

Can spam comments hack my site?

Directly, no. But spam comments can contain phishing links that harm your visitors. They can also probe your site for vulnerabilities that lead to larger attacks.

About the author

Alexandru Bucsa

Alex is our All-In-One Security Product Manager. With more than six years of WordPress experience, he listens closely to what users need and works hard to make AIOS even better. Drawing on his background in forensic investigations, Alex loves diving into problems to understand their causes and find practical fixes that truly help our community.
