Table of Contents
Last update on
Are you flooded with hundreds of useless comments and wondering how to stop spam comments on WordPress? You’re not alone.
WordPress is a powerful and flexible platform that makes it easy to publish blog posts, customize layouts, save drafts, or even add a bio section, but when it comes to comment management, things can get messy.
In this article, you’ll learn how to stop spam comments on WordPress, how to prevent them from showing up in the first place, and how to manage and delete the ones that still get through using comment moderation.
| 🎯TL;DR: How to Stop Spam Comments on WordPress Spam comments can slow down your site, bloat your database, and damage your SEO and credibility. To stop spam comments on WordPress, use anti-spam plugins like Akismet or WP Armour, and add reCAPTCHA for WordPress. You should also limit comments to logged-in users, enable manual comment approval, and disable trackbacks and pingbacks. Other actions include blocking links with a WordPress comment blacklist and using third-party comment systems like Disqus. Moreover, you should boost spam protection with a firewall for WordPress (e.g. Sucuri or Cloudflare) and other WordPress security plugins. Finally, use WP Rocket to clean up spam comments from your database. |
Key Takeaways
✅ Understand what comment spam on WordPress is: irrelevant, unsolicited messages, often loaded with links.
✅ Spot the difference: genuine comments are thoughtful and relevant; spam comments are off-topic and include 2+ hyperlinks.
✅ Allow only logged-in users or previously approved commenters to limit spam.
✅ Add reCAPTCHA for WordPress to your comment form to block spam bots.
✅ Forbid links in the comment field using a simple code snippet or plugin.
✅ Use a reliable anti-spam plugin for WordPress, Akismet is the most complete and trusted solution.
✅ Use WP Rocket to permanently delete spam comments from your database in one click and keep your site fast, lean, and clean!
✅With the right setup, you can stop WordPress spam bots without turning off your comments section completely.
What Is WordPress Comment Spam?
Comment spam on WordPress refers to irrelevant or unsolicited messages posted in the comments section of your site, trying to promote links and boost SEO. They are often posted by automated WordPress spam bots that flood your site with low-quality content, not for discussion, but to manipulate search engines, drive traffic to external sites, or even inject malicious links.
You can find the spam comments directly from the WordPress admin, in the Comments section:
Fine-tuning your WordPress comment settings and following the best practices below can help prevent spam comments.
Let’s go over the best actions you can take to stop spam comments on your WordPress blog.
Configure Built-in Discussion Settings
WordPress includes a built-in spam protection section under the Discussion Settings panel. To access it, go to Settings > Discussion, and you’ll find a series of options to help you control and prevent spam comments.
Let’s go over each built-in WordPress comment setting so you can easily take action and limit the number of spammy comments.
1. Disable WordPress Comments
It’s a radical move, but if you turn off comments globally or per post, spam comments won’t even have a chance to come through. WordPress does not offer to disable comments site-wide in one click; you need to follow these two steps:
First, disable WordPress comments for all new posts moving forward.
Go to the Default post settings section and simply uncheck the box: “Allow people to submit comments on new posts.”
Then, for existing posts that already have comments enabled, you’ll need to use the following site-wide workaround:
Go to Other comment settings and set the following: “Automatically close comments on posts older than [1] day.”
This effectively disables comments across all older posts at once.
2. Require a Name and Email Address
Requesting basic identity details helps filter out bots (although some of them can circumvent this). Under Other comment settings, check the “Comment author must fill out name and email” box.
3. Restrict Comments to Registered Users
Requiring users to register and log in before commenting adds a strong layer of protection. Since only verified users can leave comments, this significantly lowers the risk of spam. It’s one of the simplest ways to reduce user registration spam WordPress sites often deal with because bots are far less likely to go through the full login process just to post a fake comment.
Under Other comment settings, check the “Users must be registered and logged in to comment” option.
4. Automatically Close Comments on Old Posts
This is a great way to prevent spam comments, as most spam targets older content.
Under Other comment settings, check the “Automatically close comments on posts older than X days.” Set it to a reasonable timeframe, such as 30 or 60 days, depending on the content.
5. Enable Manual Comment Moderation & Stay Notified
Manual comment approval on WordPress is the best way to review each comment before it appears on your site. You should also receive notifications in case of new activity in the comments section.
Under Before a comment appears, check: “Comment must be manually approved” and “Comment author must have a previously approved comment”. The second option will save you time once you’ve vetted a user.
Under Email me whenever, check “Anyone posts a comment,” and “a comment is held for moderation” so you can stay on top of new interactions and don’t let spam slip through.
6. Enable Automatic Comment Moderation
The WordPress comment moderation system allows you to set filters to automatically catch and queue suspicious comments or send them directly to the trash.
Under Comment Moderation, you can enter a link limit: “Hold a comment in the queue if it contains X or more links,” and add known spam words, IPs, or email addresses.
Under Disallowed Comment Keys, you can add your WordPress comment blacklist, such as words, URLs, IPs, or even user agents. Any comment containing one of these will be sent directly to the Trash.
Install an Anti-Spam Plugin
Another powerful step in your WordPress spam protection strategy is to use one of the reliable anti-spam plugins for WordPress. These tools automatically detect and filter out spam comments before they even reach your moderation queue!
Here are two effective and easy-to-use options we recommend:
Akismet: The most popular anti-spam plugin
With over 6 million active installations, Akismet is the most widely used anti-spam plugin for WordPress. It’s free for personal use, and premium plans remain affordable for business or commercial sites.
Akismet scans all incoming comments and contact form submissions, comparing them against a global database of known spam. It helps prevent harmful or irrelevant content from being published on your site.
WP Armour: Lightweight plugin using honeypot fields
WP Armour is another excellent option, with over 300,000 active installations. It has a free version, doesn’t rely on any external API calls, and uses a clever client-side honeypot technique to block spam bots.
So, what’s a honeypot field in WordPress? It’s a hidden field that normal users won’t see, but bots will. When a bot fills it out, it’s immediately flagged as spam. Unlike most plugins that add this field via PHP on the server, WP Armour uses JavaScript to place the trap. Since most spam bots can’t process JavaScript, they often overlook the field, making this method highly effective.
| 💡 Hint: Besides using an anti-spam plugin for WordPress, you should also install a WordPress security plugin. Spam protection is just one part of a solid, site-wide security strategy — think of it as the first line of defense against unwanted and harmful activity. |
Add CAPTCHA or reCAPTCHA
One effective way to block WordPress spam bots is by asking commenters to prove they’re human, with a CAPTCHA or reCAPTCHA for WordPress. Before their comment is approved, they’ll need to solve a simple challenge, such as clicking on traffic lights or checking a “I’m not a robot” box.
The easiest way to add reCAPTCHA to your comment form is by installing the free Advanced Google reCAPTCHA plugin. It protects your WordPress site from spam comments and brute-force login attacks by adding CAPTCHA tests to your comment form. You can see an example below:
While this method is useful, it’s not perfect. On mobile devices, CAPTCHAs can be frustrating to complete and may discourage users from interacting with your site, potentially preventing some genuine comments from being posted.
We asked some WordPress companies what they were doing to prevent spam, and Raitis Sevelis from WPBakery said:
We prioritize optimization. We’d much rather rely on tools like reCAPTCHA to automatically filter out low-quality comments (even if it means fewer comments) than spend time and money to moderate the comments section manually.” Ultimately, it’s up to you to determine your priorities and overall blogging strategy.
Implement a Web Application Firewall (WAF)
Another powerful way to stop spam at the source is to use a firewall for WordPress, also known as a Web Application Firewall (WAF).
Tools like Sucuri or Cloudflare act as a shield between your WordPress host and incoming traffic. They filter out malicious bots, fake referrers, and other unwanted visitors before they even reach your site, dramatically reducing spam.
WAFs also give you extra control: you can block specific IP addresses or even entire countries with just a click. It’s a smart addition to your overall WordPress spam protection strategy.
Avoid WordPress Spam Comments by Using a Third-Party Commenting System
One effective way to avoid spam altogether is to stop using the native WordPress discussion system and switch to a third-party comment system instead.
This is a smart choice if you want to disable comments in WordPress but still allow your readers to interact with your blog. These external platforms often come with stronger spam filtering and moderation features built in.
Disqus is one of the most popular third-party comment systems out there. The Disqus for WordPress plugin makes it easy to replace the default WordPress comment system. It not only helps reduce spam but also boosts user engagement by offering add-ons to grow your audience, monetize your content, while keeping spam out of the way. Here’s an example of a custom comments area:
Other strong plugin alternatives include:
- Yoast Comment Hacks: This plugin adds useful tweaks to the native WordPress comment system. You can set comment length limits, redirect first-time commenters to a thank-you page, and clean up the clutter from comment notification emails. It’s a smart way to streamline and control your comment section.
- wpDiscuz: Often described as the best alternative to Disqus, this plugin provides a fast, modern, and interactive comment system with rich features. It keeps the comments on your own site (unlike Disqus), while still offering spam protection and engagement tools.
Deactivate Trackbacks and Pingbacks
Trackbacks and pingbacks in WordPress were originally designed to notify you when another blog links to your content. But today, they’re mostly used by spammers to send fake pings from low-quality websites, which can hurt your SEO, clutter your comment section, and put your site’s security at risk.
That’s why it’s a good idea to disable them. Just go to Settings > Discussion in your WordPress dashboard and uncheck the box: “Allow link notifications from other blogs (pingbacks and trackbacks) on new posts.”
Block URLs Inside Text Fields
Many WordPress spam bots — and sometimes even real people — try to sneak in malicious links through your comment forms. Unfortunately, CAPTCHA and anti-spam plugins can’t stop human spammers.
If you’re still getting suspicious links, a smart solution is to block URLs entirely in your comment form fields.
To do that, you can use a simple PHP script that prevents users from submitting URLs in the Single Line Text or Paragraph Text fields. This adds an extra layer of protection, keeping your comment section clean and organized.
The code snippet below scans the comment content before it’s saved. If it detects a URL, it will block the comment and display an error message.
function block_comment_links($commentdata) {
$comment_content = $commentdata['comment_content'];
// Regex pattern to detect links
if (preg_match('/https?:\/\/|www\./i', $comment_content)) {
wp_die(__('Your message here: e.g. Sorry, your comment appears to contain a link, which is not allowed.'));
}
return $commentdata;
}
add_filter('preprocess_comment', 'block_comment_links'); Bonus: How to Identify and Delete Spam Comments
So, what if you’ve taken all the right precautions, but some spam still slips through? It’s important to learn how to spot spam comments because if you leave these irrelevant, low-quality messages on your blog, they can bloat your site, harm the user experience, and make your blog look unprofessional.
Spam comments are often generic, off-topic, stuffed with suspicious links, or posted by anonymous users with shady names or URLs. They’re usually designed to trick your readers or boost the spammer’s SEO.
On the contrary, genuine comments are thoughtful, relevant to the post, and usually include a name, a real email address, and no spammy links. They add value to the discussion and show real engagement from your audience.
Take a look at the comments below. First, the spammy comments are off-topic and include many random links:
On the contrary, the genuine comments represent genuine engagement from the community:
How to Permanently Trash Spam Comments
You can simply go to WordPress > Comments, select the spammy comment, and press Trash to delete it.
If you want to permanently remove them from your database and keep your site clean and lean, you can do it with a performance plugin like WP Rocket.
WP Rocket is the most powerful and beginner-friendly performance optimization tool for WordPress. As shown below, you’ll find a tab dedicated to database optimization with an option to delete spam comments in one click permanently:
With WP Rocket, all comments marked as spam will be deleted using the wp_delete_comment function, meaning they will be permanently cleared from the database.
WP Rocket doesn’t stop there. It also implements 80% of performance best practices immediately upon activation, including caching, cache preloading, GZIP compression, lazy rendering, code minification, and critical image optimization.
It also offers one-click options to defer and delay JavaScript, remove unused CSS, and lazy-load images, iframes, and videos.
🚀 In short, WP Rocket improves your page speed and keeps your database lean by deleting all spam comments from the database in a few clicks!
Wrapping Up
Now that you know how to stop spam comments on WordPress, you don’t have to disable the comments section entirely. Instead, be smarter: fine-tune your WordPress comment settings to filter and block spam effectively without discouraging genuine users from participating in the conversation.
Spam comments can bloat your database, slow down your site, and hurt your SEO and credibility. Regardless of how you handle them, removing spam comments from your WordPress database is essential. That’s where WP Rocket becomes your best ally: it helps you easily clean up spam and maintain a lean, fast-loading website.
Start using WP Rocket today to boost your page speed and keep your database clean, with no risks taken with the 14-day money-back guarantee!
