This tutorial was created using an earlier version of WordPress.
For most internet users, SPAM is an inevitable consequence of having an online presence.
Spam-related problems also affect WordPress users, but for different reasons.
The first issue is that WordPress is the world’s fastest growing CMS (Content Management System) platform, used to power millions of websites and blogs worldwide, and so it is an obvious target for hackers, spammers, and bot programmers.
To learn about issues related to spam and WordPress security, see the training module below:
Preventing Spam In WordPress
WordPress allows visitors to post comments on your site. Although this is one of the features that makes WordPress a great platform for user and visitor interaction, it also increases the potential for attracting comment spam …
Unlike regular spam, which is unsolicited email aimed at getting you to buy stuff from the spammer, ‘comment spam’ is usually aimed at getting your visitors to buy stuff from spammers. It is a ‘parasitic’ relationship that benefits the parasite while harming the host.
Even if your site is not very popular or well-ranked, you can expect to attract some comment spam …
Finding ways to combat and prevent comment spam on your WordPress site, therefore, is something that you will need to address when building a presence online.
Comment Spam – Not So Obvious
Every WordPress site is bound to attract comments from spammers.
Many spammers use automated software to place comments on your site hoping to get a free backlink (i.e. a link pointing from your site back to their site). In fact, this is how many questionable SEO service providers make money … clients pay them to get their website links on other sites, not realizing that many of these links are achieved through spamming practices.
Also, savvy spammers use software that searches for sites that allow unregistered users to place comments on sites automatically, which means that site owners are ultimately fighting a losing battle against machines.
In addition to software-generated spam, many comment spammers also employ humans to craft and submit “authentic-looking” comments to sites in order to avoid detection and hopefully get their comments approved by site moderators …
More often than not, however, many of these comments are just spam, and can be found posted indiscriminately on thousands of other sites which share no common topic …
There are a number of ways you can tell if a comment is spam or not. These include:
- The sender’s email address – if the email comes from a free service or a throwaway email service, or it has a nonsense name, then it’s most likely comment spam.
- The sender’s domain – if the comment contains a link to a website address, check if the domain name seems genuine and if so, is it related to your field?
- The comment itself – does the comment refer specifically to the topic of your post, or is the comment generic and vague, e.g. “this article is fantastic! You have really inspired me and given me serious food for thought … I appreciate your honesty and will be returning to this site again and again!”
- The sender’s IP – when in doubt, check the IP address of the commenter using a free service like WhatIsMyIPAddress.com. It will tell you which country the comment originated from. This can be useful, especially if the comment came from a location known as a base for hackers and online scammers.
Moderating comments and manually checking for spam can take up a lot of your valuable time and resources, especially when dealing with sophisticated spammers. Not only that but if your site becomes a magnet for spam comments, it can also affect your rankings in the search engines. Lower rankings mean fewer visitors.
It’s important, therefore, to have a system in place for managing comment spam on your site.
In this tutorial, you will learn how to combat and prevent SPAM using a WordPress plugin called Akismet.
Akismet checks your comments against the Akismet web service to see if these look like spam or not and lets you review any spam it catches under your site’s Comments admin screen.
The Akismet servers monitor millions of blogs and forums, watching the methods and tricks used by spammers in real-time. When spambots, comment factories, buffer sites, and social engineering tricks are identified, Akismet uses this knowledge to try and prevent automated or human spammers from trying to place a spam comment on your site.
Akismet was developed by Automattic, a company founded by the creator of WordPress itself, Matt Mullenweg, and has proven to be very effective in fighting SPAM. Millions of WordPress users have Akismet installed on their sites.
You do not have to install this plugin. Akismet comes built-in with all new WordPress installations. All you have to do is activate and configure it. (If you have to manually install or reinstall Akismet, see the instructions further below.)
From your WP dashboard, select Plugins > Installed Plugins …
Hover your mouse over the plugin name and click Activate …
If this is a brand new WordPress installation, you may see a notice at the top of your screen when you activate the Akismet plugin. Click on Activate your Akismet account …
Akismet requires an API key (API = Application Programming Interface) in order to work on your WordPress installation.
If you don’t have an API key, click on the Create a new Akismet key button …
You will be taken to the Akismet website. Click on the button and follow the instructions on the site to get an Akismet API key …
Note: If you are blogging for profit or creating commercial WordPress sites and using Akismet, you might end up finding yourself in a licensing predicament. As such, if your site is for a business or if it promotes a product or service, it is highly recommended that you choose your license from one of the paid Akismet options.
For more information go here: Akismet.com
Once you have your API key, save it into a text file and copy it to your clipboard …
Come back to your site and click on I already have a key …
Paste your key into the Akismet API Key field and click Save Changes …
If you have entered a valid key, you will see a confirmation message displayed on your screen that your Akismet account has been successfully set up and activated …
As stated earlier, Akismet comes installed with every new WordPress installation.
If you have to install or reinstall Akismet, however, then here is how you do it:
From your WP admin area, select Plugins > Add New …
Select the Install Plugins > Search tab, then type “akismet” into the search field and click on the Search Plugins button …
Locate the plugin in the search results area and click Install Now …
Once your plugin has been installed, make sure you activate it …
Once your plugin has been activated, click on Settings …
You can also get to the plugin’s settings screen by selecting Plugins > Akismet from your dashboard menu …
This takes you to the Akismet settings page …
If you have already set up and activated your Akismet account with a valid API key as shown earlier, you will see a “Valid” key alert. If not, you will need to enter a valid API Key in the API key field and click Save Changes to activate your Akismet account …
You can also specify a couple of options for Akismet by enabling / disabling the following checkboxes:
- Auto-delete spam submitted on posts more than a month old.
- Show the number of comments you’ve approved beside each comment author.
Unless you plan to collect and analyze your spam data, we recommend enabling the “auto-delete spam submitted on posts more than a month old” option. This eliminates unwanted data from your site and helps to reduce the size of your database …
Selecting the option to “Show the number of comments you’ve approved beside each comment author” allows moderators to see the number of approved comments for each user in the “Comments” section …
Akismet is hosted on a network of servers and operates over multiple server locations, so it’s constantly checking and rechecking your comments to see if they really are comments or just spam.
You can check to see if the servers are running from the settings screen …
You can also view the network status of the plugin’s servers from the settings screen …
Note: If your web host is unable to reach Akismet’s servers, the plugin will automatically retry when your connection is back up.
Once Akismet is installed and running, there’s not much else to do. If you have selected the auto-delete option, Akismet will automatically scan comments on your site for spam and delete content from your Spam folder each month …
You can view stats on spam caught by Akismet by clicking on the Stats link at the top of the Akismet screen …
This opens up a new screen showing you the history of all spam caught by Akismet on your site …
This data helps you understand the volume and type of comment spam affecting your site over a period of time …
You can easily see which comments were caught or cleared by Akismet and which were spammed or unspammed by a moderator from your Comments screen.
To do this, click on the Spam link in the “Comments” section menu…
You can see all the comments that Akismet has flagged as spam in your Spam folder, including links highlighted by the plugin in the comment body to reveal hidden or misleading links …
To manually delete all spam comments, click on the Empty Spam button, or, simply let the plugin delete items automatically from this folder if you have enabled the “auto-delete” option in the plugin settings as shown earlier …
You can also check for spam manually by clicking on the Check For Spam button in the top and bottom sections of your Comments screen …
Akismet provides a comment status history feature that lets you easily see which comments were caught or cleared, and which were spammed or unspammed by a moderator.
To access this feature, hover your mouse over any comment in the Comments section and click on the History link …
Your comment history is displayed in the Comment History section below the comment editing area …
This lets you keep track of comments that you report as spam, and also lets you see how Akismet checks and re-checks comments on your site. In fact, each time a new comment, trackback, or pingback is added to your site it’s submitted to the Akismet web service which runs hundreds of tests on the comment and then returns a thumbs up or thumbs down, saving you the time of sorting through and deleting spammy comments from your site.
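What that submission looks like on the wire, as an added example (not code from this tutorial or from the Akismet plugin): it builds the comment-check request for Akismet's public REST API and maps the true/false reply to a moderation action. The function names, the sample comment, the action labels and the choice to hold a comment when the service cannot be reached are assumptions of this example.

```python
from urllib.parse import urlencode
from urllib.request import Request, urlopen

COMMENT_CHECK_URL = "https://rest.akismet.com/1.1/comment-check"

# Constructed sample comment (documentation-range IP, placeholder domains).
SAMPLE_COMMENT = {
    "ip": "203.0.113.7",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64)",
    "author": "Best SEO Deals",
    "email": "qx7zk@mail.example",
    "url": "http://cheap-links.example/",
    "content": "This article is fantastic! I will be returning again and again!",
}

def build_comment_check(api_key, site_url, comment):
    """Build the POST that hands one comment to Akismet for a verdict."""
    fields = {
        "api_key": api_key,
        "blog": site_url,                      # front page URL of the site
        "user_ip": comment["ip"],              # commenter's IP leaves your server
        "user_agent": comment["user_agent"],
        "comment_type": comment.get("type", "comment"),
        "comment_author": comment["author"],
        "comment_author_email": comment["email"],
        "comment_author_url": comment.get("url", ""),
        "comment_content": comment["content"],
    }
    return Request(COMMENT_CHECK_URL, data=urlencode(fields).encode("utf-8"),
                   method="POST")

def interpret_verdict(body, headers):
    """Turn Akismet's reply into a moderation action (labels are hypothetical)."""
    hdrs = {k.lower(): v.lower() for k, v in headers.items()}
    answer = body.strip().lower()
    if answer == "false":
        return "publish"
    if answer == "true":
        # "discard" marks spam Akismet considers blatant enough to drop unseen.
        return "discard" if hdrs.get("x-akismet-pro-tip") == "discard" else "spam-folder"
    return "hold-for-moderation"               # e.g. "invalid" for a bad key

def check_comment(api_key, site_url, comment, timeout=10):
    """Send the request; on any network failure, hold rather than publish."""
    try:
        with urlopen(build_comment_check(api_key, site_url, comment), timeout=timeout) as resp:
            return interpret_verdict(resp.read().decode("utf-8"), resp.headers)
    except OSError:
        return "hold-for-moderation"
```

The request body shows what leaves your server for every comment: the commenter's IP address, user agent, name, email address and text.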
As you can see, Akismet is very effective at helping to manage comment spam on your site. Once the plugin is set up, it goes to work in the background, monitoring all incoming comments, then analyzing, filtering and isolating anything it determines to be spam.
To download this plugin, visit the site below: Akismet
Other WordPress Spam Prevention Plugins
In addition to Akismet, there are other WordPress spam plugins that you can look at, including free anti-spam alternatives:
Antispam Bee is an easy-to-use and highly effective anti-spam plugin. It protects your site or blog from spam by replacing the comment field.
Some of the main benefits of using this plugin include:
- Allow comments only in certain languages
- Block comments and pings from specific countries
- Quick & Dirty: activate, set settings, done!
- Spam comments can either be marked as SPAM or deleted immediately
- Automatically cleans up the spam folder
- Saves no data in your WordPress database
- Sends no data about your site to external sites
To download this plugin, visit the site below: AntiSpam Bee
Spam Free WordPress
Spam Free WordPress is a comment spam blocking plugin that, according to developer Todd Lahman, blocks 100% of the automated spam on your site with zero false positives, and which he claims outperforms Akismet on that basis (manual spam is blocked with an IP address blocklist).
The Spam Free WordPress plugin was born out of the necessity of helping a heavily trafficked site fight spam that multiple plugins could not stop, and which instead increased the load on the server fighting the spam. Since then, Spam Free WordPress has been tested successfully under real-world conditions of heavy traffic and heavy comment spam.
Spam Free WordPress advises that, once the plugin is installed, no other comment spam plugins are needed and that they should be disabled, as they may cause undesirable false positives.
Spam Free WordPress also has a mission to help WordPress become the world’s first and only comment spam free blogging platform.
Some of the main benefits of using this plugin include:
- Automatically blocks 100% of automated comment spam
- Local manual spam and ban policy set with local IP address blocklist
- Global manual spam and ban policy set with remote IP address blocklist
- Significantly reduces database load compared to other spam plugins
- Zero false positives
- Option to strip HTML from comments
- Saves time and money by eliminating the need to empty the comment spam folder
To download this plugin, visit the site below: Spam Free WordPress
Fighting WordPress Spam – Additional Information
In addition to using plugins to help combat spam, you can learn how to configure your WordPress discussion settings and manage your WordPress comments.
Congratulations! Now you know how to combat, prevent and protect your WordPress site from comment spam.