How to Protect your WordPress site from Spam Comments [Complete Guide]

For most people who have a website with open comment fields, sooner or later spam comments appear – and once they have started, it grows quickly.

There are various ways to stop this spam – some are based on so-called Captcha, you know those hard-to-read letters that you have to enter before you can press the send button. But this makes many people ignore commenting, and you want to avoid that.

In this article, we provide some of the most popular options of plugins for WordPress, which stop spam without any Captcha.

Akismet anti-spam plugin

Akismet is a plugin that comes with WordPress that is intended to stop spam comments. It is developed by Automatic – the company behind WordPress – and is very effective. The functionality is based on the fact that every comment posted on your blog is run through Akismet’s central spam server which has advanced algorithms and amounts of data that determine whether the comment is spam or not, and Akismet rarely makes any mistakes.

It is also the most popular anti-spam plugin and really has only one drawback: It is really only free for private blogs, and companies actually have to pay money to use it. To activate the extension, you need an API key, and to obtain it, you need to register an account on Each account has only one free key, and the instructions state that it may only be used for “private, non-commercial use”.

For companies, an Akistmet API key cost about $ 5 per month and website last time we checked the price.

Antispam Bee WordPress plugin

If you want something that is completely free for commercial use, there are a couple of options. One of the most popular plugins is Antispam Bee. This is a very easy-to-use add-on that is easy to set up and works effectively for most people. However, Antispam Bee does not have Akismet’s advanced function with a central spam server in the cloud but is based on algorithms and local data that recognize spam comments. Installation is very simple. You can basically just go under Extensions on your WordPress CMS, select “Add new”, search for Antispam Bee, download and activate – then you are protected from spam comments. There are some simple settings, but it is possible to drive on those that are checked from the beginning.

There are no direct comparisons between Antispam Bee and Akismet, but most bloggers seem to consider Akismet to be more effective after all. Simple single measurements have shown that Antispam Bee detects over 99% of all spam comments.

WP-SpamShield Anti-Spam WordPress Plugin

Another option is WP-SpamShield Anti-Spam, an add-on that also has a very high rating. According to statements, it has a two-layer protective shield against spam, where the first blocks almost all automated spam robots through cookie/javascript handling. The second is based on 100+ algorithms that detect spam comments and in addition to blocking out the robots that have made their way through the first layer, should also be able to protect the site against many types of manual spam comments.

In addition to Wp-Spamshield protecting the comment fields from spam, the protection must also include the forms you submit on the website, and the extension is integrated with, for example, Contact Form 7, Gravity Forms, Ninja Forms, BuddyPress, bbPress and the e-commerce package WooCommerce.

How to Protect your website from spam comments

Limit who can comment on your posts

On popular websites with many visitors, most of the comments that come in are pure spam. We, therefore, recommend that you limit who can leave comments on your page. You do this under Settings> Discussion in the WordPress control panel. There you can also set that comments are published only after you have reviewed and approved them.

Reduce comment spam with the Akismet extension

If you have chosen to allow anonymous users to comment on your posts, you need a good antispam add-on. Akismet is usually included in all WordPress installations from the start (and is also free), the only thing required is that you activate it with an API key that you get from Akismet. Once you have activated the extension, it will check all comments for you and only approve those that are okay and legitimate.

Turn off the possibility for outsiders to register users

We recommend that you turn off the ability for outsiders to register new users on your site as that feature is most often used to send spam. You do this under Settings> General in the WordPress control panel where the box for “Anyone can register” next to “Membership” should then be unchecked.

Create the e-mail account

By default, WordPress uses the e-mail address as the sender address when you send e-mail from your website. If you create that email address yourself, you will see every time your WordPress page has tried to send emails that could not be delivered, which makes it easier to detect if your WordPress page is being spammed.

Should you suddenly receive lots of messages about failed e-mails from your WordPress page, you need to review which part of your website is generating spam (eg your contact form) and either deactivate or secure that piece.

Get rid of spam bots – use CAPTCHA in forms

If you have a contact form on your site (or allow user registration as we mentioned in the previous point), it is important that you verify that the user filling in the form is a human and not a spambot. The easiest way to do this is to add a reCAPTCHA plugin to your WordPress site. It helps you differentiate between humans and robots by asking humans to perform an action that robots generally do not understand.

Over the years, spambots have become smarter, but fortunately, the reCAPTCHA method has also become so. Nowadays, you only need to check a box to confirm that you are a human and not a robot. The latest version of Google’s own reCAPTCHA solution does not even require this. Instead, the reCAPTCHA solution is in the background and studies the visitor’s patterns/events on the website to make an assessment of whether it is a real person or a cure. Learn more about enabling Google’s reCAPTCHA solution for your WordPress site »

It does not matter how big or small your WordPress site is. Junk spam in comments, site listings, and contact form messages are issues that you must try to address. Failure to do so may result in spam in the comment fields quickly taking over your site with content that you do not want your site to display and you will have to deal with problems registering fake users.

What is spam?

Spam has long been an annoying feature since the internet became a common feature of our lives. From the beginning, our email was filled with unwanted marketing about various products. Often it was quite traditional advertising for e.g. insurance or travel, but a lot is also about advertising messages from the sex industry. Today, most email servers have quite extensive spam filters that delete this type of message. One problem nowadays is that some genuine and important emails are also interpreted as spam and do not reach the recipient.

In the beginning of being online, we became familiar with spam when unwanted messages began to take over our email inboxes and market everything from car insurance to cheap vacations. In fact, you will probably continue to deal with this type of spam every time you log in to your email.

When we talk about the spam that bombards a WordPress site, it is a more multifaceted topic than traditional email via email. WordPress can be exposed to spam in many different ways. We can be exposed to spam both through comment fields in the blog, fake user registrations or through spam in contact forms.

Spam is of course very annoying for both you and your website visitors, but there are also some security issues associated with spam.

While it may seem difficult to protect your site, in reality, it is not that difficult. All you need is the right approach and the best tools. But it is important to understand the different methods that spammers use so that one can take the right action.

Spam in contact form

For most websites, a contact form is an important part. Contact forms help to facilitate communication between you and your visitors in a way that is both effective for you and user-friendly for your visitors. Unfortunately, even spammers think that contact forms are a good way to spread unwanted messages.

This type of spam is different from other types of spam. Registering as a user on a website or spamming a comment field can be done in WordPress built-in features. A contact form requires you to use an extension.

You can choose from several different extensions for contact forms for WordPress. The most popular are Gravity Forms, Ninja Forms, WPForms or Contact Form 7. Each of these add-ons has its own unique set of features and they also use different methods to combat spam. The specific features to protect your site can be found in the settings for the extension you select. In some cases, you may need to download and install an additional add-on to get complete spam protection.

Stop spam in contact forms

As annoying as spam in the contact forms is, it is as easy to stop. Start by installing a spam extension like Akismet. The advantage of Akismet is that it works at once with contact forms created with Jetpack, Ninja Forms, Gravity Forms and Contact Form 7

An alternative to Akismet could be WPBruiser. It is more complicated to set up, but on the other hand it protects more contact form extensions such as Fast Secure Contact Form, Formidable Forms. You also get Brute Force Protection for membership extensions such as BuddyPress, Ultimate Member and MemberPress as well as protection for forms in WooCommerce and Easy Digital Downloads.

Unlike other anti-spam add-ons, which detect spam comments and registrations afterwards and move them to a spam folder, which you then have to take care of yourself, WPBruiser prevents the spam messages from registering at all.

Stop spam with wpbruiser

No matter which supplement you choose to prevent spam in your contact forms, they almost always do a very good job and spam becomes something that you will very rarely come in contact with at all.

WordPress function for user registration is part of WordPress basics. It can be useful for member websites, online communities or account management in online stores.

Unfortunately, registering fake users is something that spammers often use for malicious simple spam attacks. To prevent spam detection, it is important to look at the root of the problem. Why do bots try to register users on the site?

If you manage to register a fake user, they can use it to write spam comments in the website’s blog. WordPress has a setting where you can set that the person who should be able to write comments must have a user account. If you succeed in registering a fake user, you can continue to spread your advertising messages even if the website requires that you have an account to be able to write comments.

Fake users can even lead to malicious attacks that can affect the security of the site. Some WordPress extensions and themes have less thoughtful features that and themes can enable low-level users, e.g. subscribers, to access some administrative settings on your site.

Although most security flaws in additions and themes require a hacker to actively exploit the built-in vulnerabilities, even a dormant user account can be brought to life at any time and used for more shady activities.

This is how you protect yourself against spam registrations

Here too, the WPBruiser extension is an effective tool for preventing spam detection. But you have to see that addition as a first obstacle. If you want to be completely protected, you must take more measures. One such effective measure is what is known as CAPTCHA.

There are several extensions that use Google reCAPTCHA, which not only protects against spam registrations but also against comment spam and login attempts. It is an incredibly effective tool that determines exactly what a cure is and who is a genuine user.

To get started with Google reCAPTCHA, you start by activating the feature in the add-on you use. After that, you create two keys at Google. (

The next step is to decide which version of reCaptcha you want to use. The slightly simpler one, version 2, you will probably recognize from many websites. Version 2 requires the visitor to do something to prove that they are not a robot. Version 3 protects the site invisibly, without the visitor having to do anything.

Which one to choose is up to you. Google reCAPTCHA v3 is easier for the visitor, but at the same time it is technically possible to track a user on websites that use v3. Google reCAPTCHA v2 requires a little more effort on the part of the user, but is less intrusive in terms of privacy.


From Google reCAPTCHA, you get one or two keys that you copy and paste into the extension you want the feature to use. It may be good to know that not all extensions support reCaptcha, so it is important to choose an extension that supports reCaptcha from the beginning.


A Honeypot is a form that is hidden in the website code, but which is invisible to all regular visitors. Like a real honey jar attracts bees, a digital honey pot attracts spambots. The idea is that robots will see the form in the code and fill it out. In this way you can see what is a cure and what is a real visitor.

Honeypot technology is in theory an easy way to filter out spam. But they are not completely safe. Some of today’s more sophisticated robots have ways to fool your honeypot trap.

So even though many extensions have a Honeypot feature built-in, you should supplement it with reCaptcha and a spam extension. Then you have complete protection against spam registrations.

Is it worth having a comment section?

The easiest and most effective way to immediately put an end to spam comments is to simply turn off the comment feature. You can turn off comments all over the site or on individual pages or posts.

But if you decide to have comments anyway, there are a lot of comment settings that can protect the site. Perhaps the simplest setting is for you as an administrator to approve all comments for publication. Most websites do not receive so many comments that it becomes particularly burdensome.

Even if you decide not to check every comment, you can also set certain words or even IP addresses to be flagged for moderation. This means that the comment is not automatically published on the website.

How to stop spam in the comment fields

If you choose to have the comment feature active, it is recommended that you install a spam filter. Here too, a supplement like Akismet is an effective solution.

Akismet is one of the few extensions pre-installed in WordPress. It filters out any spam comments and puts the unsafe ones aside in a spam folder where you can decide for yourself if they are spam or not.

If you also find spam and mark the comments as spam, the IP number from that user will be sent to a database of spam. All comments from spam in the database are automatically deleted and you do not have to get in touch with them at all. Akismet is free for personal use and small websites. Companies and larger websites should get the paid version.

Other add-ons that handle spam in the comment fields are WpBruiser and AntiSpamBee. Those extensions also create databases of spam that are blacklisted on all websites that use those extensions.

Back up

But even if you have full spam protection, it is recommended that you have a fully-fledged backup solution. Maybe it is part of the service that your web host has? Or you can install an add-on for it as well. BackupBuddy or BackWPup are two extensions that create complete backups and functional restoration.

Stop spam comments on WordPress by manually approving comments

A more practical solution might be to manually approve a person’s first comment. This works so that once the first comment is approved by you, the subsequent comments will be approved and published automatically. It is an effective solution because spammers rarely take the time to write good content. Therefore, their attempt to publish links on your site is easily stopped. This way you can stop spam.

Stop spam comments by must-approve links

You can also choose to have comments with links approved by you before they are published. Comments can also be classified as spam if they contain certain words that you have decided in advance. In this way you can e.g. filter out comments that contain “CBD” etc.

Require users to register first

Be careful when reviewing the discussion settings when you want to stop spam in WordPress! You can limit comments to registered users. However, this may not be a good solution. Of course, it helped to reduce the number of spam comments. But the number of comments from real readers can also decrease.

Creating an account to be able to publish a comment is a bit cumbersome and discourages many from commenting on your website. To allow people to create an account, you also need to have a registration page. The problem is that even spammers will create accounts on your website. It may be unnecessarily cumbersome to have to register to participate in the discussion.

Anti-spam by Cleantalk (No CAPTCHA)

As you can probably see from the name, Anti-spam by CleanTalk (no CAPTCHA) does not rely on the visitor to mark all the boxes or fill in any captcha code to prove that they are human. This plugin works together with other plugins such as bbPress, BuddyPress and Contact form 7. It can be used to stop spam comments, registration spam and spam from your contact form. You also have the ability to set specific types of junk content should you need it.


Anti-spam is another spam protection for WordPress, which is not based on the visitor having to fill in Captcha code. This plugin does not have a settings menu, which is very unusual. It works by setting up a trap for robots. Two hidden fields are added to your form. The first field is a date field and is filled in automatically by Javascript. The second field should be blank. Spam robots are tricked into the trap by entering the wrong information for these fields. However, this plugin does not work with Jetpack

Other ways to prevent spam on WordPress

Because the spam problem has grown so large, website owners have had major problems. There are many antispam plugins available online. Below is a list of anti-spam plugins that might help you stop spam in WordPress:

• WordPress Simple Firewall – A replacement for Akismet. It captures spam from both robots and human visitors.
• AlphaOmega Captcha & Anti-Spam Filter – Adds captcha to your form to reduce spam.
• Peter’s Custom Anti-Spam – Forces users to identify themselves by sending a photo before they are allowed to comment.
• IP Blacklist Cloud – Allows you to block specific IP addresses and usernames from spamming your websites.

Here’s how to set up your site to stop spam in WordPress. Start by changing the discussion setting, so that comments with links are sent for moderation and make sure that the comment made by each visitor is moderated. This makes it almost impossible for spam to slip past.

The next step could be to activate Akismet. If you see that the amount of spam is increasing, you may need to supplement with another anti-spam plugin. Dealing with spam is a matter of testing different options. If one solution does not work, try another! If it does not work, try with someone else! Unfortunately, it is not possible to say which anti-spam plugin is best. Which is best varies from site to site. It depends on the level of both spam comments and real comments that the site receives.

It is also a question of how hard the filtering should be set when you want to stop spam in WordPress. Imagine that (a human) visitor spends a lot of time writing a comment and then it is not approved because the spam filter had too strict rules. It can arouse some frustration in visitors.

How to turn off comments on your website

When you start your website, you often think that it is nice that users can leave their comments on the website. It is, too, but you will soon discover that there are also a lot of spam comments.

The next step is that you want to turn off the comments on the website, but how do you really do that?

There are several ways to stop comments in WordPress, you can choose if you want to turn off comments completely or if you want them to remain on certain pages or posts. I know that many site owners get tired of the large amounts of spam and spam comments they receive through their websites. For some, the situation becomes unsustainable and therefore they simply want to stop the problem. On this page I was going to tell you how to turn off comments in WordPress. Before you decide to turn off comments in WordPress completely, I just want to tell you that there are other ways to solve the problem of spam (stop spam in WordPress).

How to turn off comments in WordPress pages or on the posts completely? You can turn them off completely during settings and discussion. But this only applies to new pages and posts.

If you have many old pages or posts, you can remove the comment option by installing a Disable Comments extension. In general, it is good to keep the number of extensions down, but if you have a lot on the website, it can be almost impossible to go through everything and remove the comment option. In those cases, plugins like Disable Comments can be a smart tool.

If you want to turn off the ability to comment on individual posts or individual pages, you can do so by:

Go to the page or post for which you want to deactivate comments. Under documents in the right-hand column, you will find the box for discussion. You must uncheck it if you want to delete comments for that post.

Disadvantages of turning off comments

Before you consider removing the ability to comment at all, think a little about the benefits of retaining the comment feature on a page or post! The biggest advantage of keeping the comment option on the website is that it is good if a lot happens on the page. If you have loyal readers who command what you have written, it is good for your website. Google ranks your website higher if a lot happens on it. It also becomes more interesting for the readers and they stay longer on your website and visit it more often. A website with comments thus generates more traffic. More traffic to the page leads to more business for you.

The reason you want to turn off comments on your website or blog is often that you get a lot of spam and want to reduce the amount. There are other ways to protect yourself from spam. But if you have problems with really large amounts of spam, it can be very time-consuming to go through all the new comments. This is why many people choose to turn off the comments completely on the website.


We monitors and writes about new technologies in areas such as technology, innovation, digitization, space, Earth, IT and AI.

Related Posts

Leave a Reply