How to stop WordPress comment spam ranks as one of our most common support questions. Spam comes in several varieties:
- referrer spam
- registration spam
- comment spam, including trackback spam
Referrer spam is the stuffing of a fake referrer in the HTTP header of requests to a web site. The conduct of Semalt was a prominent example of referrer spam. We regularly monitor our network for referrer spam, because we’re in the best position to block it.
Registration spam represents bots registering as a subscriber or new user on a WordPress site. It’s virtually a non-existent problem on wpPERFORM but it’s a common trouble spot for self-hosted WordPress sites with open registration.
In this article, we’ll focus on fighting comment spam, which is the automatic posting of comments on sites where comments (including trackbacks or pingbacks) are allowed. The WordPress Codex entry on comment spam claims that:
The good news is that WordPress’ built-in tools and history of combatting [sic] comment spam mean that most WordPress blogs get very little spam, and when they do it’s easy to address.
Unfortunately, that statement is only proof that some Codex articles contain false and inaccurate information and desperately need updating, because WordPress sites attract boatloads of comment spam, and fighting it can be time consuming.
Comment spam is driven by several factors. For over 8 years, links in WordPress comments have carried the rel="nofollow" attribute, but the debate over the usefulness of that attribute has raged on since its introduction in 2005, as this 2007 article from Search Engine Journal attests. Some believe that search engines use nofollow links in determining rank on a search engine results page (SERP), and a 2010 experiment by Social SEO shows evidence that nofollow links are a ranking factor. Even if they’re not a ranking factor, links in comments represent an opportunity to drive traffic to a site for financial gain.
Whatever spammers’ motivations might be, comment spam can be a serious problem for sites running WordPress. Sifting legitimate comments out of hundreds or thousands of spam comments is time-consuming. Accidentally publishing a spam comment can degrade the content quality of that page and ultimately your entire site. For August 2014, Akismet reported that it flagged 7.2 billion pieces of spam, an increase of more than 92% over the prior year period. Only 4% of the comments it processed in the period were real.
In no specific order, our recommendations to fight comment spam are:
- Akismet
- WordPress Zero Spam
- Comment Blacklist Manager
Akismet
Akismet is a service that checks comments against a range of factors. Its spam identification learns new information each time every webmaster using the plugin identifies a comment as spam. It uses an API key, so you’ll need to sign up for an Akismet account to use the service.
Akismet is free for personal, non-commercial use up to a limited number of checks (currently 80,000 per month). Commercial use (including use by non-profits) and personal sites with comment activity over the number of checks require one of the Akismet pricing plans. Keep in mind that Akismet “checks” include spam comments, so if you have very light comment activity from real visitors but are deluged with 90,000 spam comments, you’ll exceed the check threshold and trigger the requirement to get out your wallet.
If you like data, Akismet provides some pretty graphs of the comment activity on your site, including the spam it identified, the ham (legitimate comments in Akismet’s terminology), and the comments you flagged as spam. Here’s a sample from a relatively low-traffic site:
Akismet is one of the best choices for stopping comment spam, but it faces two common criticisms: it adds too much page weight and it produces too many false positives.
The complaint about adding page weight is no longer accurate. As of Akismet 3.0.1, jQuery is no longer required on the front end of a site for Akismet to work. That’s a big change, because if your site didn’t otherwise load jQuery on the front end, you’d be adding about 103 Kb to page weight (for jquery.js and jquery-migrate.min.js) just for Akismet. As of the current version, Akismet loads its own form.js, which adds a minuscule 0.7 Kb. Even for older versions, if your site required jQuery on the front end for functions other than Akismet, it’s not fair to attribute that extra weight to Akismet alone.
False positives are a different story and a legitimate concern. They’re caused when a non-spam comment is received but flagged as spam by Akismet. False positives are on the rise because spammers are increasingly adopting the identity of commenters with a history of making valid comments in an effort to confuse Akismet.
Still, Akismet benefits from the resources of Automattic, a leading supporter of WordPress itself. The war on comment spam isn’t going to be over soon, and Akismet has demonstrated it has the commitment and staying power to provide a solid though not perfect solution.
WordPress Zero Spam
Pippin Williamson, the lead developer of Easy Digital Downloads, created a little buzz on Twitter with his tweet:
Goodbye Akismet
— Pippinsplugins (@pippinsplugins) September 11, 2014
No, he wasn’t giving up the battle against spam. He was just changing weapons, which he subsequently made clear:
For those asking why I disabled Akismet, it just has too many false positives, and this plugin works wonders: https://t.co/5L7B00wIO4
— Pippinsplugins (@pippinsplugins) September 11, 2014
Pippin’s new weapon of choice: WordPress Zero Spam. The plugin works by checking all submitted comments for a specific attribute. Comments without the attribute are rejected as spam. WordPress Zero Spam automatically adds the attribute to comments via JavaScript.
Since spammers typically use bots without JavaScript for performance considerations, the attribute is never added to their comments, causing them to get rejected. One downside: visitors who intentionally disable JavaScript will have their comments rejected if you activate this plugin. Such visitors represent a very small share of traffic, and the JavaScript requirement can be clearly stated in a comment policy. Most WordPress sites load some JavaScript on their front ends, so the ability to comment won’t be the only or most important thing that’s broken for visitors with JavaScript disabled.
At this time WordPress Zero Spam is very effective. It’s based on the work of David Walsh, and many webmasters report that activating the plugin stopped spam completely. It’s also very lightweight. Its zero-spam.min.js only adds 0.1 Kb to a page’s weight.
Some believe that in time spammers will counter the technique, reducing its effectiveness. But the plugin developers aren’t likely to give up either. If WordPress Zero Spam becomes wildly popular and spam bots simply try to add the attribute themselves, the plugin developers could counter that by making the added attribute customizable, which would make the spammer’s job a lot harder. But the real risk is that JavaScript use by bots seems to be on the rise, something others have already observed. If bots use JavaScript, that would invalidate the plugin’s approach for separating the bots from real commenters. Only time will tell how durable this approach is.
Theme & Plugin Compatibility Issues with WordPress Zero Spam
Most themes that use the standard WordPress comment and registration forms will work with the plugin. However, if your theme doesn’t follow the default names for the IDs of the comment and registration forms (commentform and registerform, respectively), then the required attribute won’t be added to these forms even if JavaScript is enabled. That will cause all comment and registration form submissions to appear to come from spammers.
As well, not all plugins play nice with the standard WordPress IDs for these forms. For example, Genesis Simple Comments out of the box strips the ID of the comment form. We’ve modified that plugin on our network, but if you’re running the off-the-shelf version in the WordPress plugin repository, WordPress Zero Spam will treat all comments as coming from spammers because the required form ID is missing.
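The mechanism described in the two sections above, reduced to a small illustration: a hidden field that only JavaScript adds to the form with the standard commentform ID, and a server-side filter that rejects submissions without it. This is added example code, not WordPress Zero Spam’s own implementation; the field name ex_js_token and the ex_* functions are hypothetical, and exempting XML-RPC pingbacks is a design choice of this example.

```php
<?php
// Added illustration of a JavaScript-added attribute check; not WordPress Zero Spam's code.
// Assumed names: the hidden field "ex_js_token" and the ex_* functions are hypothetical.

// Server side: any comment submission lacking the JavaScript-added field is rejected.
add_filter( 'preprocess_comment', 'ex_require_js_token' );
function ex_require_js_token( $commentdata ) {
    // Pingbacks arrive over XML-RPC and never carry form fields, so they are exempted here.
    // Trackbacks (plain HTTP POSTs without the field) are rejected like any other submission.
    if ( isset( $commentdata['comment_type'] ) && 'pingback' === $commentdata['comment_type'] ) {
        return $commentdata;
    }
    $submitted = isset( $_POST['ex_js_token'] ) ? (string) $_POST['ex_js_token'] : '';
    if ( ! hash_equals( ex_expected_token(), $submitted ) ) {
        wp_die(
            'Comment rejected: JavaScript must be enabled to comment on this site.',
            'Comment blocked',
            array( 'response' => 403, 'back_link' => true )
        );
    }
    return $commentdata;
}

// A per-site value, so a bot cannot reuse one hard-coded token against every site.
function ex_expected_token() {
    return substr( hash( 'sha256', 'ex_js_token|' . wp_salt( 'nonce' ) ), 0, 16 );
}

// Client side: the field is only added if the form keeps the standard ID "commentform".
// A theme or plugin that strips or renames that ID leaves the field out, and every
// comment is then rejected even with JavaScript enabled (the compatibility issue above).
add_action( 'wp_footer', 'ex_print_token_script' );
function ex_print_token_script() {
    if ( ! is_singular() || ! comments_open() ) {
        return;
    }
    $token = esc_js( ex_expected_token() );
    echo "<script>(function () {\n"
       . "  var form = document.getElementById('commentform');\n"
       . "  if (!form) { return; }\n"
       . "  var field = document.createElement('input');\n"
       . "  field.type = 'hidden';\n"
       . "  field.name = 'ex_js_token';\n"
       . "  field.value = '{$token}';\n"
       . "  form.appendChild(field);\n"
       . "})();</script>\n";
}
```

Because the token is derived from the site’s own salt, copying a token harvested from one site does not pass the check on another; a bot that executes JavaScript will still obtain it, which is the limitation the section above points out.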
Comment Blacklist Manager
In addition to WordPress Zero Spam, Pippin noted he added another anti-spam weapon: Comment Blacklist Manager.
Comment Blacklist Manager automatically adds a regularly updated list of over 12,000 terms to your Comment Blacklist maintained in your WordPress dashboard at Settings->Discussion. This list, maintained at GitHub, is the blacklist source.
The plugin supplements the blacklist source with your own local blacklist and offers the ability to exclude terms. Comments that contain a term on the blacklist after local terms are added and excluded are automatically marked as spam.
If your Comment Blacklist already contains terms you’ve added, Comment Blacklist Manager will add its terms to your list. However, since its list is very extensive (probably more extensive than your existing list), there’s a very good chance your terms are already on its list.
Therefore, if you activate this plugin and have a relatively short list of your own blacklist terms, it’s worth a few minutes to check your local list against the list added by the plugin and remove your duplicate entries. When you activate the plugin, it adds its terms at the end of your existing Comment Blacklist, keeping your original terms at the top, which makes them easy to identify and move to the Local Blacklist metabox added by the plugin. To do that, copy your blacklisted terms to the Local Blacklist and delete them from the Comment Blacklist. Then, one by one, review your Local Blacklist for entries that already exist on your now expanded Comment Blacklist, and remove the duplicate from your Local Blacklist.
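The merge described in this section (source list plus your local terms, minus excluded terms) and the way a WordPress comment blacklist is then applied, as an added illustration that is not Comment Blacklist Manager’s own code. The ex_* functions and the sample terms and comment are constructed for the example; the matching rules follow WordPress’ own blacklist check: one term per line, matched case-insensitively as a substring of the author, email, URL, IP, user agent or comment text.

```php
<?php
// Added illustration of blacklist merging and checking; not Comment Blacklist Manager's code.
// Hypothetical ex_* functions; sample terms and comment data below are constructed.

// Build the effective list: source terms + local terms, minus excluded terms, no duplicates.
function ex_build_blacklist( array $source_terms, array $local_terms, array $excluded_terms ) {
    $norm     = function ( $t ) { return strtolower( trim( $t ) ); };
    $merged   = array_filter( array_map( $norm, array_merge( $source_terms, $local_terms ) ) );
    $excluded = array_map( $norm, $excluded_terms );
    return array_values( array_unique( array_diff( $merged, $excluded ) ) );
}

// Return the first matching term, or false. Like WordPress' own check, each term is a
// substring match, so a short term such as "press" would also hit "WordPress": keep
// local terms specific to avoid the false positives discussed earlier in this article.
function ex_comment_is_blacklisted( array $blacklist, array $comment ) {
    $fields = array( 'author', 'email', 'url', 'comment', 'user_ip', 'user_agent' );
    foreach ( $blacklist as $term ) {
        $pattern = '#' . preg_quote( $term, '#' ) . '#i';
        foreach ( $fields as $field ) {
            if ( isset( $comment[ $field ] ) && preg_match( $pattern, $comment[ $field ] ) ) {
                return $term;
            }
        }
    }
    return false;
}

// Constructed sample data: a tiny "source" list, local additions and one exclusion.
$source    = array( 'payday loans', 'casino-bonus', 'cheap pills' );
$local     = array( 'MySpamBrand', 'casino-bonus' );   // duplicate of a source term is dropped
$excluded  = array( 'cheap pills' );                    // a term that caused a false positive
$blacklist = ex_build_blacklist( $source, $local, $excluded );
// $blacklist is now: payday loans, casino-bonus, myspambrand

$comment = array(
    'author'     => 'Bob',
    'email'      => 'bob@example.com',
    'url'        => 'http://MySpamBrand.example/',   // matched case-insensitively
    'comment'    => 'Great post, thanks!',
    'user_ip'    => '192.0.2.10',
    'user_agent' => 'Mozilla/5.0',
);
var_dump( ex_comment_is_blacklisted( $blacklist, $comment ) ); // string "myspambrand"
```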
Using Multiple Weapons To Fight Spam
To stop WordPress comment spam, it’s possible to use multiple weapons at the same time. For example, we’ve successfully tested running Akismet, WordPress Zero Spam, and Comment Blacklist Manager at the same time. However, by itself WordPress Zero Spam was 100% effective in all of our tests, so adding additional plugins to the mix didn’t appear to help in stopping spam from reaching the WordPress dashboard.
As a general rule, we recommend the approach of adding additional spam fighting weapons as needed based on the spam your site receives. If WordPress Zero Spam isn’t 100% effective, add Comment Blacklist Manager to your mix. Take note of words in your spam comments and look for them on the blacklist. If they’re already there, the plugin will help immediately; if they’re not, simply add them to your Local Blacklist. Finally, if spam remains a problem, go the further step and add Akismet protection. Alternately, if you start out with Akismet and find it missing a lot of spam, add WordPress Zero Spam to see if it helps.
Review Your WordPress Discussion Settings
In addition to using plugins to combat spam comments, it’s important to review the settings you’ve made on how comments are handled on your site. For the default settings and behavior that apply to your site overall, visit Settings->Discussion in your WordPress dashboard.
The checkboxes in the first and last groups, under Default article settings and Before a comment appears, respectively, are important for controlling comments generally. You can consider manually approving all comments if your comment activity is relatively light, or take a less strict stance requiring that a comment author have a previously approved comment (i.e., subsequent comments from the same author will appear automatically).
You can override your site’s default settings on individual posts or pages for even more control.
Trackbacks and Pingbacks
Some webmasters observe something that’s unexpected in their comment streams: trackbacks and pingbacks. When they’re real, both are notifications to your site that another site has linked to your content. Trackbacks are from older, legacy content management systems; pingbacks are typically from other WordPress-powered sites. Pingbacks use XML-RPC while trackbacks use HTTP POST, and that’s an important distinction in a spam discussion. It’s easier to make a fake HTTP POST request, and that explains why trackback spam is common on WordPress sites. Fake pingbacks are very rare, so much so that we can’t recall the last time we saw one. Our spam fighting recommendations in this article will address trackback spam.
Sometimes, you can appear to spam yourself by creating what’s known as a self-ping. This occurs when you have pingbacks enabled and you link to your own content using an absolute URL. To disable self-pings, simply use a root-relative URL as described in our article on relative URLs.
Things We Don’t Recommend
There are some things we specifically recommend you don’t do in an effort to stop comment spam.
We’re not fans of putting a CAPTCHA on your comment form. A CAPTCHA is a type of challenge/response that is sometimes used to reduce spam. The big problem is that a CAPTCHA makes commenting more difficult for all commenters, including legitimate ones. Since there are viable ways to reduce or stop comment spam without creating problems for real commenters, it doesn’t make sense to use a CAPTCHA on a comment form.
We also don’t recommend restricting comments to registered users. While that will reduce the number of spam comments your site receives, it will also virtually wipe out comments entirely. If you’re going to effectively kill comments on your site by requiring registration, disable commenting altogether and spare your site the work of presenting a comment form in the first place.
Fighting Spam Is a War That Won’t Be Over Any Time Soon
We’ve outlined our best recommendations for fighting WordPress comment spam. Let’s douse those recommendations with some realism. While the approaches we’ve identified are effective at significantly reducing and in some cases eliminating comment spam, no approach is perfect. As our recommendations change, we’ll update this post accordingly.
Spammers try to circumvent the blocks put in place by talented plugin developers. Those developers spend late nights developing new tools to create better blocking mechanisms. This war is not going to be over any time soon.