Steve Taylor photo

WordPress hacks and tips: Spam

a can of spam Spam is the bane of bloggers. The internet may yet be rendered close to useless thanks to the deadly combination of the low-cost, high-volume mechanized advertizing it facilitates and our culture’s emphasis on consumption and competition.

Still, we’re not going to make it easy for them.

Built-in tools

Of course, WordPress has some good methods of preventing your comments from filling up with bogus comments linking to dodgy pharmaceutical sites built into the core—look under Settings > Discussion.

Allow link notifications from other blogs (pingbacks and trackbacks.)
Not many people use trackbacks, and they come with their own, very popular form of spam. Unless you really need trackbacks, disable this.
Comment author must fill out name and e-mail
This is a must, make sure it’s checked.
Users must be registered and logged in to comment
A pretty effective way of reducing spam! However, only sites with a relatively dedicated readership can afford to force people to register. If you go for it, make sure you have some spam protection on the registration form, such as SI CAPTCHA (see below).
Automatically close comments on articles older than [n] days
If you rarely get good discussions on old posts, enable this and set the days cut-off according to your sense of a post’s lifespan on your blog.
An administrator must always approve the comment
Effective, but potentially time-consuming! Not usually worthwhile.
Comment author must have a previously approved comment
Always have this checked. It will let someone’s comment straight through if they’ve commented before (the system compares email addresses). Good for keeping discussions lively even when you’re not around to approve comments.
Hold a comment in the queue if it contains [n] or more links.
Set to 2 by default; probably a good measure. Note: Don’t set this to zero or leave it blank—this will send all comments to moderation. There’s no real point in disabling it by setting it to something like 1000 (what legitimate commenter would include 1000 links?). To loosen the setting, just up it to 5 or so.
Comment moderation / blacklist words
This is a pretty powerful feature. Various keyword “blacklists” can be found (e.g. on the Codex) to paste into these boxes. I’ve not used these extensively, but probably worth exploring.


Almost “built-in”, this plugin comes with WordPress and just needs to be activated to work. Actually, you also need to get a account and grab the API key from your profile there, too. Akismet includes full instructions. Akismet sends comments off to its server and flags suspects as spam. There’s the danger of “false positives” of course, but the system seems quite accurate, and provides good tools for monitoring things just in case. Akismet might work for you alone; however, many people recommend using it in combination with another method.
A good CAPTCHA plugin, for comment and/or registration forms. CAPTCHAs are those images of squiggly letters you’re asked to type out. They provide a certain amount of protection, but are regularly broken by bots and low-paid humans.
This is genius in theory, and pretty good in practice. It’s a CAPTCHA system that uses doubtful words from projects that are digitizing written works. Spam gets stopped, and OCR efforts are helped. Like all CAPTCHAs, it’s not water-tight, but making this part of your anti-spam arsenal does some good as well as stopping some bad.
A formidable “Swiss Army knife” for WP forms. Includes CAPTCHA and Verification Question options, and the option to use the plugin to generate the comment form (and hence include a CAPTCHA on the comment form)—though this can be a little fiddly.
Bad Behavior
I used to use this plugin regularly. It analyzes requests to the server and blocks those thought to be spamming attempts—in theory, this has the advantage that it saves you server load as well as preventing successful spam hits. I stopped using it after a series of problems where it started giving false positives a lot, blocking my clients from their sites. However, it seems to be still going strong, so they may have ironed this kind of thing out. They still, however (as with most spam-prevention plugins) recommend using it in combination with something else.

Block attempted comments without a referrer

Thanks to WpRecipes for this. I’ve just started using it, and it seems to be effective. It basically blocks requests where there’s no apparent referrer in evidence. Pop it into functions.php, or use the .htaccess version in the original post.

function check_referrer() {
	if ( !isset($_SERVER['HTTP_REFERER']) || $_SERVER['HTTP_REFERER'] == "" ) {
		wp_die( __('Please enable referrers in your browser.') );
add_action( 'check_comment_flood', 'check_referrer' );

Referrer blacklisting

Jeff Starr has an interesting piece on blocking “referrer spam”. If you do decide to follow his lead, please take care to read his disclaimer at the end of the post!

References and further reading


  1. Jesse avatar Jesse

    good tips although I think it’s being a little dramatic to say the internet will be rendered useless, perhaps it was just a joke.

  2. @Jesse, I guess it was an exaggeration to make a point. It’s demonstrably less useful because of spam.

  3. Jason avatar Jason

    Internet is far from being useless. Actually, it’s the opposite that is going on. Thanks for sharing the useful plug-ins though.

    Jason Good
    “Learn foods to avoid with IBS”

    [Link removed. Need I say more? ;-) SLT. ]

Comments are closed.