Top 10 ways to stop spam in WordPress

Spam is a nuisance, and as bloggers, we have all experienced a flood of spam every now and then. Not only is it a pain, but it can slow down your blog and use up your resources. In this post we'll look at ten ways to combat spam.

Guest post by Alex Denning, a Twitter fan who runs, where he blogs about WordPress tips, tricks and hacks.

1. Install Akismet

This is the simple one that everyone does. Akismet comes bundled with WordPress by default and does a good job of picking up spam – for the average blogger, install Akismet and your spam problems will be sorted. The trouble is though, it just stops spam getting displayed, it doesn’t get to the root of the problem. That’s where this post comes in. We’ll start with some simple methods of stopping spam being displayed and then we’ll move onto stopping the spammers getting on your site in the first place.


The reCAPTCHA plugin is one you’ve probably seen around on sites such as Facebook, Twitter and StumbleUpon. It isn’t just your average CAPTCHA (an image containing some letters that are designed so only humans can read them), it uses words from old books, so every time you enter a reCAPTCHA, you’re helping digitise books. At this point, you’re probably thinking but if I’m telling it what the words mean, does that mean I can enter anything? How does that stop spammers? The answer is simple – there are two words, one of which the CAPTCHA knows. The second, it doesn’t and you’re helping digitise it.

The plugin is simple to install, in 2.7+, just do a search for WP-reCAPTCHA and click install. You’ll need a key for the plugin to work, which you can get here. After you’ve done that, reCAPTCHA should appear on your comments’ page.

3. Ask your readers to do 1+1

The second plugin that we’re going to look at as a way of stopping spam being displaued is the ‘Math Comment Spam Protection‘ plugin. Using it, you can add a field to your blog’s comment box with a simple maths (or ‘math’ as they say in the States) question.

I’m not going to go into installing it here as there’s a comprehensive installation guide on the plugin’s website. You can see it in action on WordPress Hacks (image above).

4. Stop spam trackbacks

The final plugin that we’re going to look at is one by the same author who made the plugin above. The ‘Simple Trackback Validation‘ plugin checks if the IP address of the sender of the trackback is the same as the IP address that the trackback URL refers to, thus eliminating [lots]% of trackback spam as spammers won’t use bots running on infected machines. As the plugin’s page says, the plugin also “retrieves the web page located at the URL included in the trackback. If the page doesn’t a link to your blog, the trackback is considered to be spam. Since most trackback spammers do not set up custom web pages linking to the blogs they attack, this simple test will quickly reveal illegitimate trackbacks. Also, bloggers can be stopped abusing trackback by sending trackbacks with their blog software or webservices without having a link to the post.”

Like the ‘Math Comment Spam Protection’ plugin, there’s an installation guide on the plugin’s homepage.

5. Make users login to comment

This is something that probably won’t be a good idea for the majority of bloggers, but it will stop spam – make users login to be able to leave a comment and spammers will be stopped from commenting, but so will one time visitors. Just keep that in mind.

Under ‘Settings’. click ‘Discussion’ and then tick the box ‘Users must be registered and logged in to comment’. Then save changes and you’re done.

6. Ban spammers by IP

Now that we’ve stopped spam being displayed with the tips above, we’re going to move on to blocking spammers getting on your site in the first place. Something we’re going to be using extensively is the .htaccess file. A basic introduction that you should read first is here, and remember the golden rule of .htaccess – always have a backup. Further .htaccess reading is available here on CatsWhoCode and my own blog, WPShout.

In most situations, this tip wouldn’t be too much of a good idea; spammers will fake often their IP, but if there is one IP that is particularly bugging you, then the code below will block them from visiting your site – instert it into your .htaccess file in your blog’s root, changing the second line to include the IP that you wish to ban.

Order allow,deny
Deny from 100.100.100.
Allow from all


7. Ban spammers by IP, on a massive scale

You’ve blocked a single spammer. Well done. Now, with help from Perishable Press, you can block thousands of spammers – Jeff from Perishable has compiled a number of blacklists, from which you can pick and choose which you want to implement into your .htaccess file. The latest blacklists, the ‘fourth generation’ can be accessed below:

8. Deny comment posting to no referrer requests

Another .htaccess trick and the final comment spam stopping technique we’re going to look at is denying comment posting to no referrer requests – in other words, if the comment isn’t actually coming from your site, then it gets blocked. Make sure you change the url in line four to your blog.

RewriteEngine On
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.** [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

Source – WordPress Recipes.

9. Stop content theives

Spammers don’t just limit themselves to spamming your comments – often they’ll steal your content too. This next trick will stop spammers who steal your content via RSS. Once you’ve found a site stealing your content, first thing to do is find out the site’s IP address. A search for ‘ping [site name, ie]’ should give you a result. Once you’ve got that, head over to the offending site and find their RSS feed. Then, open up your .htaccess file and add the following lines:

RewriteEngine on
RewriteCond %{REMOTE_ADDR} ^
RewriteRule ^(.*)$

Change the IP in line two with the IP of the offending site and the url in line three with the offending site’s feed.

Source – WPShout/ SEO Black Hat

10. Stop spammers stealing your images

Now that we’ve stopped spammers from stealing your content via RSS, now it is time to combat those who just copy and paste your articles onto their site. Yes, this isn’t technically stopping spam, but it is helping combat the spammers.

You’ve got two options if people are hotlinking your images – watermark or .htaccess. We’ll look at both, and I’ll leave you to decide which is better. First up, watermarking. The foolproof method is to watermark your images before you upload them, which you can do with some simple software – FastStone Photo Resizer is a great tool that I’d thoroughly recommend. What’s more, it’s free! The second option is to install phpThumb and create a shortcode that resizes and watermarks your image. Copy and paste the following code into your functions.php file, having uploaded phpThumb to your theme’s folder, uploaded a watermark and changed the URLs. You can also change the width that images will be resized to (it’s currently 590).

<?php function imageresizer( $atts, $content = null ) {
return '<img src="/THEMEURL/phpthumb/phpThumb.php?src=' . $content . '&w=590&amp;fltr[]=wmi|/images/watermark.gif|BR"  alt="">';
add_shortcode('img', 'imageresizer'); ?>

With the code integrated, now when uploading a picture, upload it in the normal way, then go into HTML mode and copy the image url, then delete the image and then paste the image URL between [img] and [/img].

Of course, you can also easily disable hotlinking by going into your .htaccess file and pasting the following (changing lines three and five – five will display and alternate image – send it to something blank, or perhaps an ad for your site?):

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$ [NC]
#RewriteRule \.(gif|jpg)$ - [F]
RewriteRule \.(gif|jpg)$ [R,L]


Wrapping up

So there we are. Ten lovely ways to stop spam in WordPress, in roughly 1323 words. Got any tips to share? Leave a comment below, of course!

  • I think Akismet is pretty much all you need.

    • Hello,

      I don’t agree i think that a few of the above methods are more than needed in today’s world i put my blog back online after 6 months of down time and i am getting 200% more spam than i ever did before even with askimet enabled.


  • Known most of them.

    Nice post!


  • Jax


    Though most of them are known people ignore it during wordpress setup. I have seen many of client event activated Akismet. I am pretty much sure that Alex’s effort will encourage bloggers to use these tricks.

  • Useful post, I’ll try it.

    Thanks 🙂

  • Pingback: Top 10 ways to stop spam in WordPress | Webs Developer()

  • I’m off to implement number 9 right now. Recently discovered a relentless scraper stealing entire articles and removing all links. The worst kind of scum!

  • #9 is a great idea – wish I’d known that a couple of months back 😉

    I have a couple of ideas to add –
    install Bad Behavior: it complements Akismet beautifully and stops spammers before they actually get to leave the comment, so you don’t have hundreds of spam comments to scan for the odd false positive.

    And also Comment Timeout – I find most spammers leave comments on older posts, so closing comments after a couple of weeks or a few days after the last comment on a thread also reduces the potential for spam.

  • Good “stop spam” tips never go out of fashion. Many new bloggers struggle with spam and just putting a couple of the tips on list into use goes a long way. Start with Akismet, that’s a given and continue with the simple trackback validation plugin. I’m running the Hashcash along with those and these three have worked wonders for me so far. I’ll get around ip blocking and .htaccess hacks if things start to go out of control.

  • @Jeff – Kyle Eslick said to me a while back that he didn’t mind people scraping as he saw it as flattering that they see the content of his blog good enough to scrape!

  • Please see and use the AntispamBee – a simple, anonymous and registration-free antispam plugin for WordPress

  • Pingback: Top 10 ways to stop spam in WordPress | wpden()

  • useful tips, Thanks!

  • Great post! 🙂

  • Pingback: Top 10 ways to stop spam in WordPress | Neorack Script()

  • I have found the simplest way to stop spam, and one which also adds a useful feature which should be part of WordPress already, is simply to install a preview plugin and require all users to preview their comments before posting. Thus, once a comment is written, the only button available is Preview rather than Post/Submit—the latter only becomes available once the preview is displayed. It works a charm, and it’s really helpful for getting people to take a second to think about what they’re writing, and check it for obvious errors, too.

  • Pingback: Daily David -

  • Just install Akismet and you’re done. Recaptcha is good, but I think that is not very user friendly, consider a blog targeting kids, they’ll find the captcha a bit hard.

  • Pingback: Top 10 ways to stop spam in WordPress | Squico()

  • Pingback: 10 ways to stop spam in wordpress | Squico()

  • Pingback: 晓闻心雨 » 十招阻止WordPress中的垃圾评论()

  • Stop Spam Tackbacks is useful. There are a lot of spam trackbacks on my site. May want to give this a try.

  • I always thought Akismet is all you need. Thanks for these useful tips

  • Akismet, captchas, IP blocks and mandatory login?.. This post should be called “How to stop comments forever”. Bots won’t care, but harassed readers will.

  • Thanks for the post, I found using Akismet cuts down spam quite a bit but isn’t 100%, and won’t help with things like content stealing so it’s good to have a few more things in the arsenal.

  • Pingback: links for 2009-09-01 | Links | WereWP()

  • I use Akismet you also have some nice tip that I hadn’t really come across (not very techie me)

  • I installed AntiSpam Bee and been using it for months. No annoying captcha, no manual moderation, it simply works in eliminating automated spam comments 🙂

    My review about it here

    But of course 1-2 spam will still go through but that’s when Akismet comes in 🙂

  • I also use AntiSpam Bee because Aksimet alone does not block enough spam and I do not like captchas.

  • Its been a common concern observed in most of the bloggers.Spam is one of the factors thats been a worry to all. This is a useful article for most of the bloggers.But, Akismet as you said is not that effective as per my experience.I still receive ample spams on a regular basis.
    Is there a better alternative known to you?

    Anyways, I must appreciate the efforts you have taken for the nice write up.Thanks again for that.

  • Pingback: Top 10 ways to stop spam in WordPress | Webs Developer()

  • Pingback: Top 10 ways to stop spam in WordPress | PHP()

  • Nice list of Spam protection plugins for WP. I think, the most use among the list is Akismet, reCAPTCHA and Math comment spam protection. However, I’ve read before that Akismet isn’t that effective, but still useful in some cases.

  • Excellent post. I am not a big fan of the captcha usage as it tends to reduce comments. I should try the htaccess methods as scraping of my feed is increasing day by day.

  • Pingback: Top 10 ways to stop spam in WordPress | Miscellaneous ~ Knoxville Website Design()

  • Thanks for the tips, but I don’t quite agree with 2, 3 and 5 because these also get in the way of real commenters, and may reduce the number of legitimate comments that you get.

  • Pingback: Colección de recursos imprescindibles para WordPress | Trazos Web()

  • Pingback: Top 10 Ways to Stop Spam in WordPress | Choose Daily()

  • hat

    great recommendation for the tips. I will do it on my web.

  • MTG

    Thanks for this list. I use NoSpamNX in my site which is pretty good at blocking.

  • Nice article. Akismet and the math questions get rid of 99.9% of spam, in my experience. It also helps if you set your blog to manually approve comments, though that takes more time to manage.

  • Rwh

    Hey Alex,

    Extremely useful and informative post. I will certainly apply most of it. Many tips that you mentioned in your post are new to me, and incorporating them will definitely prove helpful in preventing spams. thanks a lot for this wonderful compilation…

  • Pingback: Антиспам в WordPress | Бузочок()

  • Loy

    I use only Akismet for stopping spam. I used Captcha plugins before but I think it discourages commenting. Some captcha are too hard to read!

  • These are great ways if you have an already active blog, but for people just starting out their blog, you might be discouraging initial activity on your site. Of course, the smaller the blog, the less spam you get, so I guess it just scales at the end of it all.

  • Thanks for the tips, but I don’t quite agree with 2, 3 and 5 because these also get in the way of real commenters, and may reduce the number of legitimate comments that you get.

  • Awesome article. Akismet is a really helpful tool.

  • Pingback: Weekly Fave’s | --> New way to graphic()

  • Great tips especially for newbies like me. I will keep this in mind and use it in my site. Thanks.

  • Having worked with WP a long time my opinion is more or less that 1. is enough. Even though it saves the spam (for a time) it keeps it out of my comment boxes. I love the day I discovered Akismet.

  • Useful and informative tips as always!

  • Hey, thanks for these tips. I have several blogs that are getting loads of icky spam comments every day. Its the same people sending the same messages. They seem to think that if they keep sending them, I will just give in and approve them or something lol. I’m definitely going to try these, thanks 🙂

  • sam

    reCAPTCHA is the best by far, imho. Had some serious spam issues on one of my older sites, and all I knew of was to hold the comments until I`d moderated them. Was a real pain in the butt, I must say, I had to look over ALL the comments because maybe 2 or 3 of the 50-100 were actual comments, and good ones. reCAPTCHA really made it all easier for me..

  • Great list of plugins to stop spam but i personally use the Akismet and It’s the best plugin to stop spam for me. Really helped me stop spams in my blog. Akismet knows how to identify a spam from not a spam.

  • This is the EXACT thing I`m looking for! I`ve got a site that`s been up for only a few weeks, and spam has already become a major problem. I have noe idea how they do it, but I keep getting spam comments that`s gotta be automated. What, do they use a program to find new websites or something? Cuz I wouldn`t have put my link on my site, I still have a big fat zero in PR.

  • Love it. Especially #9 and #10. Nice to have SOMETHING you can try to do and protect what is being stolen.

    That being said, if you publish your feed via Feedburner, #9 isn’t really going to work is it?

  • Nice list but I think Akismet is alone enough for spam comments.

  • Pingback: 20+ Powerful Wordpress Security Plugins and Some Tips and Tricks : Speckyboy Design Magazine()

  • Pingback: 20+ Powerful Wordpress Security Plugins and Some Tips and Tricks — rogdykker()

  • Pingback: Favorite Wordpress Plugins for Controlling Spam()

  • Pingback: How To Fight Content Theft – Being A Freelancer – Freelance Writing Blog | ArcticLlama Freelancing Blog()

  • That was a useful list of tricks.I feel comment moderation will also be a useful trick to stop spamming. I have found it useful.

  • Pingback: 20+ Powerful Wordpress Security Plugins and Some Tips and Tricks | Downrex()

  • Thanks for the great resource. I’ve used Akismet and reCaptcha but your other suggestion will definitely come in handy.

  • Pingback: 20+ Powerful Wordpress Security Plugins and Some Tips and Tricks()

  • Pingback: spam i engellemenin 10 yolu ingilizce: h… « wiki.laroouse()

  • New to wordpress – Great article!

  • Pingback: Top Articles On The Web Design Billboard In September’09 | Showcases | instantShift()

  • Pingback: Top Articles On The Web Design Billboard In September’09 | KolayOnline()

  • Pingback: 24 Helpful Wordpress Security Plugins and Some Tips and Tricks | Cosmos Blog -- Internet News,Life,Culture,Polices,Resource,Make Money()

  • Pingback: Tujuh Cara Melawan Spam di Wordpress | Tarqy dot Com()

  • Pingback: Le top 10 des astuces anti-spam pour Wordpress » Inside da web()

  • Math Comment Spam Protection & Simple Trackback Validation really keep the spammers away. Unfortunately the server on which my new blog is hosted doesn’t support them and the technicians are still working at it.
    Beware of Perishable Press’s list. You could end up blocking legit visitors to your blog.

  • Pingback: What should (or shouldn’t) I do to stop spam on my blog? – All kind of stuff around the web()

  • Pingback: WordPress Security Guide | Using social media to guide and help you connect to social networks: Twitter, Facebook, Google, LinkedIn, YouTube using social media()

  • Nice post thanks for the tips some extra one that were new to me

  • Unfortunately, two of the described plugins had their last update about 10 years ago, tested for WordPress 2.2.2.

    Are they still being maintained?


  • Thanks for the article.
    It really helped me out, as I was getting 20+ spams.
    with Akinet and reCAPTCHA should be enough to prevent them, rigth?

  • ali

    l like the article, need to try all that see if it works 🙂 but l know that works good for comments

  • Pingback: How to stop spam in WordPress » Wordpress Themes()

  • It’s like the cops and robbers. As the cops get smarter and invent new things to catch the bad guys, the bad guys reinvent ways to get around the cops. I really hope the war on SPAM is over soon but then again, a lot of people would lose alot of money if SPAM completely vanished.

  • Pingback: 10 maneras de evitar el SPAM en WordPress | Craftyman Blog()

  • Strange notice about reCaptcha – sometimes when you enter not valid letters (1 or 2) – script still thinks you are not the bot.
    (not tested with with 3 or more mistaken letters)

  • Pingback: More Precautions, Less CAPTCHA - Some CAPTCHA Alternatives - QuestionBin - Intelligent Answers for Smart Questions::Blog comment()

  • Thanx for sharing this info on spammers. I forgot all about akismet. Hopefully, all I need to do is activate that plugin and put in the API…

  • Would it make a difference to the content that has already be lifted, or would it just prevent them from using your rss feed to steal content in the future? You cans also set the number of times someone has to comment before a link is added with the linkylove plugin.

  • Great article. have you ever thought of adding more images to keep us readers more interested just in case we’re visual learners? Just my two cents. I’ve added you on my blogroll.

  • Just by activating Akismet reduces my spam to almost zero. I just wish the API key was provided when wordpress installs!!

  • Pingback: 20+ Powerful Wordpress Security Plugins and Some Tips and Tricks | Coyot [at] : Plugins()

  • Askimet is a must plugin for every wordpress blog. In addition one can use math comment or re-captcha plugin to avoid spam.

  • Pingback: WordPress Security – A Comprehensive Guide | BloggingPro()

  • Pingback: Astuces anti-spam pour Wordpress - Faiçal Le Presque Direct()

  • This is very informative. I’ve been using some of these apps like Akismet and reCaptcha and they have been very helpful in reducing spam.

  • The only problem I have found with Askimet is that when I have updated my wordpress via the auto update method (in admin) the key does not seem to work anymore. I had to get a new one – bizzarre??

  • Akismet combined with any other addon works great !

  • I’m using Askimet and Math comment, they lowered spams almost to zero!
    My website is pretty new, so i don’t propose registration yet but the day i start, I will use reCaptcha for sure!

  • Hi again,

    Just one thing! your link for “match comment spam protection” is broken !!!

  • Thank you for this information. My blog has only been up for a couple of months and I am already getting 15-20 spam comments per day. I will definitely set up some of your ideas to try to reduce the number I get.

  • I do agree with many that Akismet does its job well. I get ZERO false positives from it. But stealing images is a major worry and it takes a lot of bandwidth.

    So will definitely use that piece of code on my blog.

    thanks for the useful post;

  • There is another easy way to stop spam, just remove information from meta about wordpress as a content generator… and most of spambots will not recognise your blog as a WP, will leave it. + Akismet = Good protection 😉

  • I was so elated when I found this article when I did a search on “comment spamming.” Having this know-how tidbit has helped me arm my blog against those sniveling little spam buggers. Thank you for sharing this. Yours, Jae Smith ♥♥

  • some good tips. if i use facebook comment system, is there any chance to spam?

    • I am using facebook comment but still get spammed with a number of comments. How are they able to comment, when the default wordpress comment box is not visible on the website.

  • An excellent collection of suggestions. Have set this article in my favorites !! Thanks for sharing.

  • Very detailed tips for bloggers who have encountered incidents like this. Thanks for posting.

  • Hello, I havent tried all of these combined, but what I notice is that reCaptcha from time to time seems to be won by spammers which are able to go foward and post spam any way.
    You have a great set of usefull tips, thanks a lot!

  • I added number 5 to my site. Making guest register and log in to post. Thanks!

  • I used to get more that 100 spam comments and now its no more. Thanks to reCAPTCHA plugin, its real good ..;) I must thanks the author wrote the lovely piece of article. Once again keep doing the good work.

  • Alex

    The best plugin for WP with antispam Tsleantalk it. It automatically checks all the comments and do not miss them. Plug-in eliminates the CAPTCHAs and other methods of communication hinder the visitor on the site. You can post messages without pre-moderation. The visitor will immediately see your comments on this site. Automatic publishing can increase traffic to your blog to 20% due to the publication of articles relevant blog comments, attracting additional traffic on the comments and improve ease of commenting on the blog.

  • Alex

    Sorry, misspellings module CleanTalk

  • I am receiving lots of spam traffic these days causing major unwanted load on my server. Any suggestions to fight this spam traffic?

  • Tommie Todd

    Spam is a thing which nobody likes, as a blogger or website owner we often see them. It is an annoyance that harms our website, also making it down slower by using our resources. It is always better to prevent your website from spam and if you are a WordPress user, then you have plenty of options to do so. There are plenty of anti-spam WordPress plugins available, just use any of them to provide security to your website. One of them which I would like to introduce is comment spam protection plug-in. I found it very effective and I am sure you will find it too.

  • Steward hale

    Interesting post.. thanks for sharing

  • Henry Willis

    WordPress was first released on May 27, 2003 and since then it has espoused so many upgrades. Initially it was just an open source blogging tool but now has turned out to be the most admirable CMS platform. The biggest reason behind this huge popularity of WordPress is hidden in its simplistic usage and available large number of predesigned themes and templates. Today, WordPress accounts 19% of all the websites. Talking about spamming on WordPress then it’s not easy for someone. It has so many utilities and methods to be protected against robots and spammers. All the points discussed here are very nice and I think all WordPress user must read it to increase their fundamental knowledge.

  • Very useful tips! Thank you!