Top 10 ways to stop spam in WordPress

by Alex Denning. 111 Comments -

Spam is a nuisance, and as bloggers, we have all experienced a flood of spam every now and then. Not only is it a pain, but it can slow down your blog and use up your resources. In this post we’ll look at ten ways to combat spam.

Guest post by Alex Denning, a Twitter fan who runs, where he blogs about WordPress tips, tricks and hacks.

1. Install Akismet

This is the simple one that everyone does. Akismet comes bundled with WordPress by default and does a good job of picking up spam – for the average blogger, install Akismet and your spam problems will be sorted. The trouble is though, it just stops spam getting displayed, it doesn’t get to the root of the problem. That’s where this post comes in. We’ll start with some simple methods of stopping spam being displayed and then we’ll move onto stopping the spammers getting on your site in the first place.


The reCAPTCHA plugin is one you’ve probably seen around on sites such as Facebook, Twitter and StumbleUpon. It isn’t just your average CAPTCHA (an image containing some letters that are designed so only humans can read them), it uses words from old books, so every time you enter a reCAPTCHA, you’re helping digitise books. At this point, you’re probably thinking but if I’m telling it what the words mean, does that mean I can enter anything? How does that stop spammers? The answer is simple – there are two words, one of which the CAPTCHA knows. The second, it doesn’t and you’re helping digitise it.

The plugin is simple to install, in 2.7+, just do a search for WP-reCAPTCHA and click install. You’ll need a key for the plugin to work, which you can get here. After you’ve done that, reCAPTCHA should appear on your comments’ page.

3. Ask your readers to do 1+1

The second plugin that we’re going to look at as a way of stopping spam being displaued is the ‘Math Comment Spam Protection‘ plugin. Using it, you can add a field to your blog’s comment box with a simple maths (or ‘math’ as they say in the States) question.

I’m not going to go into installing it here as there’s a comprehensive installation guide on the plugin’s website. You can see it in action on WordPress Hacks (image above).

4. Stop spam trackbacks

The final plugin that we’re going to look at is one by the same author who made the plugin above. The ‘Simple Trackback Validation‘ plugin checks if the IP address of the sender of the trackback is the same as the IP address that the trackback URL refers to, thus eliminating [lots]% of trackback spam as spammers won’t use bots running on infected machines. As the plugin’s page says, the plugin also “retrieves the web page located at the URL included in the trackback. If the page doesn’t a link to your blog, the trackback is considered to be spam. Since most trackback spammers do not set up custom web pages linking to the blogs they attack, this simple test will quickly reveal illegitimate trackbacks. Also, bloggers can be stopped abusing trackback by sending trackbacks with their blog software or webservices without having a link to the post.”

Like the ‘Math Comment Spam Protection’ plugin, there’s an installation guide on the plugin’s homepage.

5. Make users login to comment

This is something that probably won’t be a good idea for the majority of bloggers, but it will stop spam – make users login to be able to leave a comment and spammers will be stopped from commenting, but so will one time visitors. Just keep that in mind.

Under ‘Settings’. click ‘Discussion’ and then tick the box ‘Users must be registered and logged in to comment’. Then save changes and you’re done.

6. Ban spammers by IP

Now that we’ve stopped spam being displayed with the tips above, we’re going to move on to blocking spammers getting on your site in the first place. Something we’re going to be using extensively is the .htaccess file. A basic introduction that you should read first is here, and remember the golden rule of .htaccess – always have a backup. Further .htaccess reading is available here on CatsWhoCode and my own blog, WPShout.

In most situations, this tip wouldn’t be too much of a good idea; spammers will fake often their IP, but if there is one IP that is particularly bugging you, then the code below will block them from visiting your site – instert it into your .htaccess file in your blog’s root, changing the second line to include the IP that you wish to ban.

Order allow,deny
Deny from 100.100.100.
Allow from all


7. Ban spammers by IP, on a massive scale

You’ve blocked a single spammer. Well done. Now, with help from Perishable Press, you can block thousands of spammers – Jeff from Perishable has compiled a number of blacklists, from which you can pick and choose which you want to implement into your .htaccess file. The latest blacklists, the ‘fourth generation’ can be accessed below:

8. Deny comment posting to no referrer requests

Another .htaccess trick and the final comment spam stopping technique we’re going to look at is denying comment posting to no referrer requests – in other words, if the comment isn’t actually coming from your site, then it gets blocked. Make sure you change the url in line four to your blog.

RewriteEngine On
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.** [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

Source – WordPress Recipes.

9. Stop content theives

Spammers don’t just limit themselves to spamming your comments – often they’ll steal your content too. This next trick will stop spammers who steal your content via RSS. Once you’ve found a site stealing your content, first thing to do is find out the site’s IP address. A search for ‘ping [site name, ie]‘ should give you a result. Once you’ve got that, head over to the offending site and find their RSS feed. Then, open up your .htaccess file and add the following lines:

RewriteEngine on
RewriteCond %{REMOTE_ADDR} ^
RewriteRule ^(.*)$

Change the IP in line two with the IP of the offending site and the url in line three with the offending site’s feed.

Source - WPShout/ SEO Black Hat

10. Stop spammers stealing your images

Now that we’ve stopped spammers from stealing your content via RSS, now it is time to combat those who just copy and paste your articles onto their site. Yes, this isn’t technically stopping spam, but it is helping combat the spammers.

You’ve got two options if people are hotlinking your images – watermark or .htaccess. We’ll look at both, and I’ll leave you to decide which is better. First up, watermarking. The foolproof method is to watermark your images before you upload them, which you can do with some simple software – FastStone Photo Resizer is a great tool that I’d thoroughly recommend. What’s more, it’s free! The second option is to install phpThumb and create a shortcode that resizes and watermarks your image. Copy and paste the following code into your functions.php file, having uploaded phpThumb to your theme’s folder, uploaded a watermark and changed the URLs. You can also change the width that images will be resized to (it’s currently 590).

<?php function imageresizer( $atts, $content = null ) {
return '<img src="/THEMEURL/phpthumb/phpThumb.php?src=' . $content . '&w=590&amp;fltr[]=wmi|/images/watermark.gif|BR"  alt="">';
add_shortcode('img', 'imageresizer'); ?>

With the code integrated, now when uploading a picture, upload it in the normal way, then go into HTML mode and copy the image url, then delete the image and then paste the image URL between [img] and [/img].

Of course, you can also easily disable hotlinking by going into your .htaccess file and pasting the following (changing lines three and five – five will display and alternate image – send it to something blank, or perhaps an ad for your site?):

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$ [NC]
#RewriteRule \.(gif|jpg)$ - [F]
RewriteRule \.(gif|jpg)$ [R,L]


Wrapping up

So there we are. Ten lovely ways to stop spam in WordPress, in roughly 1323 words. Got any tips to share? Leave a comment below, of course!

Comments (111) - Leave yours

    • Richard Howell said:


      I don’t agree i think that a few of the above methods are more than needed in today’s world i put my blog back online after 6 months of down time and i am getting 200% more spam than i ever did before even with askimet enabled.


  1. Jax said:


    Though most of them are known people ignore it during wordpress setup. I have seen many of client event activated Akismet. I am pretty much sure that Alex’s effort will encourage bloggers to use these tricks.

  2. Jeff Starr said:

    I’m off to implement number 9 right now. Recently discovered a relentless scraper stealing entire articles and removing all links. The worst kind of scum!

  3. Sue Bailey said:

    #9 is a great idea – wish I’d known that a couple of months back ;-)

    I have a couple of ideas to add –
    install Bad Behavior: it complements Akismet beautifully and stops spammers before they actually get to leave the comment, so you don’t have hundreds of spam comments to scan for the odd false positive.

    And also Comment Timeout – I find most spammers leave comments on older posts, so closing comments after a couple of weeks or a few days after the last comment on a thread also reduces the potential for spam.

  4. Zemalf said:

    Good “stop spam” tips never go out of fashion. Many new bloggers struggle with spam and just putting a couple of the tips on list into use goes a long way. Start with Akismet, that’s a given and continue with the simple trackback validation plugin. I’m running the Hashcash along with those and these three have worked wonders for me so far. I’ll get around ip blocking and .htaccess hacks if things start to go out of control.

  5. Alex Denning said:

    @Jeff – Kyle Eslick said to me a while back that he didn’t mind people scraping as he saw it as flattering that they see the content of his blog good enough to scrape!

  6. D Bnonn Tennant said:

    I have found the simplest way to stop spam, and one which also adds a useful feature which should be part of WordPress already, is simply to install a preview plugin and require all users to preview their comments before posting. Thus, once a comment is written, the only button available is Preview rather than Post/Submit—the latter only becomes available once the preview is displayed. It works a charm, and it’s really helpful for getting people to take a second to think about what they’re writing, and check it for obvious errors, too.

  7. Rarst said:

    Akismet, captchas, IP blocks and mandatory login?.. This post should be called “How to stop comments forever”. Bots won’t care, but harassed readers will.

  8. Dave Sparks said:

    Thanks for the post, I found using Akismet cuts down spam quite a bit but isn’t 100%, and won’t help with things like content stealing so it’s good to have a few more things in the arsenal.

  9. Michael Aulia said:

    I installed AntiSpam Bee and been using it for months. No annoying captcha, no manual moderation, it simply works in eliminating automated spam comments :)

    My review about it here

    But of course 1-2 spam will still go through but that’s when Akismet comes in :)

  10. Saurabh said:

    Its been a common concern observed in most of the bloggers.Spam is one of the factors thats been a worry to all. This is a useful article for most of the bloggers.But, Akismet as you said is not that effective as per my experience.I still receive ample spams on a regular basis.
    Is there a better alternative known to you?

    Anyways, I must appreciate the efforts you have taken for the nice write up.Thanks again for that.

  11. Marius said:

    Nice list of Spam protection plugins for WP. I think, the most use among the list is Akismet, reCAPTCHA and Math comment spam protection. However, I’ve read before that Akismet isn’t that effective, but still useful in some cases.

  12. Ajith said:

    Excellent post. I am not a big fan of the captcha usage as it tends to reduce comments. I should try the htaccess methods as scraping of my feed is increasing day by day.

  13. Eric B. said:

    Thanks for the tips, but I don’t quite agree with 2, 3 and 5 because these also get in the way of real commenters, and may reduce the number of legitimate comments that you get.

  14. Jonathan Bennett said:

    Nice article. Akismet and the math questions get rid of 99.9% of spam, in my experience. It also helps if you set your blog to manually approve comments, though that takes more time to manage.

  15. Rwh said:

    Hey Alex,

    Extremely useful and informative post. I will certainly apply most of it. Many tips that you mentioned in your post are new to me, and incorporating them will definitely prove helpful in preventing spams. thanks a lot for this wonderful compilation…

  16. Антиспам в WordPress | Бузочок said:

    [...] Так вот, я совершенно недоумеваю зачем постоянно изобретать велосипеды, если один клёвый велик уже существует и очень [...]

  17. Loy said:

    I use only Akismet for stopping spam. I used Captcha plugins before but I think it discourages commenting. Some captcha are too hard to read!

  18. Blonde Cougar said:

    These are great ways if you have an already active blog, but for people just starting out their blog, you might be discouraging initial activity on your site. Of course, the smaller the blog, the less spam you get, so I guess it just scales at the end of it all.

  19. Alec Ramon said:

    Thanks for the tips, but I don’t quite agree with 2, 3 and 5 because these also get in the way of real commenters, and may reduce the number of legitimate comments that you get.

  20. Sace said:

    Having worked with WP a long time my opinion is more or less that 1. is enough. Even though it saves the spam (for a time) it keeps it out of my comment boxes. I love the day I discovered Akismet.

  21. Roxanne said:

    Hey, thanks for these tips. I have several blogs that are getting loads of icky spam comments every day. Its the same people sending the same messages. They seem to think that if they keep sending them, I will just give in and approve them or something lol. I’m definitely going to try these, thanks :)

  22. sam said:

    reCAPTCHA is the best by far, imho. Had some serious spam issues on one of my older sites, and all I knew of was to hold the comments until I`d moderated them. Was a real pain in the butt, I must say, I had to look over ALL the comments because maybe 2 or 3 of the 50-100 were actual comments, and good ones. reCAPTCHA really made it all easier for me..

  23. Bryan said:

    Great list of plugins to stop spam but i personally use the Akismet and It’s the best plugin to stop spam for me. Really helped me stop spams in my blog. Akismet knows how to identify a spam from not a spam.

  24. Roger said:

    This is the EXACT thing I`m looking for! I`ve got a site that`s been up for only a few weeks, and spam has already become a major problem. I have noe idea how they do it, but I keep getting spam comments that`s gotta be automated. What, do they use a program to find new websites or something? Cuz I wouldn`t have put my link on my site, I still have a big fat zero in PR.

  25. Brian said:

    Love it. Especially #9 and #10. Nice to have SOMETHING you can try to do and protect what is being stolen.

    That being said, if you publish your feed via Feedburner, #9 isn’t really going to work is it?

  26. Udegbunam Chukwudi said:

    Math Comment Spam Protection & Simple Trackback Validation really keep the spammers away. Unfortunately the server on which my new blog is hosted doesn’t support them and the technicians are still working at it.
    Beware of Perishable Press’s list. You could end up blocking legit visitors to your blog.

  27. VrmpX said:

    Thanks for the article.
    It really helped me out, as I was getting 20+ spams.
    with Akinet and reCAPTCHA should be enough to prevent them, rigth?

  28. Stacey Valentine said:

    It’s like the cops and robbers. As the cops get smarter and invent new things to catch the bad guys, the bad guys reinvent ways to get around the cops. I really hope the war on SPAM is over soon but then again, a lot of people would lose alot of money if SPAM completely vanished.

  29. Ivan Davies said:

    Would it make a difference to the content that has already be lifted, or would it just prevent them from using your rss feed to steal content in the future? You cans also set the number of times someone has to comment before a link is added with the linkylove plugin.

  30. seth travisty said:

    Great article. have you ever thought of adding more images to keep us readers more interested just in case we’re visual learners? Just my two cents. I’ve added you on my blogroll.

  31. Mark said:

    Just by activating Akismet reduces my spam to almost zero. I just wish the API key was provided when wordpress installs!!

  32. Jamie said:

    This is very informative. I’ve been using some of these apps like Akismet and reCaptcha and they have been very helpful in reducing spam.

  33. Mark said:

    The only problem I have found with Askimet is that when I have updated my wordpress via the auto update method (in admin) the key does not seem to work anymore. I had to get a new one – bizzarre??

  34. Chris said:

    I’m using Askimet and Math comment, they lowered spams almost to zero!
    My website is pretty new, so i don’t propose registration yet but the day i start, I will use reCaptcha for sure!

  35. Randy C. Brown said:

    Thank you for this information. My blog has only been up for a couple of months and I am already getting 15-20 spam comments per day. I will definitely set up some of your ideas to try to reduce the number I get.

  36. Ravi said:

    I do agree with many that Akismet does its job well. I get ZERO false positives from it. But stealing images is a major worry and it takes a lot of bandwidth.

    So will definitely use that piece of code on my blog.

    thanks for the useful post;

  37. meloniq said:

    There is another easy way to stop spam, just remove information from meta about wordpress as a content generator… and most of spambots will not recognise your blog as a WP, will leave it. + Akismet = Good protection ;)

  38. Jae Smith said:

    I was so elated when I found this article when I did a search on “comment spamming.” Having this know-how tidbit has helped me arm my blog against those sniveling little spam buggers. Thank you for sharing this. Yours, Jae Smith ♥♥

    • Piyush Jain said:

      I am using facebook comment but still get spammed with a number of comments. How are they able to comment, when the default wordpress comment box is not visible on the website.

  39. RicLops said:

    Hello, I havent tried all of these combined, but what I notice is that reCaptcha from time to time seems to be won by spammers which are able to go foward and post spam any way.
    You have a great set of usefull tips, thanks a lot!

  40. murphy said:

    I used to get more that 100 spam comments and now its no more. Thanks to reCAPTCHA plugin, its real good ..;) I must thanks the author wrote the lovely piece of article. Once again keep doing the good work.

  41. Alex said:

    The best plugin for WP with antispam Tsleantalk it. It automatically checks all the comments and do not miss them. Plug-in eliminates the CAPTCHAs and other methods of communication hinder the visitor on the site. You can post messages without pre-moderation. The visitor will immediately see your comments on this site. Automatic publishing can increase traffic to your blog to 20% due to the publication of articles relevant blog comments, attracting additional traffic on the comments and improve ease of commenting on the blog.

  42. Ansh said:

    I am receiving lots of spam traffic these days causing major unwanted load on my server. Any suggestions to fight this spam traffic?

Leave a Reply

Your email address will not be published. Required fields are marked *

Please respect the following rules: No advertising, no spam, no keyword in name field. Thank you!