How I completely NUKED all comment spam

As the senior developer at Themely I work with WordPress on a daily basis. We have over a dozen WordPress sites running on our servers for theme development, live demos and testing purposes. As you can imagine, dealing with comment spam is a major issue.

Several weeks ago, I decided to focus on completely stopping or at least significant reducing spam and hardening each of our WordPress sites. Since then I’ve been able to stop literally hundreds of daily spam comments to ZERO with just a few changes; here’s how I did it.

Configure Your Discussion Settings

One of the most underrated strengths of WordPress is its built-in anti-spam functionality. You can configure your WordPress Discussion settings to act as a powerful and effective defense against the evil forces of spam. No plugins required!

In your Admin Dashboard navigate to Settings > Discussion and make sure the following settings are checked and configured:

  • Allow people to submit comments on new posts

  • Comment author must fill out name and email

  • Automatically close comments on posts older than X days

  • Enable threaded (nested) comments X levels deep

  • Email me whenever – Anyone posts a comment

  • Email me whenever – A comment is held for moderation

  • Hold a comment in the queue if it contains 1 or more links

  • Add the following words href= https:// and http:// to the Comment Blocklist field

r/Wordpress - How I completely NUKED all comment spam
Comment Blocklist

The Comment Blocklist will send to trash any comment which contains links. Your Trash folder will slowly grow in number and you’ll want to log in and empty the trash on a regular basis (weekly, monthly or whatever you’re comfortable with).

You’ll also want to check your Trash folder for any legitimate comments, but in general, people who are genuinely commenting on your posts aren’t posting links in the comment field. So far from my experience I haven’t seen it trash any legitimate comments.

You can also choose to manually approve all comments before they’re displayed on your site. If that’s the case check the following setting: Before a comment appears – Comment must be manually approved. This is a little more labor intensive as you must log in and manually approve each comment. But it will ensure that if any spam comments slip thought the cracks, they won’t get displayed on your site.

From my experience so far, these settings have essentially eliminated all comment spam on our site.

Here’s a screenshot of our sites discussion settings:

r/Wordpress - How I completely NUKED all comment spam
r/Wordpress - How I completely NUKED all comment spam

Configuring your Discussion Settings will deal with the comment spam once it’s posted to your site, however, you also want to prevent spam comments being posted to your site in the first place. That’s why the following 2 steps are important.

Remove Website Field From Comment Form

Removing the Website (URL) field from your comment form may not have a significant impact but it will help to trip up certain spam bots and prevent them from posting a comment. I have no evidence to back up this claim but it just seems logical and it’s been working for me so far.

There are 2 ways to remove the Website field from your comment form.

Manually

Copy and paste the following code to your theme’s functions.php file or a site-specific plugin:

add_filter('comment_form_default_fields', 'unset_url_field');function unset_url_field($fields){ if(isset($fields['url'])) unset($fields['url']); return $fields;}

This code simply removes the website field from your WordPress comment form. You can visit a blog post on your website in a new incognito tab to see it in action.

Plugin

A good plugin to use is Comment Link Remove and Other Comment Tools by QuantumCloud. To install the plugin, in your Admin Dashboard, navigate to Plugins > Add New and search for Comment Link Remove.

Install and activate the plugin, and configure the plugin settings from (Settings –> CLR Settings).

Add Math Captcha to Forms

Finally, to protect our forms from spam bots we need to add a CAPTCHA field. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. In other words, CAPTCHA determines whether the user is real or a spam robot. One of the simplest and most effective forms is a Math CAPTCHA which asks users to solve a simple math equation.

r/Wordpress - How I completely NUKED all comment spam

Math CAPTCHA’s are highly effective in preventing spam bots, but they’re not perfect. Some spam does get through, which is where your Discussion Settings come into play to manage the spam comments which do get posted to your site.

This has worked quite well for our site for the last several weeks and think it could help you too.

If you have any questions let me know.

Leave a Reply

Your email address will not be published. Required fields are marked *