Stop WordPress Comment Spam


Bots often spam WordPress comments to exploit vulnerabilities or promote links for various purposes, such as SEO manipulation or spreading malware. These automated scripts target websites with open comment sections, attempting to post links and generate traffic.


Bots can post spam comments without ever loading your WordPress pages by exploiting weaknesses in the website’s comment submission process. They typically send automated requests directly to the comment submission endpoint, bypassing the user interface. This can happen when websites have weak security measures, flawed input validation, or lack proper authentication checks.

When spam bots send a large volume of requests in a short period, they can overload the server. This can lead to a Distributed Denial of Service (DDoS) attack, where the server becomes overwhelmed and unable to handle legitimate traffic. Bots may exploit vulnerabilities, initiate numerous connections, or flood the server with requests, causing it to slow down or even crash. This is when you need to look at firewalls, rate limiting, and DDoS protection measures, which can help mitigate the impact of such attacks and keep the server stable.

To stop WordPress comment spam, it’s crucial for website administrators to implement robust security practices and employ tools like CAPTCHA, comment moderation, IP filtering, and anti-spam plugins.

If you’re looking to stop the spam without using a plugin, you can try the methods below:

Using a function

Before accepting a comment on the server side, the function checks that the dynamic key (the is_legit field) is present. If the check fails, it rejects the comment. Of course, this means that users without JavaScript support will have their comments rejected.

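// Stop spammers
function preprocess_new_comment($commentdata) {
    // Reject the comment when the is_legit field is missing from the POST data
    if (!isset($_POST['is_legit'])) {
        die('Stop spamming my website please!');
    }
    return $commentdata;
}
// Register the check only when running inside WordPress
if (function_exists('add_action')) {
    add_action('preprocess_comment', 'preprocess_new_comment');
}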
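The function above only tests that a field named is_legit is present. As an added example (not code from the original post), this variant makes the key dynamic: the server issues a time-stamped HMAC bound to the post, a script printed on WordPress's comment_form hook inserts it into the form, and the preprocess_comment filter verifies it. KEY_SECRET, MIN_AGE, MAX_AGE and both function names are assumptions made for the example.

```php
<?php
// Added example (not the post's code). The secret and both time limits are assumptions.
const KEY_SECRET = 'replace-with-a-long-random-value'; // placeholder; wp_salt() could supply it
const MIN_AGE = 5;    // seconds; a form filled faster than this was not typed by a person
const MAX_AGE = 3600; // seconds; older keys are refused, which limits replay
// Issue "timestamp.hmac", bound to the post the form was rendered for.
function make_comment_key(int $post_id, int $now): string {
    return $now . '.' . hash_hmac('sha256', $post_id . '|' . $now, KEY_SECRET);
}
// True only for a key this site issued for this post, inside the time window.
function check_comment_key($key, int $post_id, int $now): bool {
    if (!is_string($key) || !preg_match('/\A(\d{1,10})\.([0-9a-f]{64})\z/', $key, $m)) {
        return false; // missing, array-valued or malformed field
    }
    $expected = hash_hmac('sha256', $post_id . '|' . $m[1], KEY_SECRET);
    if (!hash_equals($expected, $m[2])) { // constant-time comparison
        return false;
    }
    $age = $now - (int) $m[1];
    return $age >= MIN_AGE && $age <= MAX_AGE;
}
if (function_exists('add_action')) {
    // Fires inside the comment form: a script inserts the field, so only JavaScript clients send it.
    add_action('comment_form', function ($post_id) {
        printf('<script>document.currentScript.insertAdjacentHTML("afterend",'
            . '\'<input type="hidden" name="is_legit" value="%s">\');</script>',
            esc_attr(make_comment_key((int) $post_id, time())));
    });
    add_filter('preprocess_comment', function ($commentdata) {
        $key = isset($_POST['is_legit']) ? wp_unslash($_POST['is_legit']) : null;
        if (!check_comment_key($key, (int) $commentdata['comment_post_ID'], time())) {
            wp_die('Comment rejected: missing or invalid form key.', '', array('response' => 403));
        }
        return $commentdata;
    });
} else {
    // Stand-alone run (php file.php) with constructed post IDs and timestamps.
    $key = make_comment_key(42, 1700000000);
    $cases = array(
        'same post, 60 s later' => array($key, 42, 1700000060),
        'same post, 1 s later'  => array($key, 42, 1700000001),
        'same post, 2 h later'  => array($key, 42, 1700007200),
        'different post'        => array($key, 43, 1700000060),
        'static value "1"'      => array('1', 42, 1700000060),
    );
    foreach ($cases as $label => $c) {
        printf("%-24s %s\n", $label, check_comment_key($c[0], $c[1], $c[2]) ? 'accept' : 'reject');
    }
}
```

Full-page caches serve the same key to every visitor, so keep MAX_AGE longer than the cache lifetime. Trackbacks and pingbacks also pass through preprocess_comment and carry no is_legit field, so this filter, like the one above, rejects them.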


If you’re looking to catch them and send them away, to a non-existent URL in a weird domain, .htaccess can help you filter them and bounce their access before they even request a PHP thread.

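RewriteEngine On
RewriteCond %{REQUEST_URI} ^(.*)wp-comments-post\.php
# The site's own domain is missing from this line as published; your-domain\.example is a placeholder.
RewriteCond %{HTTP_REFERER} !^(.*)your-domain\.example
# The redirect target is also missing as published; the URL below is a placeholder.
RewriteRule (.*)$ http://placeholder.invalid/ [R=301,L]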

This blocks all direct hits to wp-comments-post.php, whether they use GET or POST, if they don’t come from your website: when the referrer doesn’t match your site, they are forwarded elsewhere, without overloading your server. Because the check relies on the Referer header, visitors whose browsers or privacy tools omit that header are redirected as well. It’s an aggressive approach of what recommends.

You can also take several manual steps to reduce WordPress comment spam without using a plugin:

  • Disable Comments: If you don’t require comments on your site, you can disable them globally or on specific pages and posts.
  • Moderate Comments: Set your comments to be manually approved before they appear on your site. This gives you control over what gets published.
  • Use Comment Blacklist: In the WordPress dashboard, you can create a comment blacklist. Add common spam words, URLs, or email addresses to this list, and comments containing these elements will be flagged for moderation.
  • Enable CAPTCHA: While this involves some plugin usage, you can integrate CAPTCHA into your comment form manually by adding code to your theme files.
  • Customize .htaccess: You can add rules to your .htaccess file to block certain IP addresses or limit access to your comment submission endpoint.
  • Adjust Discussion Settings: In the WordPress dashboard, go to “Settings” > “Discussion” and adjust settings like requiring registration for commenters or limiting links in comments.

Remember to regularly check your comments and adjust your strategies based on evolving spam patterns. Keep your WordPress installation, themes, and plugins updated to patch any security vulnerabilities.