Prevent Spam on Your WordPress Site

By Justin Parra

WordPress is one of the most popular and flexible open source platforms for websites.  Because of this popularity, spammers have found it to be an easy and vulnerable target for all kinds of different spamming methods.

Let's briefly cover the 3 most common types of spam you will be subjected to on a WordPress site.

Comment Spam:
Comment spam is when a comment is left on your post or page that somehow links back to a suspicious website.  The comment is usually suspiciously broad, like “Nice Post!” or “I agree”, or references something in no way related to your content.  The goal of the spammer is to raise the number of incoming links to a website or even increase the saturation of certain target keywords.  Leaving this type of spam in place, or leaving yourself vulnerable to it, can cause quite a few problems.  Your Google PageRank depends heavily on the sites you associate yourself with, so keep that in mind.

Pingback/Trackback Spam:
When you are blogging it feels great to be noticed and have someone link back to your post.  Spammers take advantage of this by creating fake links back to your post.  In turn, this “Pingback” is recorded on your page, depositing a link from the spammer.  Many people think of this as a good thing because we as bloggers are always looking for incoming links to help us move up in PageRank.  Don’t let this bite you in the rear!  It doesn’t matter if you have a million incoming links if they are all from spammers.  Delete that ugly thing because you do not want your site associated in any way with spam.

Form Spam:
With the same goal as comment spam, the spammer builds what is referred to as a “bot” (think evil Decepticon from Transformers).  The bot is programmed to search for forms and submit email spam by automatically filling out millions of forms at a time.  Becoming a victim of form spam can leave your inbox an absolute mess!


Now that we know how and why spammers work, let's do what we can to fend them off!

Akismet Plugin- Your first line of defense:

Akismet is no secret to WordPress users.  It’s only one of two default plugins in your WordPress install (The only one that actually does anything).  Despite this you wouldn’t believe how many sites I have logged in to and seen that the plugin is NOT ACTIVATED.  Yes, you have to register at and paste in your API key.  It takes an extra step but it will save you hours of daily work. I cannot stress this first step enough.  Akismet will save you from a majority of comment spam in one swoop.

Comment Timeout Plugin- For the old time bloggers:
As you write more and more articles you will notice that your archived articles are being spammed more than your fresh articles.  Often times an article can be grabbed by a spam bot and it will be difficult to release the hold of this evil little vulture!  That’s where Comment Timeout comes in.  You can set a number of days for your article to be open for commenting and then they will be disabled.

Captcha- Are you human?:

A captcha is a non-machine-readable image that makes the user verify the contents before commenting or submitting a form.  You can find plenty of plugins for this, both for commenting and for contact forms.  Captcha can verify that your user is human and not a “bot”.

WordPress Admin Settings-  Your built in spam ninja!:

WordPress has a few settings that you can tweak to make your life easy when dealing with pesky spammers.

1.  Force your users to submit their name and email before they can submit a comment.
2.  Go to the Options > Discussion panel and change your comment moderation.  Set the number of links for a comment to be held in moderation to 1.  The default is 2.  Now when someone leaves a link on a post, it is held in moderation.  Most spam contains links.
3.  In the comment moderation panel add to your spam words.  For instance, if you are getting hammered by prescription med spammers add words like, “viagara, tramadol, vicodin” to your spam list to prevent these comments and links.
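
To see what lowering the link threshold from 2 to 1 changes, here is an added example (not WordPress's own code) that models the three settings above in a simplified way and runs them over constructed sample comments. The `triage` function, its parameter names, and the rule that any http(s) URL counts as one link are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Assumption: a "link" is any http(s) URL appearing in the comment body.
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Word list taken from step 3 of the article.
WORDS = ("viagara", "tramadol", "vicodin")


@dataclass
class Comment:
    author: str
    email: str
    body: str


def triage(comment, max_links=1, spam_words=(), require_name_email=True):
    """Return (decision, reason); decision is 'reject', 'hold' or 'approve'."""
    # Setting 1: name and email must both be supplied.
    if require_name_email and not (comment.author.strip() and comment.email.strip()):
        return "reject", "missing name or email"
    # Setting 3: case-insensitive substring match against the word list.
    haystack = " ".join((comment.author, comment.email, comment.body)).lower()
    for word in spam_words:
        if word.lower() in haystack:
            return "hold", f"matched word: {word}"
    # Setting 2: hold once the number of links reaches the threshold.
    links = len(URL_RE.findall(comment.body))
    if links >= max_links:
        return "hold", f"{links} link(s), threshold {max_links}"
    return "approve", "clean"


# Constructed sample comments (not real traffic).
SAMPLES = [
    Comment("Ann", "ann@example.com", "Great write-up, the Akismet tip fixed my queue."),
    Comment("Bob", "bob@example.com", "Nice Post! http://pills.example/shop"),
    Comment("Cy", "cy@example.com", "Cheap Tramadol, no prescription needed"),
    Comment("", "", "I agree"),
    Comment("Dee", "dee@example.com", "See http://a.example and http://b.example"),
]


def run(max_links):
    """Decisions for every sample at the given link threshold."""
    return [triage(c, max_links, WORDS)[0] for c in SAMPLES]


if __name__ == "__main__":
    for threshold in (2, 1):
        print(threshold, run(threshold))
```

With the threshold at 2, the single-link "Nice Post!" comment is approved; at 1 it is held for review, which is the case the setting change is meant to catch.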

Extra Tidbits-

Use a Gmail filter: Gmail has a pretty good spam filter.  You can utilize it by forwarding your email to your Gmail account and forwarding those filtered emails to your “spam free” email account.

Replace text with an image: If you have your email address displaying on your site, make sure it is not static text.  Create the button in Photoshop and save it as a JPEG, GIF or PNG.  This will help keep your email address from being swooped up by the spam bots.

Don’t be a dummy:
Think twice before you post your email address on a forum, newsgroup, or message board.  Spammers don’t just get email addresses from thin air (Although they are working on it).

Captain Obvious: Decide carefully what your company's email addresses will be.  If you don’t have an IT staff to clean up your email mess, make sure you don’t have a corporate structure email.  For instance, or  Get creative!  admin@ or webmaster@ are all just begging to be spammed!

I hope you came out of this with a bit more insight on how to prevent WordPress spam and maybe even spam in general.  The root of spam is held in the hands of greedy humans whose ideas are constantly evolving.  As web publishers we need to be moving right along next to them with a shield to block these mischievous little creatures!




I suggest the AntispamBee plugin. It really does a good job.

Justin Parra

Thanks Sebastian! I’ll look into it.