Keeping Your WordPress Spam Free (Mostly)


WordPress is a wonderful system to work with when it comes to a great many things. Content site creation, niche blogs, personal sites/blogs, its friendliness to SEO, plus its immense coding and designing community make WordPress one of the most dynamic content management systems out there. WordPress appeals to all kinds of people online, basically anyone who needs a web presence. At the time of this writing, there are over 71,900,000 WordPress blogs written in over 120 languages, with nearly a billion page views a month for just the ones hosted at (approximately half of the nearly 72 million)! While this dynamic and widely usable nature is the core of WordPress’ success, it does present a slight problem for a lot of users:

WordPress Spam.

There isn’t a corner of the internet that isn’t affected by spam, and blog comments are certainly no exception. For spammers, automation is profit. Comment spam is not usually known for having a high rate of success, but if a spammer can make millions of attempts to get through, even a very small percentage of successful comments can be a huge return on their investment. Most blogs automatically allow public comments on all posts and pages, since this is the default comment setting for WordPress. That default acceptance of comments, coupled with the many ways to automatically detect whether a website is a WordPress blog, and the sheer number of WordPress targets available make them a prime target for spammers designing automated tools to post on websites. These tools are also very attractive to SEO spammers, since WordPress blogs cover every topic imaginable.

Spam on your website isn’t just an annoyance: it can have major implications for your SEO campaign, for your site’s overall ability to rank well, or even for whether it shows up in the SERPs at all in some cases. Letting too much spam through in the comments can clutter your pages, making it harder for search engines to identify what your page is about in the first place. Not to mention how degrading comment spam is to your site’s link power and search engine trustworthiness.

Google Webmaster Central says:

FACT: Abusing comment fields of innocent sites is a bad and risky way of getting links to your site. If you choose to do so, you are tarnishing other people’s hard work and lowering the quality of the web, transforming a potentially good resource of additional information into a list of nonsense keywords.

That warning is targeted at would-be spammers thinking about throwing their links all over the internet, but the penalties from Google aren’t limited to the sites that are pumping links out there. Websites that are drowning in comment spam also have penalties applied to their rankings, link “juice,” and results. These negative effects are amplified when the spammers start targeting your site with tarnished topics such as online gambling (e.g. “Play Poker NOW” or “Real online casino!”) or ones with a more pharmaceutical approach (e.g. male enhancement, “This mom’s 1 crazy simple trick to ______”, or other equally annoying gimmicks). If your site is fairly new or hasn’t established a good amount of trust, even a small amount of these types of spam comments can hurt your site.

How Do I Identify Spam?

What do you think of when you think of spam? Some think of a heaping pile of links, others of obscure or maybe even semi-relevant anchor texts pointing to sales pages or CPA networks, and some think of sandwiches (okay, not really the sandwiches anymore). The truth is, WordPress spam comes in many forms, some a little better cloaked than others. While some is easy to detect, due to obvious keyword promoting, link stuffing, garbled messages, or obviously spammy topics, other spam is not so easy. For instance, what if someone leaves a comment on a post that looks like this?

Spam Blog Comment

Seems harmless. No links in the comment body, and there is no apparent profiteering going on. The name field was filled with “John” and if you hover over his name, the link points to a site such as “John’s Super Cool Personal Blog” and his email doesn’t seem to be serialized in any way. This is probably not spam. However, the comment adds nothing to the content of the site, includes keywords such as “theme” and “layout” in a WordPress environment which may throw the overall context off a bit. There is a chance this is a legitimate question, and perhaps deserves an answer (new friends are always good, right?).

Now, what if that comment looked a little different?

Spam Blog Comment


This comment has an obvious red flag: the comment poster is using the name field to specify an anchor text for the URL entered under “Website” in most comment posting forms. It has the same message body, but it’s obviously spam due to the name entered and the fact that clicking it probably brings you to a spammy site centered around pharmaceutical products. Spammers rely on vague comments that could apply to any post, since the posting is done automatically, so any time you see comments that are unrelated to the specifics of your post, it’s worth looking for other red flags that the comment you’re looking at is just so much spam.

Filtering out spam by hand can be an incredibly time consuming task, though, which is why we’re going to walk you through some of the many automated options to help cut down the amount of spam you need to slog through.
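Before moving on to the plugins, here is what the red flags described above look like when written down as a simple scoring rule. This is an added example, not code from the original post or from any plugin; the word lists, the two-flag threshold and the sample comments are constructed for illustration.

```javascript
// Added example: turns the red flags discussed above into a scoring rule.
// Word lists, thresholds and sample comments are constructed assumptions.

// Topics the post calls "tarnished": gambling pitches and pharmaceutical gimmicks.
const SPAMMY_TOPICS = /\b(casino|poker|gambling|pharmac(y|eutical)|male enhancement|crazy simple trick)\b/i;
const URL_PATTERN = /https?:\/\/|www\./gi;

// Returns the red flags found in one comment. postKeywords are words specific
// to the post the comment was left on, used to judge whether it is relevant.
function flagComment(comment, postKeywords) {
  const flags = [];
  const name = comment.name.trim();
  const body = comment.body.toLowerCase();

  // Name field used as anchor text: several words, or a spammy topic, instead of a name.
  if (name.split(/\s+/).length >= 3 || SPAMMY_TOPICS.test(name)) {
    flags.push('name-field-anchor-text');
  }
  // Links dumped into the comment body.
  if ((body.match(URL_PATTERN) || []).length > 0) {
    flags.push('links-in-body');
  }
  // Spammy topic in the body or in the Website field.
  if (SPAMMY_TOPICS.test(body) || SPAMMY_TOPICS.test(comment.url)) {
    flags.push('spammy-topic');
  }
  // Vague text that could sit under any post: nothing specific to this one.
  if (!postKeywords.some((k) => body.includes(k.toLowerCase()))) {
    flags.push('unrelated-to-post');
  }
  return flags;
}

// Two or more red flags together is our (constructed) threshold for holding a comment.
function isLikelySpam(comment, postKeywords) {
  return flagComment(comment, postKeywords).length >= 2;
}

// Constructed samples modelled on the two comments discussed above, plus a genuine one.
const POST_KEYWORDS = ['akismet', 'recaptcha', 'comment spam'];
const SAMPLE_COMMENTS = [
  { name: 'John', url: 'http://example.com/johns-blog', body: 'Nice site! What theme and layout are you using?' },
  { name: 'Online Pharmacy Male Enhancement', url: 'http://example.com/cheap-pharmacy', body: 'Nice site! What theme and layout are you using?' },
  { name: 'Dana', url: '', body: 'Akismet caught most of my comment spam, but reCAPTCHA helped too.' },
];
```

The first sample trips only the relevance flag, which matches the "probably not spam, but adds nothing" verdict above; the second trips three and would be held for moderation.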

Over the Spam and Through the Bots…

To the WordPress Codex we go. As I alluded to earlier, WordPress has one of the biggest coding/plugin communities known to CMS users. For virtually anything you need WordPress to do outside of its basic functions, you just click the Add New link under Plugins right in the WordPress Admin panel, and search away.


Click on Add New under Plugins in the WordPress Admin panel. Type in a keyword or two that will help find the plugin you’re looking for. Or just type in the name of the plugin if you know it. In this case, it’s Akismet.

Be sure to click on Details to open a small window with more useful information. Once you’ve decided, click Install Now on the plugin of your choice. The plugin will download, extract and install, all automatically.

Now you can activate the addon and get going on configuring it! You can alternatively click Return to Plugin Installer to continue searching for and installing new plugins. When ready to configure them, find where the plugin gets configured (it’s different for many; check the plugin’s documentation).


So you’ve just seen how to install Akismet, and conveniently it’s the first step we should take to combating (or preventing) a spam invasion. Akismet is an anti-spam plugin that detects spam by using data collected from millions of blogs around the world. It runs dozens of checks on each comment to rule out a good chunk of all types of comment spam. Akismet is now included with most WordPress installations; however, it’s not ready to go right off the bat. Users need to register on Akismet and choose a payment plan (free is an option, and allows full use of the API for most personal bloggers) in order to receive an API key, which needs to be entered on the Akismet configuration screen in your admin panel.


First, head on over to the Akismet Registration form to sign up for free. Enter all your correct information and click ‘Continue’. You should see a confirmation screen telling you to check your email. The email will contain the API key needed to activate Akismet.

After you’ve obtained the API key from your email inbox, navigate to Plugins -> Akismet Configuration and paste the key in the top text box. Click the ‘Update Options’ button to save the configuration. Akismet will let you know if your key is entered correctly or not.

Perhaps you have a little cleanup work to do already? Now head over to your comments section in the admin panel. In the top, there will be a button that says ‘Check for Spam’. Clicking that will check your current queue for spam and mark them appropriately.

AVH First Defense Against Spam

The next component in our spam defense system is called AVH First Defense Against Spam. This plugin installs the same way as Akismet, through the search function in the Add New portion of the Plugins section within the WP admin panel. Once installed, it’s time to configure. AVH F.D.A.S. requires two API keys in order to make full use of its anti-spam features. There are three primary components to AVH F.D.A.S. that help fight spam. The first is Project Honey Pot. Second is Stop Forum Spam, and lastly is Spamhaus (which does not require an API key). All three of these networks essentially log IPs that post a great many comments or forum replies in a short amount of time and on a large scale. Project Honey Pot requires that you be an active participant in honey-potting in order to acquire an API key. Learn more about setting up a honey pot here. Stop Forum Spam is a bit easier, and only requires that you register on their forums. Once logged in you can request an API key here.


The first step to getting a Project Honey Pot API key is to register here. To request an API key, you must have an active honey pot running on any site you own (Learn more here).

Getting a Stop Forum Spam API is a two step process. First apply on the Stop Forum Spam forums, then use this form to request an API key once logged in. This service does not require you to set anything else up to get an active API key.

Finally, paste the API key(s) you obtained into the appropriate boxes within AVH F.D.A.S. -> 3rd Party Options. Configure the emailing options as you see fit, and leave the rest at their defaults (be sure to enable all three components!).

There are no further steps to take with AVH F.D.A.S. It runs autonomously in the background, and will alert you to any issues if you enabled the emailing options in the config screens. This plugin will continually monitor the activity of users on your site and reject those that have been flagged as spammers. Your normal visitors won’t know a thing, and no personal or identifying information is stored.

User Spam Remover

Our next item of interest is User Spam Remover. This plugin takes care of all of those spam accounts, should your blog be open for registration. User Spam Remover does just what the name says: it removes spam user accounts. Any accounts that were registered and have no valid activity will be cleaned out by this plugin. You can also tell it to disable email notifications for new user registrations. User Spam Remover logs all of its activity, and even provides a .sql file with all deleted accounts should you need to restore them. You can tell the plugin to only delete accounts of a certain age or older, and tell it which accounts to never delete regardless of usage (whitelisting).


Start out like always, under Plugins, click Add New. Type “User Spam Remover” in the search box and install the first result. Click on activate once it’s installed, then click your way to Users -> User Spam Remover.

On this screen, tick the first check box to enable User Spam Remover, and click ‘Save Changes’. At the top of this same screen, click ‘Remove spam/unused accounts now’ and wait for it to complete. Leave all other options set to their defaults.

Voilà! No more dusty old unused user accounts. There are no further actions to be taken. User Spam Remover will run automatically without any need for attention.

Better WordPress reCAPTCHA

Better WordPress reCAPTCHA is another plugin for WordPress that helps defeat automated spammers/bots. It places a reCAPTCHA image (similar to the one displayed on the right) in every comment form to stop bots from being able to comment. Captchas are computer generated images of warped text that only humans can accurately read. When prompted, a user must enter the characters accurately in order to proceed with posting a comment. This is a preventative measure that all bloggers should implement.


Install the plugin through the plugin installer, like usual. Search for “Better WordPress reCAPTCHA” and install the first result. Activate it once installation is complete.

You must apply for a ReCAPTCHA API key from Google. When logged into your Google account, fill out this API key request form. If you have multiple domains, be sure to tick ‘Enable this key on all domains (global key)’ when applying.

Google should have returned two keys, one public and the other private. Treat your private key like a password and share it with no one. Paste both of these in under BWP reCAPT -> General Options in their respective boxes. The default options here work well; adjust them to suit your needs if need be.

Contact Form 7 with BWP reCAPTCHA Extension

Every site has a use for custom forms. Mostly, custom forms are used to create contact forms that guests can use to send messages to the blog owner. These custom forms can also be used for free reports, informational requests, or other calls to action. Usually getting a notification from one of these forms is a good thing, and I hate it when the joy is spoiled when I discover the form was filled out by another useless spam bot. Contact Form 7 is a great tool, and is very versatile, but it works best when the BWP reCAPTCHA extension is added on to provide a spam-free way for contact forms to be used on your blog.


To get this set up properly, you need to install two plugins. First search for ‘Contact Form 7’, install the first result, and activate it after installation is complete. Return to the Add New section and search for ‘Contact Form 7 BWP reCAPTCHA Extension’, install the first result, and activate it like the rest. Contact Form 7 BWP reCAPTCHA Extension is a plugin that replaces the default captcha capabilities of the stock Contact Form 7. There is no need to enter an API key, as this just ties in to BWP reCAPTCHA, which we’ve already installed.

There will now be an additional option under the BWP reCAPT tab within the admin page labeled ‘CF7 Options’. This is where the styling of the captchas is set so they tie in nicely with your custom contact forms. Configure these as necessary once you have your contact forms live.

Now you have an excellent way for your customers/readers to communicate with you, and a little spam deterrence to go with it. Captchas are a fairly quick thing for humans to solve, and prevent a great deal of automated submissions.

Contact Form With ReCAPTCHA Example


Email Address Encoder

There’s one other area of spam that we can target in WordPress. Aside from spammers looking to get cheap backlinks, many are also looking to collect contact information. Email harvesting is the act of using automated software to crawl sites relevant to the spammer’s interests, saving any and all email addresses it finds. The spammer then uses these addresses for solicitations, which gets really annoying when you post an email address for your users to reach you and 99% of the mail it receives ends up being from spammers. That’s where Email Address Encoder comes in. This lightweight plugin converts any email addresses contained within forms, pages, blog posts, and other areas into decimal and hexadecimal HTML character entities. The email addresses remain readable to the user, but to automated crawlers the address is obfuscated, severely reducing the spam you receive when posting your email address on a public page.


The installation for Email Address Encoder is the simplest yet. In the plugin installer menu, search for ‘Email Address Encoder’ and install the first result. Activate it once it’s installed, and that’s it! Email Address Encoder requires no configuration, and doesn’t even have a configuration page.

Here is example source code showing the email link before Email Address Encoder is activated.

Here is example source code showing the email link after Email Address Encoder is activated.
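To make the before/after concrete, here is an added example (not the plugin’s own code) that performs the same kind of encoding: every character of a mailto link becomes a decimal or hexadecimal HTML character reference, and a decode step shows that a browser still renders the original address. Alternating between the two forms and the sample address are my own choices for illustration.

```javascript
// Added example, not the Email Address Encoder plugin's code: encodes an email
// link into mixed decimal/hex HTML character references and decodes it back.

// Encode every character of `text` as an HTML character reference, alternating
// decimal (&#NNN;) and hexadecimal (&#xHH;) forms (an assumption made here;
// the plugin's exact mix may differ). The browser renders it as the plain text.
function encodeForHtml(text) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    const code = text.charCodeAt(i);
    out += i % 2 === 0 ? `&#${code};` : `&#x${code.toString(16)};`;
  }
  return out;
}

// Build a complete mailto link with both the href and the visible text encoded.
function encodeMailtoLink(email) {
  return `<a href="${encodeForHtml('mailto:' + email)}">${encodeForHtml(email)}</a>`;
}

// Decode numeric character references, which is what the browser does when
// it renders the page; used here to show the round trip is lossless.
function decodeHtmlEntities(html) {
  return html.replace(/&#(x[0-9a-f]+|\d+);/gi, (_, ref) =>
    String.fromCharCode(ref[0].toLowerCase() === 'x' ? parseInt(ref.slice(1), 16) : parseInt(ref, 10)));
}

// A naive address pattern of the kind a harvester greps raw HTML with: it
// finds the address in the plain source but not in the encoded source.
const ADDRESS_PATTERN = /[\w.+-]+@[\w-]+\.[\w.]+/;
function harvestable(html) {
  return ADDRESS_PATTERN.test(html);
}

// Constructed sample address and the before/after source it produces.
const SAMPLE_EMAIL = 'editor@example.com';
const PLAIN_LINK = `<a href="mailto:${SAMPLE_EMAIL}">${SAMPLE_EMAIL}</a>`;
const ENCODED_LINK = encodeMailtoLink(SAMPLE_EMAIL);
```

Note that this only defeats harvesters that grep the raw HTML; a crawler that decodes character references the way decodeHtmlEntities does (or that renders the page) recovers the address, so treat the encoder as a spam reducer rather than a guarantee.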

Whew! That’s a lot to take in!

We’ve taken a look at identifying spam, reducing comment spam by IP monitoring, blocking comments based on certain spammy characteristics, reducing spam with the help of Google’s reCAPTCHA service. We’ve also taken a look at Contact Form 7’s reCAPTCHA extension and an email address encoder. With these seven plugins, you should see a dramatic reduction in all types of spam associated with your WordPress site. It’s important to remember that spammers are constantly evolving their tactics, so as time goes on some of them will develop workarounds for these spam-blocking techniques. We’ll be sure to keep you posted when we see it’s time to adopt some new tools to block WordPress spam.
