WordPress is a fantastic platform for creating your website, however due to it’s popularity and the fact it’s open source it can come under attack from spam if not managed correctly. We have taken a look at some ways to help reduce the amount of spam your website receives.

WARNING: Some of these tips require you to make changes to core code. Always remember to make a full backup of your site and SQL database before attempting to make these changes as errors could leave your site unusable.

1. Add a CAPTCHA test before comments can be submitted.

A CAPTCHA test is designed to find out whether the person submitting the comment is human. They are fairly common now on the web and the idea is to display a set of characters that are slightly distorted so only a human can identify the correct pass phrase. Luckily WordPress offers lots of plugins to easily add this functionality.

Captcha
SI CAPTCHA Anti-Spam
Easy Captcha
Super CAPTCHA Security Suite – One and Only 3D CAPTCHA
Confident CAPTCHA
Enmask Captcha
Blue Captcha

2. Anti-spam plugins

In addition or in place of CAPTCHA WordPress also has other anti spam plugins.

Akismet
Comments submitted are checked against Akismet’s database and spam comments are filtered automatically.

NO CAPTCHA Anti Spam
Works in the same way as Akismet.

WP Anti Spam
Increases the comment filter options from the admin area.

3. Don’t publish comments until they’ve been approved.

Ticking this box ensures comments can’t appear on the site until they’ve been approved by an administrator. You can choose to be less strict by setting an option to allow comments to appear if the person has been previously approved.

4. Keep WordPress up-to-date

Always make sure you’re using the most up-to-date release of WordPress as there are regular updates and fixes – some of these will help fight spam or fix problems which spammers where previously able to exploit.

5. Block Spammers’ IPs

If you’re receiving regular spam comments or messages from a selection IP addresses then it is possible to block any further visit from this IP. To block a spammer’s IP address you need to add the below code to your .htaccess file.

Order allow,deny
Deny from 123.123.123.123
Deny from 156.156.156.*
Deny from 189.189.*.*
Allow from all

Please note – adding a star to the IP will block any thing starting with that IP address. For example 189.189.*.* will block any IP starting with 189.189.

6. Deny Access on No Referrer Requests

Another helpful addition you can make to your .htaccess file is to add some code to block bots with no refer. When a visitor adds a comment to your site they would have been referred to the wp-comments-post.php from your blog page – spam bots often bypass this and target the wp-comments-post.php file directly. Adding the below code stops the bot from being able to do this.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*yourdomain.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]

Please note – you need to replace yourdomain.com with your actual domain name.

7. Completely disable wp-comments-post.php and wp-trackback.php scripts

This is an extreme solution and is only really useful if you don’t want to use the comments functionality of WordPress. To disable these files simply rename them via FTP or via File Manager. For example rename the file from wp-comments-post.php to wp-comments-post-blocked.php. This will mean when a bot or anyone tries to send a comment the necessary file to process it will not be found.

Please note – deleting the file will give the same result but renaming allows you to easily turn this back on. Also when updating WordPress you will need to redo the name change.