Combating Comment Spam
Comment spam is a fact of life if you have a blog. Using WordPress, you have not only solid built-in tools to prevent comment spam, there are also a wide range of comment spam protection and defense plugins and methods to choose from if you feel you need additional coverage and protection.
There is no "one size fits all" method that will protect your comments; spammers use many tactics. Consider using multiple defenses. Remember spammers change the way they attack so you must keep your choices updated.
Akismet Comment Spam Fighter
Current versions of WordPress come with Akismet installed by default. Akismet uses a unique algorithm combined with a community-created database to "learn" which comments are comment spam and which are legitimate.
Note: This plugin costs $5 a month if you make any money from your site, such as through an affiliate link, ad, or paid service.
To enable Akismet on your WordPress blog, go to the Plugins panel and activate the Plugin. You will be prompted to get an API key from Akismet.com after you sign up for a payment plan. After Akismet is activated, you'll see a menu added to the Comments Panel that holds a list of "caught" comment spam.
If comment spam gets through Akismet's net, mark it as comment spam in your Comments Panel. Do not delete it. By marking it "comment spam", the information is sent to Akismet and added to the community-created database.
Frequently, check through the caught comment spam in the Akismet Panel to look for false/negatives, legitimate comment spam that has been caught by Akismet. Mark it as Not Spam and click Despam at the bottom of the page to remove these comments from the list.
My Comments Get Caught By Akismet
Akismet learns by those who mark comment spam as comment spam and legitimate spam is despammed. If your comments are being caught by Akismet, remove them from the Akismet Panel. It might take two or three times, but it will learn and automatically not designate your comments as spam.
Commenters on your blog may have their comments caught by Akismet. If you do not regularly check your Akismet Panel, have an easy way of allowing readers to email you if their comment did not appear.
With updates to the database and major changes to the software, this process may have to be repeated.
If you continue to have problems with Akismet catching your comments or too many of your readers' comments, contact Akismet for more assistance.
Default Comment Spam Tools
The following are the default comment spam tools that come with every installation of WordPress, in addition to the Akismet WordPress Plugin.
Number of Links in Posts
To change the number of links in comment posts, which may help stop comment spammers who include dozens of links in their comment posts, you can change the setting for the number of links permitted in a comment.
Go to the Settings > Discussion panel.
Scroll down to Comment Moderation.
In the section which covers the number of links in a post, it is set to 2 by default. You could lower to one.
NOTE: Do not set this to zero or leave the field blank. It will send every comment to moderation -- not the desired effect.
If you encounter a word or phrase that is not in the Spam Words list, you can add it. You can also add the spam words found on the Spam Words list to the list that comes with your WordPress installation.
Go to the Settings > Discussion > Comment Moderation panel.
In the Spam Words textarea box, you can add additional spam words.
Added words are to be on a single line with a single line break after them with no spaces in between the words. If you include a blank line, every single comment will be moderated.
- When a comment contains any of these words in its content, name, URI, e-mail, or IP, WordPress will hold it in the moderation queue.
Included on your Settings > Discussion panel is a section called the Comment Blacklist. This is a list of words completely blacklisted from your blog.
Be very careful what you add here. If a comment matches something here it will be completely nuked and there will be no notification. These "nuked" comments will not appear on your blog, but they will remain in your database marked as [spam]. Comments that are marked as [spam] are held in your database to educate "intelligent" anti-spam plugins, such as Akismet.
Choose your blacklist words wisely!
Remember that partial words can match, so if there is any chance something here might match it would be better to put it in the moderation box. Blacklisting a word such as tramadol will automatically delete any comments containing tramadol, tramadols, bigtramadol, etc. But, blacklisting a word such as ass will automatically delete comments containing ass, asses, assistance, passionate, assumption, etc.
Moderate All Comments
Depending upon the amount of comments and control you want over comments on your WordPress site, you may want to moderate all comments on your site.
In the Settings > Discussion panel, check the box next to An administrator must approve the comment (regardless of any matches below).
Pre-approve Comments from Old Commenters
You can also set your Settings > Discussion panel options to allow previously approved comments to avoid moderation. Check Comment author must have a previously approved comment.
Restrict Comments to Registered Users
If you allow only registered users to comment, you can restrict comments to only registered users.
Go to the Settings > General panel
- Under Membership:, select Users must be registered and logged in to comment.
Inform Users When Comments are Moderated
When people submit comments, they expect them to appear on your blog immediately. Implementing comment moderation and not telling people will almost certainly result in some people repeatedly submitting the same comment as they think it has disappeared. To prevent this from happening, and to avoid disgruntled and confused readers, inform people that their comment is under review by doing the following:
If you use popup comments, edit comments-popup.php and if you do not, edit comments.php.
Look for the following code:
<p> <input name="submit" type="submit" tabindex="5" value="<?php _e("Say it!"); ?>" /> </p>
Change that to the following, adding your own customization:
<p> <blockquote> Comment moderation is in use. Please do not submit your comment twice -- it will appear shortly. </blockquote> <input name="submit" type="submit" tabindex="5" value="<?php _e("Say it!"); ?>" /> </p>
Comment Spam Hacks
The following are not recommended for average users. They involve editing WordPress core files. BACKUP your files first.
The ultimate end-all solution to your comment spam troubles. This will effectively disable comments and is good for stopping comment spam floods. No one will be able to comment on your WordPress site.
The ultimate end-all solution to your trackback spam troubles. This will effectively disable trackbacks and is good for stopping trackback spam floods. This will mean that no one will be able to trackback your posts, so do this after consideration.
Denying access with .htaccess
While drastic, you can make modifications in your .htaccess file if you are using an Apache server. Check the Internet and Apache for more information.
- Use nofollow
- The nofollow attribute is another method used to strip spammers of their page ranks. According to Google, "when Google sees the attribute (rel="nofollow") on hyperlinks, those links won't get any credit when we rank websites in our search results." Under WordPress v1.5, the nofollow attribute is automatically added to all links in the comments section.