Sadly, spam is an inevitable part of digital life. We get it in our email every day, and as website administrators and bloggers, we also get spam in our contact forms, comments and other website forms. How can we stop WordPress spam?!

Credit: Randy Glasbergen

It’s so annoying and a major waste of time to have to deal with the spam. And occasionally you get hit with a spam bomb where hundreds of spam messages get dumped on you in a single day. Every time I get spam bombed, I’m tempted to just shut off all the forms on the website.

But then how will our customers reach us without a contact form? How will we engage with our website visitors without blog comments?

Luckily there are solutions that can help. This article will share what we use and recommend to help block spammers from your website.

Add a honeypot to your website forms

A simple way of stopping spam in your contact form / any website form is to use a “honeypot”. A honeypot is a trap that adds a hidden field to your form. Human visitors can’t see the hidden field and will therefore leave it blank.

Spambots however will fill out all fields indiscriminately, including the honeypot field. This tells the form that the submitter is not human and the form will block the submission. Genius!
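A minimal version of the honeypot check described above, as an added example that is not code from any of the plugins named in this article. The field name `website_url`, the form markup and the sample submissions are assumptions made for illustration.

```python
HONEYPOT = "website_url"  # hypothetical decoy name, chosen to look like a real field

FORM_HTML = f"""<form method="post" action="/contact">
  <label>Name <input name="name" required></label>
  <label>Message <textarea name="message" required></textarea></label>
  <!-- Decoy: moved off-screen with CSS, skipped by keyboard and screen readers,
       and excluded from browser autofill so real visitors never fill it. -->
  <div style="position:absolute;left:-9999px" aria-hidden="true">
    <label>Leave this empty
      <input name="{HONEYPOT}" tabindex="-1" autocomplete="off"></label>
  </div>
  <button type="submit">Send</button>
</form>"""


def check_submission(fields):
    """Classify a parsed POST body; returns (decision, reason)."""
    # A browser that rendered FORM_HTML always sends the decoy, as an empty string.
    if HONEYPOT not in fields:
        return ("reject", "decoy field absent")
    if fields[HONEYPOT].strip():
        return ("reject", "decoy field filled")
    if not fields.get("name", "").strip() or not fields.get("message", "").strip():
        return ("reject", "required field empty")
    return ("accept", "ok")


# Constructed sample submissions (not real traffic).
SAMPLES = {
    "human": {"name": "Ann", "message": "Do you ship to Canada?", HONEYPOT: ""},
    "fill_everything_bot": {"name": "x", "message": "buy now",
                            HONEYPOT: "http://spam.example"},
    "direct_post": {"name": "y", "message": "buy now"},
}


def classify_samples():
    """Run every constructed sample through the check."""
    return {label: check_submission(fields) for label, fields in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in classify_samples().items():
        print(f"{label:20} {result}")
```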

The good news is that most WordPress form plugins automatically include an antispam honeypot feature – WPForms, Ninja Forms and Gravity Forms certainly do.

https://wordpress.org/plugins/contact-form-7-honeypot

And if you’re a Contact Form 7 user, install and activate the Contact Form 7 Honeypot plugin. You’ll get a new tag in the CF7 form generator called Honeypot. Now you can use that to add a honeypot field to your form. (Video tutorial)

Next, let’s take a look at how to secure the comments from spam.

Lock down your comment settings

Let’s start by looking at the built-in tools that WordPress has to stop comment spam. You’ll find them under Settings → Discussion.

Discussion Settings – Default article settings

Under Default article settings, you can completely disable comments if you don’t need them. That’s a surefire way to stop comment spam. The settings here apply to all content by default, but you can override them on individual posts and pages.

Another setting to consider is to Automatically close comments on old articles. Blog posts tend to get comments soon after they are published. After the first 3-6 months, the comments you get are generally spam. If you don’t mind closing comments, this is a great way to limit spam on your site.

Next, we move to Before a comment appears. We recommend that you select the “Comment author must have a previously approved comment” option. This way, you approve a commenter once and their subsequent comments are automatically approved.

Under Comment Moderation, there is a setting to automatically moderate a comment if it contains links. 2 is a good default.

Discussion Settings – Comment Moderation

Next are fields that you can fill with a blacklist of words. Any comment containing words that match the blacklist will automatically be sent to the moderation queue or trash. Jeff Starr has compiled an awesome blacklist for you to copy and paste – Custom Comment Blacklist.

And if you want to go overkill, Grant Hutchinson’s blacklist contains over 30,000 keywords and phrases – wordpress-comment-blacklist.
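A simplified model of the two Comment Moderation rules above (link threshold and word lists), as an added example that is not WordPress's own code. The word lists, sample comments, URL-counting regex and the `whole_word` switch are constructed for illustration; the example also shows that substring matching, which is how WordPress applies these lists ("press" matches "WordPress"), can hold legitimate comments once the list gets large.

```python
import re

MAX_LINKS = 2                      # threshold suggested in the article
HOLD_TERMS = ["cialis", "casino"]  # constructed sample of a moderation list
TRASH_TERMS = ["payday loan"]      # constructed sample of a trash list
# Assumption: a "link" is any distinct http(s) URL in the comment body.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def _hit(term, text, whole_word):
    """True if term occurs in text, as a substring or as a whole word."""
    if whole_word:
        return re.search(rf"\b{re.escape(term)}\b", text) is not None
    return term in text


def triage(author, content, whole_word=False):
    """Return (decision, reason); decision is "trash", "hold" or "approve"."""
    text = f"{author}\n{content}".lower()
    for term in TRASH_TERMS:
        if _hit(term, text, whole_word):
            return ("trash", f"trash-list term '{term}'")
    for term in HOLD_TERMS:
        if _hit(term, text, whole_word):
            return ("hold", f"moderation-list term '{term}'")
    links = len(set(URL_RE.findall(content)))
    if links >= MAX_LINKS:
        return ("hold", f"{links} links")
    return ("approve", "no rule matched")


# Constructed sample comments (author, content).
SAMPLES = [
    ("Ann", "Great post, thanks!"),
    ("Bob", "See http://a.example and http://b.example"),
    ("Cy", "I am a WordPress specialist, happy to help."),  # contains "cialis"
    ("Dee", "Get a payday loan today"),
]

if __name__ == "__main__":
    for author, content in SAMPLES:
        print(author, triage(author, content), triage(author, content, whole_word=True))
```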

Antispam Bee

Our top recommendation for reducing comment spam is to use the Antispam Bee plugin. We love it because:

  • It’s free and doesn’t come with ads
  • It’s lightweight and doesn’t slow down your website
  • It works without captchas so it doesn’t annoy visitors
  • Out of the box, it doesn’t rely on 3rd party services so it’s a great option for privacy-conscious website owners.
https://wordpress.org/plugins/antispam-bee

Its only drawback is that it doesn’t protect contact forms from spam. But if your forms plugin already comes with an anti-spam “honeypot”, you won’t need Antispam Bee to protect your contact forms anyway.

Antispam Bee is easy to use as well, with a single settings screen. Here are the settings we recommend:

Recommended Antispam Bee settings

In our opinion, Antispam Bee and a good comment blacklist will stop 99% of spam on your website.

Invisible reCaptcha for WordPress

This next plugin will work to prevent spam in both WordPress comments and contact forms.

Invisible reCaptcha for WordPress is a plugin that integrates with Google’s reCAPTCHA service. From the reCAPTCHA website:

reCAPTCHA is a free service that protects your website from spam and abuse. reCAPTCHA uses an advanced risk analysis engine and adaptive CAPTCHAs to keep automated software from engaging in abusive activities on your site. It does this while letting your valid users pass through with ease.

Google
https://wordpress.org/plugins/invisible-recaptcha

Once you’ve enabled reCAPTCHA and set up the plugin, it will stop spam on comments and WooCommerce product reviews, prevent spam signups to your website, as well as prevent brute force attacks on the login. It also integrates with Contact Form 7 and Gravity Forms out of the box.

This makes Invisible reCaptcha a very powerful plugin. However it does have its drawbacks as well.

  • The plugin will send details about your website visitors (IP address, browser settings, etc) to Google
  • If legitimate users get blocked by reCAPTCHA, you have no way to tell Google that the mistake has occurred. Your only option is to disable the plugin temporarily so that the website visitor can comment / register / login.

If you feel that the reward outweighs the risk, here are the steps to enabling the Invisible reCAPTCHA plugin.

  1. Create a set of reCAPTCHA keys (instructions here)
  2. Install and activate the Invisible reCAPTCHA plugin with the keys you created in step 1, then enable the modules as needed.
Invisible reCaptcha modules

Alternative: Akismet

As an alternative to the Invisible reCaptcha plugin, you can also consider Akismet, the longest serving WordPress anti-spam service. Originally created to stop comment spam, many form plugins will integrate with Akismet to check their form submissions too.

https://wordpress.org/plugins/akismet

Akismet is a product of the same people behind WordPress.com and is provided on a “pay what you want” basis for non-commercial websites, or $5/mo for commercial websites.

Read more: Sign up and integrate Akismet into your website ›

Bye Bye Spam!

Spam is a big waste of time, but by investing some time to prepare for it, you can stop spam dead in its tracks. Now what are you going to do with all that extra time?

Do you have any recommendations or advice of your own? Please share them in the comments. Questions welcome too!

P.S. If you find any of the plugins mentioned here useful, give them a rating in the plugin directory. The authors will appreciate the gesture.

About David

David has over 15 years of experience with web geekery and WordPress. That experience spans everything from creating affordable websites for small businesses, developing custom themes to optimizing WordPress sites for thousands of page views in a day. Say hi to David on Twitter at @blogjunkie.

Reader Interactions

Comments

  1. David Turner

    Hi, thank you for this, I implemented Akismet on my site and spam comments appear to have stopped abruptly. I agree that it is nice that it is possible to use such functionality for free.

  2. Eryanna

    I keep getting people, claiming to be writers, contacting me through my site’s simple contact form, asking if I accept submissions from guest authors. They typically include a link to one of their online articles. These are legit (I’ve checked these links) and, in fact, one of these contactors was a person who years ago was a writer for a magazine I was editor for (though I don’t think he knew exactly who I was when he filled out the contact form). The problem is that these people (including the guy I knew) are ignoring my very obvious instructions that are located above the contact form fields, clearly stating that I don’t accept submissions from laypeople (not in the medical field), and that if their submission doesn’t include their professional credentials, it will not be responded to. These instructions are the first thing that mobile and desktop users see when they click on “Contact.” What more can I do to discourage these contacts, if they’re ignoring obvious, easy-to-read instructions?

    • David

      Hey Eryanna, I get these too so I know how annoying they are. Unfortunately they aren’t automated bots that you can block – they’re actually filling out the form but they aren’t reading the instructions.

      Perhaps you can try hiding the submit button and even the message field until they have selected a choice. This will force them to read the options before they can fill out the form. Sort of what we have on our Contact page – https://clickwp.com/contact/

      You can add more conditional logic to make sure that required fields are filled out (e.g. medical license / credentials) before they are able to submit the form. More about conditional logic: http://shrsl.com/23ghg

  3. Tony McBride

    Another alternative is to use AI (artificial intelligence) to weed out spams. I use Ivertech Spam Free Contact (https://spamfreecontact.ivertech.com) which has AI built-in to recognize spams. I just needed to copy one line of HTML code and paste it to my site. It has Google reCAPTCHA as well. It’s surprisingly easy to set up.

  4. mark

    hello sir
    The problem is that these people (including the guy I knew) are ignoring my very obvious instructions that are located above the contact form fields, clearly stating that I don’t accept submissions from laypeople (not in the medical field), and that if their submission doesn’t include their professional credentials
