Sadly, spam is an inevitable part of digital life. We get it in our email every day, and as website administrators and bloggers, we also get spam in our contact forms, comments and other website forms. How can we stop WordPress spam?!
It’s so annoying and a major waste of time to have to deal with the spam. And occasionally you get hit with a spam bomb where hundreds of spam messages get dumped on you in a single day. Every time I get spam bombed, I’m tempted to just shut off all the forms on the website.
But then how will our customers reach us without a contact form? How will we engage with our website visitors without blog comments?
Luckily there are solutions that can help. This article will share what we use and recommend to help block spammers from your website.
Add a honeypot to your website forms
A simple way of stopping spam in your contact form / any website form is to use a “honeypot”. A honeypot is a trap that adds a hidden field to your form. Human visitors can’t see the hidden field and will therefore leave it blank.
Spambots, however, will fill out all fields indiscriminately, including the honeypot field. A filled-in honeypot tells the form that the submitter is not human, and the form will block the submission. Genius!
And if you’re a Contact Form 7 user, install and activate the Contact Form 7 Honeypot plugin. You’ll get a new tag in the CF7 form generator called Honeypot. Now you can use that to add a honeypot field to your form. (Video tutorial)
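If you build a form yourself, the same trap takes only a few lines of PHP. The small plugin below is an added example, not code from Contact Form 7 Honeypot or any other plugin named in this article; it applies the honeypot idea to the built-in WordPress comment form, and the field name "website_confirm" is a hypothetical choice.

```php
<?php
/**
 * Plugin Name: Example Comment Honeypot (illustrative, not from the article)
 */

// Hypothetical field name: something a form-filling bot is likely to populate.
const EXAMPLE_HONEYPOT_FIELD = 'website_confirm';

// 1. Print the trap after the name/email/url fields that guests see.
add_action( 'comment_form_after_fields', function () {
	// Hidden with CSS instead of type="hidden", so in the markup it looks like
	// an ordinary text input. tabindex and autocomplete keep keyboard users and
	// browser autofill out of it; aria-hidden keeps screen readers out.
	printf(
		'<p style="position:absolute;left:-9999px" aria-hidden="true">' .
		'<label for="%1$s">Leave this field empty</label>' .
		'<input type="text" id="%1$s" name="%1$s" value="" tabindex="-1" autocomplete="off">' .
		'</p>',
		esc_attr( EXAMPLE_HONEYPOT_FIELD )
	);
} );

// 2. Check the trap on the server before the comment is saved.
add_filter( 'preprocess_comment', function ( $commentdata ) {
	// Logged-in users are not shown the guest fields, so there is no trap to check.
	if ( is_user_logged_in() ) {
		return $commentdata;
	}
	// Pingbacks and trackbacks do not come from the comment form.
	$type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
	if ( '' !== $type && 'comment' !== $type ) {
		return $commentdata;
	}
	// A human leaves the field blank. Anything else (text, or an array sent
	// by a malformed request) is treated as a bot.
	$raw = isset( $_POST[ EXAMPLE_HONEYPOT_FIELD ] ) ? wp_unslash( $_POST[ EXAMPLE_HONEYPOT_FIELD ] ) : '';
	if ( ! is_string( $raw ) || '' !== trim( $raw ) ) {
		wp_die( 'Comment rejected.', 'Comment rejected', array( 'response' => 403 ) );
	}
	return $commentdata;
} );
```

The check only catches bots that fill in every field; a bot that posts without the trap field at all still passes, which is why the comment settings below are worth tightening as well.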
Next, let’s take a look at how to secure the comments from spam.
Lock down your comment settings
Let’s start by looking at the built-in tools that WordPress has to stop comment spam. You’ll find them under Settings → Discussion.
Under Default article settings, you can completely disable comments if you don’t need them. That’s a surefire way to stop comment spam. The settings here apply to all content by default, but you can override them on individual posts and pages.
Another setting to consider is to Automatically close comments on old articles. Blog posts tend to get comments soon after they are published. After the first 3-6 months, the comments you get are generally spam. If you don’t mind closing comments, this is a great way to limit spam on your site.
Next, we move to Before a comment appears. We recommend that you select the “Comment author must have a previously approved comment” option. This way, you approve a commenter once and their subsequent comments are automatically approved.
Under Comment Moderation, there is a setting to automatically hold a comment for moderation if it contains a set number of links. 2 is a good default.
Next are fields that you can fill with a blacklist of words. Any comment matching the blacklist will automatically be sent to the moderation queue or trash. Jeff Starr has compiled an awesome blacklist for you to copy and paste – Custom Comment Blacklist.
And if you want to go overkill, Grant Hutchinson’s blacklist contains over 30,000 keywords and phrases – wordpress-comment-blacklist.
Our top recommendation for reducing comment spam is to use the Antispam Bee plugin. We love it because:
- It’s free and doesn’t come with ads
- It’s lightweight and doesn’t slow down your website
- It works without captchas so it doesn’t annoy visitors
- Out of the box, it doesn’t rely on 3rd party services so it’s a great option for privacy-conscious website owners.
Its only drawback is that it doesn’t protect contact forms from spam. But if your forms plugin already comes with an anti-spam “honeypot”, you won’t need Antispam Bee to protect your contact forms anyway.
Antispam Bee is easy to use as well, with a single settings screen. Here are the settings we recommend:
In our opinion, Antispam Bee and a good comment blacklist will stop 99% of spam on your website.
Invisible reCaptcha for WordPress
This next plugin will work to prevent spam in both WordPress comments and contact forms.
Invisible reCaptcha for WordPress is a plugin that integrates with Google’s reCAPTCHA service. From the reCAPTCHA website:
“reCAPTCHA is a free service that protects your website from spam and abuse. reCAPTCHA uses an advanced risk analysis engine and adaptive CAPTCHAs to keep automated software from engaging in abusive activities on your site. It does this while letting your valid users pass through with ease.” (Google)
Once you’ve enabled reCAPTCHA and set up the plugin, it will stop spam on comments and WooCommerce product reviews, prevent spam signups to your website, and prevent brute force attacks on the login. It also integrates with Contact Form 7 and Gravity Forms out of the box.
This makes Invisible reCaptcha a very powerful plugin. However, it does have its drawbacks as well.
- The plugin will send details about your website visitors (IP address, browser settings, etc.) to Google
- If legitimate users get blocked by reCAPTCHA, you have no way to tell Google that the mistake has occurred. Your only option is to disable the plugin temporarily so that the website visitor can comment / register / login.
If you feel that the reward outweighs the risk, here are the steps to enable the Invisible reCAPTCHA plugin.
1. Create a set of reCAPTCHA keys (instructions here)
2. Install and activate the Invisible reCAPTCHA plugin with the keys you created in step 1, then enable the modules as needed.
As an alternative to the Invisible reCaptcha plugin, you can also consider Akismet, the longest serving WordPress anti-spam service. Originally created to stop comment spam, many form plugins will integrate with Akismet to check their form submissions too.
Akismet is a product of the same people behind WordPress.com and is provided on a “pay what you want” basis for non-commercial websites, or $5/mo for commercial websites.
Bye Bye Spam!
Spam is a big waste of time, but by investing some time to prepare for it, you can stop spam dead in its tracks. Now what are you going to do with all that extra time?
Do you have any recommendations or advice of your own? Please share them in the comments. Questions welcome too!
P.S. If you find any of the plugins mentioned here useful, give them a rating in the plugin directory. The authors will appreciate the gesture.