DiggingIntoWordPress

by Chris Coyier & Jeff Starr

You Don’t Need Any Plugins to Stop Comment Spam


I think one of the biggest WordPress myths is that you need a bunch of plugins to control comment spam. Pretty much all of the posts out there on preventing WordPress comment spam are telling you to install some list of “must-have” anti-spam plugins. Some authors insist that you need only a few “choice” plugins, while others advise you to load up on everything you can get your hands on. Such advice is all well-intentioned, I’m sure, but it’s all based on the assumption that plugins are actually necessary to control comment spam. They’re not. WordPress is well-equipped to handle the job all by itself. Plugins may provide additional anti-spam functionality, but they are by no means essential to running a spam-free site.

Not even Akismet..

“Sure,” you are thinking, “you don’t need any plugins except for Akismet.” I mean, you definitely need that plugin, right? After all, it’s included with WordPress, so it’s got to be important. Umm, not so much. Yes, there are certain blogs that would probably be wise to take advantage of the additional spam-protection that Akismet might provide, but for 99% of the sites out there, it really isn’t necessary.

WordPress is strong enough..

I think one of the most underrated strengths of WordPress is its built-in anti-spam functionality. With an ounce of knowledge and a pound of forethought, you can configure your WordPress Discussion settings to act as a powerful and effective defense against the evil forces of spam. No plugins required! Let’s look at WordPress’ anti-spam tools and see why they’re all you need for a spam-free site..

Default article settings
First up, consider your default article settings. If comments aren’t enabled, of course you know that you don’t need Akismet or any other anti-spam plugin for that matter. If comments are enabled, you can cut out a significant portion of spam by simply disallowing pingbacks and trackbacks. By clicking a single checkbox, all of that crap that comes rolling in as trackback spam will stop. That’s a huge step right there, and it will eliminate every plugin that has anything to do with displaying or controlling ping/trackbacks.
[ WordPress Default Comment Settings ]
Comment author must fill out name and e-mail
Another smart move, although I think most sites do this one already. By requiring your commentators to at least fill out these two fields (even if it is just dummy data most of the time), you brush off all of those lazy spammers who are picking up the easy ground fruit. Most legitimate commentators don’t mind filling in this info because they usually have something they want to say. Lazy spammers, not so much.
Users must be registered and logged in to comment
If possible given the specific goals of your site, requiring users to log in before commenting is an extremely effective way of preventing comment spam. Although requiring registration will stop a lot of legit comments as well, it is a powerful deterrent to lazy spammers and completely stops automated scripts. Sure, you may still get some trolls stinking up the place, but you would be getting those anyway. Plus, if they’re registered, it makes it easier to deal with them.
[ WordPress Comment User Settings ]
Automatically close comments on articles older than XX days
This is my favorite WordPress anti-spam feature. For a long time, we needed a plugin to get this done, but now that it is built into WordPress, everyone should be using it. Here at Digging into WordPress, we close comments on old posts after 90 days, which seems to be just about the right amount of time. Anything longer than that, and your posts begin to get targeted by spammers and automated spam scripts. Especially if your posts tend to do well and build up a lot of page rank, they will be prime targets for spam as time rolls on.
Break comments into pages with XX comments per page
This one’s not as obvious, but it is also a great way to reduce the incentive to spam your site. Spammers target strong pages for their junk, so by breaking your comments into pages of, say, 20 comments each, you get the best comments on the first page (the same page as the article), and then the typically declining-quality comments on subsequent non-ranking pages. Just make sure you are using meta canonical tags to keep the juice where it should be.
[ WordPress Comment Display Settings ]
E-mail me whenever..
Unless your site is literally flooded with comments on every post, getting email alerts for new comments is an excellent way to kill any spam nonsense that gets through. I have done this at Perishable Press for four years now, and you would be hard-pressed to find even one spam comment anywhere on the site.
[ WordPress Comment Notification Settings ]
Before a comment appears an administrator must always approve the comment
This could get kind of labor-intensive, but it is a 100%-guaranteed way of completely eliminating spam without using any plugins whatsoever. Zero. Nada. Nil. If you are one of the many millions whose blog receives fairly few comments, this method will keep your comments squeaky clean.
Comment author must have a previously approved comment
A super-effective strategy that is not as labor-intensive as moderating all comments and not as restrictive as requiring registration. The idea here is that you get a chance to “meet” each one of your commentators and leave the door open only for the good guys. This technique drastically cuts back on human spam, and virtually eliminates automated spam (unless you don’t catch it the first time).
[ WordPress Comment Approval Settings ]
Hold a comment in the queue if it contains XX or more links
Lots of comment spam is just crawling with links. A few mindless words and then BAM — they drop in a few hundred links. Some of the more subtle spammers are less obvious, but still have to unload their payload somehow, so they usually integrate a couple of links within some not-so-carefully crafted text. You know what I’m talking about. You definitely want to moderate anything with more than like two or three links. This trick is great for catching some of the craftier spam maggots.
[ WordPress Comment Link Settings ]
Comment Moderation Blacklist and Spam Blacklist
A finely tuned WordPress Blacklist eliminates the need for many types of plugins, scripts, and third-party blacklists. Any words, characters, or IP addresses included in either the Moderation or Spam Blacklist will be used to inoculate your site against any matching comments. Granted, it takes a bit of persistence to build up a good list, but once you do, it is very difficult for spammers to get around it. Note that, unless you are absolutely sure, you should probably stick with the Moderation Blacklist (regular expressions are powerful things!).
[ WordPress Comment Moderation Blacklist ]
[ WordPress Comment Spam Blacklist ]

All of these great anti-spam features are like having fifty plugins already built-in to WordPress. With them, you can configure a powerful anti-spam strategy for just about any type of site without any plugins — not even Akismet.
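
An added example, not from the original article and not WordPress's own code: a simplified Python model of how the Discussion settings described above combine into one verdict per comment. The setting names, the sample comments and the plain substring matching are assumptions made for illustration; the constructed `press` entry shows why a short term is safer in the Moderation Blacklist than in the Spam Blacklist.

```python
import re
from datetime import date

# Constructed settings mirroring the Discussion options the article walks through.
SETTINGS = {
    "require_name_email": True,
    "close_after_days": 90,            # the article's own choice
    "max_links": 2,                    # hold at this many links or more
    "require_prior_approval": True,    # "previously approved comment"
    "moderation_keys": ["casino", "press"],  # constructed; "press" over-matches
    "blacklist_keys": ["v14gra", "ch34p"],   # taken from comment 31 on this page
}
LINK_RE = re.compile(r"<a\s[^>]*href", re.IGNORECASE)


def first_match(keys, comment):
    """Return the first key found as a case-insensitive substring, else None."""
    text = " ".join((comment["author"], comment["email"], comment["body"])).lower()
    return next((k for k in keys if k and k.lower() in text), None)


def classify(comment, post_date, today, approved_emails, s=SETTINGS):
    """Return (verdict, reason); verdict is rejected, spam, hold or approved."""
    if (today - post_date).days > s["close_after_days"]:
        return "rejected", "comments closed on old post"
    if s["require_name_email"] and not (comment["author"] and comment["email"]):
        return "rejected", "name and e-mail required"
    hit = first_match(s["blacklist_keys"], comment)
    if hit:
        return "spam", f"blacklist term {hit!r}"
    links = len(LINK_RE.findall(comment["body"]))
    if links >= s["max_links"]:
        return "hold", f"{links} links"
    hit = first_match(s["moderation_keys"], comment)
    if hit:
        return "hold", f"moderation term {hit!r}"
    if s["require_prior_approval"] and comment["email"] not in approved_emails:
        return "hold", "first-time commenter"
    return "approved", "passed all checks"


# Constructed sample comments (addresses use the reserved example.com domain).
TODAY, FRESH_POST, OLD_POST = date(2009, 11, 30), date(2009, 11, 2), date(2009, 6, 1)
KNOWN = {"regular@example.com"}
SAMPLES = [
    ({"author": "Anonymously", "email": "a@example.com", "body": "Buy ch34p V14gra"}, FRESH_POST),
    ({"author": "Bot", "email": "b@example.com",
      "body": 'Nice <a href="http://x.example">one</a> <a href="http://y.example">two</a>'}, FRESH_POST),
    ({"author": "Regular", "email": "regular@example.com", "body": "I love WordPress"}, FRESH_POST),
    ({"author": "Regular", "email": "regular@example.com", "body": "Thanks, very clear."}, FRESH_POST),
    ({"author": "Newcomer", "email": "new@example.com", "body": "Thanks, very clear."}, FRESH_POST),
    ({"author": "Regular", "email": "regular@example.com", "body": "Late reply"}, OLD_POST),
]


def run_samples():
    return [classify(c, post, TODAY, KNOWN) for c, post in SAMPLES]


if __name__ == "__main__":
    for (c, _), (verdict, reason) in zip(SAMPLES, run_samples()):
        print(f"{verdict:9} {reason:32} <- {c['body'][:40]}")
```

The third sample is a previously approved commenter held only because `press` matches inside "WordPress"; had that term been in the Spam Blacklist, the comment would have been marked as spam instead of waiting in the queue.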

Why not just use a bunch of plugins instead?

Because you don’t have to. Plugins require maintenance, frequent updating, etc. Every upgrade of WordPress and/or your plugins opens the door to possible issues and conflicts. Further, plugins consume valuable server resources, affecting the performance and consistency of your site. In general, the fewer plugins you have, the easier and more efficient things are going to be. I guess my feeling is, try to take the “zen” approach as much as possible — if something isn’t absolutely necessary, don’t bother with it. More and more, I am realizing that anti-spam plugins simply aren’t needed to run an effective and spam-free site.

48 Responses

  1. Hmm, well I still prefer using Akismet. It’s caught about 35,000 spam comments in total on my blog. I like being able to basically “set it and forget it”, without having to go through the moderation queue looking for legitimate comments in a pile of spam comments (of course, every so often I still go through the spam list looking for legitimate comments).

  2. Couldn’t agree more, native blacklist and related settings were more than enough for a first year at my blog.

    Now the only anti-spam plugin I use is my own, barely a few lines of code. It checks incoming comments for similar comments already in WP spam. Kind of an auto-educated blacklist.

    And mandatory mention of my Akismet troubles. I had issues with it spamming my comments everywhere for no apparent reason, so I have a LOT of trouble with 99% of plugin-related posts saying it is a “must”.

  3. Good stuff – my WP site is so overrun with plugins, I need to start deleting stuff.

  4. I agree about disabling pingbacks, as it is a horrible protocol.

    I also agree that Akismet is a bad front-line defense against spam because of its “spam inbox” concept.

    The rest of the suggestions, while informative, are going to be inadequate for any well-trafficked website.

    The fundamental problem with WordPress and spam is that the underlying engine is incredibly easy to exploit, and open source. As a result, automated spamming systems are highly effective.

    The fundamental solution, therefore, is variation. Customizing and hacking WordPress installations is a good way to eliminate automated spam, and significantly reduce the human-injected noise.

  5. Good information and useful post.

    I do think it’s good to rely on fewer plugins when possible. But I also think that Akismet is one of the *key* plugins needed. Most of us have a lot more junk in our plugin list and if the main goal is to streamline plugins we can find somewhere else to do that. Because Akismet is bundled into the WordPress install and is supported by them I doubt that future updating or integration problems will ever be an issue as they are with third party plugins.

  6. I agree, I just use Akismet. But at the moment I’m getting around 140+ Russian (spam) comments a week. I want to install a plugin to delete them instead of just marking them as spam.

    • Try installing the Tan Tan Noodles plugin. It should stop a lot of those before they hit Akismet.

    • Or, if the spam contains actual Russian glyphs, you could simply add a few of them to your Comment Blacklist. No plugin required.

  7. Ryan Rampersad November 2, 2009

    I use Akismet. I get a rare false positive but that’s not so bad. That’s all I use for anti-spam on my blogs; it’s worked pretty well so far.

  8. Great Article. Just means we have to take a bit of time when we originally set up a site to adjust the parameters correctly. I generally just activate Akismet probably like most other people and leave most of the settings mentioned above alone but after reading this I may end up rethinking that.
    Thanks again.

  9. You’re overthinking this one wayyyy too much.
    90% of the spambots out there do Google searches for things that appear / make a blog typical WP. Search for things like “Submit Comment”, “powered by wordpress”, “Subscribe to responses via email” etc etc.

    The easiest way I’ve found to do this that works is just remove the things that let Google or other SEs know you’re using WP.
    Just rename stuff yourself and you’re golden.

    • If only it were that easy. If you spend countless hours figuring out what all you needed to change or delete, it might help a little. Those bots are pretty good at spotting when it’s possible to comment on a website.

      They keep getting smarter with each counter we make.

      I think it depends on how much traffic you get on your site. I bet if you had as much traffic as Mashable you’d be considering some of these as great ideas.

      For everyday bloggers, you might not need to use all of them.

  10. Great article but I feel more comfortable with Akismet enabled because it’s so much trusted that I never had any problem with it. And most importantly, it does the job automatically without disturbing.

    Otherwise how can I take care of one thousand spam comments a day?

    • Otherwise how can I take care of one thousand spam comments a day?

      Easy. By using some of the methods described in the article! It’s all there :)

  11. I completely disagree on not using a plugin. The kind of spam that you would have to control is phenomenally huge! On small blogs it is ok, but for a slightly bigger blog… you would go crazy!

  12. Andrey C November 2, 2009

    I use Akismet alone, because I prefer not to have to manually select “spam” for the minimum of 50 spam comments I receive each day. Most of the deterrents you describe I have already enabled.

  13. This article has pretty much convinced me to just use Akismet for anti-spam as opposed to putting the burden on me and my users.

  14. Another surprising way to reduce spam is the addition of a checkbox. For one blog I was working on, they needed a checkbox to agree the commenting policy.

  15. Great post. Akismet works just fine, I have comments open, no registration or log in. All spam is caught.

  16. Just a quick note to say that I detest the “close comments in XX days” idea. It might be OK for some really time-dependent blogs, but it does really limit the amount of good feedback you can have for the creative types of blogs.

  17. I don’t bother with 90% of this article, and I don’t even use Akismet.

    I use 1 CAPTCHA plugin for comments. 1 plugin. No updating blacklist, no registration requirements for users, no closing comments on old posts, no spam queue, none of that. Just 1 plugin.

    Although I do moderate comments if it’s a first-time commenter, the CAPTCHA keeps tons of crap from even getting to that point.

  18. Jeff, I don’t suppose you have a good list of blacklist of terms we can use, do you?

    • Good call, John – I will share my personal WordPress blacklist in the next post. Until then, there’s a couple of older (but still effective) lists in this article at Perishable Press.

      • Steve Holderness January 27, 2010

        Jeff, did you ever post your personal WordPress blacklist other than what you show at Perishable Press? I can’t seem to locate if you did.

      • Not yet, but I’ve been meaning to do that. I have it on the list now so hopefully I will get to it next week. Thanks for the reminder.

  19. I think this has some useful ideas in it. I think I’ll use Akismet anyway, but even with that in mind, the fact you go through and explain what the functions in WordPress do has given me food for thought on how I want to run my sites, so that’s definitely useful.

  20. “Why not just use a bunch of plugins instead?
    Because you don’t have to. Plugins require maintenance, frequent updating, etc. Every upgrade of WordPress and/or your plugins opens the door to possible issues and conflicts.”

    -Amen brother

    Jeff, it’s good to see you branching out from Perishable Press. The community needs more rational discussions like this. Less is more!

    -Gene

  21. Hmm, this article seems pretty interesting.

  22. Greg Johnson November 2, 2009

    This article notwithstanding, you get an average what 10 – 15 comments approved per post? Looks to be the same on your personal blog. These ‘preventive measures’ are okay for modest needs, but it’s poor advice for anyone with a well trafficked site.

    One of my projects gets about 30 legitimate comments a day (I post there once every few months) and around 100 spam. Akismet has caught a little over 53k comments so far.

    I disagree with closing off discussion after any amount of time. It seems like a poor solution to penalize your visitors for your unwillingness to run a wordpress plugin.

  23. The casual user or a beginner is not going to understand what all these settings are. Just install WP-Spamfree (plugin) and enjoy 0 spam per month. It’s worked for me for over a year, from 100 spam comments a month (with Akismet running) to 0. And it’s even compatible with Akismet.

  24. Nice post, but I still think Akismet is one of those plugins that you must have. It does a superb job.

  25. “Comment author must have a previously approved comment”

    Two weaknesses with that one (in my opinion):

    1) When your comment volume starts to get quite large, it bottlenecks the conversation for any new commentators who need to wait for approval.

    2) There seem to be spammers or scripts that post short, harmless comments like “Nice post, very helpful” to get the first one approved so they can start spamming you afterwards.

    Of course I understand that any one of these steps in itself has weaknesses but taken together they are a decent strategy.

  26. It’s amazing that WordPress now has all this functionality built in. While I love the idea of closing commenting on all posts older than 90 days, I would be more comfortable if it had the additional feature of closing public commenting on posts older than 90 days and posts older than that requiring members to sign in before they can comment. Now that would be amazing.

  27. Great post, I totally agree with it. The same thinking can be applied to avoid SEO plugins.

  28. Nice article, but Akismet makes life easier.

  29. I had the same post like you but not detailed like this one. I have drafted but not yet published and just knew this through WPwebhost. Thanks

  30. I like more to use a plugin like intensedebate or disqus, their scripts will load the comments and moderate them. With them you will not lose comments, if there is a problem and you need to upload backups.

  31. Anonymously November 30, 2009

    Buy ch34p V14gra

    • Trying to make a point? I could have easily deleted this comment, but I’ll leave it as an example of something that could easily be blacklisted, especially considering that real words don’t include numbers. Makes it all too easy ;)

  32. I tend to disagree that WordPress alone will be able to fend off the comment spam. Yes, it has tools built in, you can be notified of any new comments and go through an approval queue, but then you would be doing moderation all the time instead of website building and content writing. Akismet used to be a great plugin, but it has now been superseded by the even better Mollom, which eliminates moderation completely so you can focus on better things; besides, it relieves your server of the headaches as the spam filtering is done on their server using their technology and blacklists. If you are interested, you can look at an article I did which shows the advantages of using Mollom and how easy it is to integrate with a content management website.

  33. Jason Bradbury December 2, 2009

    I disagree, you should use the wordpress plugin. I also use a spam blacklist tool I use to check the lists in real-time… spamblacklist.co.uk

  34. Guys,

    I recently used the information you posted at http://digwp.com/2009/11/dont-need-plugins-to-stop-comment-spam/ to really solve a problem I was having. A client was using Akismet but getting 15K-20K spam comments a month. Akismet was catching most of them, but still missing 20-30 a day which was a big problem to moderate. I implemented a 30-day comment close and the .htaccess hack and instantly the spam dropped from 300 – 800 a day to 3 – 5 a day.

    The comments on the story were closed, but just wanted to say thanks and that the info you posted really does work.

    David


Comments are closed. Contact us with any critical information. Thank you!
