The ONLY Way to Stop WordPress Comment Spam

Like most WordPress sites, my popular ones get hit by hundreds of spam messages a day. I’ve found only one method that works well against spam, and that is to use a custom question field. A custom question field asks the poster to answer a simple question correctly when submitting the post. This works because the website owner chooses the question, so a bot will have no idea what to do with it. The only way the bot can get around the question is for a human to come in and program the bot with the answer. Most spammers will not bother to do this.

I recommend choosing a question that is related to the content of your site to make it easy for your readers. For example, in this blog I might choose a question like “What is the aquatic animal in the name of this blog?”. Make sure to set multiple answers to the question, like “fish”, “Fish” and “FISH”. Also, don’t choose a question like “What is 7 + 3?”, as some bots might be able to figure this out. I use the plugin WP No-Bot Question to implement this service.
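One way to do the server-side check behind such a question field, as an added example (not the WP No-Bot Question plugin's code): it folds case and whitespace so the variants do not have to be listed one by one. The field name `nobot_answer`, the `nobot_*` functions and the accepted-answer list are assumptions made for illustration.

```php
<?php
// Added example, not the WP No-Bot Question plugin's code.
// Assumed names: field "nobot_answer", nobot_* functions; answer list is constructed.
const NOBOT_ACCEPTED = ['fish', 'a fish']; // stored already normalized

// Fold case and whitespace so "fish", "Fish" and " FISH " compare equal.
function nobot_normalize(string $s): string {
    $s = preg_replace('/\s+/u', ' ', trim($s)) ?? ''; // null on invalid UTF-8
    return function_exists('mb_strtolower') ? mb_strtolower($s, 'UTF-8') : strtolower($s);
}

// Fail closed: missing field, array input (nobot_answer[]=x) or oversized input is rejected.
function nobot_answer_ok($submitted): bool {
    if (!is_string($submitted) || strlen($submitted) > 100) {
        return false;
    }
    return in_array(nobot_normalize($submitted), NOBOT_ACCEPTED, true);
}

if (function_exists('add_filter')) { // running inside WordPress
    // Show the question to anonymous commenters.
    add_action('comment_form_after_fields', function () {
        echo '<p><label for="nobot_answer">What is the aquatic animal in the name of this blog?</label> '
           . '<input type="text" id="nobot_answer" name="nobot_answer" required></p>';
    });

    // Check the answer on the server before the comment is stored.
    add_filter('preprocess_comment', function ($commentdata) {
        $type = $commentdata['comment_type'] ?? '';
        if (is_user_logged_in() || !in_array($type, ['', 'comment'], true)) {
            return $commentdata; // these never see the field; pingbacks need their own control
        }
        $answer = isset($_POST['nobot_answer']) ? wp_unslash($_POST['nobot_answer']) : null;
        if (!nobot_answer_ok($answer)) {
            wp_die('Wrong answer to the anti-spam question.', 'Comment rejected',
                   ['response' => 403, 'back_link' => true]);
        }
        return $commentdata;
    });
} else { // stand-alone run: constructed sample answers
    foreach (['fish', ' FISH ', 'Fish', 'whale', ''] as $a) {
        printf("%-8s => %s\n", json_encode($a), nobot_answer_ok($a) ? 'accept' : 'reject');
    }
}
```

The `required` attribute on the input is only a convenience for readers; the check that matters is the one in `preprocess_comment`, because a bot posts straight to the comment endpoint without rendering the form.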

Previously I had tried other antispam services; I’ll list them below and say why they didn’t truly work.

#1. Akismet

Akismet is a service that uses a computer to read the contents of the comment and from that it will attempt to detect if the comment is a spam message. Akismet works fairly well, BUT the major problem I had with Akismet was that it was constantly detecting legitimate comments as spam. This was because some of my commenting users did not have perfect English or grammar – characteristics of spam messages. It got so bad that it was flagging about 75% of legitimate messages as spam. And with such a huge spam folder I had no chance of finding these real comments.

#2. Image Captchas.

Image captchas work by asking the user to type in some text or numbers displayed in an image. The problem with this is that most spam bots now have the capability to actually read these images and translate them into text. It is possible to make the captchas harder to read, but then they become harder to read for humans as well. Captchas have been broken for a few years now.

#3. Cookies/JavaScript Detectors.

These plugins detect spam through the presence of a specially placed cookie and/or check if JavaScript is enabled. As most bots don’t have cookies or JavaScript enabled, they will be caught. The problem is that spam bot programmers are catching on to this and are enabling their bots with cookies and JavaScript. I must say though that these plugins still do reduce the amount of spam you receive, and in my case reduced spam by about 50%. You might be best suited to running one of these types of plugins in conjunction with a custom question field.

#4. IP Blocking Plugins.

These plugins work by detecting spam in some way through the above methods (or through a global database of known spam IPs) and then blocking the IP address of the spammer. A blocked IP means that the spammer will be unable to access your site at all. The problem with this is that most bots these days spoof their IP address (use fake IPs). In my case the bots were using the IPs of Google services, causing my site to be blocked from Google. Not good for SEO at all. Even if they do not spoof their IP, spammers tend to have many IPs at their disposal. Another danger is that sometimes one IP address could belong to many PCs. For example, a university or company might have one IP with many PCs behind it. Blocking an IP could unintentionally block a large number of legitimate users.

So in the end the only method that really worked was the custom question solution. I must note though that custom questions will only work against bots. If you have a human spammer targeting your site it will not work.