How to Stop Spam Comments on Your WordPress Blog for Good (Even Without Akismet)

If you have ever logged into your WordPress dashboard and found hundreds of spam comments waiting in moderation, you already know the frustration. Links to dubious pharmacies, generic “Great post!” messages attached to keyword-stuffed names, bot floods that hit your site within hours of publishing. Spam comments are not just annoying. They waste your time, pollute your site’s content, and can even affect SEO if low-quality links slip through to publication.

Akismet is the plugin most people reach for first. It comes pre-installed with WordPress, it works well, and for personal blogs it is free. But Akismet is not always the right answer. Commercial sites must pay for an API key. Privacy-sensitive sites (especially those serving European visitors under GDPR) may have concerns about sending comment data to a third-party server. And some site owners simply want a solution that lives entirely on their own hosting infrastructure.

The good news: you have many effective options. This guide walks through every practical layer of WordPress comment spam defense, from native settings that cost nothing to lightweight plugins and server-level rules. By the time you reach the end, you will have a plan you can put in place today.

Why Akismet Is Not Always the Right Fit

Akismet processes comment data on Automattic’s servers to determine whether a comment is spam. That model works well at scale and catches a high percentage of spam without any configuration from you. But there are legitimate reasons to look elsewhere.

  • Commercial licensing cost. The free Akismet plan is restricted to personal, non-commercial use. If your site earns money through advertising, affiliate links, or selling products, you need a paid plan starting at $10/month per site. For a blog owner managing several sites, those fees add up.
  • GDPR and data handling. When a visitor submits a comment, Akismet receives that data including the commenter’s IP address, email, and comment content. For sites with a privacy-first stance, or those operating under strict GDPR compliance requirements, sending personal data to an external service introduces complexity around consent and data processing agreements.
  • Vendor dependency. If Akismet’s API goes down or changes its pricing structure, your spam protection disappears. Owning your defense stack removes that dependency.

Start With Native WordPress Comment Settings

Before installing any plugin, tighten up what WordPress gives you out of the box. These settings live at Settings > Discussion in your admin panel.

Manual Moderation

Enable Comment must be manually approved. This means nothing goes live until you approve it. Combined with the other filters below, you can reduce the moderation queue to near zero. For low-traffic blogs, manual moderation is the simplest complete solution.

You can also use Comment author must have a previously approved comment. Once a real person gets their first comment approved, future comments from the same email address go straight through. Repeat spammers who were never approved are held automatically.

Disallowed Keys (Comment Blocklist)

Still in Settings > Discussion, scroll to Disallowed Comment Keys. Enter one word, phrase, IP address, or URL fragment per line. Any comment containing a match is moved directly to trash without entering moderation. Useful patterns to add:

  • Common spam anchor text: buy cheap, free download, casino, payday loan
  • Known spam domains you see repeatedly in your queue
  • IP address ranges of repeat offenders

There is also a Comment Moderation box just above it. Words placed here hold a comment for review rather than trashing it. Use this for ambiguous terms where you want to inspect before deleting.

Limiting Links in Comments

Most spam comments contain multiple links. WordPress has a setting called Hold a comment in the queue if it contains 2 or more links. Lower that number to 1 or even 0 if your readers rarely need to post URLs. This alone catches a large share of comment spam since bots almost always include links to the sites they are promoting.

How Honeypot Fields Work

A honeypot is an invisible form field added to the comment form. Human visitors never see it and never fill it in. Bots, which fill every field they find, write into it. If the field arrives non-empty with the comment submission, the system knows it was a bot and discards the comment.

Honeypots are effective against simple bots that blindly fill forms. They are not effective against sophisticated bots that parse HTML and skip hidden fields, or against human spam operations. But they are completely transparent to legitimate users, add zero friction, and require no external data transfer. Combining a honeypot with a few other layers gives excellent coverage.

The Antispam Bee plugin (covered in the next section) includes a honeypot field. Several other lightweight plugins also offer this without any additional configuration.

CAPTCHA Options for Comment Forms

CAPTCHAs add a challenge to the comment form that bots cannot easily solve. There are three main options worth knowing.

Google reCAPTCHA v3

reCAPTCHA v3 runs invisibly in the background, analyzing user behavior to assign a confidence score between 0 and 1. No checkbox, no image puzzle. You set a threshold (typically 0.5) below which submissions are flagged or blocked.

Pros: Zero friction for users, high detection rate, free.

Cons: Sends behavioral data to Google. If privacy is a concern, this may not fit. Occasionally flags real users, and there is no challenge for the user to retry. Integration requires registering a site key at google.com/recaptcha/admin. Plugins like Advanced Google reCAPTCHA handle the WordPress integration.

hCaptcha

hCaptcha is a privacy-focused alternative to reCAPTCHA. It presents image challenges to users who score below the bot threshold. Unlike Google, hCaptcha does not build advertising profiles from the data it collects, making it a better fit for GDPR-conscious sites.

Pros: Privacy-respecting, free tier available, works as a drop-in in many forms.

Cons: Visible challenge can add friction. Some legitimate users find the image tasks annoying. Site registration required at hcaptcha.com. The hCaptcha for WordPress plugin handles integration.

Cloudflare Turnstile

Cloudflare Turnstile is the newest of the three. It validates users through cryptographic challenges that happen entirely client-side, usually without showing anything to the user. If it needs to show a UI, it displays a simple checkbox with no image puzzles.

Pros: Excellent privacy posture (does not build profiles), free with a Cloudflare account, typically invisible, very low friction.

Cons: Requires a Cloudflare account. A small percentage of users may see the checkbox challenge. Integration via the Simple Cloudflare Turnstile plugin or by adding Turnstile directly to your theme’s comment form template. Get site keys at cloudflare.com/products/turnstile where you can register your domain and obtain the site key and secret key needed for the plugin.

Of the three options, Turnstile is often the best balance of privacy, user experience, and spam effectiveness for WordPress blogs in 2024 and beyond.

Anti-Spam Plugins Worth Using

If you want more coverage than native settings provide but do not want to touch code, several plugins deliver strong results.

Antispam Bee (Free, GDPR-Friendly)

Antispam Bee is the plugin I recommend most often to site owners who want Akismet-level protection without the cost or privacy trade-offs. It has over 700,000 active installs and is maintained by a German team with a strong GDPR track record.

What it does: honeypot field, time-based checks (comments submitted too fast are from bots), language filtering (reject comments not in your blog’s language), trusted commenter lists, and an optional integration with the public spam database at stopforumspam.com. No data is sent to Antispam Bee’s servers. Everything processes locally or through the public StopForumSpam API which you can disable if preferred.

Setup: Install from the WordPress plugin directory, activate, and visit Settings > Antispam Bee. Enable Use a honeypot, Consider the comment time, and optionally Spam IP check via public databases. Leave Consider the commenter’s IP address unchecked unless you want aggressive blocking that might catch mobile users on shared IPs.

One underrated Antispam Bee feature is the language filter. If your blog is written in English and you are getting spam comments in Russian, Chinese, or any other language, enable Allow comments written in certain languages only and select your language. This alone eliminates a large percentage of the generic template spam that bots send across thousands of sites at once.

CleanTalk

CleanTalk is a cloud-based spam protection service that checks comments, registrations, and contact form submissions against a massive shared blacklist. It catches things that local honeypots miss because it has real-time data across millions of sites.

The service costs around $8/year for a single site, which makes it one of the most affordable cloud-based options. Setup requires creating an account at cleantalk.org, generating an API key, and entering it in the CleanTalk plugin settings.

Pros: Very high accuracy, works on comments plus other forms, affordable yearly pricing rather than monthly.

Cons: Cloud-based, so comment data is processed on CleanTalk’s servers. Not a zero-data-transfer solution. If GDPR compliance is your main concern, document this in your privacy policy and consider a Data Processing Agreement with CleanTalk.

Cerber Security

Cerber Security is primarily a security and anti-spam suite. Its comment spam feature works by checking submitter IPs and email addresses against its own cloud and applying bot behavioral detection. You get comment spam protection as part of a broader hardening plugin that also handles login protection, firewall rules, and file integrity monitoring.

The free version handles basic comment spam. If you were already planning to add a security plugin, Cerber covers both needs without requiring a second install.

Disabling Comments on Old Posts

A large share of comment spam targets old posts, because older URLs have more backlinks and the site owner checks them less often. WordPress has a built-in setting specifically for this.

Auto-Disable by Age

In Settings > Discussion, find Automatically close comments on posts older than X days. Check the box and set the value. A common starting point is 180 days (six months). Posts older than that typically get few legitimate new comments anyway.

This setting applies going forward. It will not immediately close comments on existing old posts.

Bulk-Close Comments on Existing Posts

To close comments on all existing posts at once, go to Posts > All Posts. Select all posts using the checkbox at the top, then use the Bulk actions dropdown and choose Edit. In the bulk edit panel that appears, find the Comments dropdown and set it to Do not allow. Apply the change.

If you have more posts than fit on one screen, increase the number of posts shown per page first (Screen Options in the top right), or repeat the process across multiple pages.

Alternatively, use WP-CLI (covered at the end of this guide) to do this in a single command regardless of how many posts you have.

Setting Up Comment Moderation Workflows

Even with all the defenses above, some borderline comments will need human review. A well-set moderation workflow keeps the queue manageable.

Auto-Approve Trusted Commenters

The WordPress setting Comment author must have a previously approved comment means anyone who got through your filter once and was approved manually will comment freely in the future. This creates a trusted list automatically, without extra plugins.

For larger communities where you want finer control, the Comment Moderation Role plugins let you grant trusted users a role that bypasses moderation entirely.

Email Notifications

WordPress sends email notifications for comments held in moderation. If you are getting so many that the emails become noise, turn off moderation emails at Settings > Discussion and check the queue on a schedule instead, say once per day. Antispam Bee and similar plugins reduce the queue size enough that a daily check takes under two minutes.

When to Disable Comments Entirely

Not every page needs a comment section. In fact, leaving comments open on pages where no one would realistically comment creates unnecessary exposure.

  • Static pages (About, Contact, Privacy Policy): Disable comments by default. In Settings > Discussion, uncheck Allow people to submit comments on new posts, then on individual pages use the Discussion metabox to turn them off.
  • Product pages (WooCommerce): WooCommerce disables comments on product pages by default and uses its own reviews system. If you somehow have comments enabled on product pages, disable them.
  • Landing pages and sales pages: Disable comments entirely. These pages are conversion-focused and a spam comment appearing on them damages trust.
  • Sites where engagement moved elsewhere: If your community discussion happens on Discord, a Facebook Group, or a dedicated forum, disabling comments sitewide and linking to your community is a clean solution that eliminates the attack surface entirely.

To disable comments sitewide in WordPress 6.x, go to Settings > Discussion and uncheck both comment-enabling checkboxes. Then use WP-CLI to close existing posts as described below.

.htaccess Rules to Block Comment Spam Bots

If you are on an Apache server (most shared hosting environments), you can add rules to your .htaccess file to block requests from known spam bot user agents before they even reach WordPress. This reduces server load and stops bots that ignore your application-layer defenses. While you are hardening at the server level, this is also a good time to back up your WordPress site before making changes to core configuration files.

The comment submission endpoint in WordPress is wp-comments-post.php. You can block direct POST requests to this file that do not come from your own domain:

# Block direct POST to wp-comments-post.php from outside the site
<IfModule mod_rewrite.c>
RewriteEngine On
# Only POST requests to the comment endpoint
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
# ...that carry no referrer from this site, or an empty user agent
RewriteCond %{HTTP_REFERER} !.*yourdomain\.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Redirect the request to the client's own IP address
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
</IfModule>

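Replace yourdomain.com with your actual domain. The rule redirects any POST to the comment endpoint back to the client’s own IP address when the request lacks a referrer from your site or has an empty user agent string. Bots that POST directly to wp-comments-post.php without visiting the page first (very common) get blocked at the server level. The Referer header is supplied by the client, so this stops only bots that do not set it, and visitors whose browser or privacy extension strips the header will be unable to comment.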
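Before enabling the rule, you can replay recent traffic through the same tests to see who would be refused. The script below is an added example, not part of the original guide: it reads an Apache "combined" access log and labels each comment POST the way the RewriteCond lines would. The function names, the sample log lines, and example.com are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original guide): dry-run the comment-endpoint
# rule against an Apache "combined" access log before enabling it.
# Usage: sh audit.sh <site-domain> < access.log
# Output per comment POST: VERDICT <tab> REASON <tab> CLIENT-IP <tab> USER-AGENT

audit_comment_posts() {
    awk -F'"' -v domain="$1" '
    {
        split($2, req, " ")                    # req[1]=method, req[2]=path
        path = req[2]
        sub(/\?.*/, "", path)                  # ignore any query string
        if (req[1] != "POST" || path !~ /\/wp-comments-post\.php$/) next

        split($1, pre, " ")                    # pre[1]=client IP
        ref = $4
        ua = $6
        if (ref == "-") ref = ""               # "-" means the header was absent
        if (ua == "-") ua = ""

        # Same tests as the RewriteCond lines: empty UA, or a Referer that
        # does not contain the site domain (substring match, like the rule).
        if (ua == "")                     reason = "empty-user-agent"
        else if (ref == "")               reason = "no-referer"
        else if (index(ref, domain) == 0) reason = "offsite-referer"
        else                              reason = "onsite-referer"

        verdict = (reason == "onsite-referer") ? "ALLOW" : "BLOCK"
        printf "%s\t%s\t%s\t%s\n", verdict, reason, pre[1], ua
    }'
}

# Constructed sample log lines (documentation IP ranges, example.com as the site).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [29/Apr/2026:13:31:00 +0000] "GET /hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
192.0.2.10 - - [29/Apr/2026:13:31:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://example.com/hello-world/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
198.51.100.23 - - [29/Apr/2026:13:31:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
198.51.100.24 - - [29/Apr/2026:13:31:06 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://spam.invalid/" "-"
203.0.113.5 - - [29/Apr/2026:13:32:10 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 Safari/604.1"
198.51.100.30 - - [29/Apr/2026:13:33:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://other.invalid/page" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
EOF
}

# With a domain argument, audit the log on stdin; otherwise run the sample.
if [ $# -ge 1 ]; then
    audit_comment_posts "$1"
else
    sample_log | audit_comment_posts example.com
fi
```

BLOCK lines with reason no-referer and an ordinary browser user agent, like the iPhone entry in the sample, are the ones to check by hand, since they may be real visitors whose Referer header was stripped.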

You can also block specific user agents known to be associated with comment spam campaigns. Add these above your WordPress rewrite rules:

<IfModule mod_rewrite.c>
RewriteEngine On
# Deny requests with an empty user agent, or one containing any listed string.
# The pattern is quoted because several entries contain spaces.
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} "(casper|checkprivacy|clshttp|cmsworldmap|comodo|curl|digger|download|emailcollector|emailsiphon|emailwolf|extract|extractor|eyenetie|feedfinder|flaming|frontpage|getright|getweb|go-ahead-got-it|go!zilla|grabnet|grafula|harvest|hloader|hmview|httplib|httrack|humanlinks|ilsebot|indy library|infoskout|interget|internet ninja|internetlinkagent|jakarta|java|jennybot|jetcar|jetbot|junglekey|kenjin spider|keyword density|larbin|leechftp|libwww|linkscan|loader|masfinalizar|mass downloader|miner|mirrorleech|mister pix|moget|mozilla/4.0-|netants|netmechanic|netspider|netzip|nicerspro|ninja|npbot|octopus|offline explorer|offline navigator|orion|pagebot|papa foto|pavuk|pcbrowser|pockey|propowerbot|prowebwalker|psbot|pump|query n|realdownload|reaper|recorder|rma|ruby|siphon|site ripper|sitebot|sitecheck|siteliner|sitesucker|sitevista|slurp|spam|spankbot|spbot|spegla|sphider|spider|spinne|superbot|superhttp|surfbot|suzuran|szukacz|takeout|teleport|telesoft|the intraformant|theuselessweb.com|titan|todobuscado|true_robot|turingos|turnit|urly warning|vacuum|vci webviewer|void-bot|web ripper|web-st|webattack|webcopier|webdevil|webdownloader|webreaper|websauger|website extractor|website grabber|website quester|webstripper|websucker|webvac|webviewer|webwhacker|webzip|wget|whatsapp|widow|wisenut|wonderbrowser|worm|wwwoffle|xaldon webspider|xenu|zeus)" [NC]
RewriteRule .* - [F,L]
</IfModule>

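This is a broad list, and each entry is a case-insensitive substring match applied to every request, not only to comment submissions. Entries such as curl, wget, java, ruby, slurp, and whatsapp also block command-line tools, HTTP libraries, Yahoo’s crawler, and WhatsApp link previews. Review the list against your own analytics to make sure you are not blocking legitimate crawlers like Googlebot (which is not in this list), and remove any entry you rely on. Add the rule, then check your error logs for false positives over the next 24 hours.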

If you are on Nginx rather than Apache, the equivalent is the deny directive or a location block with return 444. The logic is the same; the syntax differs.

WP-CLI Commands to Manage Spam Comments in Bulk

If you have SSH access to your server, WP-CLI gives you fast, precise control over your comments table without touching the admin interface.

Delete All Spam Comments

wp comment delete $(wp comment list --status=spam --format=ids) --force

This fetches the IDs of all comments with spam status and permanently deletes them. The --force flag skips the trash and removes them directly from the database. Run this in your site root (where wp-config.php lives) or pass --path=/path/to/wordpress.
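The one-liner above fails with a usage error when there is no spam to delete, and a very large ID list can exceed the shell's argument limit, both of which matter once the command runs unattended. The script below is an added example, not part of the original guide, that wraps the same two wp comment commands for scheduled use. WP_PATH, BATCH, and the purge_spam function name are assumptions of this sketch, not WP-CLI settings.

```sh
#!/bin/sh
# Added example (not from the original guide): cron-safe spam purge built on
# the wp comment list / wp comment delete commands shown above.
# WP_PATH and BATCH are assumptions of this sketch, not WP-CLI settings.
WP_PATH="${WP_PATH:-/var/www/html}"   # placeholder: your WordPress root
BATCH="${BATCH:-500}"                 # IDs passed to each delete call

# Deletes all spam comments in batches and prints how many were removed.
purge_spam() {
    ids=$(wp comment list --status=spam --format=ids --path="$WP_PATH") || return 1
    total=0
    # Unquoted on purpose: --format=ids returns a space-separated list.
    # An empty list leaves no arguments, so the loop and the delete are skipped.
    set -- $ids
    while [ $# -gt 0 ]; do
        batch=""
        n=0
        while [ $# -gt 0 ] && [ "$n" -lt "$BATCH" ]; do
            batch="$batch $1"
            shift
            n=$((n + 1))
        done
        # --force skips the trash, as in the one-liner above.
        wp comment delete $batch --force --path="$WP_PATH" >/dev/null || return 1
        total=$((total + n))
    done
    echo "$total"
}

# Run only when invoked with --run, so the file can also be sourced safely.
if [ "${1:-}" = "--run" ]; then
    n=$(purge_spam) || { echo "spam purge failed" >&2; exit 1; }
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) deleted $n spam comments"
fi
```

A weekly crontab entry would call the script with --run and redirect its output to a log file of your choosing.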

Close Comments on All Existing Posts

wp post list --post_type=post --post_status=publish --format=ids | xargs wp post update --comment_status=closed

This pipes a list of all published post IDs into wp post update and sets comment_status=closed on each one. Adjust --post_type to include pages or custom post types if needed.

List Comments Awaiting Moderation

wp comment list --status=hold --fields=comment_ID,comment_author,comment_author_email,comment_content --format=table

Outputs a readable table of pending comments, which is faster than the admin interface when you have hundreds queued up.

Building Your Layered Defense

No single technique stops all spam. The goal is layers: each layer catches what the one before it misses, and together they get you to near-zero without blocking real commenters.

Here is a practical stack depending on your situation:

For a Personal Blog (Free, No Data Transfer)

  • Native WordPress: manual moderation on first comment, link limit set to 1, disallowed keys populated
  • Antispam Bee with honeypot and time check enabled
  • Auto-close comments on posts older than 180 days

For a Business or Commercial Site

  • Cloudflare Turnstile on the comment form (free, invisible to most users)
  • Antispam Bee for local filtering
  • Server-level .htaccess rule blocking direct POSTs to wp-comments-post.php
  • Auto-close on posts older than 90 days

For High-Traffic Sites

  • CleanTalk ($8/year cloud service) for real-time database checking
  • Cloudflare Turnstile as a first-pass invisible challenge
  • Cerber Security for firewall and login protection in addition to spam
  • WP-CLI scheduled task to delete spam comments weekly via cron

Quick Checklist Before You Publish This Post

Run through this list on your own WordPress site and check off each item you have in place. Any unchecked box is a gap in your defense.

  • Settings > Discussion: Comment must be manually approved or must have previously approved comment is checked
  • Hold comments with more than 1 link
  • Disallowed keys populated with common spam terms
  • Comments auto-close on posts older than 90-180 days
  • Antispam Bee (or equivalent) installed and honeypot enabled
  • Comment form has a CAPTCHA challenge (Turnstile recommended)
  • Static pages have comments disabled individually
  • .htaccess rule blocking direct POST to wp-comments-post.php (Apache servers)
  • Spam comments in your database deleted via WP-CLI or admin panel

Spam is not the only threat bots pose to WordPress sites. If you have ever seen visitors redirected to unrelated sites, read our guide on how to fix a WordPress redirect hack which covers a related class of bot-driven attacks.

Spam comments are a solved problem for most WordPress sites when you treat them as a stack rather than a single plugin decision. You do not need to send data to Akismet. You do not need an expensive service. A combination of native WordPress settings, Antispam Bee or Cloudflare Turnstile, an auto-close rule, and optionally a server-level .htaccess block will stop the overwhelming majority of spam with no ongoing cost and no data privacy trade-offs.

Pick the stack that matches your site’s situation from the three options above, implement it today, and check your moderation queue again in 48 hours. You will likely find it close to empty.


Last modified: April 29, 2026
