How to Protect Your WordPress Blog from SPAM Comments?

Quote: Do not rely on a single plugin. Use a 3-Layer Strategy:

1. Native: Automatically close comments on posts older than 30 days.
2. Plugin: Install Antispam Bee (Free & GDPR compliant) or Akismet.
3. WAF: Enable Cloudflare Bot Fight Mode to block the bots before they even load the page.

Spam comments are rarely written by humans. They are automated scripts (bots) that scan for the `comment_form` ID and inject links to gambling or scam sites.
Manual moderation is a waste of time. CAPTCHAs hurt the user experience. The goal is to make your site invisible to bots or too difficult to bother with, without annoying your real readers.

Checklist
  • Discussion Settings: Go to Settings > Discussion. Ensure "Comment author must fill out name and email" is checked.
  • The "Link" Trap: Under "Comment Moderation", lower the number of links allowed to 1. A comment that exceeds that link count is automatically held for moderation instead of being published.
  • The Hidden Requirement: Disable XML-RPC. Many bots bypass your comment form (and your CAPTCHA) by posting directly via the `xmlrpc.php` file. You must disable this file using a plugin or `.htaccess`.

Step-by-Step Guide

  • Step 1: Native Hardening (The "Blacklist")
    Go to Settings > Discussion.
    Find the section "Disallowed Comment Keys" (formerly Blacklist).
    Paste common spam words here (one per line):
    `casino`, `viagra`, `forex`, `crypto`, `loan`.
    Any comment containing these words will be trashed instantly without you seeing it.
  • Step 2: Close the "Backdoors"
    In the same settings menu, check the box: "Automatically close comments on articles older than [14] days."
    Why? Spammers target old posts because they think you aren't watching them. Real users rarely comment on 2-year-old news.
  • Step 3: The Plugin Solution
    Install Antispam Bee (by Pluginkollektiv).
    Unlike Akismet, it is free for commercial sites and doesn't require an account.
    Settings: Enable "Trust approved commenters" and "Block comments from specific countries" (if you only serve a local audience).
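The three steps above are all made in the admin UI, where they can be silently undone by a colleague or a plugin. The following is an added example (it is not code from the original post and not part of any plugin it names) showing how to pin the same native settings from a hypothetical must-use plugin so they cannot drift. The option names (`require_name_email`, `comment_max_links`, `close_comments_for_old_posts`, `close_comments_days_old`, `disallowed_keys`) and the `pre_option_*` / `option_*` filters are WordPress core; the plugin name, the constants and the merge logic are my own assumptions. The quoted strategy closes comments after 30 days while Step 2 uses 14, so the day count is a constant you set yourself.

```php
<?php
/**
 * Plugin Name: Enforce Comment Hardening (hypothetical example)
 * Description: Added example, not from the original post. Pins the native
 *              Discussion settings from the checklist and Steps 1-2 so an
 *              accidental change in Settings > Discussion cannot weaken them.
 *              Save as wp-content/mu-plugins/enforce-comment-hardening.php;
 *              must-use plugins load on every request without activation.
 */

// Baseline words that must always be present in "Disallowed Comment Keys":
// the post's original list plus the "modern triggers" from its update.
const HARDEN_DISALLOWED_KEYS = array(
    'casino', 'viagra', 'forex', 'crypto', 'loan',
    'whatsapp', 'telegram', 'invest', 'profit', 'partner',
);

// Days after which comments close. Assumption: the 30-day window from the
// quoted 3-layer strategy (Step 2 of the guide uses 14; pick one).
const HARDEN_CLOSE_AFTER_DAYS = 30;

// Checklist item 1: every comment needs a name and an e-mail address.
add_filter( 'pre_option_require_name_email', '__return_true' );

// Checklist item 2, the "link trap". The admin field reads "contains N or
// more links", so 1 holds every comment that carries at least one link.
add_filter( 'pre_option_comment_max_links', function () {
    return 1;
} );

// Step 2: close comments on old posts so abandoned articles stop being targets.
add_filter( 'pre_option_close_comments_for_old_posts', '__return_true' );
add_filter( 'pre_option_close_comments_days_old', function () {
    return HARDEN_CLOSE_AFTER_DAYS;
} );

// Step 1: merge the baseline words into whatever the admin has typed into
// "Disallowed Comment Keys" (stored as one key per line), rather than
// replacing the admin's list. option_{name} runs after the value is read.
add_filter( 'option_disallowed_keys', function ( $value ) {
    $existing = preg_split( '/\r?\n/', (string) $value, -1, PREG_SPLIT_NO_EMPTY );
    $existing = array_map( 'trim', $existing );
    $merged   = array_unique( array_merge( $existing, HARDEN_DISALLOWED_KEYS ) );
    return implode( "\n", $merged );
} );
```

Because `get_option()` is what both the settings screen and the comment pipeline call, the Discussion page will display the pinned values; saving a weaker value still writes to the database but has no effect while the file is in place. Keep the disallowed list to words that never appear in legitimate comments on your site, since a match trashes the comment without review.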

How It Works & Hidden Details
The "Website Field" Trick:
The main reason bots spam you is to get a "Backlink" from your site to improve their SEO.
If you remove the "Website/URL" field from your comment form, 50% of spammers will give up because there is no profit for them.
You can remove this field by adding this snippet to your `functions.php`:
    // Hook the default comment form fields and drop the "Website" (URL) entry.
    add_filter('comment_form_default_fields', 'unset_url_field');

    function unset_url_field($fields) {
        // The field may already be absent if another plugin removed it.
        if (isset($fields['url'])) {
            unset($fields['url']);
        }
        return $fields;
    }

Things to Watch Out For
  • Risk 1: False Positives. Never set your spam plugin to "Delete immediately." Always send to "Spam Folder" and review it once a week. Legitimate users often get flagged if they use a VPN.
  • Risk 2: "Lazy Load" Comments. If you use a plugin to lazy load comments (load them only when the reader scrolls down), anti-spam plugins may fail to protect the form, because the form does not exist on the page at the moment their hooks run, so their hidden fields and checks are never attached to it.

Frequently Asked Questions
  • Q: Is Akismet better than Antispam Bee?
    A: Akismet is excellent but requires payment for commercial sites (even if you make ₹1 from ads). Antispam Bee is completely free and respects user privacy (GDPR).
  • Q: Should I use a CAPTCHA?
    A: Only as a last resort. CAPTCHAs lower engagement. Try Cloudflare Turnstile first—it verifies humanity without making users click traffic lights.

Update: Additional Details & Recent Changes

  • The AI Spam Shift (Turnstile is Mandatory):
    In 2026, "dumb" bots have been replaced by AI Agents that can read your site and write relevant comments to bypass keyword filters. The "Math Question" or "Honeypot" logic often fails against these agents.
    New Standard: You should implement Cloudflare Turnstile (via a plugin like Simple Cloudflare Turnstile). It uses "Behavioral Analysis" to detect non-human traffic without showing a CAPTCHA puzzle, stopping AI bots that standard plugins miss.
  • Cloudflare "Block AI Scrapers" (One-Click):
    If you are using Cloudflare (Layer 3), go to Security > Bots. Even on the Free Plan, there is now a dedicated toggle: "Block AI Scrapers and Crawlers." Enabling this stops LLM bots (like GPTBot, ClaudeBot) from scraping your comment section to train their models, effectively reducing "harvesting" traffic.
  • Antispam Bee "Trust" Settings:
    While Antispam Bee remains the best free plugin, ensure you uncheck "Trust commenters with a Gravatar." Spammers now automate the creation of Gravatar accounts to bypass this specific "Trust" filter. Rely only on "Approved Commenters" (those you have manually approved before).
  • Native "Disallowed Keys" Update:
    Add these modern spam triggers to your Disallowed Keys list in WordPress settings:
    `whatsapp`, `telegram`, `invest`, `profit`, `partner`.
    Most 2026 spam is not selling Viagra; it is trying to move the conversation to encrypted messaging apps for crypto scams.

Quote: The Hidden Requirement: Disable XML-RPC. Many bots bypass your comment form...
Update: This remains the #1 backdoor. If you cannot edit `.htaccess`, install the "Disable XML-RPC-API" plugin immediately. In 2026, most "Brute Force" login attacks and "Trackback Spam" floods still originate here.
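For the XML-RPC point raised in the checklist and repeated in this update, here is an added example (not the post's own code and not the "Disable XML-RPC-API" plugin it mentions) of switching the endpoint off from a hypothetical must-use plugin when you cannot edit `.htaccess`. The filters and functions used (`xmlrpc_enabled`, `xmlrpc_methods`, `wp_headers`, `rsd_link`, `XMLRPC_REQUEST`, `status_header`) are WordPress core; the plugin name and the ordering are my assumptions. It goes a step beyond the usual one-line fix: `xmlrpc_enabled` only blocks methods that require authentication, and `pingback.ping` does not, so trackback/pingback floods still get through unless the pingback methods are removed as well.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (hypothetical example)
 * Description: Added example, not from the original post. Shuts the
 *              xmlrpc.php endpoint that bots use to post comments, send
 *              pingbacks and brute-force logins while skipping the HTML
 *              comment form entirely. Save as
 *              wp-content/mu-plugins/disable-xmlrpc.php.
 */

// 1. Refuse every XML-RPC method that requires authentication. This covers
//    comment posting (wp.newComment) and the login brute-force vector.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. pingback.ping is unauthenticated, so step 1 leaves it reachable and
//    trackback spam still flows. Remove the pingback methods outright.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop advertising the endpoint: drop the X-Pingback response header and
//    the RSD <link> in <head>, both of which point scanners at xmlrpc.php.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// 4. Belt and braces: xmlrpc.php defines XMLRPC_REQUEST before loading
//    WordPress, so any direct hit can be answered with 403 at init, which
//    is the PHP-level equivalent of the .htaccess deny rule from the post.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        exit( 'XML-RPC is disabled on this site.' );
    }
}, 0 );
```

To confirm it is working, request `/xmlrpc.php` from outside the site: a hardened install answers 403 (or a web-server deny page if `.htaccess` is in use), and the response headers no longer carry `X-Pingback`. Note that the Jetpack plugin and the official mobile apps talk to the site over XML-RPC, so turn it off only if you do not depend on them.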
