The Ultimate Guide to WordPress Spam

The Ultimate Guide to WordPress Spam

Akismet, the most popular spam killing plugin for WordPress, encounters 7.5 million pieces of spam per hour on average. That’s twice as much spam as there are people in Los Angeles. Every hour.

Back in 2007, WordPress co-founder Matt Mullenweg knew spam would be a growing problem for the CMS, saying at the time it was getting so bad that it was “effectively a denial-of-service attack on people’s websites,” adding that 94% of blog comments were spam.

And here’s another scary stat: If you compare this year with 2008, and self-hosted WordPress site experience 82,183 times more spam items per hour in 2016. Woah.

Besides DDoS attacks, spam can bring your site down in lots of other ways – XSS vulnerabilities and brute force attacks just to name a couple.

It goes without saying that if you don’t have a solution for dealing with spam on your site you’re not only leaving yourself open to hacking attempts, but also a deluge of spam you’ll need to delete at some point in time.

This article deals with what you need to do to make your WordPress site secure from spam. It has been divided into eight main sections. Click any of the links below to skip ahead to the appropriate section:

  1. Common Types of Spam in WordPress
  2. Why and How Your Site is Vulnerable
  3. How Your Site is Attacked
  4. Basic Prevention Steps
  5. Cleaning Up Spam
  6. Advanced Spam-Fighting Techniques
  7. Spam-Combating Plugins
  8. Ensuring Continued Protection

Note: I encourage you to bookmark this article for future reference as you’ll no doubt find it useful when you’re are tackling spam on other WordPress sites you develop.

1. Common Types of Spam in WordPress

You can usually identify spam right away when you see it. It’s those odd messages you get about irrelevant things you’re not interested in and never signed up to receive in the first place. Though it may seem like an easy thing to sniff out, it’s not always the case as spammers are getting smarter and are always trying new ways to fool you.

Recently, spammers have returned to old tricks when it comes to email spam, using email attachments laden with viruses and other threats. Since many people let their guard down because attachment spam, well, went out of fashion, hackers are trying this old trick again.

Unfortunately, it’s worked too well. Astonishingly, American Economic Association found that spammers cost American businesses and consumers nearly $20 billion every single year.

When you know what kind of spam is lurking out there it’s easier to combat threats.

Comment Spam

This kind of spam shows up in the comments on your site. Typical spam comments are often riddled with links or contain a single link to a site filled with malware and viruses or even sales pages for pharmaceutical drugs, knock-off designer clothes, and accessories or other goods.

A spam comment reported in the WordPress dashboard.
Spammers try to sound genuine to fool you into clicking.


The word splog is a combination of two words: spam blog. When a Multisite network has registrations enabled, a spammer can register for a site and suck up bandwidth and resources to post spam or affiliate links to questionable items. Often, they’re made to look and read like genuine posts but are obviously not.

A post with affiliate links to questionable product.
A popular blog hosting site has a splog registered.

Trackback Spam

When another site links to your post in one of their posts, they can manually notify you and it shows up as a comment on your site, called a trackback. An excerpt has to be included. It’s meant to be used to share relevant content and create a sense of community, but it’s a huge target for spammers.

A sample trackback for comment moderation.
Trackbacks are often irrelevant to your post.

Pingback Spam

Pingbacks are the same as trackbacks, except the process is automated. In either case, both sites need to have pingbacks and trackbacks enabled in order to receive them. Pingbacks also don’t usually show an excerpt and are more secure so it results in less spam when compared to trackbacks.

A sample pingback approved as a comment on the post. It says "Pingback:" then a hyperlinked title of the post is displayed.
A pingback usually displays as a link to the post that sent the pingback.

These are the most common ways spam reaches your site, but could it really happen to your site? Unfortunately, the answer to that is a resounding yes. No matter how big, small, private or niche your site is, it’s still a potential target and at some point, it’s more than likely that your site will be attacked.

2.  Why and How Your Site is Vulnerable

Money. Money makes the world go ’round, right? The biggest reason spam exists is because there’s relatively easy money to be made.

In the book Cybercrime in Progress: Theory and Prevention of Technology-enabled Offenses by Thomas J. Holt and Adam M. Bossler, this link has been brought to light:

“Those nations with higher unemployment rates also had higher rates of spam distribution.”

There may be room for error in AC Kigerl’s 2012 study, which came to the above conclusion since IP addresses that produced spam were tracked and information could be faked. But more studies have been conducted, all with similar findings.

Another study by Burruss, Holt and Bossler in 2013 also came to the same conclusion as the AC Kigerl study, highlighting it was the case as long as the economic issues in the country did not affect the access available to a suitable internet connection. The study also found that oppressive nations had higher reports of spam and malware production.

So what makes WordPress such a huge target?

Easy: It’s hugely popular. alone publishes 58.6 million posts and about 49 million comments every month. Also, 17 posts are published every second on WordPress sites around the world.

A sample of the traffic stats map. has live traffic stats.

All WordPress sites account for over 59% of sites using a known CMS and powers over 26% of the entire web.

Plus, because all the WordPress core code is made publicly available, making it easy for anyone to look for points of vulnerability and exploit them. Fortunately, the WordPress project has a security team that has been able to keep the core code up-to-date with the latest fixes, but this doesn’t do you any good if you don’t keep your site updated.

If your site is using an older version of WordPress, you’re automatically at a higher risk than sites that are up-to-date. Only about 22% of WordPress sites are up-to-date. Is your site one of them? It should be and if not, you need to consider updating it as soon as possible.

For more details on the vulnerabilities in previous versions of WordPress and how to update your site, check out one of our other posts The Ultimate Guide to Updating WordPress and Multisite.

Here are a few more stats to scare you:

  • The Wordfence security plugin team found that about 70% of sites are hacked just to post spam.
  • In April of 2015 alone, Akismet caught over 4 billion spam comments – and that was a slow month.
  • For 2014, the Akismet team had reported 90,326,951,500 pieces of spam were removed from sites that had the Akismet plugin enabled or hosted their site. (You could add up the sales of the top 10 grossing movies and still have to quadruple it to come up with a number like that.)
  • Our Anti-Splog plugin has scanned 6,212,009 blog signups up to April 2016 and has caught 2,047,643 splog registrations across 7442 active domains.
  • Globally, spam has been reported by SpamLaws as accounting for at least 45% of all messages. Some researchers say it’s much higher at 73%.
Illustration of a skull and cross bones and binary behind it.

3. How Your Site is Attacked

You have likely heard of the quote “Know thy enemy” from Sun Tzu’s book The Art of War and there’s a reason why it’s so well-known: If you know how your enemy works, you can figure out a suitable way to keep them at bay without having to return fire.

As far as WordPress goes, if you know how your attackers are getting in and mucking about you can better arm and protect your site.

Hackers usually attack sites automatically with spambots and hackbots. A spambot is a program designed to collect, or harvest, e-mail addresses from the Internet in order to build mailing lists for sending unsolicited e-mail, A hackbot is similar in that it’s also a program designed to automate illegal actions, but instead it targets websites with the aim of changing content in some way. For example, some hackbots are designed to get into a site and replace all content with spam. The site’s popularity, bandwidth and other resources are then used to spread spam until it’s stopped.

These programs are created so thousands of sites can be attacked in a short amount of time without the hacker needing to do any manual work. They can keep the program running and successfully gather all the personal information they want.

There are the many ways spammers typically use spambots and hackbots to get into WordPress sites. Let’s go through each of them below to help you better understand what you’re dealing with.

Database Queries

Spam can make your site run really slow. Each piece of comment, trackback and pingback spam increases the number of database queries that your site requests. And the more requests, the more resources your site is going to use up.

When you have splogs on a Multisite network with many sub-sites, the problem is magnified.

Link Injecting

SEO spam, otherwise known as link injecting, is a type of spam where links are left in comments, trackbacks or pingbacks. These links often lead to a site that the spammer created that’s usually full of either malware and other viruses or affiliate links.

The goal here is to get their spam site ranking higher in search engines since Google’s algorithm ranks sites higher when it sees that many other sites are linking to it. When this happens, Google determines that the site must be of great quality if so many people are referencing it.

Google recognized this as a problem in 2005 and announced that nofollow links wouldn’t get any credit in search engine rankings.

This means that any link that has an attribute of nofollow in links is discredited and since WordPress 1.5, this has been part of the core code. A link with this attribute looks similar to the example below:

Every time a link is posted in WordPress by a user, it automatically has the nofollow attribute attached to it. This means that even if you get comment spam on your site, the spam won’t rank higher on search engines.

The trouble is, it doesn’t stop this kind of spam from happening and it’s still going on full force because spammers have found other ways around it. They hack sites to change its contents to spam, exchange links with other spammers for posting, create splogs and more.

Content Replacing

This method involves a hacked replacing content on a site with spam, malware, religious or political propaganda and the like.

The hacker usually keeps certain elements intact such as the site title, for example, in order to leverage the traffic the site would normally get, except now the only thing the visitor sees is spam. The hacker’s hope is that the visitors click on and interact with the spam thinking it’s from a legitimate source.

A hacked site where content has been changed to spam.
If a site’s title reflects an actual business, but all the content is spam, it’s likely a hacked site.

Much of the time, the content is poorly written, doesn’t make sense and is completely irrelevant to the original site’s subject.

Many hackers also engage in backlinking. They post links from other spammers and vice versa so that their other sites and spam can get around the nofollow attribute and be ranked higher on search engines.

Post Skimming

If your site has a lot of comprehensive content, especially when it’s regularly posted on your blog, your site is seen as being an authority on your site’s topic. Since Google rewards sites that are a total authority, these kinds of sites are ranked higher in search results.

To accomplish this, spammers steal posts from legitimate sites and publish them on their spam sites to legitimize the spam and make the site seem like an authority. This is called post skimming. Spammers do this to trick search engines (read: Google) into ranking the site higher in results to help move more traffic to their site.

Even if your site isn’t hacked or under constant attack with spam, your content can still be stolen and published on spam sites.

Malicious Redirect

Hackers can also get into your site’s files and if they’re successful, they can change your .htaccess file to add a redirect. What this does is direct anyone who visits the original site to the one the hacker set in the .htaccess file.

When a legitimate site is redirected to a spam site, it’s goal is to trick visitors into believing the redirected site is legitimate in order to scam the user.

A spam site where visitors can buy Facebook "likes."
A malicious redirect in action. The original site is redirected to spam.

Even if the site looks professional, the content may not be. I was able to find the example above of a site with a malicious redirect where the spam site offered payment plans to purchase Facebook “likes.” If someone were to make a payment, a network of fake Facebook accounts created for this purpose would start liking your page.

The main problem with this is that you may be thinking you’re paying for real people who genuinely like your page and want to engage in your company, but you’re not and it’s far from that. While there are some sites that pay real people to “like” pages, they’re not genuine likes. Once these individuals like your page, they won’t come back again. This kind of service is referred to as a click farm.

Most of the time, the Facebook users aren’t real people or the accounts have been hacked. Facebook has a team to track these fake accounts and shut them down. If they suspect your page is fraudulent because of the fake likes, your page could be at risk of getting shut down, too.

On the Facebook for Business page, they outline the problem:

“Selling likes created by fake accounts or people without real intent is only profitable when it can be done at scale …. We write rules and use machine-learning to catch suspicious behavior. When we catch fraudulent activity, we work to counter and prevent it – including blocking accounts and removing fake likes.”

Referral Spam

To fully understand what referral (or referrer) spam is, you need to know what a referrer is in the context of your site. When you look at the traffic statistics for your site, such as when you check your Google Analytics, you should see a section dedicated to referrers. These are the sites that suggested and pointed visitors to your site and the visitor clicked through to visit you. Typically, you would see referrers such as social media sites or email services like Gmail where you shared your posts and pages, as well sites that linked to you in their posts and similar avenues.

A site’s URI is stored in the header under what’s called the HTTP referrer. This is the information that’s displayed in most site analytics services. Spammers change this information to reflect a site they wish to promote, then use bots to flood your site (and thousands of other sites) with requests. Your analytics stats show these page views and the spam site shows up in your list of referrers.

Spammers do this in the hope that you click the link, visit their site and buy their products, which of course are complete scams. If you share your analytics with everyone in your network or within your business, then even more people are exposed to the spam link.

Since bots send referral spam to thousands of sites, it means the spam link is sent to thousands of people. This is where referral spam can be lucrative. With so many individuals exposed to the link, there’s potential for hundreds if not thousands of people to click the spam link and be scammed.

The Semalt website.
Semalt is one of the top offenders for sending referral spam.

There are other reasons why this is not only annoying but can have a huge impact on your business. If your site doesn’t pull in tons of traffic, a hundred spam requests to your site can seriously throw off your data and make it difficult for you to sort everything out for marketing purposes. Plus, all that extra traffic costs you bandwidth and server resources that you have to pay for even though it’s illegitimate traffic. If you get large amounts of spam requests, it could also slow down your site for genuine visitors.

Using a CDN helps distribute your visitors across multiple servers to help keep your site loading quickly even if you get referral spam. The trouble is, depending on the type of CDN you have, it may not be enough, especially if you’re on a free or basic plan and you receive more spam traffic than your CDN service is setup to handle for your account. It won’t always be an issue, but it’s something to consider.

Phishing (Identity Theft)

A lot of spam out there is directed toward stealing personal information and credentials to either be sold or used to distribute more spam or malware. Phishing is one of these types of spam.

It often starts with a hacker compromising a site using a vulnerable plugin, brute force attack or other methods and creating a page that they hide within the site’s folders. The page they create replicates a well-known site’s login page such as WordPress, Gmail and even financial institutions. It’s usually hidden somewhere you would least expect to find a page file such as in the wp-includes folder or among JavaScript files, though, this isn’t always the case.

They start sending this link to many users within an email and try to fashion the message to seem like it’s legitimate. The email often asks the user to login to update outdated plugins in the case of WordPress, but there are many other variations.

In the case of other types of accounts, the email may ask a user to verify their identity by logging in since someone may have compromised their account or other similar messages.

The end goal is to get the user to click a link and log in to the fake site with their real credentials. The login details are then sent to the spammer.

Since most self-hosted WordPress login pages look the same, it’s easy for the spammer to replicate the page, especially when all the code is publicly available. They would just need to make some minor adjustments to make sure the information is sent to them, rather than actually attempting to log you in.

Instead, they many send you to a page that indicates some kind of minor error to make it look like everything’s fine. The error may indicate that the site’s over capacity or that the request timed out. Since these errors aren’t usually a cause to panic, the user would go about their day, possibly not even realizing that they have been a victim of phishing.

This is also the case for any site and not just for WordPress. There are plenty of phishing emails sent asking you to login to your Google account, email, online banking and just about every major site. This is why it’s crucial to be able to detect a phishing scam so you can avoid it.

There are a few main ways to identify phishing spam in emails and on sites. Here are some common red flags:

  • The email suggests you have made recent actions that you haven’t. For example, if you are asked to log in to review a recent order or package that you didn’t send. Often times, you can visit the site on your own (without clicking links) and see that there is no order or package.
  • The email header displays a “from” address that isn’t normally used by the company from which the email claims to be sent. For example, if you receive an email from [email protected], but the email seems to be sent from your WordPress site or a financial institution. Sometimes the spammer can cloak their email to look like it’s legitimate so this isn’t always a sure sign.
  • The email “To:” field may also display an email address that isn’t yours, though, this isn’t always the case.
  • The email message itself doesn’t display any personally identifiable information such as your name, account number or other information that should normally be present.
  • You can hover over the link in your email and see if the URL that’s displayed at the bottom of your browser actually reflects the company’s URL or if it’s different. For example, if you receive an email from Google asking you to log in, though, the actual URL doesn’t start with Some spammers are clever and they’re able to cloak the URL so it looks legitimate so you should still be cautious if other red flags are present.
An example phishing email with all the red flags.
This email has many red flags. It’s definitely a phishing email.
  • In the above example, you can see all the red flags are present in this email from “Apple.” When I hovered over the Confirm Now link written in the message, my browser displayed a URL at the bottom of the window. The URL had a long string and it started with which isn’t an Apple site address.
  • The URL is made to look like it’s from Amazon since it’s a sub-domain of which is likely a compromised site.
  • There’s also one more red flag you can check for, but only if you already clicked the link in the email. The URI in your address bar displays a site that you know doesn’t reflect the company who supposedly sent the email. For example, if you see something similar to instead of to access your Gmail account. This last red flag is usually the best indication, though, it’s not recommended that you click the links. Try to determine whether there are enough red flags for you to delete the email before clicking on the link. When in doubt, go to the legitimate page directly and without clicking on any email links or contact the official support team of the company in question.

Keep in mind that some companies send confirmation emails after signing up since someone could have accidently made a mistake entering their email and entered yours instead, especially if they only need to be one character off. These emails usually are legitimate, but they also ask you to ignore the email if you didn’t try signing up recently.


Our best pro WP tools in one bundle

Try free for 7 days
30-day money-back

If ever you aren’t sure if an email you receive is legitimate, don’t reply and don’t click on any links within the message. If you reply, the spammer would know your email is real and not out-of-date so they can continue spamming you or sell it to others. If you click any links within the message, you could unknowingly and automatically download viruses or malware.

Hijacking (Redirect) Scripts

Sometimes, when your site becomes compromised, the hacker’s intention is to hijack your site and redirect its traffic. They upload a script that sends all your traffic to their site instead. Also, redirect scripts still use your server’s resources to work and it can eat away at your bandwidth and memory since visitors initially have to land on your site before they’re directed elsewhere.

Not only do you have to pay to display a spam site, but you also miss out on potential sales or conversions since genuine visitors can’t actually get to your site. Your reputation can also plummet as your business begins being associated with spam.

Brute Force Attacks

When a hacker attempts to guess your login details and tries logging into your site with different combinations of usernames and passwords, it’s called a brute force attack. For this kind of attack, the hacker is relying on you to use easily guessable usernames and passwords such as “admin” and “password1234” respectively. It’s also typically done manually.

This is why it’s important to change your admin username and also use a strong password. You can check out one of our other posts WordPress Security: Tried and True Tips to Secure WordPress for details on basic security best practices.

Unfortunately, many hackers are successful, especially if they already stole your credentials from a separate phishing email or if they purchased your login details from a fellow hacker. Unfortunately, repeated brute force attacks can costs you a lot of bandwidth and memory.

XML-RPC Attacks

XML-RPC has been around since 1998 and it’s used in WordPress in the form of an application program interface (API) called the WordPress API. XML-RPC lets your site communicate with other sites or apps remotely to transmit, process, and return data. It uses XML for the data and processes procedure calls using HTTP.

It’s used to power your site’s trackbacks and pingbacks, but the API is also used to connect various apps to your site. Possibly some of the most well-known examples are the WordPress mobile apps and the Jetpack plugin.

The WordPress API lets your site connect with other sites to send and receive trackbacks and pingbacks as well as connect with apps so you can remotely publish posts, upload images as well as manage comments, users, posts and more.

XML-RPC is often exploited in WordPress by hackers because they can use it to execute a mass of commands within one HTTP request. You can read more about XML-RPC in our article XML-RPC and Why It’s Time to Remove it for WordPress Security.

Normally, visiting a site and logging in takes one request and you can only try to log in once per request. By exploiting the XML-RPC-based API, a hacker could make hundreds or even thousands of login attempts per request. They would be amplifying their brute force attacks and using up your site’s resources.

If the brute force attacks aren’t successful, it could lead to a DDoS attack.

Distributed Denial of Service (DDoS) Attacks

A denial of service (DoS) attack isn’t an attempt to hack into your site or steal your personal information. Instead, it’s a product of those attempts. When a hacker tried to compromise your site such as with a brute force or XML-RPC attack, they send so many requests through your server that it eats away at your bandwidth and memory.

Your site is sent so many requests, that your resources become exhausted and your site goes down. Depending on your hosting provider, your site may go down permanently if they think your site has been compromised or if you breached their terms of service agreement by using up way too many resources.

A distributed denial of service (DDoS) attack is similar, but with a twist. Hackers can infect many computers and sites with viruses and scripts that serve to target other sites where the end result is a DDoS attack.

Thousands of sites and computers can be infected to attack thousands of other sites. The infected sites could be programmed to hack other sites or send spam, but in either case, it usually ends with the targeted sites being overloaded and kicked off the web.

If your site goes down, you could lose a lot more than genuine traffic. You could lose money and your search engine ranking could plummet. Not to mention all the time you’re likely going to lose trying to fix the aftermath of a DoS or DDoS attack.

SQL Injection

WordPress sites are powered by databases and PHP so that dynamic content can be displayed. If your site includes scripts or plugins that don’t have their data sanitized and validated, it becomes a vulnerability that could lead to SQL injections.

This means a hacker could input SQL queries and statements into your site’s URL in order to gain otherwise unauthorized access to your database. They could then pull up personal information and login details that are stored in your database.

With this information, they could compromise your site further with other forms of attack including inserting hijacking, phishing, malicious redirect scripts and a whole host of other intrusions.

Sanitizing and validating your data is beyond the scope of this article, but you can check out Functions to Validate your Data and Functions to Escape and Sanitize your Data for details.

Troubleshooting a hack

Cross-Site Scripting (XSS) Attacks

In an analysis done by Wordfence, it was found that out of the 1599 hacked sites they reviewed, 47% of them were compromised by a cross-site scripting (XSS) attack.

There are different ways it could happen, but XSS attacks usually begin when improperly written plugins, themes and scripts lets a hacker inject code (typically Javascript) into a website. Sometimes, this is done through an input field in a form on your site. If they’re successful, the Javascript is executed and they compromise the visitor’s browser and can control it.

If a hacker is able to take advantage of an XSS vulnerability, they could:

  • Use the access they gain into a user’s browser to steal their personal or financial information
  • Steal a user’s session cookies to gain access to the site they compromised, including the admin account
  • Write to the database to do all sorts of things including injecting malware or spam
  • Inject a redirect script
  • Create pages, scripts and forms for phishing
  • Have access to you or your users’ geolocation, webcam and microphone if certain modern browsers are compromised
  • Many more outcomes could result depending on the type of site that’s compromised and what’s it’s designed to do

In order to avoid creating an XSS vulnerability if you’re writing a plugin, theme or script, you need to make sure your code is properly sanitized, escaped and validated. You can check out Introduction to WordPress Front End Security: Escaping the Things for details.

Cross-Site Request Forgery (CSRF) Attack

A cross-site request forgery (CSRF) attack can be described as a more specific type of XSS attack. The difference is CSRF attacks inject code or strings into a URL instead of a form input field. Then, distribute it to unsuspecting visitors for them to click on.

Once a user visits the infected link such as the administrator, the added code could be used to send or submit data to the hacker or somewhere else without the user intending or knowing about it.

Any of the above results of an XSS attack could also come from a CSRF infiltration and patching this kind of vulnerability is the same except you should also use nonces. You can get the details on how to use nonces by checking out WordPress Nonces in the WordPress Codex and WordPress Front End Security: CSRF and Nonces.

4. Basic Prevention Steps

There are some settings you can change in order to help prevent spam on your website including disabling registration, comments, trackbacks and pingbacks as well as enabling comment moderation.

Keep in mind that the settings in this section may not be suitable for everyone. If you need your site to keep these options enabled, but you also want to prevent spam, check out the Advanced Spam-Fighting Techniques section of this post.

Disabling Registrations

To disable registrations on Multisite networks, go to your super admin dashboard > Settings > Network Settings > Allow new registrations and select the Registration is disabled radio button, then click Save Changes at the bottom of the page.

This eliminates users signing up for a new account or site across your entire network so you can avoid splogs or spam registrations.

The Network Settings page.
You can disable the registration process for your entire network.

Disabling Comments, Trackbacks and Pingbacks

To disable comments, trackbacks and pingbacks, go to your admin dashboard > Settings > Discussion > Default article settings and uncheck all the boxes for that section. When you’re done, click Save Changes.

The Settings > Discussion page.
You can disable comments, trackbacks and pingbacks in your settings.

The first checkbox stops your site from sending pingbacks, the second options stops your site from receiving trackbacks and pingbacks and the third option disables comments on posts. You can choose to override these settings for individual posts.

It may also be important to note that pages automatically have comments, trackbacks and pingbacks disabled by default.

You can also turn off commenting on posts that are older by going to the following Other comment settings section and checking the box for Automatically close comments on articles older than 14 days. Then, replace the number 14 in the text field with the amount of days you want.

Managing Comment Moderation

Turning off comments may not be the best solution for everyone. If you would still like to keep the native WordPress comment system active, you can still manage the amount of spam you receive by turning on and managing comment moderation.

With these options, you can choose to manually check each comment and choose whether it should be published, moved to the trash pile or marked as spam.

Go to your admin dashboard > Settings > Discussion > Before a comment appears and check the two options in that section that work for your site. The first checkbox enables comment moderation and the second option allows comments to be automatically approved, but only if the comment author already has a comment that was previously approved.

You can also automatically put a comment on hold so you have to manually approve it if it contains certain words, URL’s, emails or IP addresses that you previously chose.

To add these items, go to the Comment Moderation section on the same Discussion settings page and enter the values in the multi-line text field. Keep in mind that you need to place only one item per line.

The Discussion settings page.
You can choose to approve or deny every comment that’s submitted before it’s published.

Also, if a comment includes a large word that contains the same shorter word you enter, they’re matched and the comment is held for moderation. This means that if you include the word “press” the word “WordPress” in would trigger the comment to be placed on hold.

Above this field, you can also send comments to the moderation queue if they contain a certain number of links or more. Enter the number of links you want in the text field. The default amount is two.

Below the Comment Moderation field, there’s also the Comment Blacklist section where you can enter the same values with the same rules into the field to put submitted comments directly in the spam queue if they contain the words, links, emails or IP addresses you enter.

When you’re done, click Save Changes.

To manage all the comments that are held in your moderation queue, go to Comments and hover over one of the submitted comments in the queue.

Links should appear that you can click to manage the message:

  • Approve – Publish the comment as is
  • Reply – Write a comment back that references the one you’re moderating
  • Quick Edit – Change certain basic options
  • Edit – Change the comment text and any of its options
  • Spam – Move the comment into the spam queue
  • Trash – Move the comment to the garbage pile

It may be important to note that if you move a comment to the trash, it doesn’t delete the comment. Instead, it moves it to the trash queue which you need to visit to manually delete the comments there unless you install a plugin that does this for you.

The comments page.

You can click the links at the top of the page to view the different comment queues.

5. Cleaning Up Spam

There are different ways you can manually clean up the spam comments, trackbacks and pingbacks you get.

To empty your comment spam queue, go to Comments in your dashboard and click the Spam link toward the top of the page. Next, click the Empty Spam button to permanently remove everything in the queue.

The comments page.
You can empty your entire spam queue in a couple clicks.

You can also choose to sort through the comments and delete them one-by-one or in bulk. You can click the checkbox beside each comment or at the top of the list, then select Delete Permanently in the Bulk Actions drop down box, followed by the Apply button. This deletes all the comments on that page and there’s no going back once it’s done.

It’s important to note that if you have many spam comments that need deleting and you choose to click the Empty Spam button, this may o verload your server so be sure to use this option wisely.

You can also delete spam comments, trackbacks and pingbacks directly in your database by entering queries into phpMyAdmin. For details on how to do this, check out one of our other posts 10 Tips for Keeping a Squeaky Clean WordPress (and Multisite!) Database.

6. Advanced Spam-Fighting Techniques

If you’re in need of more than just the basic solutions for dealing with spam on your site, there are a number of advanced steps you can take to be sure you won’t receive any spam at all.

You may notice that if you keep comments, trackbacks and pingbacks enabled or even disabled on your site, you may still get bombarded with spam. Even if you don’t link to it anywhere, spammers can still send comments externally by using bots to send post requests.

If you don’t plan on displaying or using comments on your site at all, you can rename or delete the wp-comments-post.php in the root of your site’s files. Similarly, you can find and rename or delete the wp-trackback.php file in the same place if you wish not to display or use trackbacks in any way.

You can also close comments, trackbacks and pingbacks on posts using SQL queries. For details, check out 10 Tips for Keeping a Squeaky Clean WordPress (and Multisite!) Database.

If you would like to keep comments open, but help reduce the amount of spam you receive, disabling the URL field on the comments form can help a little. Spammers want as many ways as possible to drop links in comments so disabling this field helps, though, they can still add links to the comment body.

Before you remove this field, you need to create a child theme since you need to edit your theme’s functions.php file. You can get the details on child themes by checking out How to Create a WordPress Child Theme and How to Automagically Create Child Themes in WordPress. Don’t forget to make a full backup of your site as well.

Now for the code. Add it to /wp-content/themes/your-theme/functions.php:

To block all pingbacks and trackbacks, you could also add this rule to your .htaccess file:

Keep in mind that this also blocks all use of XML-RPC which means you won’t be able to use services that require the WordPress API such as Jetpack or the WordPress mobile apps.

You can also add Allow from IP Address before </FilesMatch> to allow only you to use these services, but you must have a static IP for it to work. Just replace IP Address with your real IP.

There are also several more tweaks you can make to your .htaccess file to prevent spam and increase your site’s security. For all the details, check out A Comprehensive Guide to Editing .htaccess for WordPress SecurityLimit Access to the WordPress Login Page to Specific IP Addresses and How to Stop Spam Bots from Ruining Your Analytics Referral Data.

If you wish to moderate your comments, but you’re unsure of the difference between genuine messages and spam, you can use these sites to look up the author’s IP Address against databases of known spammers:

DDoS attacks can happen to anyone and it’s important that you know if your server can handle this kind of attack. Fortunately, you can stress test your site to see how much traffic it can handle so you can be proactive and fix things before you’re attacked. Check out Stress Testing Your WordPress Site So You’re Ready for Traffic Spikes for all the details.

7. Spam-Combating Plugins

Installing plugins to help you automatically combat spam can not only save you from hours of manual labor, but it also keeps you routinely protected so you don’t have to worry about things like human error.

Don’t feel embarrassed. I forget to keep up with spam all the time and that’s why plugins can be helpful. You can check out 15 Top-Rated Plugins for Winning the Fight Against WordPress Spam for a handy list of spam-fighting plugins you can install.

Many plugins offer CAPTCHA to add to your site’s forms, but that’s not always the best option. While it works well, it adds an extra field for every visitor to fill out in order to be able to complete their submission.

This is generally fine, but it’s not user-friendly. Making your site as easy to use as possible helps keep your users happy and returning to your site regularly. If you’re adding more steps to any process, it’s likely to frustrate your users.

Using plugins that don’t require the use of CAPTCHA helps keep your user experience top notch.

8. Ensuring Continued Protection

It’s time to take spam seriously since it can have a deeply profound impact on your site. Not only does spam bloat your database, but it can also leave you open to numerous attacks.

In order to ensure your site is protected on a continuous basis and without interruption, you need to keep on top of it. Manually delete spam from your site when you see it or keep spam-fighting plugins installed so you can automate the process while also protecting your site.

It’s also a good idea to install a security plugin to make sure you have the maximum level of protection for your site. You can check out our own Defender plugin to harden your site’s security and keep it safe.

Have you had run-ins with spammers or hackers on your site? Did I miss any of your favorite tips for reducing spam? I would love to hear what you think so share your experience in the comments below.

Jenni McKinnon

Jenni McKinnon Jenni has spent over 15 years developing websites and almost as long for WordPress as a copywriter, copy editor, web developer, and course instructor. A self-described WordPress nerd, she enjoys watching The Simpsons and names her test sites after references from the show.