Comment spam is one of the hazards of running open comments on any blog or website. I’ve dealt with nearly 5,000 spam comments on my blog, and I don’t have nearly the traffic of any of the huge blogs out there. But recently my comment spam stopped dead because of four easy-to-use WordPress plugins and a configuration change or two.
Akismet – This is a spam-filtering plugin that comes with the default WordPress installation; you just need to activate it and sign up for a WordPress.com account to get your API key. Akismet won’t stop the spam, but it will identify comments that come from common spam sources. It segregates those comments so you can review them later and make sure none were labeled as spam erroneously. (Plugin Directory link: Akismet)
SI CAPTCHA Anti-Spam – You’re starting to see these everywhere. A CAPTCHA is a small image with a series of letters and numbers that you have to type in to confirm that you are a human. It works on the principle that a human can read the image, while a computer (spam bot) cannot. SI CAPTCHA Anti-Spam is a simple-to-use plugin; usually all you have to do is install and activate it, and it starts working out of the box. Some people may need to make a small change to their theme to get it working, but most downloadable themes are already set up to use it. (Plugin Directory link: SI CAPTCHA Anti-Spam)
TTC User Registration Bot Detector – Some spam bots try to get around non-open comment systems by signing up for an account at your blog and then using that account to post comments. The TTC User Registration Bot Detector checks every computer that tries to register an account on your website against the list of known spammers at Spamhaus. It also logs all registrations so if you see one IP address trying to register multiple accounts you can put it in your own blacklist to keep it from trying again. (Plugin Directory link: TTC User Registration Bot Detector)
WP-Ban – Sometimes, no matter how hard they try, the plugins above still let through a spam message every now and then. WP-Ban lets you ban computers from accessing your WordPress site based on their IP address, domain name, web site referrer, or user agent (browser type, bot type, etc.). When a banned computer tries to access your site, it is given an error message, which you can customize, telling the visitor they have been banned. The ban blocks access to every page on your site, including direct requests to the wp-comments.php page, which is the only place most spam bots go on your site. (Plugin Directory link: WP-Ban)
Those are the plugins I use to keep spam out of my comments now. There are a couple of other configuration changes you can make to your WordPress installation to assist those plugins as well.
Under the Discussion Settings you have three options that you can set to moderate spam. The first one is to hold a comment in moderation if it contains more than a certain number of website URLs. I currently have that set to two, which I believe is the default setting.
The next box down will hold comments in moderation if they contain certain words, URLs, or IPs. You can specify words that are commonly used in spam messages on your site. The WordPress.org documentation Wiki includes a list of spam words that you can copy and paste into this box. Comments that are held in moderation are not considered spam until you mark them as such. Every time a comment is held in moderation, you should get an email asking you what you want to do with that comment.
The next box below that is the words blacklist box. This list bypasses comment moderation and automatically marks any comment containing the words in the list as spam. I consider this one to be a little more dangerous to use, so I don’t really use it. But if you wish to, you could again use the list of spam words from the WordPress documentation wiki.
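
To see how the three settings interact, here is a small stand-alone model of them. It is an added example, not WordPress's own code: the function names, the order in which the rules are checked, and the case-insensitive substring matching are assumptions, and the sample comments are constructed.

```php
<?php
// Simplified model of the three Discussion Settings; not WordPress's own code.
// All function and parameter names here are hypothetical.

function count_links(string $text): int {
    return (int) preg_match_all('~https?://~i', $text);
}

// Case-insensitive substring match: a term also matches inside longer words.
function first_match(array $comment, array $terms): ?string {
    foreach ($terms as $term) {
        $term = trim($term);
        if ($term === '') continue;          // a blank line must not match everything
        foreach ($comment as $value) {
            if (stripos($value, $term) !== false) return $term;
        }
    }
    return null;
}

function triage(array $comment, int $maxLinks, array $moderation, array $blacklist): array {
    // Assumed order: the blacklist wins, then the link count, then moderation words.
    if (($hit = first_match($comment, $blacklist)) !== null) {
        return ['spam', "blacklist term '$hit'"];
    }
    if (count_links($comment['content']) > $maxLinks) {
        return ['moderation', "more than $maxLinks links"];
    }
    if (($hit = first_match($comment, $moderation)) !== null) {
        return ['moderation', "moderation term '$hit'"];
    }
    return ['approved', 'no rule matched'];
}

// Constructed sample comments (documentation IP range, example.com addresses).
$base = ['author' => 'Dana', 'email' => 'dana@example.com', 'ip' => '203.0.113.7'];
$samples = [
    'plain'    => $base + ['content' => 'Great write-up, thanks!'],
    'linky'    => $base + ['content' => 'http://a.example http://b.example http://c.example'],
    'innocent' => $base + ['content' => 'Ask a security specialist before enabling this.'],
];

foreach ($samples as $name => $comment) {
    // Same term list used two ways: as a blacklist, then as moderation words.
    [$asBlack] = triage($comment, 2, [], ['cialis', '203.0.113.99']);
    [$asMod]   = triage($comment, 2, ['cialis', '203.0.113.99'], []);
    printf("%-9s blacklist: %-11s moderation list: %s\n", $name, $asBlack, $asMod);
}
```

The last sample is a legitimate comment: with the term in the blacklist it goes straight to spam because "specialist" contains the term, while the same term in the moderation list only holds it for review.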
I’ve been running this combination of plugins and settings for a week now and I went from about 15 spams per day on average down to zero. If you have a self-hosted WordPress installation and are struggling with spam, then you might want to give this a try.