How To Block Spam On Your WordPress Site Before It Becomes A Major Issue

This past year I’ve seen a drastic increase in the amount of spam that was hitting my WordPress sites. The spam plugin that I had installed, Akismet, while it did an OK job of finding and catching spam, wasn’t enough. Not only did I find that it was creating quite a few false positives (including sending many of my own comments on other sites to spam), but because of the way it operates it was still allowing spammers to bog my sites down and cause them to come crashing down from time to time.

Because of the site slowdowns I started looking around for some solutions to my problem – including finding a way to stop the spam request before they even started.

Continues after Advertisement

Today’s post will look at a variety of solutions that I’ve examined – and a few that I’ve used – in order to get rid of spam comments on my WordPress sites.

blocking wordpress comment spam

WordPress Plugins To Combat Spam

The first and easiest way that you can combat spam comments and trackbacks on your blog is to install spam nuking plugins.  Here’s a list of a few that I’ve found and had recommended to me.

  • Akismet:  While I’ve had issues with Akismet having false positives on a quite a few comments (in other words, good comments being classified as spam), for the most part it does a pretty decent job of catching the spam and sending it to the spam box.
  • Growmap Anti Spambot Plugin: I use Growmap in conjunction with Akismet to drastically cut down on the amount of spam I receive.  The way this plugin works is that it puts in a checkbox below the comment box, asking the user to check it in order to comment.  Most spam-bots will not complete that behavior, and therefore can’t comment.  After installing this it cut down on my spam substantially.
  • Spam Free WordPress:  I have a blogging colleague who uses this plugin and swears by it.  It claims to block 100% of automated spam. I’m not sure about that, but some people like it.
  • Conditional Captcha:  The plugin creates a captcha that the user needs to enter in order to comment.  Blocks most spam, although it may still allow some comments into the database before being deleted – which means there still may be some load on your server.  I have avoided captcha to some extent because I don’t like entering them on other sites myself.
  • NoSpamX:  Another friend uses this plugin and says it has basically dropped the number of spam to zero on his blog.  Blocks automated spam-bots and allows blacklists.
  • Quiz: This plugin quizzes commenters before they can complete the comment.  I don’t use this one either because i prefer to keep it as simple as possible for commenters.

I currently only use two of the plugins from the list above – Akismet and Growmap.   The rest are still decent plugins I’ve had recommended to me by satisfied bloggers.

Alternative Commenting Systems

Quite a few frustrated bloggers are moving away from the standard WordPress comments system and switching to an alternative commenting platform.  Here are a few choices that I’ve seen used:

These other commenting systems do have their own pros and cons that should be researched if you plan on using them, but for the most part they are pretty effective at combating spam.

 Denying Access To Spammers By Blocking Them With Your .htaccess File

While most the plugins that I use from the above list did help in blocking a lot of the spam that was coming through, I was still experiencing issues with spam-bots hitting my server constantly, and causing slowdowns on my site. In other words their spam comments weren’t getting through, but they were still hitting my server and causing severe loads on my server.  A spam comment and a real comment will have the same load on your server essentially.   At times the spam hitting my server was so bad that it would cause my site to go down altogether.

After doing some research I found the solution to my problem on the site on a post called “Combating Comment Spam/Denying Access“.  The article goes over a variety of ways that you can programatically block spammers from your site.

Block Spammers IP Addresses

First, they go over how to deny access to spammers by blocking their IP addresses from accessing your site.  It can be effective except for the fact that spammers are often on changing IP addresses.  Doesn’t hurt to try and block the worst offenders though, or certain countries if they are especially known for spammers.

Add this to your .htaccess to block spammers from certain IP addresses, or IP ranges.

Order allow,deny
Deny from
Deny from 156.156.156.*
Deny from 189.189.*.*
Allow from all

For more help on setting this up, see this post.

Deny Referrer Or Trackback Spam

Another thing that spammers will exploit is your trackbacks on your site.  Most bloggers will recognize trackbacks at the bottom of a post where links to that particular post will show up.  They show readers who has linked to your post, along with a link to the referrer’s site.

Spammers will send out bots to send fake trackbacks with links back to their spammy sites. You can set your .htaccess file to block known trackback spam bots.   To just get rid of those problems altogether I removed trackbacks from my main sites completely.

Deny Access to No Referrer Requests

This is the one that fixed my spam problem on my site in dramatic fashion.  Before I instituted this fix in my .htaccess file my site was going down a couple of times every day because of the major loads spam-bots were putting on my server.  Since the fix was made it rarely ever has problems anymore because of spam-bots.

What this fix does is to find illegitimate comments by determining if a comment has gone through a certain .php page.   When your readers comment for example,  the wp-comments-post.php file is accessed, processes the text, and creates the comment. The user’s browser will send a “referral” line about this.

When a spam-bot comes in, it hits the file directly and usually does not leave a referrer.  This means that we can detect those no-referrer posts and block them using the .htaccess file.  If you’re not familiar with .htaccess files or Apache directives, you may want to get some help on  this.  Add this to your .htaccess file.

RewriteEngine On
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.** [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]

NOTE: In the fourth line of the code above, make sure to change to your own domain name, without the www, or any prefix on the front.

What this code in your .htaccess file does is deflect the spam-bot back on itself so it never hits your server.

The code detects when a post is being made, checks if the comment is being made on “wp-comments-post.php” with a referrer of your domain.  If there is no referrer it sends the spam-bot back to the originating server’s (the spam-bot’s) IP address.

For more detailed instructions on how to set this up in your own .htaccess file, head on over to the post at


Spam is a troubling issue for bloggers. It can devalue your site, slow down your server and even bring it crashing down because of the resources it demands.  The good news is, there are solutions.

For me the solution was a combination of  a couple of WordPress plugins, as well some code in my .htaccess file.  The code in my .htaccess file was especially helpful because it stopped the spammers in their tracks, before they could even get to my server to start their nasty business.

My suggestion is to try something similar.  Install one or two plugins, and put the .htaccess rules in place. My experience has shown that this should be enough to allow you to live a spam free existence. Good luck!

Have your own trick, tips or plugins to help combat spam comments and trackbacks on your blog?  Tell us about them in the comments!

Last Edited: 5th March 2015


    Share Your Thoughts:

  1. says

    Very thorough article here Pete! I need to get on top of this since with my last host, spammers essentially caused the server to go down so they took me offline for a few days.

    Im considering moving to LiveFyre but I want to see how they perform over the next few months. I had some issues with the code that I wasn’t prepared to fix (read: pay developer to go in and fix it)

    • says

      Thanks Ginger! Yeah, I’ve heard some folks like LiveFyre, but others have mentioned that it seems to be a bit heavy on load time/etc. Because of that I’ve steered clear. I also just like having the interface all in once place in WordPress.

Previous Post: