Combating WordPress Spam Comments Without Any Plugin

September 19th, 2023

Many people think that WordPress does not have inbuilt security or has fewer inbuilt security features to combat spam comments. Their assumption about WordPress’s inbuilt security is entirely wrong. The CMS has inbuilt solid anti-spam functionality, including options to block the comment spam.

You do not need any plugin, even default Akismet, to stop WordPress spam comments. The plugins are only meant to provide you additional functionalities to fight against spam. Through this write-up, you’ll get familiar with the inbuilt options of WordPress to block the comment spam on your site without making use of any third-party plugins or services. Let’s get started!

Navigate to Discussion Settings

Login at your WordPress site and go to Settings >> Discussion.

Image 1

This is the place where you can set up your site to be free from WordPress spam comments.

#Default Article Settings

The pingbacks and trackbacks are the main things that invite WordPress spam comments. You can uncheck the box titled ‘Allow link notifications from other blogs (pingbacks and trackbacks) on new posts‘ option to disable all trackbacks and pingbacks to your articles.

Image 2

#Other Comment Settings

In the following option, you can select that a commenter should provide his/her name and email address to comment on any article. If you think that the commenter should register with your website first, check the option ‘Users must be registered and logged in to comment.‘ This option is useful when you are integrating login features at your website. Another best option to block WordPress spam comments is to close the comments after some days. For example, you can select ‘Automatically close comments on posts older than XX days.’

Image 3

The spammers target the websites having irrelevant and/or more comments than others. If you expect to get a large number of comments, you can divide the appearance of the comments. You can set the last option in the above settings to break comments into pages with XX top-level comments per page. You can also set it to display either the first or last comment page.

#Email the Admin on Comments

The next two settings are quite important to fight against WordPress spam comments. In the first setting, you can select the option to email you when someone comments on any article or post, and in the second option, you can choose the option to email you whenever a comment is held for moderation.

Image 4

#Before a Comment Appears

The second settings allow you to reserve your rights to approve the comments and show them with your approval only.

Image 5

You can also select to approve the comments of the previously approved commenter automatically. This setting helps the existing commenters to continue their discussions without waiting for any approval.

#Comment Moderation

Most of the WordPress spam comments are created only to add links. You can set WordPress not to accept comments with more than one or two links. You can do this in the comment moderation setting.

Image 6

Comment moderation settings also allow you to hold the comments for moderation if they contain specific words. You can also specify the IP addresses of which comments you want to hold for approval. The comments either containing specific words or from entered IPs will be sent to the moderation queue and appear only after your approval.

#Disallowed Comment Keys

The moderation queue shows the IP Addresses from which the comments have been entered. You can block these IP Addresses and stop them from commenting anymore on your website. The Disallowed Comment Keys section gives you this option. Just enter the IP Address and sit back and relax. Whenever someone from a specified address comments, then his/her comments will automatically be marked as spam. You can also enter the words in this list to filter out the WordPress spam comments.

Image 7

#Block Spam IP Addresses

Suppose you are getting bulk WordPress spam comments from the specific IP address(s). Then you can disable the IP addresses. Next, you can edit the .htaccess file to block the IP Addresses from accessing your site. The .htaccess file resides in the root directory (public_html) of your website’s file system. You’re recommended to hire experienced WordPress developers to deal with the .htaccess file, as any damage to this file can lead your website to no use. Steps to block IP Addresses through .htaccess are mentioned below.

  • Access the File System of your Website through an FTP or SFTP Client
  • Download the .htaccess file from the root directory
  • Take a backup of .htaccess before doing any editing
  • Open the file in notepad and enter the following lines

Order allow,deny
Deny from
Allow from all

You can change the with the IP Address, which you want to block. You can mention one IP Address to block per line.

  • Save the file and upload it to the root directory of your website.
  • Open your website in the browser and check whether it is working or not. If you get any error, then restore the backup .htaccess file to the website’s root directory.

Note: if you’re a non-technical person, then do not touch the .htaccess file. You can refer to the official WordPress article for detailed information on denying access to IP Addresses.

#Advanced Step

Again, this advanced step is not for non-technical users. If you are not getting success with the above steps and the best plugins to stop WordPress spam comments, then the last way is to delete wp-comments-post.php and wp-trackback.php files. The deletion of these two files will permanently disable the comments and trackbacks, respectively.

#Stay Up-to-date

You should update WordPress and your theme regularly as soon as you get a notification. The updates will make your website more secure and provide you with a better option to fight against WordPress spam comments.

Stopping WordPress spam comments is a big necessity for everyone, and we can effectively do that using inbuilt options along with a few additional steps discussed above. You can also use plugins like WP-reCAPTCHA, Antispam Bee, Akismet, etc., for extra protection.

Certifications &