7 April 2022

The way WordPress deals with user comments by default is far from ideal. Anyone can submit comments, and comment forms don’t have any spam protection. Unless you disable comments or add spam protection you are likely to quickly get thousands of spam comments. By default, these comments are not published on your website – they are instead stored in the “pending” queue under Comments in the WordPress dashboard. However, they still need to be dealt with one way or another. Also, letting spam bots submit comment after comment after comment is a waste of resources. Spam bots can affect your website’s performance.

A screenshot of a standard WordPress comment form. User can enter a comment and their name, email address and website address.
Image: the default WordPress comment form is every spam bot’s dream come true.

Changing the default comment settings

You can change the comment settings via Settings » Discussion. To disable comments you can simply untick Allow people to submit comments on new posts. At the same time you probably also want to untick Attempt to notify any blogs linked to from the post and Allow link notification from other blogs. The latter two settings are for so-called pingbacks. Like comment forms, they are mostly used by spammers.

An image of the default comment settings in the WordPress dashboard. By default, comments are enabled.
Image: the default discussions settings.

Changing comment settings using a plugin

It is worth noting that the new settings only apply to new posts. Any existing posts on your website will still use the old comment settings. Unfortunately, WordPress doesn’t have an option to change the settings for all existing posts. If your website only has a few existing posts then you can change the settings for each individual posts, one by one. Alternatively, you can use a plugin such as Disable Comments.

You can use a plugin to disable comments for existing posts and pages. The image shows the settings of the Disable Comments plugins. If you want you can disable comments everywhere, but you can also pick and choose (for instance, you can disable comments for pages but not for posts).
Image: plugins such Disable Comments let you change the comment setting on old posts.

Adding spam protection

If you website has comment forms and/or a contact form then it is important to add spam protection to the forms. Without spam protection your website is likely to be inundated by spam bots. This causes a lot of useless traffic to your website, which can also impact the performance of your website. And, dealing with spam is annoying. You might suddenly have to deal with over a hundred thousands spam comments awaiting moderation.

WordPress itself doesn’t have any spam protection. It does advertise Akismet, which is a commercial anti-spam solution. The Akismet plugin is installed by default, but to use it you need to sign up for an Akismet account and, in most cases, pay at least £8 per month. You could get four Mega Deal hosting packages for that price!

Stopping spam comments using All in One Security

Luckily, there are plenty of anti-spam plugins that are trustworthy and free. I personally tend to use the All in One Security plugin, as it has a couple of other useful options, such as the option to change the default login URL.

The plugin has two options for blocking spam comments: it can add a so-called captcha to comment forms and it can add a rule to your website’s .htaccess file that blocks evil spambots.

An image of the Spam Protection settings in the All in One Security plugin. The interface shows two checkboxes: one to add a captcha to comment forms and another to add a rule that aims to block evil spam bots.
Image: the All in One Security plugin’s spam prevention settings

The captcha can be a simple maths question, such as “how much is 3 * 6?”. Most spambots are unable to answer questions like that, and those that can are likely to be blocked by the .htaccess rule. The rule blocks any POST requests on wp-comments-post.php where the referer is not your website. This stop scripts that submit comments without even visiting your website. If you are curious, this is the rule the plugin creates:

# BEGIN All In One WP Security

RewriteEngine On
RewriteCond %{REQUEST_URI} ^(.*)?wp-comments-post\.php(.*)$
RewriteCond %{HTTP_REFERER} !^http(s)?://example\.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* [L]

# END All In One WP Security

One thing to be aware of is that not all anti-spam plugins work with website builders such as Elementor. If you use tools such as Elementor then there are alternative solutions. A quick online search should yield plenty of results.

Other tips

This article is part of a series about things you can do to optimise your WordPress website and make it more secure. You might also be interested in these articles: