If you run a blog that’s powered by WordPress, inevitably your website will be hit by a deluge of comment spam. More often than not, it comes from automated software tools designed to build links back to the spammer’s website for search engine optimization (SEO) purposes. If you leave your WordPress blog unprotected, your posts will be riddled with useless comments and you could possibly face a ranking penalty from Google for having user-generated spam on your website as Sprint recently did. Fortunately, it’s fairly easy to keep comment spam off your website. Here are the few basic steps to take to prevent comment spam from taking over your website:
Enable Akismet – Akismet comes pre-bundled with WordPress as a plugin, but you do need to activate it and enter an API key to make use of it. Akismet compares your comments to known spam comments and marks it as a spam comment if it looks suspicious. The WordPress Codex has information about how to setup Akismet on your website
Setup Hashcash Extended – One of my favorite anti-spam plugins in WordPress is WP-Hashcash Extended. This plugin relies on the fact that most comments that are generated by spam-bots are done using server-side software that does not work with JavaScript. The plugin forces the user’s web-browser to do some basic arithmetic using obfuscated JavaScript and if the commenter’s browser fails the tests, they’re more than likely a bot, since JavaScript is part of all modern web-browsers.
Configure WordPress’s Discussion Section – WordPress has a number of options to manage how comments are processed. To access these, go to the “discussion” tab in your WordPress Settings. I recommend disabling pingbacks and trackbacks all together, as they tend to almost always be spam. It’s also a good idea to close comments after a specific period of time (60 days or so), so that the original discussion on your posts are preserved and that spammers can’t sneak in comments on your old posts. Finally, I recommend checking “Comment author must have a previously approved comment” in the moderation section, unless you receive more comments than you are capable of moderating. This will allow you to white-list your most-frequent commenters and review posts of new commenters the first-time they show up on your website.
Don’t Install a Captcha – It might be tempting to install a captcha to try to stop spam in its tracks, but captcha’s create for a very bad user experience and tend to discourage actual commenters more than they actually stop genuine spam. The reality is, if you do the list of things above, you probably won’t need a captcha on your website.
Setting up Akismet, Hashcash Extended and configuring your comment settings on WordPress should be enough for most websites. If you find yourself deluged by hundreds of spam comments each day in your moderation queue as one of my sites does, you can consider setting up CloudFlare (a CDN which will block malicious traffic from ever getting to your web-server) or the Bad Behavior plugin, which will reject traffic from IP addresses known to be engaging in malicious behavior.