A WordPress website provides a means to create community and communicate with your customers. Whether you’re a business, non-profit or an individual blogger – this is invaluable. But it’s not without its downsides. Among the biggest is in dealing with the inevitable WordPress spam that can arise from all corners of your website.
Spam is something that has been around for decades. We first came to know it through those piles of unsolicited emails arriving in our inboxes. It’s come to have an impact on all of us at one time or another.
But when we talk about WordPress spam, it’s a multi-faceted subject. It can cover things like comments, contact form emails, user registrations and even posts. Plus, there’s also a security component tied into the issue.
While it may sound like a major challenge, WordPress spam protection is very possible. It just takes the right tools and approach.
Let’s have a look at the different types of spam associated with WordPress websites. From there, we’ll provide you with some tips and tools for taking control.
The Main Types of WordPress Spam
WordPress Spam Comments
By using the WordPress comment system on your site, you invite discussion. Unfortunately, you also invite loads of automated spam comments as well. They take away from a potentially meaningful conversation and muddy the user experience.
Just as bots look for WordPress security vulnerabilities, they also search out open comment forms. If your site is left unprotected, they can litter your website with all manner of nonsense in a very short period of time.
Spam Comments Example
Spam comments (aside from the obvious ones, like garbled characters or blatant ads) tend to stand out because they’re complimentary but contain no specifics:
Excellent weblog here! Additionally your site loads up very fast! What web host are you using? Can I get your affiliate hyperlink to your host? I wish my site loaded up as fast as yours lol This one is great $3 hosting with FREE .com domain and free SSL included:
I do believe all of the ideas you’ve presented in your post.
They’re very convincing and will definitely work.
Still, the posts are very quick for newbies.
May just you please lengthen them a bit from subsequent time?
Thanks for the post.
I blog frequently and I really appreciate your information. This article has really peaked my interest.
I will book mark your site and keep checking for new details about once per week. I subscribed to your RSS feed as well.
Are Comment Systems Worth It?
One of the most effective ways to stop comment spam on your WordPress website is to simply turn off commenting – that is, if you’re not committed to using it. For the majority of websites, this is recommended.
However, there are a number of sites that have a need for the comment system. If your site falls into that category, you may wonder how to stop spam comments on WordPress. In short, it takes a combination of helpful plugins (which we’ll get to in a bit) and commonsense comment spam administrative practices.
For example, the default comment settings (Settings > Discussion) can be tweaked to limit the damage a spammer can do. Under the Other Comment Settings heading, checking the boxes next to “Users must be registered and logged in to comment” and “Automatically close comments on posts older than __ days” are quick solutions.
The first option means only registered users of your website can post comments. While it may discourage some legitimate commenters, it also offers another layer of protection against spam.
The second option allows you to turn off commenting for posts older than the number of days you specify. This means that spammers can’t go back to old posts and litter them with comments. Neither are complete fixes, but they do help.
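The two Discussion settings just described can also be pinned in code, so that a stray click in the admin screen can’t quietly switch them back off. The following is an added example written for this article, not code from WordPress or from any plugin named here: a small must-use plugin (dropped into wp-content/mu-plugins/) that forces the real WordPress options comment_registration, close_comments_for_old_posts and close_comments_days_old, and additionally closes comments on old posts through the comments_open filter. The 60-day cutoff and the hp_ prefix are our own choices.

```php
<?php
/**
 * Added example (not from the original article): enforce the two Discussion
 * settings from a must-use plugin so they cannot be toggled off by accident.
 */

// Our own constant: close comments on posts older than this many days.
const HP_CLOSE_COMMENTS_AFTER_DAYS = 60;

/**
 * Pure helper: is a post older than $days, measured at $now?
 * Both arguments are Unix timestamps; 86400 is one day in seconds.
 */
function hp_post_is_older_than(int $postTimestamp, int $days, int $now): bool
{
    return ($now - $postTimestamp) > $days * 86400;
}

// "Users must be registered and logged in to comment": pin the option on.
// pre_option_{$option} short-circuits get_option() when it returns a non-false value.
add_filter('pre_option_comment_registration', fn() => '1');

// "Automatically close comments on posts older than N days": pin both halves.
add_filter('pre_option_close_comments_for_old_posts', fn() => '1');
add_filter('pre_option_close_comments_days_old', fn() => (string) HP_CLOSE_COMMENTS_AFTER_DAYS);

// Also answer comments_open() directly, so the rule holds even for themes or
// plugins that query comment status for a post instead of reading the option.
add_filter('comments_open', function (bool $open, int $post_id): bool {
    if (!$open) {
        return false; // already closed for some other reason; keep it closed
    }
    $post = get_post($post_id);
    if (!$post) {
        return $open;
    }
    $published = (int) get_post_time('U', true, $post); // publication time in GMT
    return !hp_post_is_older_than($published, HP_CLOSE_COMMENTS_AFTER_DAYS, time());
}, 10, 2);
```

Pinning the options with pre_option_ filters means the boxes in Settings > Discussion will appear checked and cannot be unchecked from the admin screen; remove the file to restore normal behaviour.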
Tools to Stop WordPress Spam Comments
If you have comments active, the easiest way to stop spam from taking over your blog is to install a WordPress spam blocker plugin. The great thing about these plugins is that, in general, they require very little in terms of ongoing maintenance. After the initial setup, they simply do their job and save you from dealing with spam.
Let’s take a look at two outstanding options:
Akismet
The first is Akismet – one of the default plugins that come packaged with every WordPress installation. In our view, it’s the best spam blocker for WordPress. It actively filters out suspected spam comments and lets you moderate them. In addition, Akismet’s “discard” feature will block out known spam – saving you from the hassle of even seeing it.
It’s worth noting that Akismet isn’t free. For personal websites, there’s a pay-what-you-want plan. Plans for commercial websites start at $5 per month. However, that small fee is worth it when you consider the amount of junk that this plugin detects and filters out.
WPBruiser
With WPBruiser, you get a free and customizable WordPress spam blocker plugin. It doesn’t rely on any third-party services, meaning there’s no need for API keys or privacy concerns.
The plugin will create a WordPress comment blacklist, preventing bots from even submitting comments in the first place. It can also be set to clear out logs after a specific number of days and won’t slow down your website.
For a detailed view, our own Harper Phillips created a terrific guide to configuring WPBruiser.
Spam Registrations on WordPress Websites
User registration is another great feature that’s built right into WordPress. It’s highly useful for online communities, membership websites and allowing for customer accounts on eCommerce shops.
But again, it’s a target that spammers can focus their bots on. These phony registrations are annoying, as they might lead to spam comments or cluttering sites with a front-facing membership directory. Even worse is that they can be a security threat.
Every so often, we see theme and plugin vulnerabilities that allow low-level users, such as subscribers, to gain access to administrative settings. While these security flaws usually require some roundabout method to take advantage of, a seemingly dormant account could be ready and waiting to do so.
Tools to Stop Spam Registrations on WordPress
You may be wondering, “How do I stop spam registrations on WordPress?” First, utilizing a WordPress spam blocker plugin such as the aforementioned WPBruiser can help by preventing bot registrations. That makes for a great first layer of defense. However, there are other simple steps you can take.
Implement CAPTCHA on WordPress Account Registration Forms
CAPTCHA is a “challenge response” test. Its aim is to determine whether a user is human. Traditional CAPTCHAs force users to enter randomly generated characters they see on their screen or pick out photographs with specific attributes.
However, thanks to Google’s reCAPTCHA, these tests have been reduced to either a simple checkbox or even an “invisible” test that requires no user input. They’re easier to use, while still blocking bots from submitting a form, logging into or registering for a website.
Security plugins such as Wordfence and iThemes Security Pro can protect your site’s login forms via reCAPTCHA. And, should a bot still log in, these plugins can thwart any malicious code or activity. In addition, they can also be set to alert you when an administrator logs in from an unrecognized device.
CAPTCHA is a great way to control WordPress spam registrations, among other types of spam, provided it doesn’t ask too much of the user. Some methods are also more accessible to persons with disabilities, which should be a high priority when choosing an implementation.
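Whatever renders the reCAPTCHA widget on the registration form, the decision has to be made on the server, by sending the token the widget posts back to Google’s siteverify endpoint and reading the answer. The following is an added example, not code from WordPress, Wordfence or iThemes: a must-use plugin that checks the token inside the WordPress registration_errors filter. The secret key is a placeholder, the hp_ names are ours, and the example goes slightly beyond the checkbox and invisible variants mentioned above by also handling the score that v3 tokens carry.

```php
<?php
/**
 * Added example (not from the original article): verify a reCAPTCHA token on the
 * WordPress registration form, server side. HP_RECAPTCHA_SECRET is a placeholder.
 */

const HP_RECAPTCHA_SECRET = 'PLACEHOLDER-RECAPTCHA-SECRET-KEY';

/**
 * Pure policy: does a decoded siteverify response count as "human"?
 * success must be true; v3 responses also carry a score (0..1) and an action
 * name, both of which must pass. v2 responses have no score, so success is the verdict.
 */
function hp_recaptcha_accepts(array $verify, string $expectedAction = 'register', float $minScore = 0.5): bool
{
    if (empty($verify['success'])) {
        return false;
    }
    if (!isset($verify['score'])) {
        return true; // v2 checkbox / invisible token
    }
    return (float) $verify['score'] >= $minScore
        && isset($verify['action']) && $verify['action'] === $expectedAction;
}

/** Ask siteverify about a token. Returns the decoded JSON, or null if Google could not be reached. */
function hp_recaptcha_verify(string $token, string $remoteIp): ?array
{
    $response = wp_remote_post('https://www.google.com/recaptcha/api/siteverify', [
        'timeout' => 5,
        'body'    => ['secret' => HP_RECAPTCHA_SECRET, 'response' => $token, 'remoteip' => $remoteIp],
    ]);
    if (is_wp_error($response)) {
        return null;
    }
    $data = json_decode(wp_remote_retrieve_body($response), true);
    return is_array($data) ? $data : null;
}

// Block the registration when the token is missing, fails, or cannot be checked.
add_filter('registration_errors', function (WP_Error $errors, string $login, string $email): WP_Error {
    $token  = isset($_POST['g-recaptcha-response']) ? (string) $_POST['g-recaptcha-response'] : '';
    $verify = $token === '' ? null : hp_recaptcha_verify($token, $_SERVER['REMOTE_ADDR'] ?? '');
    // Fail closed: an unreachable verifier blocks sign-ups rather than admitting bots.
    if ($verify === null || !hp_recaptcha_accepts($verify)) {
        $errors->add('hp_recaptcha', __('<strong>Error</strong>: Please complete the CAPTCHA.', 'hp-example'));
    }
    return $errors;
}, 10, 3);
```

The fail-closed choice is deliberate: if Google’s endpoint is unreachable, registrations are refused until it is back, which is usually the safer trade-off for a form that bots hammer continuously. Lower $minScore only if real users are being turned away.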
WordPress Spam Posts
If you need another reason to put a stop to spam registrations, it’s the possibility that they could lead to WordPress spam posts as well. These posts often look to hijack your site’s SEO in order to advertise malware or other shady businesses. You may not even realize they exist until you see the posts show up within search engine results.
However, spam registrations are not the only method for creating WordPress spam posts. They could also be the result of a SQL injection attack against your site’s MySQL database, which feeds spam posts directly into your site’s database.
Such an attack can be incredibly difficult to rectify unless you have a clean backup of your database. Therefore, prevention (and frequent backups) is key.
Tools to Prevent WordPress Spam Posts
One of the most important things you can do to prevent WordPress spam posts is to secure your site’s file system and database.
Check Your File Permissions
Key files within your WordPress installation, such as .htaccess and wp-config.php, contain vital information. In the hands of a hacker, they can be used to compromise your website.
Therefore, it’s crucial to ensure that these files are set to use the recommended file permissions. Doing so will make it that much harder for someone to gain unauthorized access.
Secure Your Site’s Database
Beyond utilizing the proper file permissions, there are a couple of other commonsense ways to defend your site’s database.
The first is to use a strong password on the database itself. Depending upon your web hosting configuration, random passwords may be generated when you create your database. This is generally fine, but it never hurts to add a few extra characters onto the end of the generated password. This will make it even more difficult to crack.
Another important step is to generate security (salt) keys in your site’s wp-config.php file. These long random keys provide an extra layer of protection. Changing them regularly will also invalidate existing login cookies, potentially kicking out any malicious actors.
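Both of the checks above (file permissions on wp-config.php and .htaccess, and salt keys that are still the sample placeholders) can be audited from the command line. The following is an added example written for this article, not a WordPress tool: a standalone PHP script run as `php wp-audit.php /path/to/wordpress` on a Linux host. The article gives no specific permission numbers, so the thresholds used here (no group or world write bit on either file, and no world read bit on wp-config.php) are our assumptions based on common hardening advice; the eight salt constant names and the “put your unique phrase here” placeholder are the ones that ship in wp-config-sample.php.

```php
<?php
/**
 * Added example (not from the original article): audit wp-config.php / .htaccess
 * permissions and salt keys. Usage: php wp-audit.php /path/to/wordpress
 */

/** Problems with an octal file mode (e.g. 0644). $secretFile marks files nobody else may read. */
function hp_mode_problems(int $mode, bool $secretFile): array
{
    $problems = [];
    if ($mode & 0002) {
        $problems[] = 'world-writable';
    }
    if ($mode & 0020) {
        $problems[] = 'group-writable';
    }
    // wp-config.php holds the DB password and the salts: "other" must not read it.
    if ($secretFile && ($mode & 0004)) {
        $problems[] = 'world-readable';
    }
    return $problems;
}

/** Salt constants in the text of wp-config.php that are missing, placeholders, or short. */
function hp_weak_salts(string $config): array
{
    $names = ['AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
              'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT'];
    $weak = [];
    foreach ($names as $name) {
        // Matches define('NAME', 'value'); with either quote style and any spacing.
        $re = "/define\\(\\s*['\"]" . $name . "['\"]\\s*,\\s*['\"](.*?)['\"]\\s*\\)/s";
        if (!preg_match($re, $config, $m)) {
            $weak[] = $name . ' (missing)';
        } elseif ($m[1] === 'put your unique phrase here' || strlen($m[1]) < 32) {
            $weak[] = $name; // sample placeholder, or too short to be a generated key
        }
    }
    return $weak;
}

/** Build a line-per-finding report for a WordPress root directory. */
function hp_audit(string $root): array
{
    $root   = rtrim($root, '/');
    $report = [];
    foreach (['wp-config.php' => true, '.htaccess' => false] as $file => $secret) {
        $path = "$root/$file";
        if (!is_file($path)) {
            $report[] = "$file: not found";
            continue;
        }
        $mode     = fileperms($path) & 0777;
        $problems = hp_mode_problems($mode, $secret);
        $report[] = sprintf('%s: mode %04o %s', $file, $mode,
            $problems ? 'PROBLEM ' . implode(', ', $problems) : 'ok');
    }
    $config = @file_get_contents("$root/wp-config.php");
    if ($config !== false) {
        $weak     = hp_weak_salts($config);
        $report[] = $weak ? 'weak salts: ' . implode(', ', $weak) : 'salts: ok';
    }
    return $report;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    echo implode(PHP_EOL, hp_audit($argv[1])), PHP_EOL;
}
```

Run it as the web server user as well as root: a mode that looks fine from root can still be unreadable to PHP, and a file the web server can write is a file a compromised plugin can rewrite.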
WordPress Spam Emails via Contact Forms
For many websites, contact forms are a necessity. They facilitate communication in a user-friendly way. Spammers, of course, see yet another opportunity to ply their trade.
Unlike WordPress comment spam or registrations, which are natively built in, you have to install a plugin to use forms on your website. And there are a number to choose from. Plugins such as Contact Form 7, Gravity Forms and Ninja Forms are popular examples.
Just as each plugin has its own unique feature set, they also have different methods for dealing with WordPress spam emails. Spam protection features will generally be either built into the plugin settings, or require a separate companion plugin to work.
Tools to Stop WordPress Spam Emails
While WordPress spam emails are an annoyance, the solutions for stopping them are quite simple. The following is a combination that will help keep your inbox squeaky clean.
Install a WordPress Spam Blocker Plugin
If you’re a user of either Akismet or WPBruiser, you’ll be happy to know that they can each work in conjunction with a variety of WordPress form plugins.
Akismet works out-of-the-box with Contact Form 7, Gravity Forms, Jetpack and Ninja Forms. A little less variety, but these are among the most widely-used form plugins out there.
WPBruiser is a bit different, in that it requires a commercial extension to work with a WordPress form plugin. That being said, there is a wider range of options, including Contact Form 7, Gravity Forms, Ninja Forms, Formidable Forms and Fast Secure Contact Form. A free Jetpack contact form extension is included in the core plugin.
Whichever plugin you choose, they’ll use their ample spam blocking abilities to protect your forms.
Combine CAPTCHA With a Honeypot Field
Putting an end to WordPress spam emails begins with implementing a CAPTCHA on your contact forms. In most cases, signing up for a Google reCAPTCHA API key is your best bet, as it asks very little from your users. Yet, it’s still incredibly effective at determining who’s a bot and who’s not.
Another helpful solution for thwarting bots is the venerable honeypot field. A honeypot is a form field that is hidden within the code of your page. That makes it invisible to any humans browsing your website. However, it still attracts the attention of bots, as they “see” it as just another field to fill out.
The idea is that bots will fill out this hidden honeypot field, unaware of the consequences. That, in turn, tells the form that the entry is spam. Thus, it rejects the entry – saving it from hitting your inbox or other assorted mayhem.
In theory, this is an easy way to filter spam. The reality is that the technique can be hit-or-miss. Some of the more sophisticated bots are capable of bypassing a honeypot.
So, while many WordPress form and security plugins include a honeypot feature, it shouldn’t be your only solution. Combining it with a CAPTCHA and spam filter plugin will provide multilayer protection.
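To make the honeypot mechanism concrete, here is an added example, not code from the article or from any of the form plugins named above: a must-use plugin that adds a honeypot field to the native WordPress comment form and rejects submissions that fill it in. The field name hp_website_url and the hp_ prefix are our own choices; the pure check at the top works just as well on the $_POST of a contact form.

```php
<?php
/**
 * Added example (not from the original article): a honeypot field for the
 * WordPress comment form, as a must-use plugin.
 */

// Our own field name; a name a form-filling bot would "want" to complete works best.
const HP_FIELD = 'hp_website_url';

/** Pure check: any non-empty value in the honeypot means an automated submission. */
function hp_honeypot_tripped(array $post, string $field = HP_FIELD): bool
{
    return isset($post[$field]) && trim((string) $post[$field]) !== '';
}

/**
 * Render the field. It is moved off-screen rather than display:none (some bots skip
 * fields hidden that way), kept out of the tab order, and hidden from screen readers,
 * so a human never meets it. autocomplete=off stops browsers pre-filling it.
 */
function hp_render_honeypot(): void
{
    printf(
        '<p style="position:absolute;left:-10000px;width:1px;height:1px;overflow:hidden;" aria-hidden="true">'
        . '<label for="%1$s">Leave this field empty</label>'
        . '<input type="text" id="%1$s" name="%1$s" value="" tabindex="-1" autocomplete="off"></p>',
        esc_attr(HP_FIELD)
    );
}
// Anonymous and logged-in visitors get the comment fields from different hooks.
add_action('comment_form_after_fields', 'hp_render_honeypot');
add_action('comment_form_logged_in_after', 'hp_render_honeypot');

// Check on submission, before WordPress stores anything or runs other spam filters.
add_filter('preprocess_comment', function (array $commentdata): array {
    if (hp_honeypot_tripped($_POST)) {
        // Log the hit so you can see how much the honeypot actually catches, then
        // answer with a generic error: the bot gets no hint about why it failed.
        error_log('honeypot tripped on post ' . (int) ($commentdata['comment_post_ID'] ?? 0));
        wp_die(esc_html__('Your comment could not be submitted.', 'hp-example'), '', ['response' => 403]);
    }
    return $commentdata;
});
```

Because preprocess_comment runs before Akismet and similar filters see the comment, a tripped honeypot never costs you an API call; everything that passes still goes on to the CAPTCHA and spam filter layers, which is exactly the combination recommended above.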
Keep WordPress Spam at Bay
Spam is a nuisance and, sadly, a part of everyday life. None of us (nor our websites) are immune. Therefore, we have to do what we can to limit its impact.
WordPress spam comes at us from many different angles: comments, registrations, posts and emails. The more of these features we utilize on our site, the more holes we have to plug – lest we become overrun with unwanted junk.
Thankfully, the tools and techniques we’ve shown you can help you gain the upper hand. With the right approach and careful vigilance, you can reduce spam to a minimum.
How do you add a honeypot field?
I believe I’ve been told that Gravity Forms has a honeypot field. I would guess some other WordPress form plugins do as well, but I’m not sure. In general, I understand it as a *concept* you can use anywhere, but it is a developer-level thing to do (because you need to be involved in the form processing process).