How to Stop WordPress Spam Comments Without Plugins
Spam comments can be one of the most frustrating nuisances for WordPress site owners. They not only clutter your site but can also negatively impact your SEO and user experience. Although many turn to plugins for a quick fix, several effective methods exist to combat spam without adding extra plugins.
In this guide, we’ll dive deep into several strategies and code-based techniques you can implement directly into your theme’s files to keep your comment sections clean and secure.
Why Avoid Plugins for Spam Control?
Plugins are great for adding features quickly, but relying on too many can slow down your site and create compatibility issues. By handling spam prevention with custom code:
- Improved Performance: Fewer plugins mean less overhead, leading to a faster website.
- Enhanced Control: Tailor your anti-spam measures to your specific needs instead of relying on one-size-fits-all solutions.
- Learning Opportunity: Writing your own code helps you understand WordPress better and gives you the confidence to solve future challenges.
- Reduced Conflicts: Fewer plugins reduce the chance of conflicts with other components on your site.
Understanding the Problem: What Makes a Comment Spam
Before diving into the solutions, it’s essential to understand what makes a comment spam. Typically, spam comments are automated submissions that include:
- Promotional or irrelevant links
- Generic content repeated across multiple posts
- Suspicious keywords (e.g., Viagra, casino, free money)
- Abnormal submission patterns (e.g., comments submitted almost instantly)
Bots and automated scripts generally follow predictable patterns. By exploiting these patterns, we can create effective defenses.
Technique 1: Stop Spam Comments Using WordPress Discussion Settings
WordPress has native features under Settings > Discussion that can help you control and filter spam comments.
By configuring these options correctly, you can significantly reduce the amount of spam without the need for additional plugins. Here’s how you can optimize your settings:
Step 1: Default Post Settings
- Pingbacks and Trackbacks: Uncheck Allow link notifications from other blogs (pingbacks and trackbacks) on new posts if you don’t want to receive messages from external blogs. This can help reduce unwanted pingback spam.
- Allow Comments: Decide whether you want to allow people to submit comments on new posts. If necessary, you can override this setting on individual posts.
Step 2: Other Comment Settings
- Require Comment Author Information: Enforce that every comment must include the commenter’s name and email address. This extra step can deter spambots, which often submit blank or incomplete forms.
- User Registration for Comments: Enable the setting "Users must be registered and logged in to comment". Requiring user authentication is a powerful deterrent, making it harder for automated bots to post spam.
- Automatically Close Comments on Old Posts: Set a time limit (for example, 14 days), after which users cannot comment on older posts. This keeps your site tidy and prevents spammers from targeting outdated content.
- Show Comments Cookies Opt-In: Enabling the opt-in for comment cookies can improve user session management and potentially reduce spam by associating comments with cookie data.
- Enable Threaded (Nested) Comments: While not directly related to spam prevention, enabling nested comments can improve the readability and organization of discussions, making it easier for you to spot and manage suspicious activity.
Step 3: Comment Pagination and Email Notifications
- Break Comments into Pages: If you receive many comments, paginating them can reduce the load on your site and make it easier to moderate spam. For example, you can set Top level comments per page to a lower number (like 50) and choose to display the last page by default.
- Comment Order: Set comments to display in an order that makes sense for your site. Whether you prefer older or newer comments at the top, this can help you track spam comments more effectively.
- Email Alerts for New Comments: Enable email notifications for new comments. While this might seem like extra work, it allows you to quickly review and moderate comments before spam goes unnoticed.
Step 4: Moderation and Disallowed Comment Keys
- Comment Moderation: Use the moderation queue to hold comments that meet certain criteria. For example, you can hold any comment that contains two or more links, a common trait in spam. This ensures that such comments don’t go live without your approval.
- Disallowed Comment Keys: Create a list of words, IP addresses, or URLs frequently used in spam comments. WordPress automatically moves any comment that contains these keys to the trash. Keep in mind that it matches within words, so choose your generic terms carefully to prevent false positives.
Technique 2: Using a Honeypot Field
One of the simplest yet effective methods to combat spam is adding a honeypot field to your comment form. A honeypot is a hidden field that human visitors won’t see or fill out, but bots, which typically fill every available field, will.
Step 1: Add a Honeypot Field to the Comment Form
To add code to functions.php, go to Appearance > Theme File Editor. The theme files are listed on the right side.
You can insert this field by adding the following snippet to your theme’s functions.php file:
    // Add a hidden honeypot field to the comment form
    function add_honeypot_field() {
        echo '<p style="display:none;">Leave this field blank: <input type="text" name="my_honeypot_field" value=""></p>';
    }
    add_action('comment_form', 'add_honeypot_field');
This code uses the comment_form hook to output a hidden input field. Because it is hidden using inline CSS, genuine users won’t fill it in. However, spambots that automatically complete every field will likely populate it.
Step 2: Validate the Honeypot Field on Submission
Next, you need to check the value of this field when a comment is submitted. Add the following code snippet to your functions.php file:

    // Check the honeypot field during comment submission
    function check_honeypot_field($commentdata) {
        if (!empty($_POST['my_honeypot_field'])) {
            // If the honeypot field is filled, it is likely spam.
            wp_die(__('Spam detected. Please go back and try again.', 'textdomain'));
        }
        return $commentdata;
    }
    add_filter('preprocess_comment', 'check_honeypot_field');
The above code hooks into preprocess_comment to inspect the submitted data. If the honeypot field isn’t empty, the function halts the comment processing with a friendly error message.
Technique 3: Implementing a Time-Based Check
Spambots are designed to submit forms almost instantly. Introducing a simple time delay ensures that users spend a reasonable amount of time on the form.
Step 1: Add a Timestamp Field
Start by embedding a hidden timestamp field into your comment form in functions.php:
    // Add a timestamp field to the comment form
    function add_timestamp_field() {
        echo '<input type="hidden" name="comment_timestamp" value="' . time() . '">';
    }
    add_action('comment_form', 'add_timestamp_field');
This code outputs the current Unix timestamp when the comment form is loaded.
Step 2: Validate the Time Elapsed Before Submission
Next, check the time difference between when the form was loaded and submitted. Add the following function to your functions.php file:
    // Validate that a reasonable amount of time has passed before submission
    function check_comment_time($commentdata) {
        if (isset($_POST['comment_timestamp'])) {
            $time = (int) $_POST['comment_timestamp'];
            $time_difference = time() - $time;
            // If the form was submitted in less than 5 seconds, assume it is spam
            if ($time_difference < 5) {
                wp_die(__('Your comment was submitted too quickly, please try again.', 'textdomain'));
            }
        }
        return $commentdata;
    }
    add_filter('preprocess_comment', 'check_comment_time');
This function calculates the elapsed time between the timestamp and the current time. If the comment is submitted too quickly, indicating a bot, the submission is rejected.
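The check above trusts a timestamp that the client sends back, and it is skipped entirely when the field is absent. The following is an added example, not part of the original article, that replaces the timestamp snippets above rather than running alongside them. It signs the timestamp with an HMAC so the server can verify it issued the value, and it rejects form comments that arrive without a valid token. The function names, the comment_token field name and the one-hour upper bound are assumptions made for illustration.

```php
// Added example (not the article's code); "example_" names are hypothetical.
define('EXAMPLE_MIN_SECONDS', 5);     // same threshold as the article's check
define('EXAMPLE_MAX_SECONDS', 3600);  // assumed upper bound, limits token reuse

// Build "timestamp:hmac", bound to the post so a token cannot be reused elsewhere.
function example_make_form_token($post_id, $issued_at) {
    $mac = hash_hmac('sha256', $post_id . '|' . $issued_at, wp_salt('nonce'));
    return $issued_at . ':' . $mac;
}

// Return the issue time if the token is authentic, or false otherwise.
function example_read_form_token($token, $post_id) {
    $parts = is_string($token) ? explode(':', $token, 2) : array();
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    $expected = example_make_form_token($post_id, $parts[0]);
    return hash_equals($expected, $token) ? (int) $parts[0] : false;
}

function example_add_signed_timestamp($post_id) {
    $token = example_make_form_token((int) $post_id, time());
    echo '<input type="hidden" name="comment_token" value="' . esc_attr($token) . '">';
}
add_action('comment_form', 'example_add_signed_timestamp');

function example_check_signed_timestamp($commentdata) {
    // Only form comments carry the field; pingbacks and trackbacks do not.
    $type = isset($commentdata['comment_type']) ? $commentdata['comment_type'] : '';
    if (!in_array($type, array('', 'comment'), true)) {
        return $commentdata;
    }
    $raw     = isset($_POST['comment_token']) ? wp_unslash($_POST['comment_token']) : '';
    $post_id = isset($commentdata['comment_post_ID']) ? (int) $commentdata['comment_post_ID'] : 0;
    $issued  = example_read_form_token($raw, $post_id);
    if ($issued === false) {
        wp_die(__('Comment form token missing or invalid. Please reload the page and try again.', 'textdomain'));
    }
    $elapsed = time() - $issued;
    if ($elapsed < EXAMPLE_MIN_SECONDS || $elapsed > EXAMPLE_MAX_SECONDS) {
        wp_die(__('Your comment was submitted too quickly or the form expired. Please reload and try again.', 'textdomain'));
    }
    return $commentdata;
}
add_filter('preprocess_comment', 'example_check_signed_timestamp');
```

If a full-page cache serves the comment form, the embedded token ages with the cached page, so keep the upper bound longer than the cache lifetime.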
Advanced Tips and Considerations
While the techniques above are highly effective for most sites, here are some additional tips to further secure your comment sections:
- Monitor and Adjust Your Keyword List: Spam tactics evolve. Regularly update your keyword filter with new terms that you notice in spam comments. Keep a log of suspicious terms and refine your list periodically.
- Combine Techniques for Greater Security: No single method is 100% foolproof. Combining the honeypot field, time-based checks, and keyword filtering significantly increases the difficulty for spambots. These layered defenses work together to stop the majority of automated submissions.
- Educate Your Users: Sometimes, legitimate users get caught by overzealous spam filters. Ensure your error messages are clear and guide them on resubmitting their comment if it was incorrectly flagged. This helps maintain user trust and encourages genuine interaction.
- Backup Your Files: Back up your site before changing your functions.php or theme files. Custom code changes can sometimes have unintended consequences, and having a backup ensures you can quickly restore your site if needed.
- Use a Child Theme: Consider using a child theme to ensure your customizations aren’t lost during theme updates. This way, you can add your anti-spam code to the child theme’s functions.php file without risking overwrites when the parent theme is updated.
- Test Across Browsers and Devices: After implementing your new spam prevention measures, test your comment form across different browsers and devices. This ensures that legitimate users have a seamless experience and that the custom code works reliably in various environments.
Final Thoughts
In conclusion, stopping WordPress spam comments without plugins is achievable and can empower you as a site owner. You have the tools and knowledge to maintain a safe, clean, and engaging comment section while keeping your site lean and efficient.
Following this guide’s strategies, you can effectively minimize or eliminate spam comments without relying on external plugins. With some initial effort and ongoing adjustments, you’ll create a secure comment system that enhances your website’s performance and visitors’ experience.
Feel free to experiment with the code, adjust the settings to your liking, and share your experiences in the comments below. Your journey to a cleaner WordPress site starts now!
Happy blogging, and may your comment sections remain spam-free!