Start » WordPress » In general » Stopping WordPress Comment SPAM

Stopping WordPress Comment SPAM

If you have a WordPress website, you are most probably familiar with spam comments, or website contact form spam. I still haven’t found a way to completely stop it, but I’ve managed to drastically reduce it, and this article explains how.


Table Of Contents (T.O.C.):

  1. Introduction – what is SPAM?
  2. WordPress anti-spam settings
  3. Creating and configuring Google reCAPTCHA
  4. WordPress reCAPTCHA anti-spam protection
    4.1. Installing a contact form plugin (optional)
    4.2. Installing and configuring a reCAPTCHA plugin
    4.3. Configuring the contact form plugin (optional)
  5. Conclusion
  6. AMP page reCAPTCHA troubleshooting


1. Introduction – what is SPAM?

“Spam” is a cheap meat product that was mostly the only one available in Great Britain after World War 2. People were fed up with it at the time.

The legendary Monty Pythons made a sketch on it in 1970 (a newer spam sketch video).

Inspired by that, people started using the term to describe the annoying advertising emails that piled in their e-mail boxes. That’s how the modern meaning of the term “spam” was born.

Today, spam is ubiquitous on the Internet – both by people “manually” sending it (en masse), and by people making bots to spread it (en masse times million).

I’ve been running my WordPress websites since 2015. Comments below my articles are educational: they mostly contain concrete questions and answers. I didn’t want that to be lost in a sea of spam adverts. The same goes for my mail inbox. What did I do to stop spam?

– T.O.C. –


2. WordPress anti-spam settings

The first thing to do is to secure your website – so it doesn’t get hacked and then used to spam yours, and other websites. For that, see the article: How to secure a WordPress website.

After that, we can move on to phase two: “How to not carry a lot of cash around.” 🙂
In other words: let’s disable the comments where they are not needed anyway. In the WordPress backend menu, we’ll choose the option:Settings -> Discussion. The following settings are good for a start (if you have a good reason to alter them, by all means, go ahead):

WordPress Discussion anti-spam settings
WordPress Discussion anti-spam settings
Picture 1

Each option is self-explanatory, so I won’t be going into details. Below these options, there are two large (white) boxes. Let’s see how to use those (the needed explanations are in the picture below):

Comment moderation, and automatically disallowed comment keywords, emails, IP addresses etc.
Comment moderation, and automatically disallowed comment keywords, emails, IP addresses etc.
Picture 2

Now we’re left with the avatar section. A 100% secure solution is to completely disable them. But that’s ugly. If you are actively keeping an eye on your comment section, this will do:

WordPress Discussion settings Avatar configuration
WordPress Discussion settings Avatar configuration
Picture 3

– T.O.C. –


3. Creating and configuring Google reCAPTCHA

Now we will create and configure Google reCAPTCHA spam protection for our website.

First, log into your Gmail account. If you don’t have one, create it (link to Gmail website) – the procedure is simple and I won’t be explaining it here.

Then go to:
www.google.com/recaptcha/about/

Google reCAPTCHA starting page
Google reCAPTCHA starting page
Picture 4

Now we can list our website(s) and choose the options we like:

Configuring and creating a Google reCAPTCHA spam protection
Configuring and creating a Google reCAPTCHA spam protection
Picture 5

The next screen will display our public (“site”), and private (“secret”) keys. Write them down (copy/paste). Though, you can always see them by going to the Google reCAPTCHA admin console:
www.google.com/recaptcha/admin/

By clicking on the small sprocket (“Settings”), then on the “reCAPTCHA keys:”

Google reCAPTCHA v3 public ("site"), and private ("secret") keys
Google reCAPTCHA v3 public (“site”), and private (“secret”) keys
Picture 6

Now we can go back to WordPress and see what all this “gymnastics” was good for. 🙂

– T.O.C. –


4. WordPress reCAPTCHA anti-spam protection

Before you do anything else, configure WordPress for SMTP mail sending. This is important and it’s not related only to spam protection, but to good functioning in general (any kinds of website notifications etc).

It’s time for our efforts to pay off, only a few more steps:

  1. Installing a contact form plugin (optional)
  2. Installing and configuring a reCAPTCHA plugin
  3. Configuring the contact form plugin (optional)


4.1. Installing a contact form plugin (optional)

If you want people to contact you via email from your website, there are two ways.

The first way is less practical for the visitors, but offers a better spam protection.
Write down your email in a “strange” way. It sounds silly, it should be relatively easy to program a bot to overcome this obstacle, but it’s proven to be very effective in my experience. What do I mean by “strange?”

My name (relja) @ this domain (bikegremlin.com).
You know how to contact me now, don’t you? And even the fact my email is bolded doesn’t bring in many spammers.

The second way is more convenient for the visitors, but a wee bit less spam-resistant (though still quite good).

It starts by installing the Contact Form by BestWebSoft plugin (how to install a WordPress plugin). And we’ll stop there for now – on to the spam protection, and then we’ll go back to configuring this plugin.

– T.O.C. –


4.2. Installing and configuring a reCAPTCHA plugin

For running our Google spam protection on the website, we’ll install the reCaptcha by BestWebSoft plugin (how to install a WordPress plugin).

Then we’ll go to reCaptcha -> Settings to configure it. We’ll now use the public (“site”) and private (“secret”) keys we got from Google’s reCAPTCHA console as shown in chapter 3.

reCaptcha by BestWebSoft basic setup and reCAPTCHA verification
reCaptcha by BestWebSoft basic setup and reCAPTCHA verification
Picture 7

After a successful verification (3 and 4 in the picture above), we can configure the rest of the options and save our settings:

Completing the reCaptcha configuration
Completing the reCaptcha configuration
Picture 8

Don’t forget to purge/clean all the website cache after this.

If you are using a website contact form, we’ll need to configure that plugin – read on.

– T.O.C. –


4.3. Configuring the contact form plugin (optional)

Here I won’t be going into details on how to configure the contact form plugin (maybe in a separate article, until then, there’s BestWebSoft’s documentation). But I will explain all the settings related to spam prevention.

We start by entering an email address where we want all the “letters” sent via the website’s contact form to arrive:

Entering an email where we want all the "letters" sent via the contact form to arrive
Entering an email where we want all the “letters” sent via the contact form to arrive
Picture 9

Now we’re off to the “Additional Settings.” Under point 3 in the picture below, enter an email address that your website can really send emails from (how to configure WordPress for SMTP mail sending).

Configuring mail sending and enabling reCaptcha protection
Configuring mail sending and enabling reCaptcha protection
Picture 10

In the next screenshot, I’ve cut out the language and form field setting options – that is beyond the scope of this article.

Finishing the setup and clicking the "Save Changes" button
Finishing the setup and clicking the “Save Changes” button
Picture 11

Now you can add a contact form to any page by adding the “Shortcode” Gutenberg block with this code: “[ bestwebsoft_contact_form ]” (just remove any spaces between the text and the brackets).

– T.O.C. –


5. Conclusion

It’s great that WordPress provides two-way communication with website visitors. Because of that one percent of people who think that spamming is a good idea, this kind of spam protection is necessary.

WordPress settings explained in chapter 2 can help a lot. You can manually create a spam list using the options shown in picture 2. However, every spam comment will be written to the database (and then deleted when you click on “Empty Spam”). This slows down the website performance to a degree. I think it’s better to have reCAPTCHA prevent spam comments from being posted in the first place.

Spammers keep coming up with new ways to pile websites with spam – while anti-spam protection tries to keep up. The methods explained in this article have worked fine for me so far. If anything changes, I’ll update the article.

– T.O.C. –


6. AMP page reCAPTCHA troubleshooting

At the time of writing the first version of this article, reCaptcha by BestWebSoft plugin doesn’t work with the AMP website version if you set reCaptcha Version to “Invisible.” If you insist on using this version (for whatever reason), you should disable (“Suppress”) this plugin for AMP.

I tested this for a few days. I hadn’t seen any spam from the AMP website version (on the “normal” website version, without reCAPTCHA there are dozens of spam comments per day). Though, as the picture above shows, this plugin provides a checkbox to “hide reCaptcha Badge for Version 3…” so that’s what I’ve opted for.

Nonetheless, just in case it helps anyone, here’s how to “Suppress” reCaptcha for AMP:

Disabling ("Suppressing") reCaptcha by BestWebSoft plugin for the AMP website version
Disabling (“Suppressing”) reCaptcha by BestWebSoft plugin for the AMP website version
Picture 12

However, after one of the updates over the past month, I started having problems with comments on the AMP website version. This error was shown to anyone trying to comment:

“Error: User response is missing. Click the BACK button on your browser and try again.”

Even “Suppression” of the reCaptcha plugin (as shown in picture 12) and deleting the LiteSpeed cache didn’t help. I can’t easily solve this problem because I’m not sure if it’s caused by reCaptcha plugin alone, or by some conflict between it (or some other plugin) and the theme (or even with the LiteSpeed cache). That’s the “joy” of using WordPress.

A Solomon’s solution is configuring the Questions & Answers page to not use AMP, and adding a message shown only to AMP visitors, that contains a link to that page. The message is shown right below the “Post Comment” button. Here’s the child theme code for that:

// BEGIN comments for amp - goes after main content
$gremlin_amp_comments = function() {
  if ( function_exists( 'is_amp_endpoint' ) && is_amp_endpoint() ) {
    ?>
    <p>If you're having <strong>problems with posting a comment</strong> (from a smartphone),<br />
    <visit the <a title="Questions &amp; Answers Page" href="https://io.bikegremlin.com/18172/questions/" target="_blank"><strong>Questions &amp; Answers Page</strong></a>.</p>
    <?php
  }
};
// For Paired/Native mode.
add_action( 'generate_after_main_content', $gremlin_amp_comments );
// END comments for amp - goes after main content

Here’s what the message looks like:

If you’re having problems with posting a comment (from a smartphone),
visit the Questions & Answers Page.

– T.O.C. –

Leave a Comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Google chosen content: