How to stop spam comments on WordPress

Hostney (hostney.com) | May 16, 2026 | 15 min read

Short answer: WordPress comment spam is solved in layers, not by one toggle. Start with native settings (Settings > Discussion) to require approval and enforce sensible defaults. Add Akismet or Antispam Bee for content-based filtering. Tighten with a honeypot field or hCaptcha for bot-driven submissions. Disable trackbacks and pingbacks entirely – they are 99% spam in 2026. If comment spam is overwhelming despite these layers, the cleanest fix is to stop the bots before they reach WordPress at all, which is the edge-detection layer. Most sites get clean inboxes with three: native moderation, Akismet or Antispam Bee, and disabled pingbacks. Sites with active discussions add a CAPTCHA or honeypot.

WordPress comment spam is one of the oldest categories of unwanted traffic on the open web, and the methods to fight it have not changed much since 2010: filter the content, slow the bots down, or stop them from reaching the form. What has changed is how aggressive and well-distributed the spammers have become. A single new WordPress site with comments enabled and Akismet missing will collect 50-500 spam comments in its first week, almost all of them generated by automated tools that scan for fresh WordPress installs. By the time you notice, your moderation queue has 200 items and your wp_commentmeta table has 80,000 rows.

This guide covers every layer where you can stop the spam, the tradeoffs between them, and a few traps that make the wrong layer look like it worked when it did not.

The layers where you can stop comment spam

| Layer | What it does | Effort | Catches |
|---|---|---|---|
| Native WP settings (Settings > Discussion) | Require manual approval, lock down comment fields | 2 minutes | Nothing automatically, but pre-stages everything below |
| Disable trackbacks and pingbacks | Closes the XML-RPC pingback amplifier | 1 minute | The entire pingback spam channel – 99% noise in 2026 |
| Akismet or Antispam Bee plugin | Content-based filtering (Bayesian, fingerprinting, blacklists) | 5 minutes | ~95% of generic spam content with low false-positive rate |
| CAPTCHA on comment form (hCaptcha, reCAPTCHA) | Forces a challenge before submit | 10 minutes | Cheap automated submitters that cannot solve CAPTCHA |
| Honeypot field (custom or plugin) | Hidden field that humans cannot fill but bots usually do | 10-30 minutes | Same as CAPTCHA, with zero friction for real visitors |
| Disable comments entirely (chosen pages or whole site) | No form, no spam, no comments | 1 minute | All of it – the nuclear option |
| Edge bot detection (server-level) | Stops the spammer before the request reaches WP | Host-dependent | Bots, regardless of comment content |

The layers compose. A typical defensible setup is native moderation + Akismet/Antispam Bee + disabled pingbacks. Sites with active discussions add a honeypot or hCaptcha. Sites that do not want or use comments at all skip everything and use the nuclear option.

Method 1: Lock down WordPress's native comment settings

Most spam-related WordPress settings live under Settings > Discussion. Before installing anything, walk through this page and set sensible defaults. The settings that matter:

Default article settings

  • Uncheck Allow link notifications from other blogs (pingbacks and trackbacks) on new posts. Pingbacks are 99% spam in 2026 – see WordPress pingbacks and trackbacks: what they are and why to disable them for the full story.
  • Keep Allow people to submit comments on new posts on if you actually want comments. If you do not, turn it off here AND read Method 6 below – the setting only applies to new posts.

Other comment settings

  • Check Comment author must fill out name and email – removes the bulk of drive-by anonymous spam.
  • Check Users must be registered and logged in to comment if you can require that without scaring off real readers. On most public blogs you cannot, but on internal/community sites it works well.
  • Set Automatically close comments on posts older than 30 days (or 60, 90 – whatever fits your editorial pace). Old posts are a primary spam target. Bots crawl old indexed pages to find comment forms because those pages still rank but get less moderation attention.
  • Check Enable threaded (nested) comments if you actually engage in discussion. This does nothing against spam on its own, but it improves the experience for the real comments that get through.

Before a comment appears

  • Check Comment must be manually approved if your traffic is low enough that you can review each one. This stops 100% of spam from showing up publicly but does not stop it from arriving.
  • Or, for higher-traffic sites, check Comment author must have a previously approved comment. First comment is moderated, subsequent comments from the same email auto-approve.

Comment moderation

The two text boxes here are powerful. The moderation queue box holds back comments matching any listed word, URL, or IP. The disallowed comment keys box discards them entirely. Both accept partial matches.

A small word list goes a long way. Common spam patterns include words like “casino”, “viagra”, “loan”, “essay writing service”, “buy followers”. Add the patterns you see repeatedly to the disallowed list – they will never enter your queue again.

Comment author name length limit. Spammers often use long, keyword-stuffed author names. A simple snippet in your theme’s functions.php or a mu-plugin can limit comment author names to a reasonable length and reject anything longer:

// Reject keyword-stuffed author names before the comment is stored.
// preprocess_comment runs before wp_insert_comment, so wp_die() here
// means nothing is written to the database.
add_filter('preprocess_comment', function($comment) {
    if (mb_strlen($comment['comment_author']) > 50) {
        wp_die('Comment author name is too long.');
    }
    return $comment;
});

This stops a meaningful fraction of automated spam without affecting any legitimate commenter.
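Everything in Method 1 is set through the Settings > Discussion screen, which means a later click in wp-admin can quietly undo it. The mu-plugin below is an added example (not code from the original guide or from Hostney) that pins those defaults in code so the effective values cannot drift. The option keys are WordPress's real option names behind Settings > Discussion; the chosen values, the hn_ prefix and the baseline word list (taken from the patterns listed above) are this example's own assumptions.

```php
<?php
/**
 * Plugin Name: Pin Discussion defaults (added example)
 * Drop into wp-content/mu-plugins/ so it loads before any plugin or theme.
 */

// WordPress option name => value to enforce. The keys are the real options
// behind Settings > Discussion; the values are this example's choices and
// mirror the Method 1 recommendations.
const HN_PINNED_DISCUSSION_OPTIONS = [
    'default_ping_status'          => 'closed', // no pingbacks/trackbacks on new posts
    'require_name_email'           => '1',      // author must fill out name and email
    'comment_moderation'           => '1',      // every comment held for manual approval
    'close_comments_for_old_posts' => '1',      // auto-close comments on old posts ...
    'close_comments_days_old'      => '30',     // ... once a post is older than 30 days
    'thread_comments'              => '1',      // threaded (nested) comments
];

// pre_option_{name} short-circuits get_option(): any return value other than
// false is used instead of the stored value, so re-saving the settings page
// in wp-admin has no effect on what WordPress actually enforces.
foreach (HN_PINNED_DISCUSSION_OPTIONS as $option => $value) {
    add_filter("pre_option_{$option}", static function () use ($value) {
        return $value;
    });
}

// Baseline patterns for the "disallowed comment keys" box. option_{name}
// runs after retrieval, so admins can still add their own lines in the UI
// and the baseline is appended rather than replacing them.
const HN_BASELINE_DISALLOWED_KEYS = [
    'casino', 'viagra', 'loan', 'essay writing service', 'buy followers',
];

function hn_merge_disallowed_keys($stored): string {
    // WordPress stores one pattern per line; normalise, dedupe, re-join.
    $lines  = array_filter(array_map('trim', explode("\n", (string) $stored)));
    $merged = array_unique(array_merge($lines, HN_BASELINE_DISALLOWED_KEYS));
    return implode("\n", $merged);
}
add_filter('option_disallowed_keys', 'hn_merge_disallowed_keys');
```

Because the settings screen itself reads these options through get_option(), it will display the pinned values, and an administrator who changes them will see the page reload with the pinned values again. Remove a line from the array (or delete the file) to hand control back to the UI.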

Method 2: Disable trackbacks and pingbacks

This is the single most effective spam reduction for sites that are not actively using pingbacks (which is most sites in 2026).

For new posts: uncheck the pingback setting under Settings > Discussion, as described above.

For existing posts (the setting above only affects future posts):

# Via WP-CLI
wp post list --post_type=post --format=ids | xargs wp post update --ping_status=closed

Or via the database:

UPDATE wp_posts SET ping_status = 'closed' WHERE post_status = 'publish';

At the protocol level (kills inbound pingbacks even if a setting changes back), block xmlrpc.php at the server. The full mechanics including the case where you actually need XML-RPC for Jetpack or the WordPress mobile app are in WordPress XML-RPC: what it is and how to disable it.

On most WordPress sites, closing pingbacks at all three places (Discussion settings, existing posts, server-level XML-RPC block) eliminates an entire category of spam plus a brute-force amplification vector. It costs 5 minutes and the only thing you lose is a feature you probably did not use.

Method 3: Akismet or Antispam Bee

Plugin-based content filtering is the workhorse of comment spam control. Two strong options:

Akismet

Akismet is Automattic’s own anti-spam service. Every comment is sent to Akismet’s servers, scored against their network-wide spam signals, and either approved or flagged. It is the default option because it works well and comes pre-installed in every fresh WordPress install since version 2.0.

Free for personal use, paid for commercial sites. Personal/non-commercial sites get free Akismet with an API key from Akismet.com. Commercial sites need a paid tier starting at $10/month per site.

Setup:

  1. Sign up at akismet.com to get an API key
  2. Activate the Akismet plugin (pre-installed)
  3. Enter your API key under Settings > Akismet Anti-Spam
  4. Choose discard-or-spam-folder behavior under the same settings

Akismet handles roughly 95% of generic spam without manual intervention. Its weakness is that it sends every comment, including the commenter’s IP and email, to a third party (Automattic). For some sites – EU sites with strict GDPR posture, sites with privacy commitments to commenters – that data transfer is a problem.

Antispam Bee

Antispam Bee is the popular German-developed alternative, free with no API key, no third-party data transfer, and no commercial tier:

  1. Install and activate Antispam Bee from the WordPress plugin repository
  2. Review Settings > Antispam Bee – the defaults are usually fine

How it works: a combination of strategies, including BBCode detection, language filtering, fast-submit detection, honeypot field, and an optional public spam-IP blocklist (off by default, can be turned on). No content leaves your server unless you opt into the public blocklist.

Effectiveness: comparable to Akismet for the bulk of generic spam, slightly weaker on the most sophisticated content-based spam but stronger on bot-driven submissions because of the speed-based and honeypot checks.

When to pick Antispam Bee over Akismet:

  • You run a non-commercial site and want a free option with no signup
  • You are bothered by the third-party data transfer to Automattic
  • Your site is EU-based and you want a tool with simpler GDPR posture
  • You want bot-detection (honeypot, speed) in addition to content filtering

Other content filters

  • CleanTalk – paid (around $8/year), cloud-based like Akismet, also handles contact forms and registration forms. Good for sites with many submission types beyond just comments.
  • WP Cerber – free, broader security plugin that includes anti-spam features alongside firewall, IP blocking, and login protection.
  • Spam Destroyer – free, focuses on the bot-submission angle specifically with a JavaScript challenge.

For most sites, picking Akismet OR Antispam Bee covers the content-filter layer. Running two simultaneously does not double the protection and can flag false positives.

Method 4: Honeypot field

A honeypot is a form field that is hidden from human visitors via CSS but visible to bots that parse the HTML. If anything fills that field, the submission is rejected as a bot. Honeypots are silent, frictionless, and effective against the cheap automated submitters that make up the majority of comment spam.

Several plugins implement comment-form honeypots:

  • WP Spam Shield Lite (free) – simple comment-form honeypot, no settings
  • Antispam Bee (already covered above) – includes a honeypot among its strategies
  • WP Armour (free) – honeypot for comment, contact, and registration forms

You can also add a honeypot manually with a snippet:

// Add a hidden url_alt field to the comment form. comment_form_default_fields
// supplies the name/email/url fields shown to logged-out visitors, which is
// where almost all drive-by spam comes from.
add_filter('comment_form_default_fields', function($fields) {
    $fields['url_alt'] = '<p class="comment-form-url-alt" style="position:absolute;left:-9999px;" aria-hidden="true">'
        . '<label for="url_alt">Leave this field empty</label>'
        . '<input id="url_alt" name="url_alt" type="text" value="" tabindex="-1" autocomplete="off" /></p>';
    return $fields;
});

// preprocess_comment is a filter (the callback must return the comment array)
// and runs before wp_insert_comment, so wp_die() here prevents any database write.
add_filter('preprocess_comment', function($comment) {
    if (!empty($_POST['url_alt'])) {
        wp_die('Spam detected.');
    }
    return $comment;
});

This adds a hidden url_alt field. Real visitors never see it because the CSS pushes it off-screen and aria-hidden removes it from assistive tech. Bots parse the form, fill every field, and trip the trap. The submission is rejected before WordPress writes anything to the database.

The downside of honeypots is that the sophisticated end of the spam-bot market reads them too. They are not a complete defense, but they remove the cheapest submitters at zero friction to real visitors – which is exactly the right tradeoff for most blogs.
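The honeypot above rejects bots that fill every field; the other cheap bot signal mentioned in this guide (Antispam Bee's fast-submit detection, and the "filling forms faster than a human could read them" signal at the edge) is timing. The mu-plugin below is an added example, not code from the original guide or from Hostney, that combines both: a honeypot plus a signed render-time timestamp, so a submission is rejected if the hidden field is filled, if the token is missing or forged (a direct POST to wp-comments-post.php), or if it arrives faster than a human could read the form. The hn_ prefix, the field names hn_url_alt / hn_ts and the 3-second / 24-hour thresholds are this example's own choices; wp_salt(), esc_attr(), esc_html() and wp_die() are standard WordPress functions.

```php
<?php
/**
 * Plugin Name: Comment honeypot + minimum submit time (added example)
 * Drop this file into wp-content/mu-plugins/.
 */

const HN_MIN_SECONDS = 3;      // a submission younger than this is treated as automated
const HN_MAX_SECONDS = 86400;  // older than this the token is stale; must exceed any page-cache TTL

// Sign a render-time timestamp so a bot cannot backdate it. wp_salt('nonce')
// is a per-site secret; hash_hmac()/hash_equals() are standard PHP.
function hn_sign_timestamp(int $ts): string {
    return $ts . ':' . hash_hmac('sha256', (string) $ts, wp_salt('nonce'));
}

// Return the timestamp if the token is well-formed and authentic, null otherwise.
function hn_verify_timestamp(string $token): ?int {
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || $parts[0] === '' || !ctype_digit($parts[0])) {
        return null;
    }
    $expected = hash_hmac('sha256', $parts[0], wp_salt('nonce'));
    return hash_equals($expected, $parts[1]) ? (int) $parts[0] : null;
}

// Classify a submitted POST body: a reason string if it should be rejected,
// null if it passes. Only the token check touches WordPress (via wp_salt).
function hn_rejection_reason(array $post, int $now): ?string {
    if (!empty($post['hn_url_alt'])) {
        return 'honeypot field was filled';          // humans never see this field
    }
    $ts = isset($post['hn_ts']) ? hn_verify_timestamp((string) $post['hn_ts']) : null;
    if ($ts === null) {
        return 'missing or forged form token';       // e.g. a direct POST that skipped the form
    }
    $age = $now - $ts;
    if ($age < HN_MIN_SECONDS) {
        return 'form submitted faster than a human could read it';
    }
    if ($age > HN_MAX_SECONDS) {
        return 'form token expired';
    }
    return null;
}

// Render both hidden inputs inside the <form>. The 'comment_form' action fires
// after the submit button for logged-in and logged-out visitors alike.
add_action('comment_form', function () {
    echo '<p style="position:absolute;left:-9999px;" aria-hidden="true">'
        . '<label for="hn_url_alt">Leave this field empty</label>'
        . '<input id="hn_url_alt" name="hn_url_alt" type="text" value="" tabindex="-1" autocomplete="off" /></p>';
    echo '<input type="hidden" name="hn_ts" value="' . esc_attr(hn_sign_timestamp(time())) . '" />';
});

// Enforce on submission, before wp_insert_comment writes anything.
add_filter('preprocess_comment', function ($comment) {
    if (current_user_can('moderate_comments')) {
        return $comment;                             // moderators skip the checks
    }
    $reason = hn_rejection_reason($_POST, time());
    if ($reason !== null) {
        wp_die('Comment rejected: ' . esc_html($reason), 'Spam detected', ['response' => 403]);
    }
    return $comment;
});
```

One caveat worth knowing before relying on the timing check: with full-page caching, the hidden timestamp is generated when the page was cached, not when the visitor loaded it, so the minimum-age test only proves the form is at least a few seconds old and HN_MAX_SECONDS must be longer than the cache TTL or real visitors on stale pages will be rejected. As the guide says of honeypots generally, this removes the cheapest submitters at zero friction; it is not a substitute for the content filter.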

Method 5: CAPTCHA on the comment form

CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) force a challenge before the form is submitted. They work, but they impose friction on every legitimate commenter, which costs you real engagement.

Modern options:

  • hCaptcha – free, privacy-friendly alternative to reCAPTCHA, no Google involvement. The plugin “hCaptcha for WordPress” integrates it with the comment form.
  • Google reCAPTCHA v3 – invisible, score-based (no checkboxes), free up to 1M assessments/month. Plugins like Advanced Google reCAPTCHA add it to the comment form.
  • Cloudflare Turnstile – free, no checkbox, no captcha image, designed to replace reCAPTCHA with less friction.

Pick hCaptcha or Turnstile if you care about privacy / GDPR posture and the visible challenge is acceptable. Pick reCAPTCHA v3 if you want zero visible friction and accept Google’s involvement. Skip CAPTCHA entirely if your spam volume is manageable with Akismet/Antispam Bee + honeypot, because CAPTCHA is the layer that most affects real commenter experience.

Method 6: Disable comments entirely

If you do not actually use comments – many sites do not – disabling them everywhere is the cleanest answer. No form, no submissions, no spam, no moderation queue, no database bloat.

Disable on new posts via Settings > Discussion (uncheck “Allow people to submit comments on new posts”).

Disable on existing posts:

# Via WP-CLI - all published posts
wp post list --post_type=post --format=ids | xargs wp post update --comment_status=closed

# All published pages too
wp post list --post_type=page --format=ids | xargs wp post update --comment_status=closed

Or via SQL:

UPDATE wp_posts SET comment_status = 'closed' WHERE post_status = 'publish';

Hide the form even if the option drifts back on. Add to your theme’s functions.php or a mu-plugin:

add_filter('comments_open', '__return_false', 20, 2);
add_filter('pings_open', '__return_false', 20, 2);

Plugin shortcut. The free Disable Comments plugin (5M+ active installs) wraps all of the above in a single settings page with options to disable comments site-wide, by post type, or to also remove the Comments menu from wp-admin entirely.

For sites that are blogs in the editorial sense but not in the “community” sense – corporate blogs, knowledge bases, documentation sites – disabling comments is often the right call. Readers rarely comment on commercial articles in 2026; the discussion happens on social media. The comment form mostly catches spam and noise.

Method 7: Edge bot detection (the server-level layer)

Plugin-layer spam filters and CAPTCHAs both run inside WordPress, which means the bot has already loaded a PHP worker, queried the database, and rendered the comment form before being stopped. For most sites this overhead is invisible. For sites under heavy spam-bot traffic, it adds up – the comment form is a particular target because every page on the site loads it.

The edge detection layer stops abusive bots before they touch WordPress. The same patterns that flag a bot as a comment-spammer also flag it as a login brute-forcer, a content scraper, and a vulnerability scanner. A single edge filter covers all of those use cases without adding code to your site.

On Hostney, the server-level bot detection layer catches automated comment-spam submitters at the OpenResty edge before the request reaches PHP. The behavioral signals – hitting the form repeatedly across many posts, filling forms faster than a human could read them, hitting honeypot URLs, scanning many WordPress paths in sequence – are the same patterns that abusive bots use across every other vector. Spam-bot blocking is essentially a free byproduct of the broader bot-detection layer.

The edge approach has one tradeoff with content-filter plugins: edge filters are behavior-based, content filters are content-based. They catch different things. The strongest setup is both – edge detection removes the high-volume bot traffic, content filters catch the lower-volume human-or-cheap-bot spam that slips through. The two stack.

Common mistakes

Leaving Akismet inactive on a fresh install. Every new WordPress site ships with Akismet but it needs activation and an API key to do anything. New site owners often skip this and assume the spam will sort itself out. It will not.

Turning on “all comments must be approved” and treating that as protection. This stops spam from being publicly visible, but spam still arrives, still bloats your wp_comments table, and still wastes your time reviewing it. Pair the moderation requirement with a content filter (Akismet/Antispam Bee) so the queue stays manageable.

Disabling comments via theme but not at the WordPress level. Themes can hide the comment form, but a determined bot still POSTs to /wp-comments-post.php directly. The form must be closed at the post level (comment_status = 'closed') for the POST to be rejected.

Forgetting that old posts have different settings. A site that has been running for years probably has thousands of old posts with the original “allow comments” / “allow pingbacks” settings. Changing the global default in Settings > Discussion only affects new posts. You have to update existing posts via WP-CLI or SQL.

Stacking three anti-spam plugins. More plugins doing the same job is not more protection – it is more chances for one to mark a legitimate comment as spam. Pick one content filter (Akismet OR Antispam Bee OR CleanTalk), add a honeypot if you want, stop there.

Leaving pingbacks on while running anti-spam. Pingbacks are a separate channel that anti-spam plugins do not always inspect. Close them at the protocol level (xmlrpc.php) and at the per-post level – they are 99% spam and you almost certainly do not need them.

Storing 100,000 spam comments forever. Spam comments live in the wp_comments table even when they are marked “spam” and never displayed. Run wp comment delete $(wp comment list --status=spam --format=ids) periodically to actually remove them. After cleanup, optimize the database so the table reclaims the space.
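The WP-CLI one-liner above works when you remember to run it. The mu-plugin below is an added example, not code from the original guide or from Hostney, that does the same cleanup on a schedule: once a day it deletes spam comments older than a retention window, in bounded batches so the cron run stays short, and exposes the same routine as a WP-CLI command for on-demand runs. The hn_ prefix, the 30-day window and the batch size are this example's own choices; get_comments(), wp_delete_comment(), wp_schedule_event() and WP_CLI::add_command() are standard WordPress / WP-CLI APIs.

```php
<?php
/**
 * Plugin Name: Purge old spam comments (added example)
 * Drop into wp-content/mu-plugins/.
 */

const HN_SPAM_RETENTION_DAYS = 30;   // keep recent spam so it can still be reviewed
const HN_PURGE_BATCH         = 500;  // bounded per run to keep the cron job short

// Schedule a daily purge once. WP-Cron fires it on normal page traffic
// (or from a real cron job calling `wp cron event run --due-now`).
add_action('init', function () {
    if (!wp_next_scheduled('hn_purge_spam_comments')) {
        wp_schedule_event(time(), 'daily', 'hn_purge_spam_comments');
    }
});

// Select spam comment IDs older than the retention window, oldest first.
function hn_find_stale_spam(int $days, int $limit): array {
    return get_comments([
        'status'     => 'spam',
        'fields'     => 'ids',
        'number'     => $limit,
        'orderby'    => 'comment_date_gmt',
        'order'      => 'ASC',
        'date_query' => [[
            'column' => 'comment_date_gmt',
            'before' => $days . ' days ago',
        ]],
    ]);
}

// Permanently delete them (force=true skips the trash, and spam is never
// trashed anyway) and return how many rows were removed.
function hn_purge_spam_comments(): int {
    $deleted = 0;
    foreach (hn_find_stale_spam(HN_SPAM_RETENTION_DAYS, HN_PURGE_BATCH) as $id) {
        if (wp_delete_comment($id, true)) {
            $deleted++;
        }
    }
    return $deleted;
}
add_action('hn_purge_spam_comments', 'hn_purge_spam_comments');

// Optional WP-CLI entry point: `wp hn purge-spam` runs the same routine now.
if (defined('WP_CLI') && WP_CLI) {
    WP_CLI::add_command('hn purge-spam', function () {
        WP_CLI::success(hn_purge_spam_comments() . ' spam comments deleted.');
    });
}
```

wp_delete_comment() also removes the rows in wp_commentmeta that belong to each comment, which is where Akismet stores its per-comment history and where most of the bloat described earlier lives. Deleting rows does not shrink the table files on disk; as the paragraph above says, optimize the database afterwards so the space is reclaimed.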

Using CAPTCHA as the primary defense. CAPTCHAs work against bots, but they also cost you real comments because legitimate readers do not always bother to solve them. Use a CAPTCHA only if Akismet/Antispam Bee + honeypot + native moderation are not enough.

How Hostney reduces comment spam

The server-level bot detection layer that runs in front of every WordPress site on Hostney catches automated comment-spam submitters before they ever reach your WordPress install. The same behavioral signals that flag a bot as a login brute-forcer or a vulnerability scanner also flag it as a comment-form submitter: hitting many URLs in fast sequence, filling forms faster than a human can type, hitting honeypot paths, scanning the site for WordPress signatures. Once flagged, the bot is challenged or banned at the OpenResty edge – the request never starts a PHP worker, never queries the database, never reaches your comment plugin.

This means Akismet’s monthly comment count on a Hostney-hosted WordPress site is often dramatically lower than on the same site running elsewhere, because most of what would have been comment spam is being absorbed at the edge instead. You still want Akismet or Antispam Bee active for the human-driven and cheap-bot spam that does get through – the layers stack rather than replace each other.

A few practical pieces:

  • No setup required for the edge layer. Bot detection runs by default on every Hostney WordPress site. There is no plugin to install, no setting to enable.
  • You still control the content filter. Hostney does not auto-install Akismet or any other anti-spam plugin. The choice between Akismet, Antispam Bee, CleanTalk, or no content filter at all is yours.
  • Trackback/pingback channel hardening. Hostney’s default Nginx configuration restricts XML-RPC paths to make pingback amplification harder. If you do not use XML-RPC for Jetpack or the mobile app, you can disable it entirely from your control panel with no edits to the WordPress code.

For sites that are not blogs in any active discussion sense – business sites, knowledge bases, documentation – Hostney’s panel lets you disable comments site-wide with one toggle, which combined with the edge layer eliminates the entire spam vector without touching the WordPress install.

Quick checklist

  • [ ] Set sensible defaults in Settings > Discussion (require name + email, close comments after 30 days, manual approval or first-comment-moderation)
  • [ ] Disable trackbacks and pingbacks (uncheck the Discussion setting + update existing posts via WP-CLI + close XML-RPC at the server)
  • [ ] Install ONE content filter (Akismet OR Antispam Bee OR CleanTalk – not all three)
  • [ ] Add a honeypot field via plugin or snippet for bot-driven spam
  • [ ] Add the disallowed-comment-keys list with patterns you see repeatedly
  • [ ] Decide whether you actually want comments – if not, disable them site-wide via Disable Comments plugin or WP-CLI
  • [ ] Run wp comment delete $(wp comment list --status=spam --format=ids) periodically to clear the spam table
  • [ ] If spam volume is overwhelming, consider whether the host’s edge bot detection is catching the obvious traffic
  • [ ] Test the comment form yourself after configuring to make sure real comments still arrive
  • [ ] Do not stack CAPTCHA on top of working filters – it costs real engagement

Summary

WordPress comment spam in 2026 is solved in layers, not by one magic toggle. Configure native moderation, install Akismet or Antispam Bee, disable pingbacks at every level, add a honeypot, and the typical blog sees a 90%+ reduction in spam reaching the queue. Sites with active discussions add a CAPTCHA only when the lower-friction layers are not enough. Sites that do not use comments should just disable them – no form, no spam. The bots that drive the bulk of spam volume are catchable at the edge, before they touch WordPress at all, and that is the layer that scales best as your site grows. Pick the layers that fit your site and stack them – the goal is a moderation queue that has real comments in it, not 200 casino links and 5 actual readers.