Captcha 4WP has been acquired by WPKube.

Best security measures for WordPress Spam Protection

Spam protection for WordPress can save you countless hours, resources, and money from going to waste. Spam comments are also a big turn-off for site visitors, eroding trust in your website.

While spam is in decline, thanks to improved filtering technologies, it still costs businesses an average of $712 per employee each year. This figure does not include time spent looking for lost messages, which would raise the cost even higher.

In this article, we will look at the best spam protection technologies available for WordPress today. From CAPTCHA and geo-blocking to whitelisting and filtering, we will look at the best anti-spam plugin or service for each category.

CAPTCHA

CAPTCHA is a battle-tested spam protection security measure. It protects comment and form submissions on your WordPress site by requiring a test that is designed to be easy for humans and hard for bots to complete automatically.

CAPTCHA comes in different flavors, so you can pick the type that works best for you and your websites. reCAPTCHA is the best known, but hCAPTCHA and Cloudflare Turnstile are more than worthy contenders. reCAPTCHA itself comes in several versions, which gives you control over the balance between WordPress spam protection and user experience.

CAPTCHA 4WP is our anti-spam plugin for WordPress that offers a slew of features for spam protection. It offers five different CAPTCHAs to choose from, as well as features such as:

  • Configurable reCAPTCHA score

  • reCAPTCHA V3 failover

  • 3rd-party plugin support

  • CAPTCHA customization options

How to add CAPTCHA to forms on your WordPress website

Getting CAPTCHA anti-spam protection is easy with our own CAPTCHA 4WP. The free edition includes all versions of reCAPTCHA. The premium edition adds hCAPTCHA and Cloudflare Turnstile, among many other features, for even more CAPTCHA options.

You can install the free version directly from your WordPress admin by navigating to Plugins > Add New Plugin. Search for CAPTCHA 4WP and then click Install, as shown in the screenshot below.

The configuration wizard starts automatically once you install and activate the plugin. Whichever CAPTCHA service you choose, you will need to obtain a Site Key and a Secret Key from that service; together, this key pair is what makes the CAPTCHA work on your site. The Site Key is public and is embedded in your pages so the widget can load. The Secret Key is used only by your server to ask the provider whether a submitted token is genuine, so it must stay on the server and never appear in a theme template, a client-side script or a public repository.

The wizard walks you through the rest of the setup. The plugin itself includes numerous options, such as an adjustable reCAPTCHA v3 score threshold with failover for low-scoring submissions, 3rd-party plugin integration, and much more.
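The plugin performs the server-side check for you, but it helps to know what a correct verification looks like, because this is where the Secret Key and the v3 score are actually used. The Python below is an added example, not code from CAPTCHA 4WP or from Google. It posts the token and Secret Key to reCAPTCHA's siteverify endpoint and then triages the documented response fields: for v3 it confirms the token is valid, was issued for this form's action and for this hostname, and only then compares the score with the threshold. A genuine token with a low score is sent to an interactive challenge rather than rejected outright, which is the failover idea; the assumption here is that the fallback is a v2 checkbox. The action name, hostname, threshold and sample responses are constructed for the example.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def fetch_siteverify(secret_key, token, remote_ip=None):
    """Ask Google whether a reCAPTCHA token is valid.

    This is the only place the Secret Key is used, and it runs on the server;
    the Site Key is the public half embedded in the page. Makes a network
    call, so the samples below stand in for its output."""
    fields = {"secret": secret_key, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=5) as resp:
        return json.load(resp)


def decide_v3(result, expected_action, expected_hostname, min_score=0.5):
    """Triage a reCAPTCHA v3 siteverify response.

    Returns "accept", "challenge" (fail over to an interactive v2 check) or
    "reject". A token that is invalid, or that was minted for another action
    or another site, is rejected outright; only a genuine token with a low
    score goes to the fallback, so real users are not silently dropped."""
    if not result.get("success"):
        return "reject"                      # expired, reused or forged token
    if result.get("action") != expected_action:
        return "reject"                      # token from a different form
    if result.get("hostname") != expected_hostname:
        return "reject"                      # token solved on another site
    score = result.get("score")
    if not isinstance(score, (int, float)):
        return "reject"
    return "accept" if score >= min_score else "challenge"


def decide_v2(result, expected_hostname):
    """v2 (checkbox / invisible) has no score: a valid token for this host passes."""
    return bool(result.get("success")) and result.get("hostname") == expected_hostname


# Constructed siteverify responses in the documented format (not real API output).
SAMPLE_OK = {"success": True, "score": 0.9, "action": "contact_form",
             "hostname": "example.com", "challenge_ts": "2024-01-01T00:00:00Z"}
SAMPLE_LOW_SCORE = dict(SAMPLE_OK, score=0.2)
SAMPLE_WRONG_ACTION = dict(SAMPLE_OK, action="login")
SAMPLE_OTHER_SITE = dict(SAMPLE_OK, hostname="attacker.example")
SAMPLE_INVALID = {"success": False, "error-codes": ["timeout-or-duplicate"]}

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("low score", SAMPLE_LOW_SCORE),
                         ("wrong action", SAMPLE_WRONG_ACTION),
                         ("other site", SAMPLE_OTHER_SITE), ("invalid", SAMPLE_INVALID)]:
        print(f"{name:12s} -> {decide_v3(sample, 'contact_form', 'example.com')}")
```

The action and hostname checks matter as much as the score: without them a token solved on an attacker's page, or for a cheaper form on your own site, is accepted for any form that shares the key pair.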

Geo-blocking

Some regions send far more comment and form spam than others, and reputation services such as Cisco Talos make it easy to identify them. If you do not serve those regions, geo-blocking is a great tool for reducing message and comment spam on your WordPress site.

Spammers often use VPNs and proxies to circumvent geo-blocking, so on its own it is not enough of a deterrent. It is, however, a great supplement to other measures such as CAPTCHA.

The easiest way to enable geo-blocking is through a plugin. You can also apply geo-blocking rules at the CDN or firewall if the feature is available; doing it there has two advantages: the request is dropped before it ever reaches PHP, and the CDN sees the real client address. A plugin, by contrast, can only geolocate the address WordPress sees, so if your site sits behind a CDN or reverse proxy, make sure the real client address is passed through rather than the proxy's. Since we used CAPTCHA 4WP before, we will use the same plugin to walk through geo-blocking in WordPress.

To enable geo-blocking with CAPTCHA 4WP:

  • First, we need an IPLocate API key. To configure this, go to CAPTCHA 4WP > Settings and click on the Integrations tab.

  • Follow the provided instructions to obtain your key. Then, enter it in the IPLocate API Key textbox and remember to click Save.

  • Next, navigate to CAPTCHA 4WP > Form Placements.

  • Scroll down to the very last section, titled Do you want block/allow protected form submissions based on a users location?, choose a location rule (block or allow) and enter the ISO country codes of the countries you want to block or allow.
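What the plugin and the IPLocate lookup do behind the scenes, as an added Python example that is not the plugin's code. It concentrates on the part that is easy to get wrong: choosing the address to geolocate. Only when the direct peer is one of your own proxies is the X-Forwarded-For header trusted; otherwise a spammer connecting straight to the origin could claim any address in an allowed country. The trusted-proxy range, the country table standing in for the geolocation API, and the sample addresses are all assumptions constructed for the example; the rule semantics (an allow list or a block list of country codes) follow the plugin setting described above.

```python
import ipaddress

# Assumptions for this example: the site sits behind a CDN or load balancer in
# 10.0.0.0/8 that sets X-Forwarded-For, and country lookups come from a
# constructed table standing in for a geolocation service such as IPLocate.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
COUNTRY_BY_PREFIX = {            # documentation ranges, constructed mapping
    "203.0.113.0/24": "GB",
    "198.51.100.0/24": "RU",
    "192.0.2.0/24": "US",
}


def is_trusted_proxy(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, x_forwarded_for=None):
    """Return the address to geolocate.

    X-Forwarded-For is honoured only when the direct peer is a trusted proxy.
    Walk the chain from the right (the hop our own proxy appended is the only
    one we can vouch for) and return the first hop that is not one of ours."""
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for and is_trusted_proxy(peer):
        hops = [h.strip() for h in x_forwarded_for.split(",")]
        for hop in reversed(hops):
            try:
                candidate = ipaddress.ip_address(hop)
            except ValueError:
                continue                     # malformed hop: ignore it
            if not is_trusted_proxy(candidate):
                return candidate
    return peer                              # no usable header: use the peer


def country_of(ip):
    """Constructed stand-in for an IP-to-country API; returns None if unknown."""
    for prefix, code in COUNTRY_BY_PREFIX.items():
        if ip in ipaddress.ip_network(prefix):
            return code
    return None


def submission_allowed(remote_addr, x_forwarded_for, rule, countries):
    """Apply a location rule to a form submission.

    rule is "allow" (only the listed countries may submit) or "block" (the
    listed countries may not). An address with no known country fails an
    allow rule and passes a block rule, the conservative reading of each."""
    code = country_of(client_ip(remote_addr, x_forwarded_for))
    if rule == "allow":
        return code is not None and code in countries
    if rule == "block":
        return code is None or code not in countries
    raise ValueError(f"unknown rule {rule!r}")


if __name__ == "__main__":
    # Spoofed header from a direct connection is ignored; real chain is honoured.
    print(client_ip("198.51.100.7", "203.0.113.9"))          # 198.51.100.7
    print(client_ip("10.1.2.3", "203.0.113.9, 10.0.0.5"))    # 203.0.113.9
    print(submission_allowed("10.1.2.3", "198.51.100.7", "block", {"RU"}))
```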

Whitelisting

Allowlists, also known as whitelists, block every submission except those from the sources on the list. This is a very restrictive measure that should only be deployed when you know exactly who will be making submissions.

Typically, an allowlist holds the IP addresses of the people allowed to post comments or send messages. Most people do not have a static IP address, so you may need to update the list regularly even if it only has a few entries. As with geo-blocking, an IP allowlist is only as good as the address your site sees: behind a CDN or reverse proxy, make sure the real client address is passed through rather than the proxy's, or the list will match the wrong thing.

Plugins such as WPForms let you configure an email address allowlist per form, and the option is included in the free version, making it accessible to everyone. Bear in mind that the email field is typed in by the submitter and is not verified, so an email allowlist filters out casual spam rather than proving who sent the message.

To add an allowlist to a WPForms form:

  • Using an existing or new form, make sure that one of the fields is Email

  • Click on the Email field in the form builder and then click on Advanced in the left-hand menu

  • Scroll down to the section titled Allowlist / Denylist and choose Allowlist from the drop-down menu

  • Enter the email addresses you want to include in your Allowlist, and remember to save.

Blacklisting

Blacklists, also known as denylists or blocklists, are a form of spam protection that prohibits specific IP addresses from posting comments or submitting forms. Spammers can very easily change their IP address, but a denylist still lets you cut off the worst offenders.

Do note that it is impractical to blacklist every IP that sends spam. Keeping up with the list would require full-time staff just to manage the process.

Denylists can be applied at different layers. If you want to stop certain IPs from interacting with your site at all, add the appropriate access-control directives to the .htaccess file (on Apache) or to the server configuration (on nginx); the request is then rejected before WordPress loads, which also saves the PHP resources a plugin-level block would consume.
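An example of such .htaccess directives, added here and not taken from the article or any plugin, using Apache 2.4 syntax. It limits the block to the comment endpoint so a mistaken entry cannot lock a reader out of the whole site; the addresses are documentation ranges used as placeholders.

```apache
# Apache 2.4 syntax. Blocks the listed addresses from posting comments only;
# the rest of the site stays reachable to them. Placeholder addresses.
<Files "wp-comments-post.php">
    <RequireAll>
        Require all granted
        Require not ip 198.51.100.23
        Require not ip 203.0.113.0/24
    </RequireAll>
</Files>
```

Two caveats apply. Behind a CDN or reverse proxy, Apache sees the proxy's address, not the visitor's, so these rules would block nothing (or block your CDN); mod_remoteip has to be configured in the server configuration, not in .htaccess, to restore the real client address first. And spammers increasingly arrive over IPv6, so list both address families where you have them.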

Keyword filtering

Another WordPress spam protection mechanism is keyword filtering. This functionality is available in WordPress straight out of the box without needing to install any specific WordPress anti-spam plugins.

Keyword filtering is a form of spam protection that looks for specific strings in a comment's content and metadata. Whenever one of these strings is detected, WordPress does one of two things: it either sends the comment to the Trash automatically or holds it for moderation.

Which keywords you want to filter will largely depend on the topics you cover on your website. For example, if you cover the latest tech news, any medical product reference is likely a spam message. However, if you do cover health topics your audience is more likely to mention medicinal products.

To get started with keyword filtering, log into your WordPress dashboard, then navigate to Settings > Discussion.

Comment Moderation

The comment moderation feature enables us to automatically move comments to the moderation queue when they meet certain criteria. These are as follows:

Links

WordPress can automatically hold comments for moderation when they contain a given number of links. Spam comments typically pack in many links, hoping that readers will click on them.

By default, WordPress sets this limit to 2 or more. You can raise or lower it by entering a different number in the relevant field under Settings > Discussion; setting it to 0 disables the link check entirely.

Keywords

We can also define specific words in the Comment Moderation text box, one per line, which, when present, will automatically move the comment to the moderation queue. Keywords are matched against:

  • Content

  • IP addresses

  • URLs

  • Author name

  • Email

  • User-agent string

Equally, we can define keywords that, when present, send the comment straight to the Trash. These are entered in the Disallowed Comment Keys section. Both lists use plain case-insensitive substring matching: "press" matches "WordPress", and a partial address such as 198.51.100. matches every IP in that range. Choose entries specific enough not to catch legitimate comments, and remember that an over-broad entry in the disallowed list discards comments without anyone seeing them.
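To make the matching rules concrete, here is a small Python re-implementation of the keyword filtering and comment moderation checks described in the last two sections. It is an added example, not WordPress core code: it mirrors core's behaviour (one key per line, case-insensitive substring match across author, email, URL, content, IP and user agent; anchors counted as occurrences of "<a ... href"; disallowed keys checked before the link limit and moderation keys) but leaves out the "previously approved author" and "always moderate" settings. The sample comments, keys and IP addresses are constructed for the example.

```python
import re

# The comment fields core checks, in the order it checks them.
CHECKED_FIELDS = ("comment_author", "comment_author_email", "comment_author_url",
                  "comment_content", "comment_author_IP", "comment_agent")


def first_matching_key(keys_text, comment):
    """Return (key, field) for the first key that matches, or None.

    One key per line, blank lines ignored, case-insensitive substring match
    with no word boundaries: "press" matches "WordPress" and "198.51.100."
    matches every address in that /24."""
    for line in keys_text.splitlines():
        key = line.strip()
        if not key:
            continue
        pattern = re.compile(re.escape(key), re.IGNORECASE)
        for field in CHECKED_FIELDS:
            if pattern.search(str(comment.get(field, ""))):
                return key, field
    return None


def count_links(content):
    """Count anchors the way core does: occurrences of '<a ... href'."""
    return len(re.findall(r"<a [^>]*href", content, re.IGNORECASE))


def triage(comment, moderation_keys="", disallowed_keys="", max_links=2):
    """Return "trash", "moderate" or "approve".

    Simplified order of the core checks: Disallowed Comment Keys send the
    comment to Trash; then the link limit (0 disables it) and the Comment
    Moderation keys hold it for moderation; otherwise it is approved."""
    if first_matching_key(disallowed_keys, comment):
        return "trash"
    if max_links and count_links(comment.get("comment_content", "")) >= max_links:
        return "moderate"
    if first_matching_key(moderation_keys, comment):
        return "moderate"
    return "approve"


# Constructed sample comments; the IPs are documentation ranges.
SPAM = {"comment_author": "Bob", "comment_author_email": "bob@example.net",
        "comment_author_url": "http://pills.example", "comment_author_IP": "198.51.100.23",
        "comment_agent": "Mozilla/5.0",
        "comment_content": "Cheap VIAGRA here <a href='http://pills.example'>buy</a>"}
LINKY = dict(SPAM, comment_content="see <a href=a>1</a> <a href=b>2</a> <a href=c>3</a>")
CLEAN = {"comment_author": "Alice", "comment_author_email": "alice@example.org",
         "comment_author_url": "", "comment_author_IP": "203.0.113.5",
         "comment_agent": "Mozilla/5.0", "comment_content": "Great write-up, thanks!"}

MODERATION_KEYS = "press\n\n198.51.100.\n"   # a word and a partial IP
DISALLOWED_KEYS = "viagra\ncasino\n"

if __name__ == "__main__":
    for name, c in [("spam", SPAM), ("linky", LINKY), ("clean", CLEAN)]:
        print(f"{name:6s} -> {triage(c, MODERATION_KEYS, DISALLOWED_KEYS)}")
    # The substring pitfall from the Settings > Discussion help text:
    print(first_matching_key("press", {"comment_author": "WordPress fan"}))
```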

Notable mention: Akismet anti spam plugin

If you do not want to manage keywords and IP addresses by hand, a dedicated WordPress anti-spam plugin may well be a better choice. Akismet, developed by Automattic, sends each comment to its cloud service, which scores it against the spam patterns seen across the many sites that use it.

Akismet ships with the WordPress download (it is installed but not activated, and some hosts strip it out). If it is missing, you can install it by navigating to Plugins > Add New Plugin and searching for Akismet.

Once you’ve installed the plugin, you will need to get an API key from the Akismet website. There are different plans available, depending on your requirements.

Because the classification happens in Akismet's cloud, the load on your own WordPress server is minimal. The flip side is that comment content and author details (name, email address, IP address) leave your server for processing, which you should account for in your site's privacy notice.

Akismet also integrates with 3rd party plugins such as Contact Form 7 and Gravity Forms for more consistent WordPress spam protection across your website.

How to decide which method or plugin to use

With many spam plugins for WordPress to choose from, finding the right one (or more) can feel like an intimidating task. Whether you’re working on your own website or that of a client, balancing security and performance is surely at the top of your list. So, how do you go about it?

Spam evolves to counteract the security measures we put in place. As such, when looking to combat spam, you need to ensure that any anti-spam tools you use evolve with it.

The best anti-spam plugins receive regular updates with new functionality. This ensures that you can continue keeping spam at bay.

There is no such thing as a zero-spam plugin for WordPress (some spam will inevitably get through), so a plugin that offers several complementary ways to stop spam comments is usually the more effective choice.

Frequently Asked Questions

Does WordPress have a spam blocker?

WordPress comes with built-in comment moderation tools aimed at spam comments. Available under Settings > Discussion in the WordPress dashboard, these tools let you automatically trash, or hold for moderation, any comment that contains specific keywords or more than a set number of links.

Is there free spam protection for WordPress sites?

While WordPress includes moderation tools out of the box, you can enhance spam protection with plugins. CAPTCHA 4WP is one such plugin; its free edition integrates with all reCAPTCHA versions, including reCAPTCHA v3 failover, so that genuine users do not fall through the cracks.
