Reduce Comment Spam on WordPress without Paying for a Plugin


Eventually, your blog will draw enough traffic and attention that you’ll have to deal with a significant amount of comment spam.

It’s almost a rite of passage. You’re getting your content out into the blogosphere, Google starts to rank your site, and new readers visit your blog. Unfortunately, spammers also become aware of your blog, and they’re very eager to get their links onto your comments section.

With traffic comes spam

I got a nice bump in traffic last week after StudioPress featured my blog on their showcase.

Then yesterday, I started getting hammered by comment spam—thirty-one spam comments in one day. Okay, I know that’s not a lot considering others might have to deal with a few hundred a day, but to this point, I never had to deal with more than ten in a given day. In fact, thirty-one were more than I had over the blog’s first five and a half months!

I love any comment I can get on this fledgling blog, but I only have a few hours a day to devote to it. So having to manually filter spammy comments to make sure the legitimate ones don’t get overlooked was going to be a real drag.

I realized I might have to start using a plugin like Akismet to filter the spam. The problem is that because of affiliate ads hosted here, The Hobby Blogger is now a commercial blog, which means I have to pay $5 a month to use Akismet; big bummer since I’m not making any money yet.

And while Akismet seems to be the de facto comment spam blocker, it’s not perfect. You’ll still have to check for legitimate comments that get marked as spam (false positives).

So what do you do? Is there any way to put off using a plugin to combat spam? Yes there is. I found the answer on WordPress’s Combating Comment Spam/Denying Access page.

Referrer Requests

There’s a key difference between readers and spam-bots when they post comments. When a reader posts a comment, their browser tells WordPress which webpage the comment request came from. So if you comment on this post, your browser accesses wp-comments-post.php and says the browser was referred to that code from

When a spam-bot tries to leave a comment, it will bypass your site altogether and directly access wp-comments-post.php. In this case, wp-comments-post.php usually gets an empty referrer request.

Your server can detect this empty referrer request, allowing you to deny the spam-bot access and send it packing.

To do this, you’re going to add the following code to the .htaccess file in your WordPress root folder. This is the folder that has folders such as wp-admin/ and wp-content/. In most cases this will be in your public_html or www folder.

# BEGIN Deny access to No Referrer Requests
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*example\.com.* [OR]
# example\.com on the line above is a placeholder for your own domain
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
# END Deny access to No Referrer Requests

This code detects when a request is made to post a comment. If the referring page is not on your site, if there’s no referring page at all, or if the request carries no user agent, the requester (spam-bot) is denied access and redirected back to its own IP address. Both headers are supplied by the client, so the rule only filters bots that don’t bother to set them.
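Before deploying the rule, you can estimate what it would block by replaying its conditions over your access log. The following is an added example, not code from the original post or from WordPress; it assumes the Apache combined log format, the placeholder domain example.com, and that only POST requests count as comment submissions, and would_deny and audit are hypothetical helper names.

```python
import re

SITE_DOMAIN = "example.com"  # assumed placeholder; use the domain from your rule

# Apache "combined" log line: ip - user [time] "METHOD uri proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
URI_RE = re.compile(r".wp-comments-post\.php*")  # same pattern as the RewriteCond


def would_deny(method, uri, referer, agent, domain=SITE_DOMAIN):
    """Mirror the rule: POST AND comment URI AND (referer lacks domain OR empty agent)."""
    if method != "POST" or not URI_RE.search(uri):
        return False
    # Apache logs a missing header as "-"
    referer = "" if referer == "-" else referer
    agent = "" if agent == "-" else agent
    return re.search(re.escape(domain), referer) is None or agent == ""


def audit(lines, domain=SITE_DOMAIN):
    """Split comment POSTs into (denied, allowed) lists of (ip, referer, agent)."""
    denied, allowed = [], []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST" or not URI_RE.search(m["uri"]):
            continue  # not a comment submission, so the rule never applies
        hit = would_deny(m["method"], m["uri"], m["referer"], m["agent"], domain)
        (denied if hit else allowed).append((m["ip"], m["referer"], m["agent"]))
    return denied, allowed


# Constructed sample lines (documentation IP ranges), not real traffic.
T = "[12/Mar/2012:10:01:22 +0000]"
SAMPLE_LOG = [
    f'203.0.113.7 - - {T} "POST /wp-comments-post.php HTTP/1.1" 302 - "http://www.example.com/a-post/" "Mozilla/5.0"',
    f'198.51.100.23 - - {T} "POST /wp-comments-post.php HTTP/1.0" 302 - "-" "Mozilla/4.0"',
    f'198.51.100.24 - - {T} "POST /wp-comments-post.php HTTP/1.1" 302 - "http://example.com/a-post/" "-"',
    f'198.51.100.25 - - {T} "POST /wp-comments-post.php HTTP/1.1" 302 - "http://other.invalid/" "Mozilla/5.0"',
    f'192.0.2.55 - - {T} "POST /wp-comments-post.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    f'203.0.113.7 - - {T} "GET /a-post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    denied, allowed = audit(SAMPLE_LOG)
    print(f"{len(denied)} comment POSTs would be redirected, {len(allowed)} would pass")
    for ip, referer, agent in denied:
        print(f"  deny {ip} referer={referer!r} agent={agent!r}")
```

The last denied entry is an ordinary browser whose Referer header was stripped; to the rule it is indistinguishable from a bot, so check how many such readers appear in your own log before enabling it.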

Edit .htaccess file in cPanel

If you’re using a cPanel-based host like HostGator, you can edit the .htaccess file in your browser. Click on the File Manager icon in the Files section of cPanel.

Navigate to your WordPress root folder, click once on the .htaccess file to select it, and then click on the Edit icon at the top.


If you get a popup asking to select the encoding, just click on the Edit button at the bottom right.


Now paste the code at the end of the file and click on the Save Changes button at the top right of your browser. Make sure you replace the placeholder domain in the HTTP_REFERER condition on line 5 with your own domain, without the www.

It works!

This little trick was huge. I haven’t had a single comment spam since denying access to no referrer requests.

It won’t stop all spam, and I’m sure some more sophisticated bots will find their way here and try to leave their mark. For the time being at least, I’ve put off having to spend any money to stop them.

Update July 28, 2013

While this method worked for about a year, spambots eventually found their way around it. I found a new way to stop the mountain of spam that returned, and I write about it here. And yes, it’s still free.

Article by Bryan Kerr

I love breaking down the techie side of blogging into easy-to-understand tutorials. That's mostly what you'll find here on The Hobby Blogger.


  1. Great Post.

    I usually hate technical things, but I am enjoying so much on your post. I am going to bookmark this one for my technical guidance :)

    • Bryan Kerr says:

      Thanks Okto. One of my goals is to help make things easier for people who are less technical, so I’m glad it helped.

  2. Wow, that is one way of doing it! I always worry that somehow I will end up blocking a loyal reader’s comment by doing something like that. Since I started using Akismet I have been able to filter out most of the “crap”. By using that and a captcha I have been able to filter all the spam; I just select all and delete once a week (after reading some of the stupid things spammers say, of course…)


    • Bryan Kerr says:

      Very few readers will be blocked by this method. By default, all the major browsers leave referrer info. At some point, I probably will have to use Akismet, but this tweak reduced my comment spam down to only a handful per week.

  3. I have this bookmarked as well – I am trying to “lighten the load” as it were for the plugins I use so this will be quite helpful.

    For those that are a bit more technical, you could always use your favorite FTP program to make the changes to the .htaccess and then re-upload it.

    Last thing – you should always back up your .htaccess file before making changes to it! Saves you a ton of time and hassle if you accidentally mess something up.

  4. Wow, this seems a better way to eliminate spam from blogs. I will surely give it a try. Anyway, good job.

  5. Hi Bryan,
    The spam I seem to get now is trackback spam. Apparently there is a site or plugin or something that allows people to send trackbacks to your site. It’s really annoying and spammy.

    • Bryan Kerr says:

      Hey Justin. Did you know you can choose not to receive pingbacks and trackbacks? Go to the Settings -> Discussion panel in your WordPress Dashboard, and near the top of the page, uncheck the box next to “Allow link notifications from other blogs (pingbacks and trackbacks).”

      With all the spammers out there, using that option never seemed worth it to me. Has it helped your traffic?

  6. Wow. I know this is an old post, but I have been banging my head on the desk (well not literally but it feels like it) trying to figure out how to combat all of these spam-bots and still let my loyal commenters comment. I think this will do the trick. Thanks so much.

    • You’re welcome DeAnna. Though as my traffic grew, blocking empty referrer requests wasn’t enough. I recently had to find another (but simple) way to block the 200 or so spam comments I was getting every day. A post for next week.

      Thanks again for commenting!

  7. That’s awesome!!@# Thank you so much for the tutorial. I recently started a blog; I don’t have any traffic yet but I got 5 spam comments already.

  8. I am getting huge spam traffic these days. Hope your solution might fix my problem. Thanks.

    • Bryan Kerr says:

      I hope it works for you too, Ansh. Let us know. I’ve also got a post coming soon about another free way to fight spam. Thanks for commenting.

  9. Hello Bryan,
    This is a really nice and informative post.
    I’m also suffering from this spam problem; I’m getting 100-200 spam comments daily.
    I added the code you gave to my .htaccess file and it really helped me, but the major problem is that my website’s pages go down, excluding the home page…

    Please help me, I’m really in need…

    Thanks in advance.

    • Bryan Kerr says:

      Hi Rv. Your web host provider would be the best place to ask this because they’ll know best how their system is set up and whether the .htaccess changes conflict with something on their end.
