Wipe Out WordPress Comment Spam Without Driving Your Readers Nuts

Word Cloud of Spam Comments Submitted to The Hobby Blogger

Last day of comment spam on The Hobby Blogger (generated using Wordle).

Check out the word cloud above. It has the most common words from all the spam comments submitted to my blog in one day back in February. 153 comments submitted by spambots that I had to sift through and delete.

In the nearly five months since that day, I’ve had a total of four spammy comments. I’ve virtually wiped out all the comment spam from my blog.

And I’ve done it for free!

How Spambots Work

A spambot is simply a computer program that helps automatically send spam. In the case of WordPress blogs, most bots attempt to automatically fill out comment and contact forms.

They can do this because, by default, the comment forms on all WordPress sites have the same input names for the Name, Email, Website, and Comment boxes (author, email, url, and comment, respectively).

Once a bot finds your WordPress blog’s posts, it can fill out the form very quickly by directly accessing the


file without even having to visit your site.

How to fight comment spam

Blocking empty referrer requests

You can block some spambots by making sure comments can’t be submitted unless the form is filled out directly on the web page containing the post. I’ve explained this technique here.

However, as I’ve experienced, this technique only goes so far. More sophisticated spambots can fool your server into thinking the comment was submitted from the post’s comment form.

Change it up a bit

To make it harder on the spammers, you need to add a wrinkle to your comment form—something different that a spambot can’t easily anticipate. For instance, you can require readers to complete an additional task before a comment can be submitted, such as solving a CAPTCHA or clicking a checkbox.

You’ve probably seen these before. CAPTCHAs are the “squiggly word” puzzles solved by figuring out the text and typing it into a text box. See my contact form for an example. Other times you might see a check box at the bottom of the comment form saying something like, “Confirm you are NOT a spammer.”

In both cases, the extra input box (usually added with a plugin) is not part of the default WordPress installation. You’ve made extra work for the spammer to figure out how to automatically fill out the form. After adding the extra task, spammers will usually prefer to leave your blog alone and target other unprotected blogs.

Don’t make it too hard on your readers

Unfortunately, the extra input also makes it harder for your readers to submit comments. Some tasks, like the checkbox, are easy for humans. Others, like reCAPTCHA, are more difficult, if not frustrating, for people to perform.

The key is to find the right balance between making submissions hard for spammers and relatively painless for legitimate readers. While blocking spam is great, you don’t want to reduce your blog’s reader engagement.

I created the graph below to help visualize the issue using some common (and free) WordPress plugins.

WordPress Comment Plugins: Reader Burden vs. Spammer Burden

While not exactly scientific, the graph shows the relative burden created for spammers and readers in order to submit comments.

With the yellow zones, you’re picking your poison. Either you maintain reader engagement and have to moderate a ton of comments, or you limit spam at the expense of legitimate comments.

By default, submitting comments on WordPress blogs is very easy for spammers and genuine readers alike. Most bloggers start out this way until the spam becomes a significant hassle. On the other end of the spectrum, reCAPTCHAs can be hard for people to solve, and some people just hate math and won’t solve the equation-based form offered by CAPTCHA. In this case, blocking spam isn’t worth frustrating your readers.

Obviously, stay away from plugins in the red zone, where plugins make it easy for spammers and hard for readers. Though I’ve never come across a plugin that would be categorized in this area.

Finally, plugins in the green zone are the Holy Grail—they make it a pain for spammers without your readers giving a second thought about completing the task. Two such plugins are Growmap, and Conditional CAPTCHA.

When I was getting slammed with spam earlier this year, Growmap is the one I decided to use.

Growmap Anti Spambot Plugin (aka G.A.S.P)

Growmap is a free WordPress plugin by Andy Bailey, the developer of CommentLuv, which adds a checkbox to your comment form. Readers have to click on the checkbox before they can submit a comment. Just scroll down to the comment form on this post to see it in action. In fact, try it out and leave a comment!

It’s a simple plugin with several useful features:

  • You can change the name of the checkbox – If spammers somehow figure out the name of your checkbox and spam starts getting through, all you have to do is go to Growmap’s settings panel, change the name, and the spammers are back to square one. I haven’t had to change the name of my checkbox once so far.
  • You can edit the label – Feel free to change the “Confirm you are NOT a spammer” label to suit your blog.
  • Reader friendly – If a reader forgets to check the box, a nice little reminder message pops up. The message is customizable.
  • Basic heuristics – If the bot does get past the checkbox, Growmap lets you set simple logic to detect possible spam based on the number of words in the comment name field or based on how many web URLs are in the comment text.
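
Here is how checks like these stack up on the server, together with the referrer check from earlier in the post. This is an added example, not Growmap's code: the host `example.com`, the field name `cl_check_a7f`, and the thresholds are assumptions chosen for illustration, and the sample submissions are constructed.

```python
import re
from urllib.parse import urlparse

# Assumed settings, modelled on the options described above (all names hypothetical).
CONFIG = {
    "site_host": "example.com",       # placeholder for your blog's hostname
    "checkbox_name": "cl_check_a7f",  # site-specific field name; change it if bots learn it
    "max_name_words": 3,              # heuristic: words allowed in the Name field
    "max_urls": 2,                    # heuristic: links allowed in the comment text
}
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def check_comment(form, headers, cfg=CONFIG):
    """Return (accepted, reason) for one comment POST, before anything is stored."""
    # Layer 1: the request must claim to come from one of our own pages, with a browser UA.
    host = urlparse(headers.get("Referer", "")).hostname or ""
    if host != cfg["site_host"] and not host.endswith("." + cfg["site_host"]):
        return False, "referer"
    if not headers.get("User-Agent", "").strip():
        return False, "user-agent"
    # Layer 2: the extra checkbox. Browsers only send a checkbox field when it is ticked.
    if cfg["checkbox_name"] not in form:
        return False, "checkbox"
    # Layer 3: simple heuristics on the name and the comment body.
    if len(form.get("author", "").split()) > cfg["max_name_words"]:
        return False, "name-words"
    if len(URL_RE.findall(form.get("comment", ""))) > cfg["max_urls"]:
        return False, "too-many-urls"
    return True, "ok"

# Constructed sample submissions (not real traffic).
OWN_PAGE = {"Referer": "https://example.com/my-post/", "User-Agent": "Mozilla/5.0"}
SAMPLES = [
    ("reader", {"author": "Jane Doe", "email": "j@example.org", "url": "",
                "comment": "Nice write-up!", "cl_check_a7f": "on"}, OWN_PAGE),
    ("direct post, no referer", {"author": "x", "comment": "hi"}, {"User-Agent": "bot"}),
    ("default fields only", {"author": "x", "email": "x@example.org", "comment": "hi"}, OWN_PAGE),
    ("keyword-stuffed name", {"author": "cheap designer bags outlet store",
                              "comment": "hi", "cl_check_a7f": "on"}, OWN_PAGE),
    ("link dump", {"comment": "http://a.example http://b.example http://c.example",
                   "author": "Bob", "cl_check_a7f": "on"}, OWN_PAGE),
]

def run_samples():
    return {label: check_comment(form, hdrs) for label, form, hdrs in SAMPLES}

if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:26} -> {verdict}")
```

Only the "reader" sample is accepted. The "default fields only" sample passes the referrer layer and is stopped by the checkbox, which is why the extra field matters.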

How well does Growmap stop spam?

To see how well Growmap works, check out the graph below.

Number of Daily Spam Comments on The Hobby Blogger

Late last year, my comment spam slowly began to increase. Then at the beginning of this year, it really took off. At one point, I was getting well over 200 spam comments a day. And since I get emailed every time someone posts a comment, it was a big hassle to wade through tons of email and trash all the comment spam.

You can see from the graph that once I installed Growmap, the comment spam virtually stopped. I’ve had only four spammy comments, and those were submitted by people who actually visited my blog, not bots.

So I’ve made it pretty hard for spammers to leave comments, but what about burdening my readers? Did Growmap make it too much of a pain for readers to leave comments?

Not at all.

The graph below shows the number of legitimate comments submitted to The Hobby Blogger per month.

Number of Comments on The Hobby Blogger

Growmap didn’t affect legit comments.

My comment rate stayed consistent after I installed Growmap even though I posted only twice during that time span.

What About Akismet?

Yes, Akismet seems to be the de facto standard for dealing with comment spam. After all, it comes pre-installed with WordPress. But I have a few qualms with Akismet.

First, if you monetize your blog in any way, then it costs $5 per month to use it. Second, you still have to moderate spammy comments. Akismet is not perfect and there’s still a chance that legitimate comments will get flagged as spam. If you care about your readers, you will still have to take time to sift through the comments in the spam bin to make sure genuine comments didn’t get lost.

On the slightly more technical side of things, Growmap prevents spammers from submitting comments. Akismet allows spam to be submitted, then it just moves the comments to the spam bin. So Akismet makes your server work harder by accepting the spam, bloats your WordPress database by storing the spam, and makes you work harder by having to review and empty the spam bin.

However, if your blog gets huge amounts of traffic, spammers might take the time to figure out the name of Growmap’s checkbox and bypass it. In that case, Akismet makes more sense.

For the average blog, Growmap is the clear choice.

One Alternative – Conditional CAPTCHA

If you really want to use Akismet, then check out Conditional CAPTCHA. The Conditional CAPTCHA plus Akismet combination is probably the best of both worlds. When used together, Conditional CAPTCHA will require the reader to solve a CAPTCHA only if Akismet thinks the comment is spam.

Most readers will never have to solve a CAPTCHA, and your spam bin won’t fill up. The cool thing is that you can choose to serve a simple CAPTCHA, or the more difficult reCAPTCHA if you think it’s necessary.

I haven’t tried Conditional CAPTCHA. I can’t confirm that it’s all it’s cracked up to be. It does have a 4.9 out of 5 rating in the WordPress Plugin Directory, though, so it’s worth checking out.

What do you use?

Well, that’s what works for me. How about you? Tell us of your battles (victories and losses) with spam in comments.

Article by Bryan Kerr

I love breaking down the techie side of blogging into easy-to-understand tutorials. That's mostly what you'll find here on The Hobby Blogger.


  1. Hey Bryan,

    Awesome tips on limiting the spam comments. Of course, this doesn’t stop real spammers (as opposed to those using scripts or software) but it is super helpful. G.A.S.P. is one of the first things I install on any blog.

    I also install the Simple Trackback Validation plugin to reduce trackback spam, which can be just as annoying. Maybe not to the reader, but for the publisher at least.

    Thanks a bunch,

  2. Great post Bryan!

    I use Akismet and it’s great for me at the moment but maybe in the future I will explore other options as my blog grows.

    BTW what plugin are you using for your author box?

  3. Thanks for introducing Conditional Captcha. Your Spammer Burden vs Reader Burden on leaving comment looks simple but great!

    There are two modes on the Conditional Captcha plugin, and the Akismet-enhanced mode is really awesome – it only appears when Akismet detects a comment to be spam.

    • Bryan Kerr says:

      Thanks Rudd. You’re right, the Akismet-enhanced mode of Conditional Captcha is definitely the best of both worlds, especially if you’re already paying for Akismet anyway.

  4. Thanks for those options Bryan. I’m all for anything that slows down spammers – not just because it wastes my time but hindering their behaviour can only be a good thing!

    Now I just have to decide which option I should try first! I really like the idea of captcha only for suspected spam so my readers don’t have to do anything but I also like anything by Andy Bailey, lol!

    • Bryan Kerr says:

      You’re welcome Tash. Yeah, Andy rocks. If you’re already committed to paying for Akismet, then Conditional Captcha is the way to go. I’m just trying to avoid paying for anything I don’t absolutely need.

  5. Hi Brian,

    Excellent write up. I had GASP too and with certain settings, it looks great. However, I received some funny spams which got through GASPs and my settings.

    Guess I got to do like what you said earlier, changing the spam box words etc :)

    Thanks for sharing this mate.

  6. There are two modes on the Conditional Captcha plugin, and the Akismet-enhanced mode is really awesome – it only appears when Akismet detects a comment to be spam..

  7. Ha I found your Wordle cloud when doing research for my own article. I recently had an issue with spam comments mostly from spam bots pushing bags and clothing. What I found interesting was that a lot of the spammers had broken content they were linking to. Often times I noticed that these bots were linking to pages with 404 errors. My guess is that this is a bot that just never stopped running after the offending site was shut down. Not quite sure I just noticed it was a trend. Great article.

    And no…I am most definitely not a spammer.

  8. Thank you for the Growmap recommendation!

    After several years on Drupal, I decided to start from scratch. So about mid-January 2014, I switched to WordPress for my personal site and began anew.

    I set up Akismet, since it came stock. And began getting hammered from day 1 with unbelievable amounts of junk comments…Though, to its credit, Akismet recognized every one as spam. All I had to do was click the “Empty Spam” button. But I couldn’t shake the feeling that there must be a better way.

    During my search for a child theme (for another site), I found your site via the StudioPress site. And your article “Wipe Out WordPress Comment Spam without Driving Your Readers Nuts” was front and center.

    To make a long story short, I have adopted a defence-in-depth strategy combining the htaccess method you linked to in another of your articles, with Growmap.

    I have not had a single spammy comment in two days. That may not seem like much to most, but (to give it some perspective) my newborn, still-in-early-development, site has received 2,843 spam comments between 16 Jan 2014 (the “one click install”), and 09 Feb 2014.

    What follows is the htaccess code (for those who (like me) are new at WordPress solutions):

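    # Begin Anti-Spam measures

    RewriteEngine On
    # Block commenters that are not using a browser.
    # The rule applies only to POST requests to the comment handler ...
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} /wp-comments-post\.php
    # ... whose Referer does not contain this site's domain (replace mydomain.com),
    # or whose User-Agent header is empty.
    RewriteCond %{HTTP_REFERER} !mydomain\.com [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    # Matching requests are redirected back to the client's own address.
    RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]

    # End Anti-Spam measures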

    # BEGIN WordPress
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # END WordPress


  9. I wish to thank you greatly for this list.. am so glad to have read this information cos am having a lot of spam issues with my blog and it’s getting real frustrating.. With the help of this post! now I know what to do.. Thanks :D

  10. Hi Bryan, thanks for the post – I have installed Akismet but that only moves the comments to the spam folder, it does not stop them – let me try the Growmap :D

  11. Hi,
    Thanks for your post. I still haven’t decided whether to install Conditional Captcha or Growmap.
    Do you know how much server resources Conditional Captcha will use?


  12. Bryan,

    Yes, Akismet has a tendency to catch legitimate comments & mark them as spam. I would rather use the Disqus commenting system.

  13. Thanks for sharing this great article. It was very informative. Keep sharing.

  14. Google actually does penalize sites for spammy incoming links now – it’s part of the Penguin update. While I know it’s not the point of this post, I did want to bring attention to that.

  15. Lately I’ve been using other platforms than WP, but on WordPress I highly suggest installing iThemes Security, which is mainly a plugin for protection against hackers, but it also has a checkbox “reduce comment spam” and after that, I barely see any spam comments at all. I guess it blocks out spambots in some way, and the very few spam comments that get through are taken care of by Akismet.

  16. I get 100s of spam comments in spite of using security plugins like Growmap. I use the WP Spam cleaner plugin, which automatically deletes spam comments periodically.
