Wipe Out WordPress Comment Spam Without Driving Your Readers Nuts

Word Cloud of Spam Comments Submitted to The Hobby Blogger

Last day of comment spam on The Hobby Blogger (generated using Wordle).

Check out the word cloud above. It has the most common words from all the spam comments submitted to my blog in one day back in February. 153 comments submitted by spambots that I had to sift through and delete.

In the nearly five months since that day, I’ve had a total of four spammy comments. I’ve virtually wiped out all the comment spam from my blog.

And I’ve done it for free!

How Spambots Work

A spambot is simply a computer program that helps automatically send spam. In the case of WordPress blogs, most bots attempt to automatically fill out comment and contact forms.

They can do this because, by default, the comment forms on all WordPress sites have the same input names for the Name, Email, Website, and Comment boxes (author, email, url, and comment, respectively).

Once a bot finds your WordPress blog’s posts, it can fill out the form very quickly by directly accessing the wp-comments-post.php file without even having to visit your site.

How to fight comment spam

Blocking empty referrer requests

You can block some spambots by making sure comments can’t be submitted unless the form is filled out directly on the web page containing the post. I’ve explained this technique here.

However, as I’ve experienced, this technique only goes so far. More sophisticated spambots can fool your server into thinking the comment was submitted from the post’s comment form.

Change it up a bit

To make it harder on the spammers, you need to add a wrinkle to your comment form—something different that a spambot can’t easily anticipate. For instance, you can require readers to complete an additional task before a comment can be submitted, such as solving a CAPTCHA or clicking a checkbox.

You’ve probably seen these before. CAPTCHAs are the “squiggly word” puzzles solved by figuring out the text and typing it into a text box. See my contact form for an example. Other times you might see a check box at the bottom of the comment form saying something like, “Confirm you are NOT a spammer.”

In both cases, the extra input box (usually added with a plugin) is not part of the default WordPress installation. You’ve made extra work for the spammer to figure out how to automatically fill out the form. After adding the extra task, spammers will usually prefer to leave your blog alone and target other unprotected blogs.

Don’t make it too hard on your readers

Unfortunately, the extra input also makes it harder for your readers to submit comments. Some tasks, like the checkbox, are easy for humans. Others, like reCAPTCHA, are more difficult, if not frustrating, for people to perform.

The key is to find the right balance between making submissions hard for spammers and relatively painless for legitimate readers. While blocking spam is great, you don’t want to reduce your blog’s reader engagement.

I created the graph below to help visualize the issue using some common (and free) WordPress plugins.

WordPress Comment Plugins: Reader Burden vs. Spammer Burden

While not exactly scientific, the graph shows the relative burden created for spammers and readers in order to submit comments.

With the yellow zones, you’re picking your poison. Either you maintain reader engagement and have to moderate a ton of comments, or you limit spam at the expense of legitimate comments.

By default, submitting comments on WordPress blogs is very easy for spammers and genuine readers alike. Most bloggers start out this way until the spam becomes a significant hassle. On the other end of the spectrum, reCAPTCHAs can be hard for people to solve, and some people just hate math and won’t solve the equation-based form offered by CAPTCHA. In this case, blocking spam isn’t worth frustrating your readers.

Obviously, stay away from plugins in the red zone, where plugins make it easy for spammers and hard for readers. Though I’ve never come across a plugin that would be categorized in this area.

Finally, plugins in the green zone are the Holy Grail—they make it a pain for spammers without your readers giving a second thought about completing the task. Two such plugins are Growmap, and Conditional CAPTCHA.

When I was getting slammed with spam earlier this year, Growmap is the one I decided to use.

Growmap Anti Spambot Plugin (aka G.A.S.P)

Growmap is a free WordPress plugin by Andy Bailey, the developer of CommentLuv, which adds a checkbox to your comment form. Readers have to click on the checkbox before they can submit a comment. Just scroll down to the comment form on this post to see it in action. In fact, try it out and leave a comment!

It’s a simple plugin with several useful features:

  • You can change the name of the checkbox – If spammers somehow figure out the name of your checkbox and spam starts getting through, all you have to do is go to Growmap’s settings panel, change the name, and the spammers are back to square one. I haven’t had to change the name of my checkbox once so far.
  • You can edit the label – Feel free to change the “Confirm you are NOT a spammer” label to suit your blog.
  • Reader friendly – If a reader forgets to check the box, a nice little reminder message pops up. The message is customizable.
  • Basic heuristics – If the bot does get past the checkbox, Growmap lets you set simple logic to detect possible spam based on the number of words in the comment name field or based on how many web URLs are in the comment text.
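A sketch of how a checkbox-plus-heuristics check of this kind can be enforced on the server, added here as an example; it is not G.A.S.P.'s code. The `hb_`/`HB_` names, the field name and the thresholds are assumptions; the hooks and helper functions are standard WordPress ones.

```php
<?php
/* Plugin Name: Comment checkbox sketch (added example, not G.A.S.P.'s code) */

// Hypothetical settings; in a real plugin these come from an options page.
// Renaming the field breaks any bot script that hard-coded the old name.
define( 'HB_CHECKBOX_NAME', 'hb_human_7f3a' ); // constructed value
define( 'HB_MAX_NAME_WORDS', 3 );
define( 'HB_MAX_URLS', 2 );

// Print the extra checkbox just before the comment form's closing tag.
add_action( 'comment_form', function () {
    printf(
        '<p><label><input type="checkbox" name="%s" value="1"> %s</label></p>',
        esc_attr( HB_CHECKBOX_NAME ),
        esc_html( 'Confirm you are NOT a spammer' )
    );
} );

// Decision logic kept free of WordPress calls so it can be tested alone.
// Returns a rejection message, or null when the comment may proceed.
function hb_reject_reason( array $post, array $commentdata ) {
    if ( empty( $post[ HB_CHECKBOX_NAME ] ) ) {
        return 'Please tick the checkbox before submitting.';
    }
    $name  = (string) ( $commentdata['comment_author'] ?? '' );
    $words = preg_split( '/\s+/', trim( $name ), -1, PREG_SPLIT_NO_EMPTY );
    if ( count( $words ) > HB_MAX_NAME_WORDS ) {
        return 'The name field contains too many words.';
    }
    $text = (string) ( $commentdata['comment_content'] ?? '' );
    if ( preg_match_all( '#https?://#i', $text ) > HB_MAX_URLS ) {
        return 'The comment contains too many links.';
    }
    return null;
}

// Runs for form submissions handled by wp-comments-post.php, before the
// comment is written to the database, so rejected spam is never stored.
add_filter( 'preprocess_comment', function ( $commentdata ) {
    $type = $commentdata['comment_type'] ?? '';
    if ( '' !== $type && 'comment' !== $type ) {
        return $commentdata; // trackbacks and pingbacks do not use the form
    }
    $reason = hb_reject_reason( $_POST, $commentdata );
    if ( null !== $reason ) {
        wp_die( esc_html( $reason ), 'Comment rejected', array( 'response' => 403, 'back_link' => true ) );
    }
    return $commentdata;
} );
```

Because the check runs on the server, a request sent straight to wp-comments-post.php with only the default author, email, url and comment fields is rejected the same way as a form submitted with the box left unticked.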

How well does Growmap stop spam?

To see how well Growmap works, check out the graph below.

Number of Daily Spam Comments on The Hobby Blogger

Late last year, my comment spam slowly began to increase. Then at the beginning of this year, it really took off. At one point, I was getting well over 200 spam comments a day. And since I get emailed every time someone posts a comment, it was a big hassle to wade through tons of email and trash all the comment spam.

You can see from the graph that once I installed Growmap, the comment spam virtually stopped. I’ve had only four spammy comments, and those were submitted by people who actually visited my blog, not bots.

So I’ve made it pretty hard for spammers to leave comments, but what about burdening my readers? Did Growmap make it too much of a pain for readers to leave comments?

Not at all.

The graph below shows the number of legitimate comments submitted to The Hobby Blogger per month.

Number of Comments on The Hobby Blogger

Growmap didn’t affect legit comments.

My comment rate stayed consistent after I installed Growmap even though I posted only twice during that time span.

What About Akismet?

Yes, Akismet seems to be the de facto standard for dealing with comment spam. After all, it comes pre-installed with WordPress. But I have a few qualms with Akismet.

First, if you monetize your blog in any way, then it costs $5 per month to use it. Second, you still have to moderate spammy comments. Akismet is not perfect and there’s still a chance that legitimate comments will get flagged as spam. If you care about your readers, you will still have to take time to sift through the comments in the spam bin to make sure genuine comments didn’t get lost.

On the slightly more technical side of things, Growmap prevents spammers from submitting comments. Akismet allows spam to be submitted, then it just moves the comments to the spam bin. So Akismet makes your server work harder by accepting the spam, bloats your WordPress database by storing the spam, and makes you work harder by having to review and empty the spam bin.

However, if your blog gets huge amounts of traffic, spammers might take the time to figure out the name of Growmap’s checkbox and bypass it. In that case, Akismet makes more sense.

For the average blog, Growmap is the clear choice.

One Alternative – Conditional CAPTCHA

If you really want to use Akismet, then check out Conditional CAPTCHA. The Conditional CAPTCHA plus Akismet combination is probably the best of both worlds. When used together, Conditional CAPTCHA will require the reader to solve a CAPTCHA only if Akismet thinks the comment is spam.

Most readers will never have to solve a CAPTCHA, and your spam bin won’t fill up. The cool thing is that you can choose to serve a simple CAPTCHA, or the more difficult reCAPTCHA if you think it’s necessary.

I haven’t tried Conditional CAPTCHA. I can’t confirm that it’s all it’s cracked up to be. It does have a 4.9 out of 5 rating in the WordPress Plugin Directory, though, so it’s worth checking out.

What do you use?

Well, that’s what works for me. How about you? Tell us of your battles (victories and losses) with spam in comments.

Article by Bryan Kerr

I love breaking down the techie side of blogging into easy-to-understand tutorials. That's mostly what you'll find here on The Hobby Blogger.

Comments

  1. Hey Bryan,

    Awesome tips on limiting the spam comments. Of course, this doesn’t stop real spammers (as opposed to those using scripts or software) but it is super helpful. G.A.S.P. is one of the first things I install on any blog.

    I also install the Simple Trackback Validation plugin to reduce trackback spam, which can be just as annoying. Maybe not to the reader, but for the publisher at least.

    Thanks a bunch,
    -Gabe

  2. Great post Bryan!

    I use Akismet and it’s great for me at the moment but maybe in the future I will explore other options as my blog grows.

    BTW what plugin are you using for your author box?

  3. Thanks for introducing Conditional Captcha. Your Spammer Burden vs Reader Burden on leaving comment looks simple but great!

    There are two modes on the Conditional Captcha plugin, and the Akismet-enhanced mode is really awesome – it only appears when Akismet detects a comment to be spam.

    • Bryan Kerr says:

      Thanks Rudd. You’re right, the Akismet-enhanced mode of Conditional Captcha is definitely the best of both worlds, especially if you’re already paying for Akismet anyway.

  4. Thanks for those options Bryan. I’m all for anything that slows down spammers – not just because it wastes my time but hindering their behaviour can only be a good thing!

    Now I just have to decide which option I should try first! I really like the idea of captcha only for suspected spam so my readers don’t have to do anything but I also like anything by Andy Bailey, lol!

    • Bryan Kerr says:

      You’re welcome Tash. Yeah, Andy rocks. If you’re already committed to paying for Akismet, then Conditional Captcha is the way to go. I’m just trying to avoid paying for anything I don’t absolutely need.

  5. Hi Brian,

    Excellent write up. I had GASP too and with certain settings, it looks great. However, I received some funny spams which got through GASPs and my settings.

    Guess I got to do like what you said earlier, changing the spam box words etc :)

    Thanks for sharing this mate.

  6. There are two modes on the Conditional Captcha plugin, and the Akismet-enhanced mode is really awesome – it only appears when Akismet detects a comment to be spam..
