I’ve spent many years prodding and poking WordPress into behaving itself, and know how tricky it can be to find simple and reliable information for some of the most common problems. WP Wednesdays is a new series of irregular articles looking at some of these topics and looking at how best to tackle them. Today it’s everyone’s favourite blight, Spam…

Anyone running a self-hosted WordPress site for any length of time will have encountered spam at some point. It might be through your contact forms or, most commonly, through the comments on your blog. On the one hand, there’s something a bit rites-of-passage-y about it – the internet knows you exist! Yay, you’ve been spotted! On the other (significantly larger) hand its a royal pain in the proverbial and can sometimes seem like a relentless tide.

Pretty much all of the sites I’ve taken on have had an existing spam problem, with some of the larger ones groaning under the weight of hundreds of spam post comments on posts in a single day. It’s been possible to get things totally under control in every case, in most cases getting the spam count down to pretty much zero, and all using simple (and free) techniques already out there.

First let’s look at some of the basics.

The Settings > Discussion menu is where you’ll find the built-in WordPress settings for comments. Mostly these can be left on their default settings. Pingbacks and trackbacks however should be turned off for sure.

There’s few things more disappointing to a blogger than getting a comment on a hitherto unloved post, only to discover its a trackback. Lose them! Off!

Pingbacks, trackbacks and post notifications are a throwback to a previous era, where they were the only way to let other blogs know that they’d referenced your post and vice versa. Nowadays of course, we’re all good web citizens and give plentiful credits on Twitter, Facebook and the like, so this is increasingly less useful. Not only that, but it’s a perfect mechanism for spambots (automated spamming code) to send a few tentative probes out to your site. Once “approved”, you’ve opened the door for that spambot to comment elsewhere. So lose them. Your discussion settings should look like this:


Next we need to look at a few plugins. The granddaddy of these is Akismet, which is made by the WordPress team, and bundled along with it when you set your blog up. It needs activating the first time, which means registering for an account over on their site, with a “name your price” monthly fee for individual blogs. And yes, “free” is technically a price. But its pretty straightforward to set up after that.

Akismet is a pretty good gatekeeper, and in many cases can be all you need. It isn’t without its problems though. Out of the box it will block anything that looks like trouble, but still sometimes lets things through. You can train it by highlighting missed comments as spam, and it will learn from that, but even then it isn’t perfect.

Akismet is a bit like a nightclub bouncer. Tell it “no trainers” and it will stop everyone wearing trainers, even the most on-trend pair of Phoebe Philo sneakers.

Perfectly legitimate comments or emails can wind up finding their way into the spam folder, just because they looked a bit like something you’d previously told Akismet was spam. Plus Akismet can be tricked into learning the wrong thing. We’ve all fallen foul of those ego-tweaking “Great blog post. You have some amazing content!” sweeteners at some point. Yet one look at the email address of the commenter shows these to be just as spammy as any number of Rolex links. The difference here is that it plays on our need for positive feedback, and once we’ve approved it Akismet will happily let anything else from that commenter through the door, opening the floodgates for a spam tsunami.

The other problem with Akismet is that it still needs the comment to be posted before it can review it. This takes up server resources – especially if you’ve found yourself on the receiving end of a particularly enthusiastic spam bot – and can really slow your site down as it tries to investigate each and every comment. This is particularly problematic on Shared Hosting packages from the likes of Bluehost and their many guises, which only allow a certain number of things to happen on their servers at a time.

What we need then is something to prevent the spam from even getting into the system. Step forward WordPress Zero Spam, still fairly unknown, put together by a developer who loves what they do and isn’t out for profit (the best sort!) and kind of mind-blowing in how well it works. You can find it by searching under Plugins > Add New in your WordPress dashboard.


It’s hard to explain how WP Zero Spam works without getting too technical, but it’s kind of like a Javascript call-and-response thing. The comment form asks another part of the page for a response, and only lets the comment through if that response is forthcoming. The clever bit is that this all happens on the page using Javascript, which – crucially – spambots don’t know how to use. So the spam doesn’t even get beyond the front door. WordPress happily goes about its business unaware that this is even happening. It really can zero your spam in one swoop 👏

Sure, there may still be the odd spam that sneaks through – the sort where some poor soul is sat there with a conveyor belt of browser tabs manually copy+pasting for a few cents a comment – but these are easily mopped up with a well trained Akismet running in the background.

So there you have it. Two tick-boxes, two plugins, next to no set-up time, and zero spam. Easy!

Plugins used

Akismet: Download from WordPress (although automatically added with all new WP installations)
WordPress Zero Spam: Download from WordPress

Was this post useful to you? Do you have any topics you’d like to see covered? Let me know in the comments!