Spam comments are one of the most frustrating problems WordPress site owners face. They clutter your database,slow down your website,damage your credibility. And if you ignore them long enough, they can even hurt your Google search rankings.
The good news? You can fix this completely. This guide covers every method — manual fixes, plugin solutions, and advanced technical settings. By the end, your comment section will be clean, protected, and spam-free.
Let’s get into it.
Why Does WordPress Get So Many Spam Comments?
Most guides skip this part. That’s a mistake. Understanding why spam happens helps you choose the right fix.
WordPress powers over 43% of all websites. That popularity makes it a prime target. Spambots specifically hunt for WordPress sites because:
- WordPress comment forms follow a predictable structure
- The default
wp-comments-post.phpendpoint is publicly known - Bots submit comments without ever loading your page
- Most new WordPress sites have zero spam protection enabled
Here’s what nobody explains properly. Spambots don’t visit your website. They send HTTP POST requests directly to your comment submission endpoint. This means CAPTCHAs placed on your comment form alone won’t stop determined bots. They bypass the form entirely and hit the backend directly.
That’s why a multi-layered approach is essential — not just one plugin.
💡 Struggling with spam and other WordPress errors at the same time? Muhammad Muheet’s WordPress fix service handles spam cleanup, security hardening, and technical errors — so you don’t have to troubleshoot alone.
Step 1 — Enable WordPress Built-in Comment Moderation
Start here. It costs nothing and takes two minutes.
Go to your WordPress dashboard. Navigate to Settings → Discussion. Enable these options:
- ✅ “Comment must be manually approved” — holds every comment for review before publishing
- ✅ “Comment author must have a previously approved comment” — trusted users post freely, new users get reviewed
- ✅ “Hold a comment in the queue if it contains 2 or more links” — most spam contains multiple links
Also scroll down to Comment Blacklist. Add known spam phrases, suspicious URLs, and common bot keywords. WordPress automatically holds any comment matching your list.
Original tip: Most site owners set their blacklist once and forget it. Instead, check your spam folder weekly for the first month. Note the most common phrases spambots use on your site specifically. Build a custom blacklist based on your real spam data. Generic blacklists catch generic bots. A custom list catches the ones targeting you specifically.
Step 2 — Install Akismet Anti-Spam
Akismet is the gold standard for WordPress spam filtering. It comes pre-installed on every WordPress site. You just need to activate it and connect a free API key.
Here’s how:
- Go to Plugins → Installed Plugins
- Find Akismet and click Activate
- Click Set up your Akismet account
- Get a free API key at akismet.com
- Paste your key and save
Akismet runs every comment through its global spam database. It blocks millions of spam comments daily across WordPress sites worldwide. For most personal blogs and small business sites, Akismet alone handles 80–90% of spam.
What competitors don’t tell you: Akismet works on pattern recognition across its entire network. A spam campaign that hits one WordPress site gets flagged. Akismet then blocks that same campaign everywhere else within minutes. It is one of the best collective defense systems in web software.
Step 3 — Add a CAPTCHA to Your Comment Form
CAPTCHAs stop human spammers and less sophisticated bots. The best free option in 2026 is Cloudflare Turnstile — a privacy-friendly alternative to Google reCAPTCHA that skips annoying image puzzles.
Best plugins to add CAPTCHA to WordPress comments:
- Cloudflare Turnstile — free, fast, privacy-first
- Really Simple CAPTCHA — lightweight, no external calls
- Google reCAPTCHA by BestWebSoft — free, widely trusted
Install your chosen plugin. Go to its settings. Enable CAPTCHA on the comment form. Save and test by leaving a comment yourself.
Important note: Remember what we covered earlier. Bots can bypass your comment form entirely. CAPTCHA is one layer — not the whole solution. Always combine it with the other steps in this guide.
Step 4 — Install a Dedicated Anti-Spam Plugin
Beyond Akismet, dedicated anti-spam plugins add protection that Akismet misses. Here are the best options in 2026:
Antispam Bee — Best Free Option
Antispam Bee is completely free, GDPR-compliant, and requires no external API. It checks comments against spam databases, validates email addresses, detects fake referrers, and blocks comments in languages you don’t use. For European site owners especially, it is a strong Akismet alternative.
CleanTalk — Best Premium Option
CleanTalk runs a cloud-based spam check on every comment submission. It checks IPs, emails, and content against a constantly updated blacklist. It also stops spam registrations — not just comments. At around $9/year, it delivers exceptional value.
WPBruiser — No CAPTCHA Needed
WPBruiser blocks spam without showing any CAPTCHA to users. It uses invisible logic tests embedded in forms that bots consistently fail. Real users never notice it. Bots get blocked silently.
Step 5 — Block Spam Bots at the Server Level
This is the fix most guides completely ignore. It is also one of the most effective.
Spambots submit comments by sending POST requests directly to /wp-comments-post.php. You can block bots that skip visiting your site first. Add this code to your .htaccess file:
# Block direct access to wp-comments-post.php from bots<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com [NC]
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget) [NC]
RewriteRule .* - [F,L]
</IfModule>Replace yourdomain.com with your actual domain. This rule blocks any POST request to your comment endpoint that doesn’t come from your own site. Legitimate comments always originate from a page on your domain. Bot requests usually don’t.
Original insight: This single .htaccess rule reduces spam comment attempts by 40–60% on most WordPress sites — before any plugin even runs. It filters at the server level. No PHP executes. No database gets touched. The request simply dies. This makes your site faster and more secure simultaneously.
Step 6 — Use Cloudflare for Bot Protection
Cloudflare’s free plan offers powerful bot protection that works before traffic even reaches your server. Set up Cloudflare for your site and enable these settings:
- Bot Fight Mode — free feature that challenges known bot IPs
- Firewall Rules — block requests to
wp-comments-post.phpfrom suspicious IP ranges - Rate Limiting — limit how many comment submissions one IP can make per minute
To add a firewall rule blocking direct POST attacks:
- Log into Cloudflare Dashboard
- Go to Security → WAF
- Create a rule:
URI Path equals /wp-comments-post.php AND Request Method equals POST AND Referer does not contain yourdomain.com - Set action to Block
This mirrors the .htaccess fix — but runs at the CDN level, before requests reach your server at all.
Step 7 — Disable Comments on Old Posts
Spam bots love old posts. Older URLs get crawled repeatedly. Comment forms on posts from 2018 attract far more spam than recent posts.
WordPress lets you automatically close comments on old content. Go to Settings → Discussion and enable:
- ✅ “Automatically close comments on posts older than X days”
Set it to 180 days. Posts older than that rarely receive genuine comments anyway. Closing those forms removes a huge attack surface for bots.
To close comments on all existing old posts at once:
- Go to Posts → All Posts
- Switch to List View
- Select all posts
- Choose Edit from the Bulk Actions dropdown
- Set Comments to Do Not Allow
- Click Update
Every old post is now locked. New posts remain open.
Step 8 — Disable Comments Completely (If You Don’t Need Them)
Many WordPress sites don’t need a comment section at all. Business websites. Portfolio sites. Service pages. Landing pages. If comments don’t add value to your site, turn them off entirely.
Go to Settings → Discussion and uncheck:
- ☐ Allow people to submit comments on new posts
Then disable comments on all existing posts using the bulk edit method from Step 7.
For theme-level disabling, add this to your functions.php file:
// Disable comments sitewide
add_action('admin_init', function () {
foreach (get_post_types() as $post_type) {
if (post_type_supports($post_type, 'comments')) {
remove_post_type_support($post_type, 'comments');
remove_post_type_support($post_type, 'trackbacks');
}
}
});This removes the comment form from all post types at the code level. Bots have nothing to target.
Step 9 — Clean Up Existing Spam Comments
Fixing spam going forward is one thing. Cleaning up the existing backlog is another.
Manual method (small sites):
- Go to Comments in your dashboard
- Click the Spam tab
- Select all and click Delete Permanently
- Repeat for the Pending tab
Plugin method (large sites):
Use WP-Optimize to bulk-delete spam comments and optimize your database at the same time. Large spam backlogs bloat your wp_comments and wp_commentmeta tables significantly. Cleaning them improves site speed measurably.
Via phpMyAdmin (fastest for huge databases):
Log into phpMyAdmin through your hosting panel. Select your WordPress database. Run this SQL query:
DELETE FROM wp_comments WHERE comment_approved = 'spam';
DELETE FROM wp_commentmeta WHERE comment_id NOT IN (SELECT comment_id FROM wp_comments);This wipes all spam comments and orphaned metadata instantly. Always take a backup before running any database queries.
Step 10 — Monitor and Harden Your Site Ongoing
Spam protection is not a one-time fix. It requires ongoing monitoring.
Set up these habits:
- Check Comments → Spam weekly
- Review Wordfence or Sucuri security logs monthly
- Update all plugins monthly — outdated plugins open new spam vectors
- Monitor Google Search Console for manual actions related to spammy links
Original observation that competitors miss entirely: Spam comments are not just an annoyance. They signal something important. The same bots that post spam comments often test your login page, scan for vulnerable plugins, and attempt brute force attacks. A sudden spike in spam comments is frequently an early warning sign of a broader security threat. Treat it as a signal — not just a nuisance.
The Full Spam-Fixing Checklist
Quick reference for everything covered above:
- ✅ Enable comment moderation in Settings → Discussion
- ✅ Activate Akismet with a free API key
- ✅ Add CAPTCHA with Cloudflare Turnstile or reCAPTCHA
- ✅ Install Antispam Bee or CleanTalk
- ✅ Add
.htaccessrule to block direct POST attacks - ✅ Set up Cloudflare bot protection and WAF rules
- ✅ Auto-close comments on posts older than 180 days
- ✅ Disable comments completely if you don’t need them
- ✅ Clean up existing spam via WP-Optimize or phpMyAdmin
- ✅ Monitor Wordfence logs and Google Search Console monthly
Final Thoughts
WordPress spam comments feel overwhelming at first. But they are completely fixable. The key is using multiple layers of protection — not just one plugin. Server-level rules. CAPTCHA. A dedicated anti-spam plugin. Cloudflare. Comment moderation settings. Each layer catches what the others miss.
Follow this guide step by step. Your comment section will go from a spam nightmare to a clean, well-protected space.
If you’ve followed every step and spam is still causing problems — or if you’re dealing with broader WordPress errors, broken pages, plugin conflicts, or security issues alongside the spam — you don’t have to figure it out alone. Muhammad Muheet’s WordPress fix service specializes in diagnosing and resolving exactly these kinds of issues, from spam cleanup and database optimization to full technical error fixes. Sometimes a professional pair of eyes saves hours of frustration.Your site deserves better than a spam-filled comment section. Now go fix it.
Related reads: Best WordPress Security Plugins 2026 | Fix WordPress Issues & Errors | WordPress Maintenance Checklist
