How To Stop WordPress SPAM

Is your WordPress website being flooded with SPAM? Here's how you stop it.

WordPress now powers a third of the web, so if you’re running a website, there’s a good chance you’re using WordPress. Since it’s such a popular platform, it’s also a huge bullseye for spammers looking to promote their bullshit.

There are two types of WordPress SPAM: automated and manual. Automated SPAM is created by computer programs, or bots, that try to post SPAM to every WordPress site they can find. Manual SPAM is created by people who enter SPAM manually on WordPress sites.

CAPTCHA

A common way to stop automated SPAM bots is to use CAPTCHA. This is a type of challenge-response test used to determine whether or not a user is human. The first CAPTCHA implementations were very basic. You just had to recognize a few numbers and letters in a picture, and enter them in a form to prove you were not a pesky SPAM bot. This was a trivial task for humans, but very hard for computers.

But the spammers soon caught up with the early CAPTCHA technology, and taught their bots to solve the simple CAPTCHAs. In the inevitable game of cat-and-mouse, the CAPTCHAs then had to become more advanced to stop the bots. The result was that, more often than not, a CAPTCHA was too hard for humans to solve as well. This made the technology a less desirable way to stop SPAM since it also stopped legitimate users.

reCAPTCHA

Google’s reCAPTCHA leveled the playing field. At its core, it’s an ingenious CAPTCHA implementation. Instead of the usual letters and numbers, the user is asked to identify objects in a photo, or a series of photos. This is another task that is trivial for humans, but very hard for computers. But even Google’s reCAPTCHA can be cracked, and this has happened several times.

Another aspect you should take into consideration if you want to use reCAPTCHA to stop SPAM bots is what Google is potentially using the technology for. By identifying objects in a photo, you might ultimately be training the Pentagon’s killer drones. For a while, Google was partnered with the Pentagon on Project Maven, a machine learning effort. reCAPTCHA is not only a great CAPTCHA implementation, it’s also a very efficient way to train a neural network to identify objects. Such a neural network can be used in armed drones so that they can automatically identify bombing targets.

In my personal opinion, you should avoid using CAPTCHA - or at the very least avoid reCAPTCHA - to stop WordPress SPAM. There are better ways.

Akismet

While using CAPTCHA can be an efficient way to stop automated SPAM bots, it’s no match for the human spammers - and there are plenty of them.

Akismet is a free anti-SPAM service hosted by Automattic, the creators of WordPress. It checks comments and contact form submissions against a global database of spam to prevent a site from publishing SPAM. Since it checks the content of a submission, it’s very good at identifying manual SPAM - in addition to the SPAM generated by annoying SPAM bots.

If Akismet identifies the comment as SPAM, it’s moved to WordPress’ SPAM queue. An administrator or moderator can then check whether the comment really is SPAM, and manually publish it if Akismet has mistakenly flagged it. The technology is both efficient and accurate. In my case, Akismet has blocked 202,274 SPAM since I started using it in 2008, with a 99.96% accuracy rate.

But every now and then, Akismet flags legitimate, non-SPAM comments as SPAM. This means that you have to constantly check the SPAM queue to see if there’s anything in there that isn’t actually SPAM. Akismet also sporadically flags SPAM as legitimate comments. If you’re running a popular, high-volume site, cleaning up after Akismet can be a lot of manual work.
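The check-and-queue flow described above, sketched as an added example (not Akismet's or the WordPress plugin's own code): it builds a comment-check request using the endpoint and field names of Akismet's public REST API and routes the answer. The action names, the placeholder key and site URL, and the stubbed responses are assumptions made so the example runs offline.

```python
from urllib.parse import urlencode, parse_qs

AKISMET_URL = "https://rest.akismet.com/1.1/comment-check"

def build_check_request(api_key, site_url, comment):
    """Form-encode one comment for Akismet's comment-check call."""
    return AKISMET_URL, urlencode({
        "api_key": api_key,
        "blog": site_url,
        "user_ip": comment["ip"],
        "user_agent": comment["user_agent"],
        "comment_type": "comment",
        "comment_author": comment["author"],
        "comment_content": comment["content"],
    })

def route(status, body, headers):
    """Map the service's answer to a moderation action (names are assumptions)."""
    verdict = body.strip().lower()
    if status != 200 or verdict not in ("true", "false"):
        return "hold"          # outage or "invalid": keep for manual review
    if verdict == "false":
        return "publish"
    tip = {k.lower(): v for k, v in headers.items()}.get("x-akismet-pro-tip", "")
    return "discard" if tip.lower() == "discard" else "spam-queue"

def moderate(comment, transport, api_key="PLACEHOLDER-KEY",
             site_url="https://blog.example/"):
    url, form = build_check_request(api_key, site_url, comment)
    return route(*transport(url, form))

def fake_transport(url, form):
    """Constructed stand-in for the HTTP POST so the example runs offline."""
    fields = parse_qs(form)
    author, text = fields["comment_author"][0], fields["comment_content"][0]
    if author == "outage-sim":
        return 503, "", {}
    if "cheap pills" in text:
        blatant = text.count("http") >= 3
        return 200, "true", ({"X-akismet-pro-tip": "discard"} if blatant else {})
    return 200, "false", {}

def sample(author, content):  # constructed sample comments
    return {"ip": "203.0.113.7", "user_agent": "Mozilla/5.0",
            "author": author, "content": content}

if __name__ == "__main__":
    for c in (sample("Kari", "Thanks, this fixed my comment form."),
              sample("Deals", "cheap pills here"),
              sample("Deals", "cheap pills http://a http://b http://c"),
              sample("outage-sim", "hello")):
        print(c["author"], "->", moderate(c, fake_transport))
```

Holding comments when the service cannot be reached, rather than publishing them, keeps an outage from turning into an open door for SPAM.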

Screenshot of the WordPress administration menu with the Comments section selected.
With the right WordPress configuration, you’ll never have to click this button again. Image by Werner Moser from Pixabay.

STOP SPAMMERS Plugin

Akismet is SPAM protection for the masses. It’s easy to set up, and It Just Works. But that means it’s stripped to the bone of options and ways to tweak how it handles various types of SPAM.

If you want to take more control of how your site is protected from SPAM attacks, the Stop Spammers plugin might be a good option. I just recently started using it, but so far it works great. During the last couple of days, Stop Spammers has blocked spammers from registering or leaving comments. The plugin is quite aggressive, and performs more than 20 different checks for SPAM and malicious events.

Stop Spammers works with Akismet, and anything reported by Akismet is automatically purged by Stop Spammers. So far, I’ve not seen Stop Spammers block any legitimate users. But if you try to post a comment, and the plugin suspects you’re a spammer, you’ll be asked to solve a CAPTCHA. I think this approach is better than asking every single user to solve a CAPTCHA.

Final Thoughts

SPAM is a big problem, not just on WordPress, but on the internet in general. If you’re hosting a WordPress site, you should at least have Akismet running to stop WordPress SPAM. This makes it harder for spammers to post their comments, and the harder it is, the less appealing WordPress will be for these morons.

If a lot of manual work is not your cup of tea, then Stop Spammers might be a better choice. But keep in mind that the plugin is very aggressive, meaning that there’s a chance it’ll block legitimate users.

Happy SPAM blocking!


Feedback

Do you have any thoughts you want to share? A question, maybe? Or is something in this post just plainly wrong? Then please send an e-mail to vegard at vegard dot net with your input. You can also use any of the other points of contact listed on the About page.

