How To Stop Getting Spam Comments
I've struggled with spam comments for years on my personal blog. When I first started blogging in 2006, I'd wake up in the morning with a ton of spam messages that had slipped through traditional spam solutions like Akismet. The useless traffic was killing my site speed, and I had to implement all kinds of complicated solutions to stay relatively free of bots.
These days, Akismet is still around and still enabled by default on WordPress blogs around the world. And it still picks up a lot of stuff. But I don't know of any large site that relies solely on Akismet. Instead, these days we have Google's reCAPTCHA which has slowly been upping its game and is now a pretty comprehensive solution to block spam on WordPress.
Here's how to go about it.
See related article on installing internal feature reCAPTCHA on Contact7 forms.
The Google's reCAPTCHA solution was introduced by Google in 2017. It's a small script that stays in the background and monitors all kinds of stats that distinguish a human visitor from a bot. We don't know exactly what these parameters are, but we can guess it includes:
Mouse movement
Typing speeds
Scroll speeds
Other non-human activity
The captcha uses machine learning to identify patterns of bot behavior and modify its algorithm in real time to respond to changing threats. It's pretty cool!
To use this cool solution, first sign up for a reCAPTCHA account by visiting this url. Here, scroll down and fill out the form below like this:
Give your Label a recognizable label and select the first radio button labeled "Score based (v3)". In the "Domains" box below, enter the name of each domain that you want to protect using it. (if you have multiple sites you can add them by hitting the + symbol) One on every line. Entering the name of a domain also means that it protects subdomains.
Accept the reCAPTCHA terms of service and go to the next page.
When you register your site properties in step 1, Google creates two separate string of characters:
Site Key
Secret Key
The site key is public knowledge. The secret key is meant to be...secret! The latter is only used between you and Google:
Make a note of these keys. We'll be using them in in the next step.
You can install the reCAPTCHA code manually and integrate it into your comment form, but it's too much of a hassle for me. There are LOTS of reCAPTCHA plugins you can choose from. Honestly, it's confusing! Trying to find balance between usability and cost effectiveness can be a little time consuming!
The plugin installed for this tutorial is 'free' but has options to upgrade to PRO with a LOT of additional features. You might consider it depending on your needs! That said, the free version does the job for this tutorial.
After installing and activating the plugin, go to the Settings page under Settings -> Advanced Google reCAPTCHA.
Use the drop down to select the type of Captcha you are using:
Here, enter your site key and secret key as shown here:
After you save changes you can then verify it.
Now some basic configurations for the plugin that are included with the free version. Click on 'Where To Show' and toggle all that apply to you. Save.
Click on 'Login Protection' and enable it. Save.
Click on 'Firewall' and toggle 'Block bad bots' & 'Directory Traversal'
At this point, you have all the basic options installed!
Save your changes. Now logout of your wp-admin and visit your site anonymously and go to any post with a comment form. You should see this at the bottom as well as on your login form!
This means that your site is now protected by the reCAPTCHA. Bots beware!
This particular plugin's PRO features are pretty nice! Honestly, I'd go with the 'one time' lifetime fee on the Personal License if I was going to go all in on this plugin. It's your decision and NameHero makes zero off of this. There are many plugins you can try and install yourself. This tutorial is just that, a tutorial.
These days, Akismet is still around and still enabled by default on WordPress blogs around the world. And it still picks up a lot of stuff. But I don't know of any large site that relies solely on Akismet. Instead, these days we have Google's reCAPTCHA which has slowly been upping its game and is now a pretty comprehensive solution to block spam on WordPress.
Here's how to go about it.
See related article on installing internal feature reCAPTCHA on Contact7 forms.
Using Google's reCAPTCHA
The Google's reCAPTCHA solution was introduced by Google in 2017. It's a small script that stays in the background and monitors all kinds of stats that distinguish a human visitor from a bot. We don't know exactly what these parameters are, but we can guess it includes:
Mouse movement
Typing speeds
Scroll speeds
Other non-human activity
The captcha uses machine learning to identify patterns of bot behavior and modify its algorithm in real time to respond to changing threats. It's pretty cool!
Step 1: Register a Site for Use with reCAPTCHA
To use this cool solution, first sign up for a reCAPTCHA account by visiting this url. Here, scroll down and fill out the form below like this:
Give your Label a recognizable label and select the first radio button labeled "Score based (v3)". In the "Domains" box below, enter the name of each domain that you want to protect using it. (if you have multiple sites you can add them by hitting the + symbol) One on every line. Entering the name of a domain also means that it protects subdomains.
Accept the reCAPTCHA terms of service and go to the next page.
Step 2: Saving your Site Key and Secret Key
When you register your site properties in step 1, Google creates two separate string of characters:
Site Key
Secret Key
The site key is public knowledge. The secret key is meant to be...secret! The latter is only used between you and Google:
Make a note of these keys. We'll be using them in in the next step.
Step 3: Installing and Configuring a reCAPTCHA Plugin
You can install the reCAPTCHA code manually and integrate it into your comment form, but it's too much of a hassle for me. There are LOTS of reCAPTCHA plugins you can choose from. Honestly, it's confusing! Trying to find balance between usability and cost effectiveness can be a little time consuming!
The plugin installed for this tutorial is 'free' but has options to upgrade to PRO with a LOT of additional features. You might consider it depending on your needs! That said, the free version does the job for this tutorial.
After installing and activating the plugin, go to the Settings page under Settings -> Advanced Google reCAPTCHA.
Use the drop down to select the type of Captcha you are using:
Here, enter your site key and secret key as shown here:
After you save changes you can then verify it.
Now some basic configurations for the plugin that are included with the free version. Click on 'Where To Show' and toggle all that apply to you. Save.
Click on 'Login Protection' and enable it. Save.
Click on 'Firewall' and toggle 'Block bad bots' & 'Directory Traversal'
At this point, you have all the basic options installed!
Save your changes. Now logout of your wp-admin and visit your site anonymously and go to any post with a comment form. You should see this at the bottom as well as on your login form!
This means that your site is now protected by the reCAPTCHA. Bots beware!
This particular plugin's PRO features are pretty nice! Honestly, I'd go with the 'one time' lifetime fee on the Personal License if I was going to go all in on this plugin. It's your decision and NameHero makes zero off of this. There are many plugins you can try and install yourself. This tutorial is just that, a tutorial.
Updated on: 31/01/2025
Thank you!