How To Stop From Getting Spam Comments
Written by Jamie G.
Updated over a week ago

I've struggled with spam comments for years on my personal blog. When I first started blogging in 2006, I'd wake up in the morning with a ton of spam messages that had slipped through traditional spam solutions like Akismet. The useless traffic was killing my site speed, and I had to implement all kinds of complicated solutions to stay relatively free of bots.

That was over 10 years ago, and things have changed. Google got into the game!

These days, Akismet is still around and still enabled by default on WordPress blogs around the world. And it still picks up a lot of stuff. But I don't know of any large site that relies solely on Akismet. Instead, these days we have Google's reCAPTCHA, which has slowly been upping its game and is now a pretty comprehensive solution to block spam on WordPress.

Here's how to go about it.

Using Google's Invisible reCAPTCHA

Google introduced its invisible reCAPTCHA solution in 2017. It's a small script that stays in the background and monitors all kinds of stats that distinguish a human visitor from a bot. We don't know exactly what these parameters are, but we can guess they include:

  1. Mouse movement

  2. Typing speeds

  3. Scroll speeds

  4. ..

The captcha uses machine learning to identify patterns of bot behavior and modify its algorithm in real time to respond to changing threats. It's pretty cool!

Step 1: Register a Site for Use with reCAPTCHA

To use this cool new solution, first sign up for a reCAPTCHA account by visiting https://www.google.com/recaptcha/admin. Here, scroll down and fill out the form below like this:

[Image: Register for reCaptcha]

Give your site a recognizable label and select the second radio button labeled "Invisible reCAPTCHA". In the "Domains" box below, enter the name of each domain that you want to protect, one per line. Entering a domain also protects its subdomains.

Accept the reCAPTCHA terms of service and go to the next page.

Step 2: Saving your Site Key and Secret Key

When you register your site properties in step 1, Google creates two separate strings of characters:

  1. Site Key

  2. Secret Key

The site key is public knowledge: it is embedded in your pages, where any visitor can see it. The secret key is meant to be...secret! It is only used between your site and Google:

[Image: Site Key and Secret Key]

Make a note of these keys. We'll be using them in the next step.
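
Where the secret key is actually used, as an added example (not from the original article or from any plugin): the server-side call to Google's siteverify endpoint that decides whether the `g-recaptcha-response` token posted with a comment is genuine. The function names, the `example.com` domain and the sample replies are assumptions constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def post_form(url, fields, timeout=5):
    """Default transport: POST the form fields and return the parsed JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=body, timeout=timeout) as resp:
        return json.load(resp)


def host_allowed(hostname, domains):
    """A registered domain also covers its subdomains, so accept both."""
    host = str(hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def verify_comment_token(token, secret_key, domains, transport=post_form):
    """Return (accepted, reason) for the g-recaptcha-response value of a comment."""
    if not token:
        return False, "missing-token"  # form was posted without running the widget
    try:
        # The secret key only travels from your server to Google, never to the browser.
        reply = transport(SITEVERIFY_URL, {"secret": secret_key, "response": token})
    except (OSError, ValueError):
        return False, "verify-unavailable"  # fail closed; hold the comment for moderation
    if not isinstance(reply, dict) or reply.get("success") is not True:
        codes = reply.get("error-codes") if isinstance(reply, dict) else None
        return False, ",".join(codes or ["rejected"])
    if not host_allowed(reply.get("hostname"), domains):
        return False, "hostname-mismatch"  # token was solved on a different site
    return True, "ok"


if __name__ == "__main__":
    # Constructed replies standing in for Google's JSON, so the demo runs offline.
    def fake(reply):
        return lambda url, fields: reply

    domains = ["example.com"]  # assumed registered domain
    good = {"success": True, "hostname": "blog.example.com"}
    replay = {"success": False, "error-codes": ["timeout-or-duplicate"]}
    other = {"success": True, "hostname": "spam.example.net"}
    for reply in (good, replay, other):
        print(verify_comment_token("constructed-token", "constructed-secret", domains, fake(reply)))
```

A token is single-use and short-lived, so a replayed one comes back with `timeout-or-duplicate` and is rejected like any other failure.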

Step 3: Installing and Configuring the Invisible reCAPTCHA Plugin

You can install the invisible reCAPTCHA code manually and integrate it into your comment form, but it's too much of a hassle for me. I'd much rather use a plugin instead. Here, my choice goes to Invisible reCaptcha for WordPress by Mihai Chelaru.

After installing and activating the plugin, go to the Settings page under Settings -> Invisible reCAPTCHA. Here, enter your site key and secret key as shown here:

[Image: Insert Site key and Secret key]

Save your changes. Next, select "WordPress" on the left-hand side and enable the checkbox labeled "Enable Comments Form Protection" like this:

[Image: Enable Protection on Comment Forms]

Save your changes. Now visit your site anonymously and go to any post with a comment form. You should see this at the bottom:

[Image: reCAPTCHA to block spam comments]

This means that your site is now protected by the invisible reCAPTCHA. Bots beware!

Alternative Solution - Use Disqus Instead

Another option is to just do an end run around the entire process and use a 3rd party comment system like Disqus instead. They'll do all your spam filtering for you. But of course, it has disadvantages like:

  1. Can't theme Disqus to match your site

  2. Can't have your own login procedure

  3. Less of a community as users can't leave their site in the URL

  4. It adds a lot of extra code to your site, even though it can load asynchronously

On the other hand, it can handle an infinite number of comments and you'll never have to deal with spam load again since posting comments doesn't reload the page anyway. You'll have to decide for yourself if the tradeoffs are worth it.
