How to Fix WordPress Comment Spam When Plugins Don’t Work
If you’re a blogger or website owner dealing with comment spam on WordPress, you know how annoying and time-consuming it can be. Even the most popular anti-spam plugins like Akismet or reCAPTCHA sometimes fail, leaving you frustrated with hundreds of spammy comments.
As an expert blogger, I’ve faced this issue and tested various solutions. In this guide, I’ll show you simple, effective, and beginner-friendly ways to stop comment spam for good. Let’s dive in!
Why Do Plugins Fail to Stop Comment Spam?
Plugins are great, but they’re not perfect. Here are some common reasons they may not work:
- Advanced bots: Some bots are designed to bypass standard filters and behave like real users.
- Human spammers: Real people can post spam manually, making it harder for plugins to detect.
- Generic settings: Many plugins use default settings that don’t address specific spam issues.
Don’t worry! You can go beyond plugins with a few simple steps to protect your WordPress site.
Disable Comments Where You Don’t Need Them
Not every page or post needs a comment section. For instance, your landing pages, about pages, or old blog posts likely don’t need comments.
How to Turn Off Comments Globally:
- Log in to your WordPress dashboard.
- Go to Settings > Discussion.
- Uncheck “Allow people to submit comments on new posts.”
- Click Save Changes.
If you want more control, install the Disable Comments plugin. This lets you remove comments entirely from specific pages, posts, or even your whole site.
Add a Honeypot to Your Comment Form
A honeypot is a hidden field in your comment form that’s invisible to real users but visible to bots. When bots fill out this field, they’re instantly flagged as spam.
How to Use a Honeypot Without Coding:
- Install the WP Armour plugin.
- Activate it, and it automatically adds a honeypot field to your comment form.
This simple trick can block most automated spam without affecting real users.
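For readers who want to see the mechanism, here is a minimal honeypot written as a small WordPress plugin. It is an added example, not code from this guide's author or from WP Armour. The field name `alt_contact_url` and the `example_hp_*` function names are hypothetical; the hooks are standard WordPress core hooks.

```php
<?php
/**
 * Plugin Name: Example Comment Honeypot
 * Description: Added illustration of the honeypot idea; not WP Armour's code.
 */

// Hypothetical field name chosen for this example.
const EXAMPLE_HP_FIELD = 'alt_contact_url';

// 1. Print the decoy input for logged-out and logged-in commenters alike.
function example_hp_render_field() {
    // Moved off-screen instead of type="hidden", which some bots skip.
    // tabindex and autocomplete keep keyboard users and autofill out of it.
    printf(
        '<p style="position:absolute;left:-9999px" aria-hidden="true">'
        . '<label for="%1$s">Leave this field empty</label>'
        . '<input type="text" name="%1$s" id="%1$s" value="" tabindex="-1" autocomplete="off">'
        . '</p>',
        esc_attr( EXAMPLE_HP_FIELD )
    );
}
add_action( 'comment_form_after_fields', 'example_hp_render_field' );
add_action( 'comment_form_logged_in_after', 'example_hp_render_field' );

// 2. Set the comment's status before WordPress saves it.
function example_hp_check( $approved, $commentdata ) {
    // Keep earlier verdicts (errors, spam, trash) exactly as they are.
    if ( is_wp_error( $approved ) || in_array( $approved, array( 'spam', 'trash' ), true ) ) {
        return $approved;
    }
    // Pingbacks and trackbacks never pass through the comment form.
    $type = $commentdata['comment_type'] ?? '';
    if ( '' !== $type && 'comment' !== $type ) {
        return $approved;
    }
    // Moderators replying from the dashboard do not use the public form.
    if ( current_user_can( 'moderate_comments' ) ) {
        return $approved;
    }
    $raw = $_POST[ EXAMPLE_HP_FIELD ] ?? null;
    if ( null === $raw ) {
        return 0; // Field absent: not sent from the rendered form, hold it.
    }
    if ( ! is_string( $raw ) || '' !== trim( $raw ) ) {
        return 'spam'; // A person never sees the field, so a value means a bot.
    }
    return $approved;
}
add_filter( 'pre_comment_approved', 'example_hp_check', 10, 2 );
```

This assumes your theme renders comments with the standard `comment_form()` function; if it builds the form another way, the decoy field is never printed and every comment will be held for moderation.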
Use an Alternative CAPTCHA
If reCAPTCHA isn’t effective, consider switching to something different. Many spammers target reCAPTCHA because it’s widely used.
Recommended Alternatives:
- hCaptcha: Similar to reCAPTCHA but less targeted by bots.
- Math CAPTCHA: Adds simple math questions like “What’s 3 + 5?” to your comment form.
How to Add hCaptcha:
- Install the hCaptcha for WordPress plugin.
- Sign up at hCaptcha to get your site key.
- Add your key to the plugin settings, and you’re done!
Limit Links in Comments
Spam comments often include links to shady websites. Limiting the number of links allowed in comments can help block these.
How to Restrict Links in Comments:
- Go to Settings > Discussion.
- Find the option “Hold a comment in the queue if it contains [X] or more links.”
- Set this to 1 or 2 links.
- Click Save Changes.
This stops spam comments containing excessive links from being published automatically.
Block Spammy IP Addresses
If you notice spam coming from specific IP addresses, block them manually.
Steps to Block IPs in WordPress:
- Install the Wordfence Security plugin.
- Go to Tools > Live Traffic to identify spammy IPs.
- Block suspicious IPs directly from Wordfence settings.
Alternatively, you can block IPs through your hosting provider or by editing your .htaccess file.
⚠️ Alerts to Keep Your Site Safe:
- Always create a full site backup before editing files like .htaccess or wp-config.php. One mistake can break your site.
- Verify plugin and theme compatibility before installing updates to avoid conflicts or crashes.
- Never share your WordPress admin credentials. Use strong passwords and enable two-factor authentication for added security.
Add a Custom Question to the Comment Form
Custom questions confuse bots while being easy for humans to answer. For example, ask a simple question like, “What color is the sky?”
How to Add a Custom Question Without Coding:
- Install the Simple Comment Editing plugin.
- Add a custom question to your comment form, such as:
  - “What is 2 + 3?”
  - “Type the word ‘hello’ below.”
Only comments with the correct answer will be allowed.
Disable Trackbacks and Pingbacks
Trackbacks and pingbacks are outdated features often exploited by spammers. You can safely turn them off.
How to Disable Trackbacks:
- Go to Settings > Discussion.
- Uncheck “Allow link notifications from other blogs (pingbacks and trackbacks).”
- Save your changes.
This will prevent spammers from using pingbacks to send fake notifications.
Moderate Comments Manually
If spam still gets through, enable manual moderation to review every comment before it’s published.
How to Enable Comment Moderation:
- Go to Settings > Discussion.
- Check “Comment must be manually approved.”
- Save your changes.
Additionally, add spammy words or phrases like “click here” or “free money” to the Comment Blacklist section. This automatically flags suspicious comments.
Use Cloudflare for Bot Protection
Cloudflare offers advanced tools to block spam and bad bots at the network edge, before the traffic reaches your server.
How to Set Up Cloudflare:
- Sign up at Cloudflare.
- Connect your WordPress site by updating your DNS settings.
- Enable Bot Fight Mode or CAPTCHA challenges for suspicious traffic.
Cloudflare works alongside WordPress to filter out bad traffic before it even reaches your site.
Keep Your WordPress Site Updated
Outdated themes, plugins, or WordPress versions can leave your site vulnerable to spam attacks. Always:
- Update WordPress to the latest version.
- Regularly update plugins and themes.
- Delete unused plugins and themes to reduce security risks.
Frequently Asked Questions
Q1: How can I stop bots from submitting spam comments on my WordPress site?
A: You can use a honeypot technique to detect bots. Honeypots add invisible fields to your comment form that bots will fill in but real users won’t. Tools like WP Armour automatically add honeypots to WordPress comment forms, blocking most automated spam.
Q2: What’s the best alternative to reCAPTCHA for stopping comment spam?
A: If reCAPTCHA isn’t effective, alternatives like hCaptcha and Math CAPTCHA work well. hCaptcha is similar to reCAPTCHA but less targeted by bots, while Math CAPTCHA adds easy arithmetic challenges like “What is 3 + 5?” to verify real users.
Q3: Can I block spam comments by limiting links in WordPress?
A: Yes. In WordPress, you can limit the number of links allowed in a comment. Go to Settings > Discussion and set “Hold a comment in the queue if it contains [X] or more links” to 1 or 2. This prevents excessive spammy links.
Q4: Is manual comment moderation an effective way to stop spam?
A: Absolutely. Enabling manual moderation ensures no comment gets published without approval. Go to Settings > Discussion and check “Comment must be manually approved”. You can also add common spam words to the Comment Blacklist to filter suspicious comments.
Conclusion
WordPress comment spam can be persistent, but it’s not unbeatable. By combining strategies like honeypots, alternative CAPTCHA, IP blocking, and manual moderation, you can take back control of your comment section.
Start with the simplest methods, like disabling unnecessary comments or adding a honeypot. Then layer in more advanced tools like Cloudflare or custom questions if needed.
With these tips, you’ll finally enjoy a spam-free WordPress site. Happy blogging!

Shahab Ali leads the content team at Codixes as Content Chief, bringing a wealth of experience in writing technical and growth-focused content. He is known for his ability to make technical topics relatable and actionable. His mission? To ensure every piece of content not only educates but drives measurable results.