Dealing with WordPress comment spam

Last updated on November 28, 2011.

Ah, finally! After more than a month of being unable to write anything on this blog because I was busy with many website development projects, I'm back to writing.

While I was not able to find time to write new posts, I checked my dashboard from time to time for new comments or incoming links, and 99% of the time the comments were nothing but spam. Some spam is blunt (nothing but keywords and links) while some is discreet (you can still tell that it is spam, but you'll need to take a few seconds to read it). I receive around 10 to 20 spam comments a day, sometimes even more.

WordPress comments are easy to spam because the comment form requires the same set of data before posting: name, email, website and comment. Hence, it is easy to create a program that will automatically fill in these fields with the same set of data (or with data randomly chosen from different sets).

Upon installation, WordPress automatically comes with a plugin called Akismet that is supposed to check comments for spam. However, it requires a WordPress.com API key, and I don't have that because I am hosting WordPress on my own server and not on WordPress.com, which is a free blog provider.

My only other option is to check "An administrator must always approve the comment" under the Discussion settings (for WordPress 2.2 up to 2.7; I'm not sure about other versions), which I thought would be enough to deal with this comment spam.

Blocking spam comments this way was a partial success. Why do I say partial? It is successful because these spam comments never made it to my blog. That is, I can see these comments in my dashboard but my site visitors never saw them. The objective of these comment spammers is to increase the backlinks to their websites (or their clients' websites) so that they rank higher in search engines, and they were never able to get that from me.

On the other hand, it's not entirely successful because my original plan of manually separating genuine comments from spam is very time-consuming. As I said earlier, I sometimes encounter more than 20 comments. In a week, I can have more than a hundred comments from which I need to pick out the genuine ones, like looking for a needle in a haystack.

So what I did was let the spam come until I had gathered around 100 spam comments. Then I looked for anything they had in common that I could exploit. I came up with two solutions. One is IP blocking and the second is blacklisting words frequently found in spam comments.

IP blocking

IP blocking refers to blocking visitors coming from a certain IP address (or IP addresses) by writing rules in the .htaccess file. The details on how to ban IP addresses are discussed in this past article. Since the WordPress dashboard shows the IP address each comment comes from, I look for the IP addresses that posted three or more spam comments and block them.

You need to be cautious in implementing an IP ban or block. First, there is this thing called a dynamic IP address. Ideally, there would be a single static IP address for each computer and internet service provider (ISP) combination. However, there are not enough possible IP addresses for everyone.

Hence, some ISPs keep a pool of IP addresses and let whoever is connected to the internet at the time use one of them, so a computer gets a different IP address whenever it connects to the internet. That is what we call a dynamic IP address. If the spammer is using a dynamic IP address, IP blocking is useless.

Moreover, some (or should I say "most") spammers are also hackers. Some spammers do not send out spam from their own computers. Instead, they install malware (commonly known as "worms" or "viruses", although those terms technically refer to different things) on other people's computers and send the spam from there.

Hence, if you want to limit the use of IP blocking, or not use IP blocking at all because you do not want to ban a potential client/visitor/partner/friend/etc., you can instead identify spam comments based on the words that appear in those comments.
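The "three or more spam comments" rule above can be applied mechanically. This is an added example, not code from the original post: the input rows are constructed, the generated rules assume Apache 2.4 syntax, and skipping addresses that also posted a genuine comment is an extra safeguard suggested by the dynamic-IP caveat.

```python
import ipaddress
from collections import Counter

# Constructed sample: (author IP, moderator verdict) pairs as they might be
# copied from the comments screen. Addresses are from documentation ranges.
SAMPLE_COMMENTS = [
    ("203.0.113.7", "spam"), ("203.0.113.7", "spam"), ("203.0.113.7", "spam"),
    ("198.51.100.23", "spam"), ("198.51.100.23", "spam"),
    ("192.0.2.50", "spam"), ("192.0.2.50", "spam"), ("192.0.2.50", "spam"),
    ("192.0.2.50", "ok"),      # same address also left a genuine comment
    ("not-an-ip", "spam"),     # malformed rows are skipped, never blocked
]

def repeat_spam_ips(comments, threshold=3):
    """IPs with >= threshold spam comments and no genuine comment at all."""
    spam, genuine = Counter(), set()
    for raw_ip, verdict in comments:
        try:
            ip = ipaddress.ip_address(raw_ip.strip())
        except ValueError:
            continue
        if verdict == "spam":
            spam[ip] += 1
        else:
            genuine.add(ip)
    picked = [ip for ip, n in spam.items() if n >= threshold and ip not in genuine]
    # Sort by (IP version, numeric value) so IPv4 and IPv6 can be mixed.
    picked.sort(key=lambda ip: (ip.version, int(ip)))
    return [str(ip) for ip in picked]

def htaccess_rules(ips):
    """Render a block for .htaccess (Apache 2.4; 2.2 would use 'Deny from')."""
    if not ips:
        return ""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in ips]
    lines.append("</RequireAll>")
    return "\n".join(lines)

if __name__ == "__main__":
    print(htaccess_rules(repeat_spam_ips(SAMPLE_COMMENTS)))
```

Only 203.0.113.7 is blocked here: 198.51.100.23 is below the threshold, and 192.0.2.50 is spared because a genuine comment came from the same address.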

Comment blacklist

The comment blacklist is a feature in WordPress that allows you to ban any comment that contains certain words. You type the words that you wish to blacklist into the comment blacklist under the Discussion settings. The comment blacklist also blocks strings that are part of a larger word. For example, including the word "code" in the blacklist will also block any comment that contains the word "Codegrad".

Similar to what I did with IP blocking, I let around 100 spam comments accumulate (a new set of 100) and tried to find out which words commonly appear in them. Most of this spam comes from industries like the adult industry, airline tickets, medicines and pharmacies, credit cards and loans, and real estate. Below are some of the words that I included in my blacklist. I used an image to prevent this post from appearing in search results for any of these words.

[Image: list of spam words]

Comments that contain any of the words in the blacklist are not blocked outright. They still reach your dashboard, but WordPress immediately classifies them as spam. Hence, you can delete all of them in just one click.

One tricky part of using this feature is when some of the frequently spammed words are related to the topic of your blog. For example, I also receive comment spam about search engine optimization (SEO) and online marketing. I cannot blacklist these words because they are discussed in my posts, and legitimate post comments usually contain them.
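Picking blacklist words from a batch of spam, and catching the ones that would also hit genuine comments, can be checked before anything goes into the settings box. This is an added example, not code from the original post or from WordPress: the comments are constructed, and the matcher only emulates the case-insensitive substring behaviour described above.

```python
import re

# Constructed, hand-labelled sample comments (not taken from the post).
SPAM = [
    "Cheap airline tickets and low rate loans",
    "Instant loans online at the best rate",
    "Discount pharmacy, order cheap pills online",
    "Online pharmacy with cheap pills and fast shipping",
]
GENUINE = [
    "I moderate comments by hand too, and it takes hours.",
    "Does the blacklist work for trackbacks? I sell crafts online.",
    "My inbox spills over with spam every morning.",
]

def blacklist_hits(term, comment):
    """Case-insensitive substring match: 'code' also hits 'Codegrad'."""
    return term.lower() in comment.lower()

def propose_blacklist(spam, genuine, min_spam_hits=2, min_len=4):
    """Return (accepted terms, {rejected term: genuine comments it would hit})."""
    vocab = {w for c in spam
             for w in re.findall(r"[a-z]+", c.lower()) if len(w) >= min_len}
    accepted, rejected = [], {}
    for term in vocab:
        spam_hits = sum(blacklist_hits(term, c) for c in spam)
        if spam_hits < min_spam_hits:
            continue                      # too rare in spam to be worth listing
        false_hits = [c for c in genuine if blacklist_hits(term, c)]
        if false_hits:
            rejected[term] = false_hits   # would flag a real visitor
        else:
            accepted.append((spam_hits, term))
    accepted.sort(key=lambda pair: (-pair[0], pair[1]))
    return [term for _, term in accepted], rejected

if __name__ == "__main__":
    keep, drop = propose_blacklist(SPAM, GENUINE)
    print("blacklist:", keep)
    for term, hits in sorted(drop.items()):
        print(f"skip {term!r}: matches genuine comment {hits[0]!r}")
```

In this sample "rate" and "pills" are rejected purely because of substring matching ("moderate", "spills"), while "online" is rejected because a genuine commenter uses the word itself, which is the on-topic case described above.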

Well, in the end there's no way to block all spam comments. However, using the blacklist can reduce the comments that go into your pending list (or those that appear immediately on your post if you disabled the comment moderation option) to something you can manage. There's also a separate comment moderation list right above the comment blacklist if you want all but potentially spam comments to appear immediately on your posts.

The rule of thumb is that if the comment is totally unrelated to your post, it must be spam.

Posted by Greten on July 19, 2009 under WordPress


Read Comments

  1. Posted by Chronos 9 on 01.01.11 3:00 pm

    I did not give you my website/blog address on purpose as I know how annoying it is to receive all these comments with a ‘link’ back to a website :) )

    I use the ‘comment blacklist’ and Akismet.
    I didn’t know that Akismet is only available with wordpress.com. :) - Which I learnt from you today, thanks for the information :) . I am certainly not a professional when it comes to blogs and websites and managed ‘just’ to build my own blog which I successfully update once a week (except for one week delay over Xmas and another in the summer holiday-season). I am more than happy with Akismet as ‘EVERY’ comment that has a back link gets stuck in it and waits for my approval (sadly-it seems to be that 100% are spams :( !!). But I keep the good and blog-theme-related comments and delete the website address, resulting in a nice clean comment-without a link in it any longer.
    I came to your blog as I am quite new to blogs and as I wasn’t sure if I should keep the backlinks in my comments or not.
    You have answered that question for me-Thank you and happy blogging :) )!
    And a happy and successful Year 2011!!
    Regards,

    K.

  2. Posted by Greten on 01.12.11 5:00 pm

    Hi Chronos! Your comment has substance; I’m much willing to give you that backlink. God bless!
