Easiest Way to Prevent WordPress Comment Spam

As it is well known, WordPress is a free content management system. And according to one of the recently published articles on MarketingLand.com, it has being used on 25% of all world wide web (www).

“It now powers 25 percent of all sites across the web. That’s according to the newest data from W3Techs, a company that tracks the usage of different web technologies.”

Unfortunately, being successful and open-source makes WordPress a perfect target for hackers and spammers. Another article published on WpWhiteSecurity.com shows that more than 70% of WordPress websites are vulnerable.

“According to statistics From 40,000+ WordPress Websites in Alexa Top 1 Million, more than 70% of WordPress installations are vulnerable to hacker attacks.”

This is mainly because, most users do not keep up with updates and use the default settings that are shipped by WordPress. Today I am going to talk about a very “annoying” yet very common problem for all WordPress bloggers: WordPress Comment Spam. And at the end of article, I am going to show you how to prevent it easily.

WordPress Comment Spam and Akismet

If you are a blogger with a decent traffic to your website. You have probably getting a lot of spam comments. And the very first thing you probably did for preventing the spam comments (most likely you did this when you first set up your blog) was installing “Akismet” very famous plugin, downloaded more than 1 million. Akismet is really great plugin, preventing spams and it works great for me (~90% accuracy). However, as a coder, there is something bothering me a lot about Akismet. Because I know, it communicates with  Akismet Web Service every time some one post comments and it creates a lot of unnecessary traffic between my server and that of Akismet. Hence, today I thought if I could develop a method to fix this problem from its root cause. What I mean by that is keeping the spammers away from my website.

Symptoms and Diagnosis of the Problem

The first question I asked was how spammers find my website? The answer is very easy: search engines and most notable one Google!. Yes Google is guilty because spammers find my website by crawling the Google results. The second question was well, how do they find my website?. The answer to this question must be a global/generic one. Because I know I am not the only target, I am a victim of many. So this must be a mass attack. So the next question is easy: how spammers can specifically “search” and “find” the URLs having the comment form?. The answer to this question is tricky and has multiple answers. One of the most obvious one would be searching a generic text that possibly many (if not all) comment system uses. Boom, I have found my answer, so what would be this mysterious “text”?. And my journey began…

I was like… well.. if Google is guilty, maybe I should start from there…

I logged in my Google Analytics account and started my inspection…

Soon after, I found that some of the search queries (users made) looked very weird…

And then I searched those keywords in WordPress Github repository and found that “Your email address will not be published.” exact sentence hooked in comment section of WordPress.

This is it!

That’s how spammers find my website

Luckily WP developers (respect!) are smart enough, they wrapped the defaults messages in a filter so we can easily change without touching the WordPress core. I have just did this adjustment which I am going to show you how in a minute. And as soon as I did it, I decided to publish this article for the community. I will update this as soon as I see my comment spam drops (may be not lol).

Easy Fix Potion

Simply add the following code (snippet) in functions.php of your active theme.

function fix_comment_notes($defaults){
$defaults['comment_notes_before'] = 'E-mail address is required for commenting. However, it won\'t be visible to other users.';
return $defaults;
}
add_filter('comment_form_defaults','fix_comment_notes');

Good job! Let me know if it works for you!