New Anti-Spam Strategy

August 30th, 2011
Spam, WordPress

If you’re a WordPress user, you probably noticed an option at Settings -> Discussion, which states “Before a comment appears, comment author must have a previously approved comment.” This was pretty much the bulk of our anti-spam measures here, and while not a single bit of spam made it through, the sheer volume of pending comments (almost all spam) was driving us nuts. A few days ago, we shifted gears with tremendous results, and I thought you folks might be interested.

We decided to do away with the above setting and rely entirely on Akismet, Cookies for Comments, and the built-in moderation list and blacklist at Settings -> Discussion for any that snuck through. Prior to this change, we had an average of 5 pending comments each hour, and an average of 4.8 of those were spam. Now, we don’t have to monitor pending comments, and we only see an average of 2 comments an hour making it through. Of course, an average of 1.5 of these are spam, but that’s still one heck of an improvement, and we should eventually knock that down with the moderation list and blacklist. So far, the advantages outweigh the few that are making it through.

  • As mentioned, we have far fewer posted comments to deal with now than there were pending comments before.
  • Checking each comment as it comes in forces us to accept more comments that really ride the line between legitimate and spam comments. In the past, we would have probably bulk-spammed these when checking the pending comments.
  • Legitimate commenters can see their comments immediately without waiting for us to get to them.

A word of warning about the moderation list and blacklist. They will both block anything that matches the string of letters you enter. So, be mindful of collateral damage when blocking a word. For example, one of the most commonly blocked words is “cialis,” but this will also block “socialist.” The blacklist will automatically mark any matching comment as spam, so use the moderation list for any words that could be used legitimately.
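The collateral-damage check described above can be run before a term goes on either list. This is an added example, not code from the post or from WordPress: it models the matching as the case-insensitive substring test the post describes, and the sample comments, candidate terms and function names are constructed for illustration.

```python
import re

def matches(term, comment):
    """Substring match as the post describes: the letters anywhere in the text."""
    return term.lower() in comment.lower()

def collateral_words(term, comments):
    """Words in known-good comments that contain the term but are not the term."""
    t = term.lower()
    hits = set()
    for comment in comments:
        for word in re.findall(r"[a-z']+", comment.lower()):
            if t in word and word != t:
                hits.add(word)
    return sorted(hits)

def triage(terms, legit_comments):
    """Put a term on the blacklist only if it hits no previously approved comment."""
    plan = {}
    for term in terms:
        hit_count = sum(matches(term, c) for c in legit_comments)
        plan[term] = {
            # The blacklist marks matches as spam outright, so any legitimate
            # hit routes the term to the moderation list instead.
            "list": "moderation" if hit_count else "blacklist",
            "legit_hits": hit_count,
            "collateral": collateral_words(term, legit_comments),
        }
    return plan

# Constructed sample of previously approved comments (not real site data).
LEGIT = [
    "I'm a specialist in theme design and this helped.",
    "The socialist party platform was discussed on another blog.",
    "I run a small shop in Essex and get the same spam.",
    "Thanks for the tips, Akismet works great for me.",
]
CANDIDATES = ["cialis", "casino", "sex"]  # constructed candidate terms

if __name__ == "__main__":
    for term, info in triage(CANDIDATES, LEGIT).items():
        print(f"{term:8} -> {info['list']:10} "
              f"legit_hits={info['legit_hits']} collateral={info['collateral']}")
```

Running it against an export of your own approved comments gives a more realistic picture than a hand-built sample.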

If you find yourself interacting too much with spam on a daily basis, it might be time to consider a new strategy.




  1. Christine Blythe (17 comments.) says:

    I like this! I have been using Akismet and love it, but I had no idea about the others. I must start because I’ve been dealing with upwards of 200 comments a day in the spam queue between my four blogs.

  2. Ipstenu (31 comments.) says:

    This has been my strategy for a long time as well. It’s just less work for me. And other than one (or two) users who consistently get flagged as spam by CfC (it’s their weird browsers), I have no issues.

    I also use Bad Behavior on my site, to keep bots out, and that seems to help a lot.

  3. Brad (1 comments.) says:

    This is perfect! I was going through the queue of comments on my site and it’s just overwhelming sometimes. I always want to let legitimate discussion through but there’s a ton of overhead in that.

    Thanks for the tips!

  4. Otto (215 comments.) says:

    Also install Simple Trackback Validation if you want to cut that 1.5 down to zero.

  5. Joshua Parker (5 comments.) says:

    I was thinking about a new strategy today and happened to come across this. Awesome!

  6. redwall_hp (40 comments.) says:

    I’ve been using Akismet for awhile, as well as the blacklist. I don’t have a lot of words in my blacklist, but I have a bunch of Cyrillic characters. (A lot of spam I used to get was non-English, and it’s an English-language blog…)

    I opted to not use the moderation queue for new users, as a lot of commenters are first-timers who don’t necessarily come back, but I do have it hold comments if they have two links or more in them.

    Also, I disabled trackbacks/pingbacks a year or two ago. This removed a large portion of the spam. It’s becoming less common for blogs to accept pingbacks these days for just that reason. (Besides, you could argue that most people casually browsing a blog don’t really care about them, and see the pingbacks as annoying clutter.)

  7. Rhett Soveran (9 comments.) says:

    I use CloudFlare, Bad Behaviour and Akismet and I haven’t seen a spam comment get through in months. Plus, I also added Disqus commenting. I’d really recommend trying CloudFlare as it’s helpful in a variety of ways.

    • Brad says:

      Has Bad Behavior improved in the last few years? It used to be buggy as hell, denying the majority of comments, legitimate or not.

      • Rhett Soveran (9 comments.) says:

        It’s run fine for me. It’s really just a back-up for CloudFlare because CF is really the first wall as it’s monitoring traffic from the domain level (which gives you such cool stats).

  8. Miroslav Glavic (7 comments.) says:

    I gave up on Akismet. I went to get the API key due to my site being hacked and I decided to redo it all over again. Such a pain in the you know where.

    I am looking for a replacement. I never liked when someone tells me: THIS IS THE ONE YOU NEED TO USE. Why don’t you just give me some reasons why I should use xxaq111 plugin over rg432, r34432 and/or gufdg99 plugins. Give me choice.

  9. Brad (6 comments.) says:

    Another good strategy I have seen work in dealing with auto spam comments (if you are theme savvy) is to change the name of comments.php and/or some of the internal naming schema. I’ve never done it myself as I’m too lazy, but I have friends who have and say it works wonders.

  10. Rev. Voodoo (5 comments.) says:

    I’ve always relied on Akismet. It was good. But still had a fair bit to deal with. A while back (and I believe it was on @Ipstenu’s recommendation) I added in Cookies for Comments. The results were amazing. I won’t run a site without that combination.

    I run bad behaviour on my personal site, I’m not so concerned about the false positives there. But I had to kill it on my VoodooPress site, it was blocking people from registering for bbPress, and a bunch of other issues. No problem right now, my sites aren’t popular enough yet!

  11. Tom Coburn (67 comments.) says:

    No comment spam technique is good enough until moderation of comments on a daily or weekly basis has been eliminated! I don’t have time to sit and go thru comments each day, that takes away time from what I should be doing, blogging! Designing the site layout, and other such things I should be doing with my time! I shouldn’t have to go thru comment spam, I shouldn’t have to read every single comment to make sure if it’s spam or not. Until that is eliminated, no spam tactic is good enough!

    I still say the best spam tactic is to turn off anonymous commenting, and using Facebook and Twitter comments instead! Least if I can get it working that’s what I’d do. 99.99999% of people on the internet already have a Twitter and Facebook account, there’s no reason we should have to reinvent the wheel. Now if they would just implement Facebook and Twitter commenting into the WordPress core, I would be very happy, and comment spam would be a thing of the past. To cover all the bases, they should offer in the WordPress core, Facebook, and Twitter commenting. That would pretty much cover everybody and comment spam would be a thing of the past for all us WordPress bloggers.

  12. Florian (1 comments.) says:

    I’ve struggled a lot with the commenting function in WordPress the last few years. And – of course – with the massive spam I got.
    I set up Akismet – as you mentioned – and used it for a long time. But then, a new law came out here in Germany which forced us to no longer use Akismet (because all data will be sent to the US)…
    Okay.. but that’s not the topic.

    I now use the Growlmap Anti Spam Plugin which you can find in the wordpress plugins directory. Since then I don’t get any spam comments… that is awesome! :-)

    It just adds a little JavaScript which robots cannot see. And that’s it! :-)

  13. Tivar (1 comments.) says:

    First I used reCAPTCHA + moderate all, but now reCAPTCHA + moderate first comment with the same e-mail is enough. To avoid spam from users I already moderated, I just set the number of “allowed” links in comments to 0. Ok, reCAPTCHA is not really user-friendly but… it works :)

  14. Travis Walters (1 comments.) says:

    It is always nice to have strategies that reduce spam. I was just reading about the CAN-SPAM Act of 2003. I think reporting spam has become too easy to do though. It causes good marketers to get easily reported for spam especially when the marketer has a first contact option in the CAN-SPAM Act.

  15. Chris Quinn (2 comments.) says:

    It just seems like I am getting more and more s-pa-m comments lately! I hope this helps, I already have Akismet, but I am adding the cookie plugin now! thanx
