Comment spam is one of the most persistent WordPress nuisances. Left unchecked, it wastes moderation time, bloats your database, and can result in your site hosting links to malicious or spam domains that damage your SEO. Several effective approaches exist, from built-in WordPress settings to dedicated plugins and complete comment disabling. The right approach depends on how much value your comments section actually provides.
Spam comments that make it through moderation and publish on your site create outbound links to spam or malicious domains. Search engines crawl and follow those links, which can associate your domain with spam content and damage your rankings. If the linked domains are on Google's Safe Browsing list, your site can be flagged as hosting harmful content. Some spam comment payloads also include JavaScript intended to execute in moderators' browsers when viewed in wp-admin.
Comment spam also fills your database with junk. Thousands of spam comments in the wp_comments table slow down database queries, increase backup sizes, and make the wp-admin comments screen slow to load. Regular cleanup is part of basic site maintenance.
Go to Settings > Discussion. The most impactful settings:
Akismet ships with WordPress and is free for personal and non-commercial sites (commercial sites require a paid subscription starting at around $10/month). It filters incoming comments through Automattic's spam database, a network trained on billions of spam comments across millions of WordPress sites.
To configure Akismet: go to Plugins > Akismet Anti-Spam > Set up your Akismet account. Get a free API key from akismet.com and enter it. Once active, Akismet intercepts every comment submission, scores it, and automatically marks clear spam as spam without requiring manual intervention.
Akismet catches the vast majority of spam for most sites. Check the Akismet Stats page periodically to see how many comments it's blocking; this gives you a realistic picture of the spam volume your site faces. If Akismet is blocking thousands of comments per month, that's a reason to consider additional measures.
Antispam Bee is a free plugin with a strong approach: it adds an invisible honeypot field to comment forms. Bots that automatically fill all form fields will fill in the hidden honeypot field, which humans never see or interact with. Antispam Bee uses this and other signals to identify and reject bot submissions without any CAPTCHA friction for real users.
Antispam Bee also checks the commenter's IP against spam databases, validates the HTTP referrer (ensuring the comment was submitted from your site's own form and not via a direct POST), and can check whether a comment was submitted too quickly after the page loaded (bots don't read). These heuristics together catch a large proportion of spam that Akismet misses.
Configure Antispam Bee under Settings > Antispam Bee. Enable "Use honeypot," "Consider the time of comment submission," "Discard spam comments," and "Trust approved commenters." The "Discard spam comments" option skips the spam queue entirely for high-confidence spam, keeping your wp_comments table clean.
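The honeypot and submission-time heuristics described above, reduced to a small functions.php-style sketch. This is an added example, not Antispam Bee's code; the field names `hp_website`, `hp_ts` and `hp_sig`, the 5-second threshold and the demo secret are assumptions.

```php
<?php
// Added illustration, not Antispam Bee's code. Field names hp_website/hp_ts/hp_sig,
// the 5-second threshold and the demo secret are assumptions made for this sketch.
const HP_MIN_SECONDS = 5;
// HMAC the form render time so a client cannot forge an older timestamp.
function hp_sign( int $ts, string $secret ): string {
    return hash_hmac( 'sha256', (string) $ts, $secret );
}
// Returns a rejection reason, or null when the submission passes both checks.
function hp_check( array $post, int $now, string $secret ): ?string {
    // Honeypot: hidden from humans, so any value means an automated fill.
    if ( ( $post['hp_website'] ?? '' ) !== '' ) {
        return 'honeypot-filled';
    }
    $ts  = $post['hp_ts'] ?? '';
    $sig = $post['hp_sig'] ?? '';
    // A direct POST that never rendered the form has no validly signed timestamp.
    if ( ! is_string( $ts ) || ! is_string( $sig ) || ! ctype_digit( $ts )
        || ! hash_equals( hp_sign( (int) $ts, $secret ), $sig ) ) {
        return 'bad-timestamp';
    }
    return ( $now - (int) $ts < HP_MIN_SECONDS ) ? 'too-fast' : null;
}

if ( function_exists( 'add_action' ) ) { // running inside WordPress
    add_action( 'comment_form_after_fields', function () {
        $ts = time();
        printf( '<p style="display:none"><input type="text" name="hp_website" tabindex="-1" autocomplete="off"></p>'
            . '<input type="hidden" name="hp_ts" value="%d"><input type="hidden" name="hp_sig" value="%s">',
            $ts, esc_attr( hp_sign( $ts, wp_salt() ) ) );
    } );
    add_filter( 'preprocess_comment', function ( $commentdata ) {
        // Logged-in users and pingbacks/trackbacks never see these fields, so skip them.
        $type = $commentdata['comment_type'] ?? '';
        if ( is_user_logged_in() || ( $type !== '' && $type !== 'comment' ) ) {
            return $commentdata;
        }
        if ( hp_check( $_POST, time(), wp_salt() ) !== null ) {
            wp_die( 'Comment rejected.', 'Comment rejected', array( 'response' => 403 ) );
        }
        return $commentdata;
    } );
} else { // stand-alone run on constructed submissions
    $t  = 1700000000;
    $ok = array( 'hp_website' => '', 'hp_ts' => (string) $t, 'hp_sig' => hp_sign( $t, 'demo-secret' ) );
    var_dump( hp_check( $ok, $t + 30, 'demo-secret' ) ); // human-paced submission
    var_dump( hp_check( $ok, $t + 1, 'demo-secret' ) );  // submitted one second after render
    var_dump( hp_check( array( 'hp_website' => 'http://spam.example' ) + $ok, $t + 30, 'demo-secret' ) );
}
```

A signed timestamp can be replayed for as long as the secret is unchanged; a maximum-age check on `hp_ts` would bound that.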
In Settings > Discussion, check "Users must be registered and logged in to comment." This eliminates anonymous comment spam entirely: bots submitting comments as anonymous visitors can no longer reach the comment endpoint. The tradeoff is that anonymous legitimate comments are also eliminated; visitors must create an account to comment.
This is appropriate for community sites, forums, and membership platforms where a user account is already expected. For general blogs where casual reader comments are valued, requiring registration creates friction that may reduce legitimate engagement significantly. Evaluate whether your comments section's quality justifies the barrier.
Google reCAPTCHA v3 (invisible, score-based) or hCaptcha can be added to WordPress comment forms via plugins. reCAPTCHA v3 scores each submission based on behaviour signals and flags suspicious ones without any user interaction, so there are no "select all traffic lights" challenges. For most sites, a honeypot plus Akismet is less invasive and equally effective. Reserve CAPTCHAs for comment sections that continue to receive high spam volumes even with other measures in place.
Avoid reCAPTCHA v2 (the "I'm not a robot" checkbox version) on comment forms. The friction reduces legitimate comment submissions meaningfully, and the protection it provides over a well-configured honeypot is marginal.
Disable them entirely. Go to Settings > Discussion and uncheck "Allow people to post comments on new articles." For existing posts, go to wp-admin and use bulk actions to close comments on all existing posts, or add this to your theme's functions.php to remove comment support globally:
add_action( 'init', function () {
    // Remove the 'comments' feature from the post and page post types.
    remove_post_type_support( 'post', 'comments' );
    remove_post_type_support( 'page', 'comments' );
} );
Many business sites, portfolio sites, and service-focused blogs don't need comments and derive no value from them. Removing the feature entirely removes the attack surface, the moderation overhead, and the database bloat simultaneously. If you want engagement, redirect the call-to-action to social media, a contact form, or email instead.
If you have a backlog of spam comments already in your database, clean them out via wp-admin > Comments. Filter by "Spam," select all, and use bulk actions to delete permanently. If you have thousands, use WP-CLI to delete all spam comments in one command:
    wp comment delete $(wp comment list --status=spam --format=ids)
Always take a database backup before bulk-deleting database content.
Daily backups on all HostBible plans mean you can periodically clean out comment tables and perform maintenance without risking permanent data loss.