wordpress: beyond the basics

Comments and Spam

Allowing comments on stories is a great way to continue the discussion, dig up more information from "the public mind," and increase engagement on your site. Most sites will want to enable comments on all regular Posts (stories), but probably disable comments on Pages.

However, every form on the internet is a potential and likely target for spammers, who want to get links to their sites on as many pages as possible, in the false belief that doing so will increase their Google "PageRank." Sites that accept comments but that don't have spam protections in place will soon find themselves inundated with unwanted garbage comments.

Note: Do not let spam comments get onto your site! Spammers watch carefully. If they find that your guard is down, you'll quickly become an even bigger spam target!

There are many ways to fight comment spam, and we recommend a multi-pronged approach. First, take a look at the default Discussion settings in the WordPress Dashboard - this setting in particular:


"Comment author must have a previously approved comment" means that all comments from new readers must be first approved by you, the site administrator. But after you've approved a comment from a reader once, their subsequent comments will go live on the site immediately, without moderation.

This is an excellent starter system for most sites, with one big problem: You could end up having to visually scan hundreds of spam submissions per day to find the legitimate ones. That's not necessary because, as with email spam, most spam has "fingerprints" that can be used to identify it in advance. With a good spam identification system in place, WordPress can prevent you from having to ever look at 90% of incoming spam.

The folks at Automattic, who run wordpress.com, have developed a system called Akismet, which uses public collaboration to identify most spam.


Imagine that Kwan and Shelly run separate blogs on different servers. Kwan receives a comment spam in his moderation queue and marks it as spam. The fingerprint of that comment is sent to the servers at Akismet. Now the same spammer tries to leave the same spam comment on Shelly's blog. Since Shelly has Akismet installed too, her system asks the central server at Akismet if it recognizes the comment. If Akismet responds "Yes, it's spam," the comment will go into Shelly's spam queue, not her moderation queue. As a result, the comment won't be emailed to Shelly for moderation (though she does have 30 days to scan her spam queue for possible false positives before it's permanently deleted).

Because hundreds of thousands of bloggers use Akismet, the system is extremely effective - very little spam is able to slip past the eyeballs of thousands of spam-hating administrators! Take a moment to look at the numbers on Akismet's homepage - as of this writing, Akismet has stopped more than 25 billion spam comments from ever appearing on public web sites.

Because Akismet is so necessary, it's the only plugin that's actually bundled with WordPress. To enable it, sign up for an account and they'll send you a usage key. Go to the Plugins section in your Dashboard, click Activate underneath Akismet, and enter the key when prompted. That's it! You're good to go.

Additional Protection

Once your site grows to a certain size, you may find that Akismet alone still isn't enough. That's OK - you've got more options. One is to install another spam fighting plugin such as WP-SpamFree, which approaches the spam problem through completely different techniques than what Akismet uses.

For point of reference, on one of my sites, Akismet has protected me from more than a million spam comments in the past seven or eight years, and WP-SpamFree has protected me from another quarter million.

Other options include:

  • Accepting comments only from registered users (spam will go way down, but so will legitimate comments)
  • Requiring moderation approval for all comments, even if the user has been approved before
  • Turning off comments on articles older than 14 days (highly effective but not recommended)

Managing Comments

There are lots of ways to manage and moderate comments on a WordPress site.

First, the site administrator will receive an email for each comment that comes into the moderation queue. The site administrator's email address is the one listed on the General Settings page, not the email of the author of the post the comment is on. Each email will include links to quickly Approve the comment or "Mark as Spam."

The Dashboard homepage will also provide a set of quick links to manage recent comments:


Roll your mouse over a comment and you'll see links to Approve, Reply, Edit, Spam, or Trash the current comment.

There's a full Comments manager in the Dashboard (click Comments in the sidebar) that will let you perform all of the same actions, but will also let you search for comments or perform bulk actions on them. This is a great way to delete dozens of comments at a time, should you need to.


There are two items in this interface to take note of. The first, marked "Spam" (#1 at the top) will let you quickly see all of the comments your spam filtering system has marked as spam. You might want to review this periodically to make sure there are no "false positives" getting through. If there are, simply "Approve" them and Akismet will be informed that it made a mistake. In addition, there's a big "Check for Spam" button (#2 above). Clicking this will cause your comments database to be re-run through your current spam filters. This can be useful if you're sitting on a large backlog of current spam and have just installed new filters, and you want to apply those filters to the backlog.

Finally, each Post and Page in the Dashboard will let you see a list of all comments associated with that particular item.