How to Block Spam Comments and Trackback Spam in WordPress?

Comment spam and referrer spam on websites, blogs and forums have always been a nuisance, if nothing worse. Left unchecked, they take up a lot of time in cleanup and maintenance. The more popular your site, the bigger the threat of spam.

If you have a blog with comments enabled, it is quite likely that you have already seen comment spam. Comment spam is an abuse of web-based forms to post links and advertisements on your page. These are random comments, often with no relation to the content on the page, whose sole purpose is to generate clicks or divert traffic to another website.

Trackback or pingback spam works the same way as comment spam. Many WordPress sites have support for trackbacks enabled by default. Trackbacks are links that are (auto) generated on your webpages to another webpage when that webpage notifies you that it has linked to your content. This is an excellent feature for social networking and content marketing when used as intended. However, it also causes a lot of spam when your blog posts are notified from fake, irrelevant and often nefarious URLs.

Referrer spam again works along the same lines as comment spam. Repeated web requests are made to your webpages with fake referrer URLs, which causes the referrer URLs to be logged in your access logs. These access logs then link back to the spam websites and are crawled and indexed by search engines.
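One way to spot this pattern in your own access logs, as an added example that is not part of the original article: the script below counts external referrer hosts in Apache "combined" log lines and lists the ones that repeat. The log lines, host names and the `min_hits` threshold are constructed for illustration, and the result is a list of candidates for manual review, not a verdict.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "http://spam-site.example/buy" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:00:02 +0000] "GET /about HTTP/1.1" 200 2048 "http://spam-site.example/buy" "Mozilla/5.0"
198.51.100.8 - - [10/Mar/2024:10:00:03 +0000] "GET /post-1 HTTP/1.1" 200 4096 "http://spam-site.example/buy" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:01:00 +0000] "GET /post-1 HTTP/1.1" 200 4096 "https://news.example/story" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:10:02:00 +0000] "GET /post-2 HTTP/1.1" 200 4096 "https://myblog.example/post-1" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:10:03:00 +0000] "GET /feed HTTP/1.1" 200 1024 "-" "FeedReader/1.0"
"""

# ip, identd, user, [time], "request", status, size, "referrer", "user agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "[^"]*"$'
)

def referrer_report(log_text, own_host):
    """Count hits and distinct client IPs per external referrer host."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        host = (urlsplit(m["referrer"]).hostname or "").lower()
        if not host or host == own_host:
            continue  # "-" (no referrer) and internal navigation are ignored
        stats[host]["hits"] += 1
        stats[host]["ips"].add(m["ip"])
    return stats

def suspicious_referrers(log_text, own_host, min_hits=3):
    """Return (host, hits, distinct_ips) for hosts seen at least min_hits times."""
    stats = referrer_report(log_text, own_host)
    flagged = [(host, s["hits"], len(s["ips"]))
               for host, s in stats.items() if s["hits"] >= min_hits]
    # Most frequent first; ties are broken by host name for stable output.
    return sorted(flagged, key=lambda row: (-row[1], row[0]))

if __name__ == "__main__":
    for host, hits, ips in suspicious_referrers(SAMPLE_LOG, "myblog.example"):
        print(f"{host}: {hits} hits from {ips} client IPs")
```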

Who Posts This Spam?

There are mostly two types of spammers: human and automated.

Automated spamming is done by software programs that crawl the internet looking for web pages that have web forms or an API to post comments. Once they find something they recognize, they automatically post pre-written generic comments with random names. It goes without saying that these are usually ads with links back to some shady websites. Oddly enough, they work the same way as search engine bots and crawlers, except for the last part where they post spam comments. They are also known as spam bots.

A more recent trend has been to hire low-wage workers whose sole job is to troll websites and post comments with link backs. This has the added advantage that, being actual humans, they can work around various automated spam filters. They are usually located in countries where labor is cheap and plentiful, and this type of spam is usually harder to block.

Why Spam at all?

So, why would someone want to spam at all when the apparent rate of success is so low?

Most well-maintained websites and blogs have some kind of spam filter. Those sites are also moderated regularly, and spam comments are removed on a regular basis. On top of that, Google will penalize you if it suspects that your website is spammy. Given all that, why would anybody want to spend time and money on spam?

The answer is complex. The simple answer is: it is easy and still works to an extent. Many blogs are not very actively maintained, which means some links will get through and stay up for days or months before they get removed. The devil is in the numbers: it is easy to propagate spam in very large numbers and in a small amount of time, especially if it is automated. Even if only a small percentage is successful, it is still a large number of links in absolute count. It might bring in only low-quality traffic worth pennies, but it adds up if you are a “successful spammer”.

Let us look at various ways you can block spam in your blog or website.

How to Block Spam?

Disable Comments and Trackbacks

If you are on a CMS such as WordPress or Drupal, then you should be able to disable commenting altogether on your pages and posts. Even though this is probably far from optimal, it is certainly an option. You need a comment section only on pages where you want to foster active discussion.

I understand that this is not a viable option in most cases, which brings us to the next option.

Moderate Comments and Trackbacks

You can moderate the comments and trackbacks actively, that is, if you have the time to do it. You basically have three different options here:

1) Set a strict moderation rule so that all comments need to be moderated before being published. This will require you to moderate actively at all times of the day so that comments appear within a reasonable time frame. If you have a very active user base, then it might not be a very good idea.

2) Specify some reasonable rules for moderation. For example, comments that contain hyperlinks or come from a new user must be moderated before they are published. This can drastically cut down on the comments you will need to actively moderate.

3) Allow all comments to be published, but routinely go through the comments and delete spam as needed. Depending on how often you can spare the time and effort to do it, it could work.

These options may not always be workable depending on the user base and traffic on your blog. That leads us to other options that can actively detect and block spam…

Blocking by IP address

Most spam comments come from known IP addresses. There has been an effort to identify and list these known spam IP addresses and block them. You can search for and download IP address lists of known spammers and choose to block them individually.

You can use the .htaccess file (if you are using the Apache web server) in the root folder of your blog. The following snippet shows how to block access from these IP addresses.

<Limit GET POST>
order allow,deny
allow from all
deny from 176.104.168.2
deny from 194.158.204.250
</Limit>

Unfortunately, this is still not a good solution. Your address list could grow into the thousands over time and become quite unmaintainable. It eventually ends up being a game of whack-a-mole. Spammers routinely change their IP addresses, and hacked computers are used for spamming as well. That could result in you blocking some “innocent” IP addresses that belong to hacked machines.

If you are on WordPress, then you have several good plugins that allow you to block and actively manage spam comments. Some of these plugins add spam-blocking functionality to the default WordPress commenting system. Others are entire commenting systems or services of their own and are meant to replace the default commenting system.
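One way to keep such a list from growing without bound, as an added example that is not part of the original article: the script below drops entries that have not been seen recently, merges adjacent addresses into CIDR ranges, and renders the same .htaccess block. The input format, the 90-day expiry and the sample entries (documentation-range addresses) are assumptions made for illustration; the output uses the article's Apache 2.2-style directives, which Apache 2.4 accepts only with mod_access_compat loaded.

```python
import ipaddress
from datetime import date, timedelta

# Constructed sample list, one "<address> <date last seen spamming>" per line.
# The addresses are from documentation ranges, not real spam sources.
SAMPLE_LIST = """\
# ip last_seen
192.0.2.10 2024-03-01
203.0.113.77 2023-06-15
198.51.100.4 2024-03-05
198.51.100.5 2024-03-06
198.51.100.5 2024-03-07
not-an-ip 2024-03-07
"""

def active_networks(list_text, today, max_age_days=90):
    """Return collapsed networks for entries seen within max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    fresh = set()
    for raw in list_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        try:
            addr_text, seen_text = line.split()
            addr = ipaddress.ip_address(addr_text)
            seen = date.fromisoformat(seen_text)
        except ValueError:
            continue  # malformed entry: never write it into the config
        if seen >= cutoff:
            fresh.add(addr)  # stale entries expire instead of piling up
    # collapse_addresses() rejects mixed IP versions, so handle them separately.
    v4 = ipaddress.collapse_addresses(a for a in fresh if a.version == 4)
    v6 = ipaddress.collapse_addresses(a for a in fresh if a.version == 6)
    return list(v4) + list(v6)

def render_htaccess(networks):
    """Render the deny list in the same <Limit> block the article uses."""
    lines = ["<Limit GET POST>", "order allow,deny", "allow from all"]
    for net in networks:
        # A single host is written as a bare address, a range as CIDR.
        target = str(net.network_address) if net.num_addresses == 1 else str(net)
        lines.append(f"deny from {target}")
    lines.append("</Limit>")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_htaccess(active_networks(SAMPLE_LIST, date(2024, 3, 10))))
```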

Plugins

There are hundreds of WordPress plugins that you can try out for free as well. A search on WordPress will show you several; try them out first before applying them to your site. Akismet is probably the most popular and widely used comment spam filter in WordPress. It is a paid service but probably well worth the cost if you get plenty of spam.

As I mentioned, there are several different commenting services that aim to replace the default WordPress system. They usually have many other desirable features in addition to some powerful spam filters. The two popular ones are Disqus and CommentLuv.

Even a very simple captcha or any kind of authentication can reduce spam severalfold. They are currently considered outdated technology and are not considered very user friendly. It is not very hard to break or hack these simple solutions, but it is usually not worth the spammers' time to do so, as they will find easier fish elsewhere. Still, it can be a viable option for you depending on your requirements.