How to Deal With Spam Comments in WordPress

One of the first lessons a new blogger learns is how to deal with spam comments. It’s an unfortunate fact of blogging life that if you allow comments on your posts and/or pages, you’re going to be deluged with spam comments. Typically, the spammers are only interested in getting backlinks to their own sites on which they sell (or hope to sell) some product for which they will receive a commission. In rarer cases, the spammer is deliberately linking to a site which contains malware. More on that in a bit.

The Blog Comment Backlinking Strategy

Leaving comments on blogs has become a hugely popular method of creating backlinks to one’s own site. It’s so popular that there is software that will automate the process. Many would-be Internet marketers buy these scripts and use them to spew comments to any blog that accepts them. The theory is that all those backlinks will increase the linked site’s rankings in search engine results. Google’s recent algorithm changes have considerably reduced the value of these backlinks, but people continue to sell the software to eager buyers looking for a way to make money with little or no effort.

As this software becomes increasingly more sophisticated, it can be a challenge to recognize spam comments from real ones. It’s no wonder that many bloggers new to the arena are taken in by these bogus comments and approve them.

So What Does a Spam Comment Look Like?

The typical spam comment has several distinguishing characteristics. The first is the name used is often something like “Buy Ugg Boots” or “How To Get Rid of a Double Chin”. In short, it contains keywords that people might be searching for in Google. The second giveaway is the website link. This is very often a domain name with keywords such as http://cheapprescriptiondrugs.com. These are obvious examples and very easy to spot.

The body of the comment may also contain one or more links similar to the above. Often, these links are shortened by a link shortening service such as bit.ly or tinyurl.com which makes them less obvious, but none the less suspicious. Some comments contain many links which is another dead giveaway.

Finally, the comment itself will usually be something generic that is designed to flatter or trigger our human tendency to respond to questions or complaints. Phrases like “Awesome post!” or “I’ll be bookmarking this blog!” or “What theme are you using on this blog?” are red flags. After you’ve seen a number of spam comments you’ll start to see the same phrases used over and over making them easier to spot as spam.

Knowing how to recognize spam comments is helpful, but having your blog do it for you is even better. That’s why there are plugins that detect and flag spam so that you don’t have to deal with the vast majority of it.

Akismet To The Rescue

Back in the early days of WordPress, Matt Mullenweg, the author of the original version of WordPress, wrote an anti-spam plugin for WordPress called Akismet. He engineered it to be able to learn what was spam and what wasn’t based on what bloggers designated as spam. In the beginning, of course, a greater burden was put on the author to tell Akismet what was spam and to correct it when it flagged something that wasn’t really spam.

Now, years later, Akismet is able to recognize spam in a very large percentage of cases and rarely gets one wrong. Personally, when I check my spam folder, I’m not real careful about it because Akismet is so good at spotting spam and leaving the good stuff alone that it’s not worth my time to verify it. If the first one or two items in the spam folder are clearly spam, I click the “Empty Spam” button and move on to other things.

No Longer Free

Akismet comes with WordPress as part of the standard package. In order to use it, however, you must obtain an API key which identifies your blog and authenticates Akismet to the WordPress.com servers which store its “intelligence”. You can get an API key for Akismet at http://akismet.com. Akismet API keys used to be free back in the day. When you signed up for a WordPress.com account, you got an Akismet API key as part of the deal. You can still get an Akismet API key free, but a donation is now requested. When you consider the sheer number of WordPress blogs (in the millions!) that have Akismet installed, and then realize that Akismet utilizes a number of huge servers to do its thing, it’s easy to see why it’s no longer given away free. All that computing power is expensive to keep running. It’s well worth supporting for what little it costs.

Alternatives to Akismet

There are alternatives to Akismet and some bloggers use additional plugins alongside Akismet. Some examples are:

• Growmap Anti-Spambot Plugin (G.A.S.P.) – G.A.S.P. is available in the WordPress plugin repository. It does something Akismet does not, which is to require the comment author to provide some proof that they are human and not an automated script. This is accomplished by putting a checkbox under the comment form that you must check to show that you’re a human being. This pretty well eliminates automated comment spam altogether, so it at least makes the human spammers work a bit
• Bad Behavior – also available in the WordPress plugin repository, Bad Behavior is designed to work alongside other anti-spam services. It tries to prevent spam comments before they can be posted by analyzing the delivery method and other key factors
• FV Antispam – this is another that I’ve used on some sites. It is designed to work in conjunction with Akismet to increase its effectiveness. FV Antispam is also available in the WordPress plugin repository

If you search the WordPress plugin repository with the term “antispam” you’ll find many more. The above are ones I’ve used and am familiar with.

Why Spam Comments Are More Than Just Annoying

I mentioned malware earlier. Spam comments can be a problem in that the links they point to can often contain malicious software, or malware. Sometimes this is deliberate, but most often it’s a site that was put up by someone who left it on autopilot and has never updated it. There are tens of thousands of such sites just waiting for a security flaw to be exploited which turns the site into a malware distribution point. Over time, more and more of these sites become infected and any links back to them can cause your site to be flagged as potentially containing malware.

This happened to a client of mine just recently. A site monitoring service which shall remain nameless offered her a special deal some time ago so she signed up. She had a large quantity of comments on her site many of which harkened back to her beginning days as a blogger. The vast majority of those comments were spam. The site monitor found a link in one of those comments that pointed to an infected site. They called her and told her she had a critical situation, that her site contained malware and that they’d be happy to rid her site of said malware. They quoted a price of $400 and told her it would take 5 days to clean up and “harden” the site.

This client happens to be one of my Website Management Program clients so she contacted me. I quickly determined that there was no malware on her site. We have measures in place to prevent malware which work quite well, so I was confident that the site monitor service’s assessment was incorrect. I found the comment with the bad link and deleted it. Problem solved in 5 minutes saving her $400 and nearly a week’s time!

To Comment or Not To Comment?

Some bloggers avoid this issue by turning off comments altogether. While I recommend turning off pingbacks and trackbacks (more on those another time), leaving comments on allows legitimate visitors to get involved with your blog, which is a big factor in search engine rankings, among other positive aspects. Using the right tools can keep the spam to a minimum and let your visitors interact with you making their experience a lot more valuable.

John Sawyer