Stop WordPress Spam Cover thumbnail hero image Stop WordPress Spam Cover
January 19, 2020

How To Obliterate WordPress Comment Spam Without a Plugin

I started this blog in March 2019 and quickly began getting comments on my blog. I was so excited! The problem was every single comment was from a spambot like the one below.

example spam comment.

To make matters worse, my site was getting 0 traffic and already getting spammed. These spam comments only increase as your site increases in popularity.

Something had to be done. There must be a simple solution to this problem. One that doesn’t involve using an untrustworthy 3rd party commenting system. And one that didn’t require 3rd party plugins that slow down my site.

Fortunately, there’s an easy way to do that with a few lines of code.

Use Spambots Weaknesses Against Them.

Spambots have a pretty glaring weakness; let’s see if you can spot it.

example spam comment for wordpress.

Did you catch that? That’s right, 99% of spambots are spamming you in an attempt to spread their dirty hyperlinks all over the Internet. That’s the only reason they do this madness (although a few stragglers will try to convince you Hillary Clinton is a space alien).

So, all we have to do is filter all of the comments with filthy links in them, and BAM! Problem solved.

Easy enough, let’s knock this out in 3 simple steps.

Step 1: Set a Few Basic WordPress Settings (Very Easy)

This part’s easy. You want to your WordPress settings to hold any comments with links in them for moderation. I also get WordPress to stop emailing me here as well, but that’s up to you.

To do this, go to your WordPress admin page => then go to Settings => then click Discussion on the left-hand menu. Scroll down a bit, and you should see all of the settings I’m describing in a block that looks like this.

wordpress settings hold comments for moderation.

Step 2: Disable Author URL in Your Comments Form

Does having an Author URL displaying in the comments section add anything to your blog? Even if you wanted links in your comments section, do you really give a crap about that person’s URL?

Of course not. Neither does anybody else. Well, except for spambots who almost always put their filthy links into this field. Because of this, we’re going to write a few lines of code that will prevent your site from having the Author URL field.

To do this, you’ll want to place the following line of code in your site’s functions.php file. (This blog post should teach you how to edit your functions.php file if you’re not already familiar.)

add_filter('comment_form_default_fields', 'unset_url_field');
function unset_url_field($fields){
    return $fields;

Once this code is in your blog it will remove the author URL input from your comments section.

Step 3: Don’t Save Comments Containing Disabled URL Field

Unfortunately, the previous step only prevents legitimate users from submitting the Author URL in a comment. Spammers don’t use your comment form. Instead, they send their filth directly to your web-server. Meaning, they send this URL to your web server regardless.

You’ll use this information to crush them.

We now know with 100% certainty that every comment containing an Author URL field is spam. No legitimate users can enter the Author URL into a comment anymore. So back to your functions.php as this beautiful chunk of code will refuse to save any comment containing the author URL. This code should obliterate the spam comments you receive.

function preprocess_comment_remove_url( $commentdata ) {
    // If the user submitted the URL disallow comment..
    if ((!isset($commentdata['comment_author_url']) || trim($commentdata['comment_author_url']) === '')) {
        wp_die('Please do not comment with the author URL.   Thanks!');
    return $commentdata;
add_filter( 'preprocess_comment' , 'preprocess_comment_remove_url' );

Optional Step: Add a Nonce to Your Comments Section

What on earth is a nonce?

A nonce is a random number generated by your server each time you send you a request. It’s used to prevent cross-site scripting attacks. Without one, if you’re logged into WordPress and visited an evil site, that malicious site could theoretically write some Javascript to communicate with your WordPress server. (And your server might do what the malicious JavaScript tells it to do because you’re logged in. )

You may be thinking, “How does a nonce prevent comment spam? Couldn’t a spambot visit your blog post, grab the nonce, and continue spamming away?”

Yep, they absolutely could do that. But, they probably won’t. Spammers don’t take the time out of their day to write spam that will work specifically for your little website. They’re trying to hack WordPress’s solutions; the software used to power nearly half a BILLION blogs. They don’t care enough about your little site’s customized solution to beat it.

Even something as simple as setting up your comments section to use a nonce should eliminate most of the spam comments.

To create a nonce for your comments section, add the following code to your functions.php file and then verify that your comments section still works. If it does, great, you did it! No more spam ever again!

// Create Nonce
function add_nonce_to_comment() {
// Check Nonce 
function check_nonce_field() {
    if (!wp_verify_nonce($_REQUEST['_wpnonce'], 'comment_nonce')) {
        die('Invalid Nonce');
// Add Nonce Check To Comment Form
add_action('pre_comment_on_post', 'check_nonce_field');
// Include Nonce To Comment Form
add_action('comment_form', 'add_nonce_to_comment');

Very Optional Step: Disallow ALL Comments Containing Hyperlinks

I personally wouldn’t implement this step because it’ll prevent your legitimate commenters from adding links. You’ll want to include some more complex UI code in your theme to avoid annoying your users when they do this.

But, maybe you don’t want anybody posting a link to your blog for any reason. Fair enough, let’s stop that from happening automatically.

The code below alters the function you wrote when you disabled author URL’s to check if some common URL formats exist in the comments. If they do, it refuses to save the comment off to the database. Now your readers (and spambots) can no longer post links on your blog.

function preprocess_comment_remove_url( $commentdata ) {
    // If the user submitted the URL disallow comment..
    if ((!isset($commentdata['comment_author_url']) || trim($commentdata['comment_author_url']) === '')) {
        wp_die('Please do not comment with the author URL.   Thanks!');
        $commentdata['comment_content'], $matches);
    if(!empty( $matches ))
        wp_die('Please Do not post URLs in the comments section! ' . $commentdata['comment_content']);

    return $commentdata;
add_filter( 'preprocess_comment' , 'preprocess_comment_remove_url' );

Shaun Poore opened up his WordPress comments and was amazed by how fast he was blasted by spam. The spam comments are 1000:1 (which led to Shaun turning off comments on his blog). Since Shaun's a developer he wrote this guide for cutting down spam without a plugin. But, even with a plugin enough spammers were getting through that Shaun ultimately shut down comments on his blog.