Common Reasons Why WordPress Websites Get Spam And What To Do About It

Apr 28, 2020

Spam isn’t only a nuisance, as it causes domains/websites to land on email blacklists, uses server resources (disk space in your WordPress database, and bandwidth), skews data that we have for our online businesses, and so on. In addition to that, most of the spam process is entirely automated via coded so-called “spambots.” This means that the spambot automatically scrapes the web to find websites that allow them to submit spam posts, spam emails, and so on. 

Most of these bots aren’t very sophisticated, but it’s enough for them to fill a name and email field and send the submission. There are also quite advanced bots that can fight anti-spam mechanisms such as captcha, so we need to be aware at all times and keep up with the times.

WordPress has some essential anti-spam capability that we can take advantage of. Here are some out-of-box tips on how to improve your security:

Security Tips

Head to Settings > Discussion options and perform the following steps:

  • Attempt to notify any blogs linked to from the post – Disable this option to stop your blog from reporting to other blogs about linkbacks.
  • Allow link notifications from other blogs (pingbacks and trackbacks) on new posts – Disable this option as well. Pingbacks & trackbacks were essential in the old days for SEO but are no longer that relevant, and we recommend not using them as it helps to combat spam.
  • Comment author must fill out name and email – Enable this option.
  • Users must be registered and logged in to comment – Enable this option.
  • Comment must be manually approved – Enable this option to remove spam comments that slip through other measures manually.
  • Comment author must have a previously approved comment – Enable this option.

You can also consider closing comments automatically after a certain amount of days to further cut back on spam by using Automatically close comments on posts older than option.

Additionally, if you often see the same words in spam comments, you can use the Comment Blacklist field to ban those permanently:


Next, let’s activate one of the anti-spam that comes installed with WordPress by default – Akismet (developed by the same company that owns WordPress). Head to Plugins > Installed Plugins, and click the Activate button under the Akismet plugin.

Click the Set up your Akismet account button:

You will be taken to the Akismet’s website, where you need to click the Set up your Akismet account button again.

Note that Akismet is free for personal use, but you’ll need to pay for the license if you want to use it on commercial sites and blogs.

Next, you’ll need to sign up for a free WordPress account. If you have one already, log in with your login details. If you’re unclear how these are connected, you can read more about it here.

Once you’re logged in, click the Get Personal button under Personal plan, move the slider on the right to $0, input your name and surname, and check all the boxes, then click on the Continue with personal subscription button.

On the next screen, click the Automatically save your Akismet API key button, and it will be automatically configured on your website.

Excellent, we’re done!


The last step is to configure CAPTCHA protection on our website. We’re going to use Google’s reCAPTCHA as it’s the most advanced system currently available. Previously, reCAPTCHA required users to perform vision-based tasks to complete the verification, but it was figured out by spammers and also – it annoyed users. A new version of reCAPTCHA is called Invisible reCAPTCHA, and it uses AI to detect the difference between humans and bots.

Head to Plugins > Add New, input Invisible reCaptcha in the search field in the top-right search field, and click the Install now button:

Then, click the Activate button to activate the plugin.

Head to Settings > Invisible reCaptcha and under Settings section input your Site and Secret keys. You can learn more about how to obtain those in this article.

Next, click the WordPress section, and enable all forms of protection:

If you use WooCommerce, UltraCommunity, BuddyPress, or custom contact forms – The Invisible reCaptcha plugin supports those as well, and you can configure protection for those in their own sections.


If you don’t plan to disable comments outright – comment spam is something you should take seriously. Taking care of the security of your website is essential for its performance and health. Removing spam comments and posts helps keep your database clear, improve visitor engagement, and boost your website performance.