Managing Spam Comments – WordPress

When I started using WordPress for my own self hosted sites I had already signed up for a free blog with which I made my first posts and learned to use this amazing content management software there. You get a key to Akismet when you have a blog at

Akismet is also installed with self hosted WordPress. Akismet manages wordpress spam comments, sorting and moving spam from the comment area and deleting it, if set to. Without Akismet or something similar you can end up with hundreds of pages of spam comments in WordPress which you may have to go through page by page to delete.

You need to enter a key ( a number you are given) to make Akismet work. You can get the key when you sign up for a site. You only need the one key for any other WordPress blogs you might have using the same Akismet key in all. For many years I took Akismet for granted, as a free plugin that was part of WordPress.

Then at the end of last year I saw a message when I updated Akismet that said I may be using Akismet inappropriately.

I can only assume that most people, like myself, hit the agree on their Terms of Agreement clauses without giving it much thought. After all if you say no, it won’t install! Duh.

Like most people, so far as I am cognizant of license restrictions, I follow TOA agreements. Like most people, I don’t make a lot of money blogging and try to keep my costs to a minimum by using open source software.

So after following up on the Akismet message, I realized that as with many free rides, this one had come to an end. Times have changed and spam has increased. Its not that I don’t think Akismet is worth paying for, I do. If I had more money to spare, I’d probably happily pay for a license for convenience sake.

However spam comments from bots are now coming in droves, and WordPress is under attack from hackers. 90% of my email is notification about comments (that turn out to be spam) or about large numbers of failed login attempts sent from the cron job on my server. Two different issues but both need fixing as they are wasting my time and eating up my server space resources.

Spot Spam Comments in WordPress and only approve Genuine Comments

Go to your comment area in WordPress and read the first page. How do you know if a comment is spam?

1. The name and the email are inconsistent
eg The bold Name is Ivan and the email is

2. The name is a keyword phrase. eg buy brand name handbags, often not connected to the website listed. Many bloggers consider it bad form to leave a comment with a keyword phrase as a name. I don’t mind people using anchor text on a relevant site with a genuine comment, but I hate spam links on my website that say one thing and take you somewhere else – like nasty sites or hook sites. Leaving such links intact tarnishes your own websites reputation and just encourages more of the same. So generally speaking, if the name, comment and username are different, these comments are spam. Especially so if the topic of the comment is selling something or has a lot of links.

3. Some spam comments seem complimentary or ask questions. Until you’ve read a lot of these they look quite genuine. But genuine comments are generally about the article the comment was on. So look to the right for the post name, and then see if the comment says anything specific about this post. If not – its almost always spam. Some bots try to trick you by entering the title of the website or post in the comment, but its always a clumsy insertion and should be easy to spot, so this comment too is spam.

If you are like most bloggers you don’t have a lot of genuine commentators. 99% of your comments really are spam. If you want more genuine comments, you need to build a relationship with your readers, and this takes time and work.

Reduce and Remove Spam Comments

Start by deleting more spam in one go. At the top right of the comments page there is a button called Screen options with a drop menu arrow. Click it.

Change the amount of comments on a page in the Comments box to 100 and click apply. (NB do not increase this above 200 or your servers memory may be unable to handle deletion of so many entries at once and the request may fail.) Now instead of having a page of 10 spam comments, you have a page with 100.

Now, at the top left, above where the comments start there is a checkbox, next to Author. Tick it and it auto ticks all the boxes down the page, selecting every comment on the page.

If you really want to check each comment, you can then just untick those 1% of comments you want to keep, or approve them and then keep working from the Pending Sort Listing. If you just want to delete everything, it still first goes to trash, so do the WordPress community a favour and instead mark spam comments as spam. This sends their details to a spam register used to filter spam by anti-spam plugins.

Go through all the comment pages (paging is top right) and continue to approve non spam and mark other comments as spam.

To mark emails as spam, tick the author box ( as described above on each page of 100 comments) then drop the menu arrow under Bulk Actions (top or bottom left). Choose the option Mark as Spam and Apply. The comments are removed from pending to the Spam page.

Empty the Trash and Spam Pages

The empty trash and empty spam commands on these tab pages, delete (or empty) these spam records directly from the database. So even with thousands of spam comments this deletion happens quickly and doesn’t use much memory.

When you have finished marking as spam or approving comments, click on the Spam (Tab Menu listing at the top) to show the page with all the comments marked as Spam have gone. Click on the Empty Spam button. All gone. Do the same for trash if it shows it has emails.

Removing Thousands of Pending or Approved Spam

Removing a few pages of spam comments isn’t too bad, but what if you have thousands?

If you have pages and pages of spam comments in WordPress, there is a plugin you can use called Delete Pending Comments. It will save you a lot of time if you have thousands of built up pending spam comments. You will lose any genuine comments but you have to decide what your time is worth.

Deleting approved comments is harder as there are probably many you prefer to keep. To pick and choose you will have do this manually. To delete thousands of approved comments, please see the following thread for how you to delete comments using PHPMyAdmin on the server.

So now we’ve removed the built up piles of spam, we need to make sure spam doesn’t build up again. We need to use a plugin to make that sort process, separating spam from human comments, automatic so genuine comments are preserved and spam is deleted immediately.

This is something that Akismet can do. This plugin comes installed with WordPress but needs to be activated with a key.

If you want to use Akismet, find its plugin settings and check the box to auto-empty spam perhaps every 7 days or so. Maybe every 30 days if you don’t want to check the website too often but you do want to check for genuine comments.

But if you have what Akismet considers to be a commercial website then you may have to pay to use this plugin. (Thanks Spammers!)

As an alternative you can try several other free plugins, however I now use and can therefore recommend for use, AntiSpam Bee. (see below)

If you have settings that auto approve all comments, its now time to check those settings under Settings>Discussion in the WordPress Left Side Menu. If your spam is so bad you don’t want comments you can just untick the checkbox “Allow people to post comments on new articles” and turn comments off all together.

If you are sick of emails piling up in your inbox advising that you have spam comments, and you don’t want to be notified of every spam comment you can untick the two boxes next to E-mail me whenever – Anyone posts a comment and A comment is held for moderation.

Cool, no more inbox full of useless notifications. Another useful spam tool here is the blacklist at the bottom of the page. In comments, it lists the IP address of the commentator. Copy and save IP addresses (listed next to spam emails) into the blacklist box and it will stop all but proxy enabled spam bots. Although I used to do this, I have now found it too time intensive.

If you had WordPress Settings that said “you must be subscribed to comment”, also check your Users > All Users listing. If you find you have lots of spammy looking emails, maybe you should also delete any the spammy looking users.


If you delete your own entry here, and you are the only administrator, you will be unable to login to your website with your browser. Then you will need to learn how to go to your server and use PHP MyAdmin to enter a new administrator in order to log in.

( I know because I’ve done it once! – oops 🙁 …sigh )

AntiSpam Bee – Alternative to Akismet

Install AntiSpam Bee and activate it.
Yes its in German on the Repository, but it is English inside your WordPress Interface

Use the WordPress Plugin Installer and search for Antispam bee and install it.

Go to its Settings > AntiSpam Bee and check the plugin defaults and adjust them to perform as you wish. Here, like with Akismet, you can check a box to auto delete spam after 30 days if you wish. Personally, on blogs that get few real comments, I uncheck the box right side box to keep spam at all. The plugin then just deletes it all without me even having to look at it.

Now you are spam protected again, and will find it not less hard to stay on top things. Constantly deleting spam comments in wordpress is a time consuming endless pointless task – automate it.

Stump Spam Bots – Limit Login Attempts

While you install antispam bee also download and install Limit Login Attempts

For WordPress security, we enter another realm here, beyond SEO comment bot spammers, to malicious hackers who are using Brute Force bot attacks to log in to WordPress in order to plant data. There are many articles that weigh up the pros and cons of how many security plugins or strategies you need versus the time and inconvenience you’ll spend implementing them.

There are many security plugins available to consider, something for another article. Anyone who has been hacked will say they are worth it, but they can be complex and sometimes it depends on what you are defending. However…

Meanwhile this awesome plugin does one thing really well. When hackers attempt to login using a piece of software, it gives them 5 chances. Each time after that, it delays their next attempt in increasing time periods from 5 minutes to 20 minutes and then to 24 hours. Soon they give up and go away and try a website that doesn’t have this safety measure.

Think of it like a barking dog. It won’t stop a dedicated hacker, but it will deter most hackers who are just testing things, and they will move on to an easier target.

Here are 7 Simple Tips To Make Your WordPress Website More Secure

1. No longer use “admin” as the login name, this is the first attempt bots use to hack your website. The second is variations of your name combined with your domain name as an email address, so use a contact form and don’t display your email on the website in a naked form if its the email you use to login with.

If you already have admin as a user name from a few years ago, create a new user, (under Users) preferably with a two part name, and enable the user as an administrator. Ensure you can use and have saved the new login details for this user by logging out and logging in again, then delete the old admin user record and update any password software you use.

2. Use a strong password with at least 3 different components not just a dictionary word and a number. Pick something along the lines of “I like#3”, this uses capitols, lower case, number, space and symbol.

3. Update WordPress at least every three months. Sooner if notified to.

4. Install an automated Backup plugin and schedule it to make a backup every three months or more. Do a manual backup before you update WordPress, theme or plugins. Do a manual backup after making any post or page changes. If you are hacked, a backup saves you from a lot of headaches.

5. Store a minimum of 4 backups of your site per year off site, set the backup program to email it to you (Do NOT store backups on the server which may potentially hand your wordpress config details to a hacker).

6. Install Limit Login Attempts and just use its defaults, so your server doesn’t continue to get hammered by Brute Force attacks.

7. If possible check on your site every week even if you haven’t changed anything. Take a look at the stats the Limit Login Attempts gives you. Maybe you’ll think it is time to look at more advanced security measures. It is worth asking your host if they have security measures they can implement server side, like mod_security and spam-assassin.

Tagged with:

Filed under: 29 Steps29 Steps-3

Like this post? Tell someone about it! Share the link with social communities like Facebook by clicking on the orange SHARE icon above. look for the envelope icon to email the article to a friend. When you click MORE scroll down the list to PRINT or PDF to save the article for future reading.