Spam is a persistent problem for WordPress users. With a large number of bots and spammers targeting WordPress sites, it’s no surprise that many site owners are continually searching for the best way to protect their sites. While there are many plugins available that can help with spam protection, they can also slow down your site and come with potential security risks. In this post, we’ll explore simple but effective ways to protect your WordPress site from spam without the use of plugins.

1. Disable comments globally or selectively

One of the primary sources of spam on WordPress sites comes from the comments section. If you don’t need comments on your site, you can simply disable them globally. To do this, follow these steps:

  1. Log in to your WordPress dashboard.
  2. Go to Settings > Discussion.
  3. Under Default post settings, uncheck the box next to Allow people to submit comments on new posts.
  4. Click Save Changes at the bottom of the page.

If you only want to disable comments on specific posts or pages, you can do so by following these steps:

  1. Go to the Edit page for the post or page where you want to disable comments.
  2. In the right sidebar, find the Discussion panel. If it’s not visible, click the three-dot menu in the top right corner and select Options to enable the Discussion panel.
  3. Uncheck the box next to Allow comments.
  4. Click Update or Publish to save your changes.

2. Implement a honeypot technique

A honeypot is a method used to catch spambots by adding a hidden field to your comment form that only bots can see. When a bot fills out the hidden field, it reveals itself as a spammer, and the comment can be blocked. To implement a honeypot on your WordPress site, add the following code to your theme’s functions.php file:

function add_honeypot_field($fields) {
$fields['honeypot'] = '';
return $fields;
add_filter('comment_form_default_fields', 'add_honeypot_field');

function check_honeypot_field($commentdata) {
if (!empty($_POST['honeypot'])) {
wp_die('Spam detected.');
return $commentdata;

add_filter(‘preprocess_comment’, ‘check_honeypot_field’);

3. Use .htaccess to block spam bots

Another way to protect your WordPress site from spam is to modify your .htaccess file. By adding a few lines of code, you can block known spam bots from accessing your site. Add the following code to your .htaccess file:

Block spam bots
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.(SpamBot|BadBot|FakeBot|AnnoyingBot).$ [NC]
RewriteRule .* - [F,L]

Replace SpamBot|BadBot|FakeBot|AnnoyingBot with the user agents of the specific bots you want to block.

4. Add a custom CAPTCHA

CAPTCHAs can be an effective way to prevent spam by requiring users to complete a simple task before submitting a comment. You can add a custom CAPTCHA to your WordPress site without a plugin by following these steps:

  1. Create a new plugin: First, create a new plugin by creating a new folder in the WordPress plugins directory wp-content/plugins/. Name the folder something descriptive, such as custom-captcha.
  2. Create a new PHP file: Create a new PHP file in the plugin folder and name it something like custom-captcha.php. This file will contain the code for your custom CAPTCHA.
  3. Add the CAPTCHA code: Add the code for your custom CAPTCHA to the custom-captcha.php file. There are many different types of CAPTCHAs you can use, such as image-based, math-based, or question-based. Choose the type of CAPTCHA that is appropriate for your website and add the code accordingly.
  4. Add the CAPTCHA to the comment form: To add the CAPTCHA to the comment form, you will need to modify your theme’s comment form template. Locate the comments.php file in your theme and add the following code where you want the CAPTCHA to appear:
    <?php if (function_exists('custom_captcha_display')) custom_captcha_display(); ?>
  5. Save and activate the plugin: Save the custom-captcha.php file and activate the plugin in the WordPress admin panel.Your custom CAPTCHA should now be working on your WordPress website. Note that this is a basic implementation and can be improved upon with additional features, such as customizable settings or support for multiple languages.

5. How Changes in WordPress 4.4 Broke Antispam Plugins and What You Can Do About It

The reason why antispam plugins stopped working in WordPress 4.4 is due to a change in the way WordPress handles comments. In previous versions of WordPress, comments were loaded on every page, even if the page didn’t have any comments. This allowed antispam plugins to check and filter out spam comments before they were displayed.

However, in WordPress 4.4, a new feature was introduced called “partial loading” which loads only the necessary parts of a page to improve performance. This means that comments are no longer loaded on every page, making it difficult for antispam plugins to filter out spam comments before they are displayed.

To fix this issue, you can try one of the following solutions:

  1. Upgrade your antispam plugin to a newer version that is compatible with WordPress 4.4 and above. Many antispam plugins have been updated to work with the partial loading feature introduced in WordPress 4.4.
  2. Disable partial loading by adding the following code to your functions.php file:
add_filter( 'wp_comment_query', function( $query ) {
    if ( ! is_admin() && ! empty( $query['query_vars']['type'] ) && 'comment' === $query['query_vars']['type'] ) {
        $query['query_vars']['type'] = '';
    return $query;
} );

This will disable partial loading for comments, allowing antispam plugins to filter out spam comments before they are displayed.

  1. Use the built-in Akismet antispam service provided by WordPress. Akismet is a powerful antispam service that comes bundled with WordPress. You will need to sign up for an API key, but once activated, Akismet will automatically filter out spam comments.

It’s important to note that while antispam plugins can help filter out spam comments, they are not 100% effective. It’s always a good idea to monitor your comments and manually approve or reject any that are questionable. By using a combination of antispam plugins and manual moderation, you can keep your WordPress website free from spam.

Was this article helpful?

Leave a Reply

Your email address will not be published. Required fields are marked *

Close Search Window