25 Top-Rated Plugins for Winning the Fight Against WordPress Spam
There’s been a huge explosion in hacking attempts involving spam in recent months, including everything from exploiting XSS, brute force, XML-RPC, CSRF, and DDoS.
Unfortunately, spam is a fact of life when you have a WordPress website. Since the CMS is so popular, it naturally attracts an increased number of hacking attempts since there are more sites to infect than any other platforms.
If you haven’t set up some kind of spam fighting solution on your site, it’s only a matter of time before you get hacked. Fortunately, there are many quality plugins available, both free and premium, to help you stop spam in its tracks.
So take your pick from the collection below. You might want to use just one or combine them as part of a full-proof spam protection strategy.
Akismet filters through the comments on your blog and marks the suspicious-looking ones as spam. When comments are caught, they are sent to the spam section of the comments page in the WordPress admin.
This plugin is the most popular when it comes to spam comment filtering and is free for personal blogs (it even comes pre-installed on all WordPress site). There’s also a subscription for commercial sites. In both cases, you need to enter an API key in order for it to work.
Anti-splog prevents spam blogs and sites (splogs) from being registered on Multisite networks in case you need to keep registrations enabled. It lets you choose between methods of detecting spam so you don’t have to choose reCAPTCHA if you would prefer a different method. It also protects you in a lot more ways than one.
On top of adjusting the registration form, your sign-up page also changes locations every 24 hours to prevent spammers from finding it, but your regular users won’t notice that anything has changed.
Site signups are also checked via an API with a growing list of offenders so you can squash as many splogs as possible before they can cause problems. Anti-splog also scans your site so if spam happens to slip through the cracks and appears in your network, it can be detected and shut down immediately – even if it’s well-disguised.
The icing on the cake is that not only are bots detected, but manual spam registrations are also caught by Anti-splog. If you have a WPMU DEV membership, then you already have this plugin as part of your security arsenal and you can install it now.
WP-SpamShield checks for spam in your site’s comments, trackbacks, registrations and the most popular kinds of contact forms including Gravity Forms and Contact Form 7. It doesn’t use CAPTCHA to filter through spam so it’s a lot more user-friendly that many other options out there. Instead, it can block spam before it has a chance to make it through to your spam list.
It doesn’t use CAPTCHA to filter through spam so it’s a lot more user-friendly that many other options out there. Instead, it can block spam before it has a chance to make it through to your spam queue.
It works in the background, doesn’t typically slow down your site and works to block both bots and manually submitted spam.
This plugin was designed to delete spam comments for you and on a schedule of your choosing. Instead of having to manually clean out your spam queue on a regular basis, you can install this plugin.
You can set spam to be deleted immediately or in regular intervals from once an hour to once a month. It’s a convenient way to automatically keep up-to-date with part of your site’s regular maintenance.
Instead of relying on visitors to prove they’re genuine users with CAPTCHA, the WordPress Zero Spam plugin makes spam bots jump through hoops so your users can enjoy a better user experience.
Since bots would fill out the extra field in order to pass all the requirements to submit a form, the plugin would be able to tell right away that it’s a spam submission and block it while normal users wouldn’t notice a difference.
WordPress Zero Spam has been confirmed to work with many of the most popular contact form plugins as well, though, at the time this was written, it’s not compatible with Jetpack comments.
SpamPot works similarly to the WordPress Zero Spam plugin above, except it’s designed for the registration and login pages.
A honeypot field is created when this plugin is installed that only bots can read. Since bots are programmed to fill in all fields in order to comply with forms that have required fields, they fill out the hidden field and are immediately blocked.
This means your users won’t be inconvenienced with having to fill out a CAPTCHA field making it easier for them to use your site. Plus, you can install this plugin for free without needing to fiddle with additional settings since it works right away.
NoSpamNX blocks comment spam by creating a field that only bots can see. Once bots fill it out, the comment is not published and can either be blocked completely or moved into the spam queue.
It’s a great alternative if the other plugins don’t work well for your site. The only requirement this plugin needs to work is that your comments.php file loads
Even though one of the benefits is an increase in compatibility, you should still fully test this plugin before adding it to your live site since no plugin can be 100% immune to compatibility issues.
This is another plugin you can try to reduce the amount of comment spam you get. It adds a hidden field to your comment form for bots to fill out. When the bot fills out the honeypot field assuming it’s supposed to in order for the comment to be published, it’s blocked instead.
The Simplest Comment Spam Catcher is, well, simple so it may not be exactly what you need, but it can be a great alternative that works if other options aren’t a good fit.
If you’re searching for a plugin that blocks many forms of spam so you can use fewer plugins on your site, Stop Spammers Spam Protection is a good option to consider. It helps block comment and registration spam while also monitoring your login attempts.
It has a feature that’s not common in other plugins. Users get a second chance to submit a comment or register in cases where the plugin detects spam. This is when CAPTCHA is presented in the secondary form but doesn’t otherwise make an appearance.
FV Antispam is an excellent companion to Akismet. This plugin automatically moves all bot-generated comment spam to the trash so all you’re left with is the few manual comments that could have been false positives that Akismet marked as spam.
With all the obvious spam deleted from your site, it becomes a lot easier to sort through your spam queue for genuine comments, especially when the number of comments you need to get through is dramatically reduced. Plus, it’s easy to use since no configuration is necessary. All you need to do is install it and you’re good to go.
This plugin blocks all bots from the forms on your site. This includes comment and registration spam as well as spam that comes through other forms on your site such as bookings, shopping carts, widgets and other forms.
It doesn’t block manual spam, but since most spam is created with bots, you should still see a large reduction in the amount of spam you receive. CleanTalk also scans your site for pre-existing spam as well.
A firewall is also included which helps prevent your site from DDoS and XML-RPC attacks. This is certainly a good plugin to consider if you need a solution that includes more than one feature to reduce the amount of plugins you use and save on hosting resources.
Instead of deleting all the comments in your spam queue at once, this plugin modifies the Empty Spam button on the Comments > Spam page so comments are deleted in batches. This helps reduce the chance that your site becomes overloaded and goes down, especially if you have thousands of comments to delete.
Be sure to fully test this plugin before using it on a production site since it hasn’t been updated in one year at the time this was written. This plugin was made by a reputable developer and all the tests I ran were successful so you shouldn’t run into problems, but it’s still important to exercise caution before installing the Batch Comment Spam Deletion plugin.
Antispam Bee is one of the most popular options for reducing comment and trackback spam. It also doesn’t use CAPTCHA for a more user-friendly experience.
You can also schedule spam to be deleted as well as view statistics on the spam that was blocked and deleted. It’s a solid plugin that works well and is worth considering.
Simple Comments is a premium plugin that helps protect you from most types of spam-related attacks including brute force, XML-RPC, DDoS, XSS and CSRF attacks. It also helps prevent hijacking scripts and SEO hacking. It also monitors all forms on your site from your login and registration pages to your comments and contact forms.
It also monitors all forms on your site from your login and registration pages to your comments and contact forms. Spam comments created by bots are immediately blocked so you don’t have to worry about cluttering up your database.
It’s a great option, especially if you require a plugin that handles most of the anti-spam features you need.
This plugin blocks bots that try to submit comment, trackback and pingback spam on your site. WP-SpamFree Anti-Spam also includes a contact form to further prevent spam on your site while still letting you offer a method for communication.
Your users also won’t have to fiddle with CAPTCHA or similar methods that require user interaction. It’s a simple plugin to use that you can install to start seeing the benefits right away.
If you would like to protect your site from manually entered spam as well while also increasing your spam protection, you can check out the premium Anti-spam Pro plugin.
Spam Destroyer blocks automated spam from bots that are sent to your default WordPress comment form. It’s a free alternative to Akismet that does work.
Contact form plugins aren’t currently supported, though, are planned for future releases. It’s also an easy plugin to use since all you need to do is install it in order to block spam.
The Bot Block plugin help eliminate referral spam and blocks bots before they’re able to actually get to your site. Not only does this help reduce the spam on your site, but it also keeps spammers from displaying as traffic in your site’s analytics.
It’s specifically designed for Google Analytics and blocks bots based on a database of known offenders that is updated as new spammers are caught.
WPBruiser (formerly GoodBye Captcha) blocks spam bots without the use of CAPTCHA and works for comments, registrations, logins as well as the password recovery form. It also doesn’t require the use of an API or other external services.
Regular users won’t notice a difference and the only difference you should see is the fact that there are few to no comments in your spam queue or spam registrations. WPBruiser also helps secure your site against brute force attacks since it blocks bots before they are able to try logging in.
This plugin checks all the trackbacks you receive and compares them to the IP addresses of known spam in their database. The check also verifies that it’s a legitimate trackback that actually includes a link to your site in the blog post in question.
If you prefer to keep trackbacks enabled on your site, this can be a great plugin to install to help drastically reduce the amount of spam you receive.
This plugin redirects traffic that’s sent to your site by Semalt – a company that’s notorious for sending referral spam – so your site’s analytics can stay accurate and free from spam traffic showing up in your statistics.
This plugin is unique because you can choose where the traffic is redirected to by entering any URL. The trick is figuring out where to direct that traffic. May I suggest sending it straight back to Semalt?
WangGuard protects your site from splogs and spam registration as well as black hat SEO. It also scans and cleans your database of any spam you already have on your site.
Currently, this plugin is free for personal use as long as you site generates less than $200 per month and requires less than 5,000 API queries per month. If you don’t think that’s enough for your site, check out Anti-Splog and Defender.
Stop Spam Comments is a simple, lightweight plugin that blocks spam bots from submitting comments without adding extra steps for genuine users. It’s easy to use because all you have to do is install it. There are no settings you need to worry about configuring or any additional steps.
The Analytics Spam Blocker plugin stops spam bots from reaching your site so the traffic isn’t accounted for in your Google Analytics data. Once installed, you should only see genuine traffic reflected in your analytics.
Most (if not all) of the major sources of spam bots are blocked with this plugin including Semalt, Darodar, buttons-for-website.com and so many more.
The Bad Behavior plugin blocks all incoming traffic from spam bots so they can’t access your site, let alone submit spam. It also scans the program that’s used as well as the delivery method the spammer uses so it can block the maximum amount of spammers possible, even ones that haven’t be placed on lists of known spam bots.
It’s also trusted by many major companies and institutions including SourceForge, GNOME and the U.S. Department of Education.
Any of these plugins should help reduce or eliminate spam on your site. Don’t forget that you can also try using more than one to really give your site a boost in spam protection.
This list is just the tip of the iceberg, though. You can try many more spam fighting plugins that are new to the WordPress Plugin Directory if you’re searching for something more.
There’s also more you can do to protect your site. For more details on how you can help increase the overall security of your site, check out some of our other posts: Give Hackers the Smack-Down with Defender, How to Scan Your WordPress Site and Patch Security Vulnerabilities, A Comprehensive Guide to Editing .htaccess for WordPress Security and How to Tweak wp-config.php to Protect Your WordPress Site.