Nikola Petrov

Freelance Web Developer & Software Engineer

How to stop WordPress spam comments - closed red wooden door with "No junk mail" label on it.

One Simple Way of Stopping WordPress Spam Comments Without CAPTCHA

For WordPress blog owners, spam comments are a familiar headache. Generated by automated bots, they can vary widely, from harmless but annoying advertisements to more malicious attempts of stealing users’ passwords, credit cards, or other personal data. In this article, we will explore a simple method for reducing WordPress spam comments by ~ 99%, all without resorting to CAPTCHA or other methods that could degrade the experience of your legitimate blog commenters.

Why Am I Getting Spam Comments On My WordPress Site?

Choosing WordPress for your blog offers many advantages. It’s easy to set up, boasts a massive user community, and has a wealth of free plugins to help you realize your ideas. However, its open-source nature and popularity come with a caveat: It makes your website a spam magnet. Automated bots can easily detect and attack its potential weak spots, such as login forms, poorly written, vulnerable themes and plugins, comment forms.

How Do I Stop Spam Comments On My WordPress Blog?

To prevent WordPress spam comments from going through, we will set up a trap for unwanted bots that go around the web and post automated content. The technique, also known as honeypot, involves injecting a hidden field into the comment forms on your blog posts. While humans can’t see this field, bots will consider it part of the form. As they fill it in, we’ll be able to classify these submissions and automatically reject spam attempts.

Let’s begin!

Step 1: Connect to Your Website’s Codebase

The first step is accessing your website’s files. This can typically be done with an SFTP/FTP client such as WinSCP or FileZilla. Alternatively, many hosting providers offer a user-friendly web-based File Manager that you can use.

Once connected, navigate to your plugins folder. On a standard installation, you’ll usually find this at /wp-content/plugins, inside your public root folder (typically labelled as www or public_html).

Step 2: Create Your Plugin Directory and Main File

Here is where the fun begins. Let’s create a new directory for our plugin. In this tutorial, we will name it /simple-honeypot-protection. Within this directory, we will create our main plugin file, which we’ll call simple-honeypot-protection.php. Inside that file, let’s add the plugin headers, which will tell WordPress all it needs to know about our new plugin:

Plugin Name: Simple Honeypot Protection
Description: A simple anti-spam protection for blog comments, based on the honeypot technique.
Version: 1.0
Author: Your Name
Author URL:

After saving and uploading this file to your server, a new plugin called “Simple Honeypot Protection” will appear in your WordPress dashboard. Feel free to go to your Plugins page and activate it. It won’t do anything just yet, but don’t worry, we will add the necessary functionality in the steps below.

Step 3: Inject the Honeypot Field

Let’s add the following function to the bottom of our newly created PHP file:

function shp_add_honeypot_field( $fields )
	$fields['captcha_challenge_question_human_check'] = '<input type="text" style="display:none" name="captcha_challenge_question_human_check_my_url" />';
	return $fields;
add_filter( 'comment_form_default_fields', 'shp_add_honeypot_field' );

With this piece of code, we are hooking our custom logic to the WordPress comment_form_default_fields filter. We are accessing the array of submission $fields and adding our hidden field to serve as bait.

You can name this field according to your preference. I often use a mix of a few keywords, just in case I’m dealing with a “smarter” bot, developed to identify, target or ignore specific form fields.

Step 4: Use the Honeypot Field to Block Spam Attempts

It’s time for the final piece of the puzzle. We’ll add another function that gets called whenever a new comment is about to be added. The function will check if the form submission includes our hidden field and, if found, will block the spam comment.

function shp_detect_spam( $commentdata )
	if ( ! empty($_POST['captcha_challenge_question_human_check_my_url'] ) ) {
		wp_die( 'Spam detected!' );
	return $commentdata;
add_filter( 'preprocess_comment', 'shp_detect_spam' );

Once again, we are using a WordPress core filter (preprocess_comment), this time to validate the form data and cancel the request if classified as spam.

Voilà! Enjoy reading through your spam-free blog comments!

Does This Method Guarantee 100% Protection?

Unfortunately, no method is completely foolproof. As of the time of writing this article, there isn’t a 100% effective solution for fighting spam attempts. Though some sophisticated bots might be able to bypass this simple gatekeeper, it will still be enough to stop the majority of spam attempts. In my experience, this method is effective 99% of the time. Importantly, it will never give you a false positive. If a real user comments on your articles, their comments will always be published.

That said, if you want to harden your forms even further, combining this approach and other anti-spam methods can significantly reduce the likelihood of spam comments getting through.

Have a comment or question? Please feel free to post it in the comment form below (which is, by the way, also protected by honeypot) or contact me directly.

Photo credit: Closed red wooden door.

Leave a Reply

Your email address will not be published. Required fields are marked *