
Protect your WordPress site from spam

Website contact form and comment spam is more than just a nuisance: it can harm your site’s search exposure. Learn how to protect your WordPress site with some simple techniques and good practice.

Contact form spam

Contact form spam comes from bots that systematically work through millions of websites. When a bot finds a page with a contact form on it, it automatically populates the form fields and submits it. The email goes to the website owner, and usually resembles a cold-call, like “we can help your website do this, that or the other”.

Comment spam

A bit like contact form spam, but because comments end up being publicly visible (against the post), they’re more likely to contain back-links to the spammers’ sites. These will usually be for pharmaceuticals, financial scams or casinos. Google will index these back-links (originating on your site) and your search exposure will take a tumble.

Configure your site

You can protect against a lot of this junk by simply configuring WordPress properly.

If you’ve got comments enabled for your posts, go to your admin dashboard, then Settings > Discussion and make sure “Comment must be manually approved” is checked. This won’t stop the bots from spamming your contact forms, but new comments will need to be approved before they become visible on your site.

[Screenshot: Settings > Discussion with “Comment must be manually approved” checked]
[Screenshot: an example spam comment waiting for approval, or to be flagged as spam]

Contact forms can be a bit more difficult to protect, because each contact form plugin does things slightly differently.

Most contact form plugins will let you install a reCaptcha with your contact form. These do work, but I find they can be a bit too aggressive and you can end up blocking legitimate enquiries. Not good if the contact form is a leads-enquiry tool.

An alternative to reCaptcha is to install an anti-spam plugin like Akismet or Spam Shield. These plugins intercept contact form messages, then run them through an external service via an API. Because these API services see vast numbers of messages every day (legitimate and spammy), they do a good job of detecting (and blocking) spammy messages.

TIP: If you use an anti-spam plugin, don’t just install it and assume it’s working. Go through the plugin’s settings and make sure they look correct for your needs.
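To show what that API round-trip looks like, here is an added example (not code from this post or from any plugin) that runs a contact-form submission through Akismet’s comment-check endpoint in Python. The endpoint, field names and the “discard” header are my reading of Akismet’s public API docs, so treat them as assumptions to check against the current docs; the API key is a placeholder, and the part worth copying is the fail-closed decision: if the service cannot answer, the message is held for review rather than dropped or delivered.

```python
"""Run a contact-form submission through Akismet's comment-check API."""
import urllib.parse
import urllib.request

# Endpoint, field names and the "discard" header follow Akismet's public API
# docs as I read them; treat them as assumptions and check the current docs.
AKISMET_URL = "https://rest.akismet.com/1.1/comment-check"


def build_payload(site_url, api_key, submission, test_mode=False):
    """Map the fields a contact-form plugin has to comment-check parameters."""
    payload = {
        "api_key": api_key,
        "blog": site_url,
        "user_ip": submission["ip"],         # the sender's address, not the server's
        "user_agent": submission.get("user_agent", ""),
        "comment_type": "contact-form",      # tells Akismet this is not a blog comment
        "comment_author": submission.get("name", ""),
        "comment_author_email": submission.get("email", ""),
        "comment_content": submission["message"],
    }
    if test_mode:
        payload["is_test"] = "1"             # keep test queries out of Akismet's training
    return payload


def decide(body, headers):
    """Turn Akismet's reply ("true" = spam, "false" = not spam) into an action.

    Anything else means the call failed (bad key, outage), so the safe failure
    mode is to hold the message for manual review, not to drop or deliver it.
    """
    body = body.strip().lower()
    if body == "true":
        # Blatant spam carries X-akismet-pro-tip: discard; everything else is
        # parked in the spam folder so a false positive can still be rescued.
        if headers.get("X-akismet-pro-tip", "").lower() == "discard":
            return "discard"
        return "spam"
    return "deliver" if body == "false" else "hold"


def check(site_url, api_key, submission, test_mode=False):
    """POST the submission to Akismet and return the action to take."""
    data = urllib.parse.urlencode(
        build_payload(site_url, api_key, submission, test_mode)).encode()
    req = urllib.request.Request(AKISMET_URL, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return decide(resp.read().decode(), resp.headers)
```

To confirm the integration actually works (the tip above), Akismet documents the author value `viagra-test-123` as one that forces a spam verdict, so a submission with that name sent with `test_mode=True` should come back as `"spam"`.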
