Preventing spam on Wordpress

From ULYSSIS documentation

Restricting comments

By default, WordPress allows anyone to comment freely on any post you make on your website. While this makes sense when you maintain a blog, it makes less sense when you're using WordPress as the basis for your student organization's website or for something with little to no reader interaction. We therefore advise those with a WordPress installation to consider restricting comments by following these instructions:

  • Navigate to the WordPress admin dashboard and login
  • Go to Settings and then Discussion
  • In almost all cases, you will want to disable link notifications, pingbacks and trackbacks, as these are almost exclusively used for spam nowadays
  • Consider disabling comments altogether as well
    • If you wish to enable some form of comments, consider restricting to logged in users, or require your approval. You may in that case also want to automate spam detection (see below).
  • It's possible in WordPress to disable comments as a general setting, but still have it enabled on individual posts or pages. Make sure to delete the default test post and page, as well as to look at the discussion setting on every existing post and page. If you can't find this setting, it may be hidden, but available under the "Screen Options" button at the top of the page.

Detecting spam

As mentioned above, it's better in most cases to simply not allow comments or to restrict them very heavily than having to deal with spam. If you have no other choice, there are some options available to help you out. It's important to keep in mind that both options below rely on external service providers for some aspects of their spam detection.


Akismet is a plugin by the main company behind WordPress, Automattic. The plugin sends every comment that is posted to an Akismet server, which uses pattern matching, URL detection and other techniques to evaluate whether it's spam or not. Because of its focus on WordPress comments, it is very accurate and can also block spam that was composed and posted by an actual human, as opposed to CAPTCHA which aims to block automated posting only. Keep in mind that Akismet is only free for non-commercial purposes.

To use Akismet follow these instructions:

  • Navigate to the Wordpress admin dashboard and login
  • Go to Plugins and select Add New
  • If Akismet Anti-Spam isn't already on the "Featured" page, then search for "akismet"
  • Install and activate the plugin
  • You will then be redirected to a settings page, where you can setup an Akismet account and configure your settings.

Google's reCAPTCHA

CAPTCHA, originally from a complicated acronym, is a term used for different kinds of challenges to prevent automated scripts from trying to comment, register or login on websites. reCAPTCHA is a project owned by Google that is quite successful at designing these challenges. You probably know reCAPTCHA as the "I'm not a robot" checkbox you often have to press. More details are available on

There are several different plugins that make it possible to add reCAPTCHA to WordPress. You can follow these instructions to get started:

  • Navigate to the WordPress admin dashboard and login
  • Go to Plugins and select Add New
  • Search for "recaptcha"
  • Many of the plugins you will get are well-suited for this task. At the time of writing, ULYSSIS has been using "ReCaptcha Integration for WordPress" for a while. There is however no reason why other plugins won't be suitable.
  • Install and activate the plugin of your choice
  • You will then usually be redirected to a settings page, where you will need to enter the keys to use reCAPTCHA. You can register these on
  • Make sure to also check other configuration options, not all plugins will necessarily protect comment forms by default
  • Usually, you can find settings for your different plugins under the settings menu, if you wish to make changes in the future