Tutorials UPDATED: 30 June 2023

How to Deal With Spam Activity on Your WordPress Website

Tassos Antoniou

10 min read
How to Deal With Spam Activity on Your WordPress Website

Spam… we’ve all had plenty of it. Almost since the invention of email, spam email has filled people’s inboxes with various ‘special offers’, dubious investment opportunities and worse! According to Wikipedia, spam email was estimated to make up a staggering 90% of all email traffic in 2014. It’s likely this number has only increased since then. That’s a lot of spam (or junk) email! Spam email can be sent to your email account directly but a significant bulk of the spam you might receive could be coming through your WordPress website. How is this? Well, usually this is achieved through:

  • Fake account registrations on your website
  • Spam comments in the comments section
  • Spam submissions via contact forms on your website
  • At its worst as a result of your website being hacked

Spam email that comes via WordPress websites typically takes the form of an annoying number of spam comments filling up your inbox every morning. This is frustrating but unlikely to harm your business. Did you know however that in some circumstances your website (or more accurately your website server) could actually be being used to SEND spam emails? This is definitely something you don’t want and a topic we’ll cover in future articles.

Today however let’s take a look at spam submissions that get sent via your WordPress website (normally through things like contact forms).

Symptoms Of Spam Activity

Not sure if you have a spam problem on your website? Watch out for these tell-tale signs:

  • Unreasonably large number of subscribers appear on your subscription lists
  • Google blacklisted your website
  • Website performance issues (such as slow loading)
  • Your website uses an unusually high amount of bandwidth
  • You website is reported for unsolicited spamvertising

Now of course, not all of the issues listed above might be because of spam activity on your site (your website performance for example could be affected by a number of other things) but all of the above might be red flags that make you take a look at your website to ensure it’s not been targeted by spammers in one way or another.

Let’s take a look at some of the practical things you can do to protect your website from spam activity.

Stop Spam Registrations

Do you have a membership website or one that allows people to register? The way you allow people to register for your website can offer spammers the perfect way to access your website and result in you getting a ton of spammy accounts registered to your website. This could ultimately affect the performance of your website among other things.

So, how do you know if your website is being left wide open to spam registrations? It’s fairly simple actually. Head to your login page and take a look to see if you can spot a notification above the login screen that reads ‘ Register For This Site’.

If you do, it means that the registrations are open to anyone. Unfortunately, “anyone” includes spambots. Spambots are software that hunt down websites that allow them to easily register on sites like this in order to create fake users. Fortunately there are some easy ways to stop spambots in their tracks.

Changing the registration settings for new accounts

Changing the registration settings for accounts is an ‘easy win’ way to stop registrations if you don’t want anyone to register on your site. To do this go to Settings > General and then uncheck the checkbox that says ‘Anyone can register’. Click save to apply this setting.

WordPress registration settings

Now when you visit the registration URL you will get this message:  “User registration is currently not allowed.

Of course, a blanket restriction on users registering on your website isn’t practical if you DO want legitimate users to be able to register. Fortunately there are some steps you can take to allow this whilst thwarting the spambots.

Add a verification by email upon registration

An easy way to help verify if a user is human is by sending out ‘user verification’ email upon registration. Until the link that this email contains is clicked, the person registering won’t be able to complete their registration. A great plugin that adds this functionality quickly and easily is User Verification.

user verification plugin

Install and activate this and once that’s done there is nothing else you need to do. Now if someone tries to register, the following message will appear: “Registration complete. Please check your email.” This email contains a link that the user will need to click in order to activate their account.

Create a custom registration form

Another option to help ensure you’re not swamped with spam registrations is to bypass the default WordPress registration system and to use a custom one. One of the most lightweight plugins you can use to achieve this is User Registration

user registration plugin

Install and activate the plugin and then create a registration form. This form can be embedded wherever you wish via a shortcode.

Head to the plugin settings for more options including:

  • Creating a custom registration URL
  • Choose post registration action (i.e. what happens after someone registers)
  • Integrate with a captcha mechanism and many more useful options.

Use a captcha for added security

WPForms is a popular WordPress form plugin that includes the ability to create a User Registration form for your website. As well as providing a pre-build user registration template (which makes setting up the form a breeze) it also allows you to add a Google Captcha (reCAPTCHA) to your form which further minimizes the risk of spam submissions.

To enable this you’ll need to head to the reCAPTCHA settings menu in WPForms and fill in your Google reCAPTCHA site key and secret key.

google reCaptcha

Stop WordPress Comments Spam

The WordPress comments section that appears at the bottom of blog posts is a favorite feature of many. It allows a two way conversation to be had between the blog author and their readers which can lead to lively debate and a health exchange of ideas. Unfortunately though, the comments section is also a prime target for spam bots that can leave hundreds of comments that bear no relation to the article and often include links to malware infested websites.

Try our Award-Winning WordPress Hosting today!

Worse, these comments may be of a highly offensive nature and be posted in such volume that your database may get overloaded. They may even harm your page rankings and lead to your website being blocked by search engines.

Clearly none of this is desirable so let’s take a look at how they can be effectively dealt with.

Moderate Comments

WordPress provides a built-in feature that allows you to approve comments before they get published. You can find this under Settings >Discussion.

Once this box is checked only comments you have reviewed will be displayed. This solution works well if you only get a handful of comments per article but if you have hundreds of comments then manually approving each one can quickly turn into a full time job! So, what other solutions are there?

Disable Comments

If you don’t want comments on any of your blog posts then the simplest solution to avoiding Spam comments is simply to turn them off. To do this go to Settings > Discussion and uncheck this option:

Another option is to disable comments for older posts only.

Just enable it and change the number of days as you see fit. Posts that are older than the number of days you’ve specified will no longer accept comments.

Restrict comment privileges to registered users

Under the same settings you can find an option to allow comments only to registered users:

If none of these options look like they’ll work for your particular website then not to worry. There are several more options available to you. Read on!

Use reCAPTCHA on the comments form

Captchas are widely used to prevent spam submissions to websites and the comments form are no exception. To enable a captcha you’ll need to add a plugin such reCaptcha by BestWebSoft to your website.

After you activate the plugin and enter your Google reCAPTCHA keys you’ll see the familiar ‘I’m not a robot’ checkbox appear under your comment forms.

reCaptcha front view

Use Askimet

Askimet is described as the ‘most trusted solution for spam protection’. It’s a WordPress product and as such you can be confident it works reliably. Askimet monitors all comments that head through your comments (and contact) forms and will filter out any incoming spam automatically.

It’s free for personal site usage (although they perhaps a little cheekily ask you to suggest a price you’re willing to pay!) but if you’re a commercial user (defined as ‘If your site has advertising or affiliate links, sells products or services, solicits donations or sponsorships, or is in any way related to a business, non-profit, or educational organization — your site is considered commercial.’) then you’ll need to purchase a subscription which start at $10/month.

Host your website with Pressidium



Protect Contact Forms from spam

Contact forms are another favorite target for spambots. Fortunately they are one of the easier forms to protect by (yet again!) deploying a captcha. In reality, any contact form that doesn’t have a captcha enabled on it it likely to get hit with spam submissions within days (if not hours) of going live. Because of such a high likelihood of these forms being hit with spam submissions, almost all WordPress forms now include an easy way to add a captcha (normally Google’s reCAPTCHA).

For example the ever popular Contact Form 7 (currently with 5+ million downloads) has a dedicated settings menu that allows you to add a Google reCAPTCHA by simply pasting in your site and secret key.

Contact form 7 recaptcha


Spam email can vary from being an annoyance to something that can threaten your business (either because Google blacklists your site as it contains too many spammy backlinks, or more directly, customers lose trust when they view a website riddled with spam comments). As such it’s vital to take appropriate steps to protect your website from it.

Simple things like adding a captcha can make all the difference and should be done at the outset NOT just when you suddenly have a problem. As a rule of thumb, any form on your website, whether it’s a registration form, comment form or contact form should have some sort of protection put in place to defend against spam submissions.

Start Your 14 Day Free Trial

Try our award winning WordPress Hosting!


See how Pressidium can help you scale
your business with ease.