Dealing with WordPress spam: comments, forms and registrations
How to reduce spam across your WordPress site using comment moderation settings, form protection, anti-spam tools, registration controls and general hardening measures.
Spam is one of the most persistent annoyances of running a WordPress site. Bots and manual spammers target every input they can find, including comment forms, contact forms, registration pages and login screens.
Beyond being a nuisance, spam can cause real problems. Comment spam often contains phishing links or malware URLs that can harm your visitors and damage your site's reputation with search engines. High volumes of bot traffic consume server resources, and fake user registrations clutter your database. Dealing with it early and methodically saves a lot of cleanup later.
The approaches below cover each area where spam typically appears.
Comment spam
WordPress has built-in moderation tools that are worth configuring before reaching for anything else.
Under Settings → Discussion, enable Comment must be manually approved. This stops spam from appearing publicly on your site, though you'll still need to clear it from the moderation queue. Consider closing comments on posts older than a set number of days. Most legitimate discussion happens shortly after publication, while spam targets old posts indefinitely.
Disable trackbacks and pingbacks in the same settings panel. These were designed to notify you when another site links to your content, but in practice they're overwhelmingly used as a spam vector.
Requiring a name and email address for comments adds a small barrier, but won't stop determined bots on its own. For stronger automated filtering, consider an anti-spam plugin that analyses content patterns, known spam signatures and IP reputation. Use one anti-spam tool at a time. Running multiple filters can cause conflicts where legitimate comments get caught or spam slips through both.
Contact form spam
If your site has a contact form, it's almost certainly receiving spam submissions. Most form plugins include a honeypot field option. This adds a hidden field to the form that's invisible to human visitors but gets filled in by bots, letting the form silently reject those submissions.
Honeypot fields catch simple bots, but more sophisticated scripts can bypass them. For stronger protection, add CAPTCHA (such as Cloudflare Turnstile or Google reCAPTCHA) to your forms. Most well-maintained form plugins support these either natively or through add-ons.
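The same honeypot idea applied to WordPress's own comment form, as an added example (not code from the original page or from any form plugin). It assumes the field name hp_website and hooks that exist in core: comment_form_after_fields renders the trap and pre_comment_approved inspects each submission.

```php
<?php
/**
 * Honeypot for the native WordPress comment form. Added example, not code from
 * the original page: the field name "hp_website" is an assumption. Place it in
 * a site-specific plugin or the active theme's functions.php.
 */

// 1. Render the trap. Do not use type="hidden": simple bots skip hidden inputs
//    but fill every text field they find, so hide it with CSS instead and keep
//    it out of the keyboard and screen-reader flow for real visitors.
add_action( 'comment_form_after_fields', function () {
    echo '<p style="position:absolute;left:-9999px;" aria-hidden="true">';
    echo '<label for="hp_website">Leave this field empty</label>';
    echo '<input type="text" name="hp_website" id="hp_website" tabindex="-1" autocomplete="off" value="">';
    echo '</p>';
} );

// 2. Inspect the submission before it is stored. Returning 'spam' from
//    pre_comment_approved sends the comment straight to the Spam folder, so
//    the bot gets a normal-looking response and nothing reaches the public
//    site or the moderation queue.
add_filter( 'pre_comment_approved', function ( $approved, $commentdata ) {
    if ( 'spam' === $approved ) {
        return $approved; // already flagged by another filter; leave it
    }
    if ( ! empty( $_POST['hp_website'] ) ) {
        return 'spam'; // humans never see the field, so a value means a bot
    }
    return $approved;
}, 10, 2 );
```

Logged-in visitors never get the field (comment_form_after_fields only fires for logged-out users), so their comments pass the check unchanged.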
If you notice patterned spam from the same IP addresses (repeated submissions with similar content or timing), blocking those addresses at the server level or through your security settings can help. Reviewing your form submissions periodically helps you identify these patterns early.
Registration and login abuse
If your site allows user registration for membership features, WooCommerce stores or community areas, take extra precautions to prevent fake accounts and brute-force login attempts.
Add CAPTCHA to both registration and login forms. Require email verification before new accounts become active, which filters out throwaway email addresses and automated sign-ups. Look into login rate limiting, which temporarily blocks IP addresses after a set number of failed login attempts.
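A minimal version of the login rate limiting described above, as an added example rather than code from the original page or from any plugin. It uses core hooks (wp_login_failed, authenticate, wp_login) and transients; the limit of 5 failures per 15 minutes and the use of REMOTE_ADDR as the client key are assumptions.

```php
<?php
/**
 * Per-IP login rate limiting with WordPress transients. Added example, not
 * code from the original page. Limits and the client-key choice are assumptions.
 */

const LL_MAX_ATTEMPTS = 5;        // failures allowed inside one window
const LL_WINDOW       = 15 * 60;  // seconds a failure is remembered

// Build the transient key from the client address. REMOTE_ADDR is only
// trustworthy when the web server sets it itself; behind a proxy or CDN,
// configure the server to restore the real address instead of reading
// X-Forwarded-For here, which an attacker can set freely.
function ll_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'll_fail_' . md5( $ip );
}

// Count every failed attempt. Each failure also refreshes the expiry, so a
// client that keeps hammering stays locked out until it stops.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = ll_client_key();
    $count = (int) get_transient( $key );   // false (absent) casts to 0
    set_transient( $key, $count + 1, LL_WINDOW );
} );

// Refuse authentication once the limit is reached. Priority 30 runs after the
// core username/password checks (priority 20); running earlier would let
// those checks replace our WP_Error with a WP_User on a correct password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( ll_client_key() ) >= LL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( ll_client_key() );
} );
```

Transients live in the options table by default, so on a busy site back them with an object cache; for traffic from many addresses, a WAF or host-level limit is the better place to enforce this.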
For WooCommerce stores, requiring account creation at checkout rather than allowing guest orders can help trace and block repeat offenders, though this does add friction for legitimate customers. See our WooCommerce fraud prevention guide for more on balancing security with user experience.
General hardening
Keeping your software updated is one of the simplest and most effective defences. Outdated plugins, themes and WordPress core are frequently exploited to inject spam content or create backdoors for future abuse. Enable auto-updates for security releases where your hosting environment supports it, and test major updates on a staging environment first.
If you don't use XML-RPC (and most modern sites don't), consider disabling it. XML-RPC is an older interface that allows external applications to communicate with WordPress, but bots commonly abuse it for brute-force login attacks and spam injection. You can disable it by adding a rule to your .htaccess file or through your security settings.
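Disabling XML-RPC from PHP instead of .htaccess, as an added example (not code from the original page); useful on hosts that do not read .htaccess, such as nginx. The three filters are core WordPress hooks; the point it adds is that xmlrpc_enabled alone only switches off the authenticated methods.

```php
<?php
/**
 * Turn off XML-RPC from a site-specific plugin or functions.php. Added
 * example, not code from the original page.
 */

// Disables every XML-RPC method that requires a login, which covers the
// password brute-forcing and post-injection calls bots rely on.
add_filter( 'xmlrpc_enabled', '__return_false' );

// xmlrpc_enabled does NOT stop unauthenticated methods. pingback.ping is one
// of them and is exactly what pingback spam uses, so remove it explicitly.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: core adds an X-Pingback header to every
// response, which tells scanners where xmlrpc.php lives.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

Where .htaccess is available, the web-server rule the text mentions is stronger because requests to xmlrpc.php never reach PHP at all; the filters above are the fallback.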
A web application firewall (WAF) adds another layer of protection by filtering malicious traffic before it reaches your server. WAF services analyse incoming requests and block known attack patterns, bot signatures and suspicious IP ranges. Many hosting providers offer basic WAF features, or you can use a dedicated service.
Finally, audit your user accounts periodically. Remove inactive or suspicious accounts, enforce strong password requirements and review user roles to make sure nobody has more access than they need.
Need help dealing with spam?
If spam volume is overwhelming and these measures aren't bringing it under control, my emergency WordPress support service can help with a full configuration audit and cleanup.