A really stupid thing to do is brag about how you’ve beaten the spammers at their game. It just encourages them to find a way and you get tons more spam than ever before. Well, here it goes: I have no SPAM on this site.

Although I’m using several tricks I want to share the easiest and most effective technique.

To understand, you need to start with a bit of background. Back in the day spammers would auto-fill the online forms, so CAPTCHA plug-ins became all the rage to slow them down. Unfortunately most plug-ins are grafted onto WordPress and can be bypassed; many are client-side only or can be defeated prior to the submission. So these days a major technique the spammers use is to craft a submission without ever going through the front-end form.

In the typical front end form, WordPress has a simple commenting system. By default it asks for your name and email address, an optional website, and then your comments. Spammers ultimately want you to click on their links to get to their site, and almost all WordPress spam uses that optional “website” field.

So here’s the trick: Comment out the “url” form element in the front end. If you receive any comments with the optional website then it is known spam.

How To:

In your WordPress dashboard, go to “Appearance” and then “Editor”.

  • Click on Comments (comments.php).
  • About midway down, comment out (using <!-- and -->) the <p> that contains the input field with id="url".
  • Optionally, find the <div> with the id “respond”. Add some text saying something like “please don’t include links”.
  • Click the “Update File” button.

In your dashboard go to “Settings” / “Discussion”.

  • In the “Comment Blacklist” section add “http://”.

Congrats, that takes care of 95% of the problem!

I’m working on a technique that just flags as spam if there is a URL field and not if the URL is in the comments only, where those are still subject to moderator approval. I’ll post that when I get around to it (hence this post is tagged with the category “will never get done”).
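One way to get the behaviour described above, as an added example that is not the author's code: a small plugin that marks a comment as spam only when the hidden "url" field arrives filled in, and leaves links in the comment body to normal moderation. It uses WordPress's pre_comment_approved filter and the comment_author_url key of the comment data; the function name ufs_flag_url_field, the plugin name and the sample comments are made up for the example.

```php
<?php
/*
 * Plugin Name: Flag URL-field comments as spam (added example, hypothetical name)
 */

// Callback for WordPress's 'pre_comment_approved' filter.
// $approved is the verdict so far (0 = pending, 1 = approved, 'spam', 'trash'
// or a WP_Error); $commentdata is the submitted comment as an array.
function ufs_flag_url_field( $approved, $commentdata ) {
    // Leave comments that were already rejected (spam, trash, error) alone.
    if ( ! in_array( $approved, array( 0, 1, '0', '1' ), true ) ) {
        return $approved;
    }
    // Pingbacks and trackbacks legitimately carry a URL.
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    if ( 'pingback' === $type || 'trackback' === $type ) {
        return $approved;
    }
    // Logged-in users get the URL from their profile, not from the form.
    if ( ! empty( $commentdata['user_id'] ) ) {
        return $approved;
    }
    // The theme no longer renders the "url" input, so a value here means the
    // POST was crafted without going through the front-end form.
    $url = isset( $commentdata['comment_author_url'] )
        ? trim( (string) $commentdata['comment_author_url'] ) : '';
    return '' !== $url ? 'spam' : $approved;
}

if ( function_exists( 'add_filter' ) ) {
    // Running inside WordPress: register the callback.
    add_filter( 'pre_comment_approved', 'ufs_flag_url_field', 10, 2 );
} else {
    // Stand-alone run (php thisfile.php) over constructed sample comments.
    $samples = array(
        'form visitor, link in body'      => array( 'comment_author_url' => '', 'comment_content' => 'See http://example.com/' ),
        'crafted POST with url field'     => array( 'comment_author_url' => 'http://example.com/', 'comment_content' => 'Nice post' ),
        'logged-in user with profile url' => array( 'user_id' => 7, 'comment_author_url' => 'http://example.org/' ),
    );
    foreach ( $samples as $label => $data ) {
        printf( "%-32s => %s\n", $label, var_export( ufs_flag_url_field( 0, $data ), true ) );
    }
}
```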

UPDATE: In the first 24 hours this post received 8 spam attempts, all were thwarted by this method.