
HOW TO: Stop (most) Automated Comment Spam


It is easy to stop most WordPress comment spam instantly with one small change to your theme’s functions.php. This is one of my favourite WordPress functions and I use it on all my setups.

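This code snippet works by blocking comments that are submitted offsite or indirectly rather than from the comment box on your webpage: it rejects any comment request for which WordPress finds no referer. Most spammers automate their ‘workload’ and try to exploit the WordPress functions that let you manage comments or add posts via the WordPress APIs. The referer is supplied by the client, so a bot that sends one is not stopped, which is why this blocks most automated spam rather than all of it.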

Just to prove this works … take a look at your spam comments now and mentally calculate your daily average of new spam comments. Then after adding this code to your functions.php file wait for 24 hours … if your spam comments are not down or close to zero you’ve done something wrong.

The role of WordPress Functions.php

Your functions.php file is the place to add snippets of code just like this. It’s found inside your theme folder and the code here runs before your site starts to load. Remember to keep a copy in case you update or replace your theme, because the functions.php file is unique to the active theme.

Stop WordPress Comment Spam

Go to your theme folder, open functions.php and insert this code:

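// Block referer URL exploit for comments
function verify_comment_referer() {
    // wp_get_referer() returns false when no referer is available for the request
    if ( ! wp_get_referer() ) {
        wp_die( __( 'You cannot post comment at this time, may be you need to enable referrers in your browser.' ) );
    }
}
// Run the check whenever WordPress performs its comment flood check
add_action( 'check_comment_flood', 'verify_comment_referer' );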
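
To put numbers on the before-and-after comparison suggested earlier, the following added example (not part of the original post) counts comment submissions per day in a web server access log and splits them by whether a Referer header was sent. It assumes the Apache/nginx "combined" log format; the sample lines, addresses and the names summarize and SAMPLE are constructed for illustration.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format (assumed; adjust if your server logs differently).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# WordPress handles comment form submissions in this file.
COMMENT_ENDPOINT = "/wp-comments-post.php"


def summarize(lines):
    """Return ({day: Counter(with_referer, no_referer)}, unparsed_line_count)."""
    per_day = {}
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # truncated or differently formatted line
            continue
        path = m["path"].split("?", 1)[0]
        if m["method"] != "POST" or path != COMMENT_ENDPOINT:
            continue              # not a comment submission
        # Servers log a missing Referer header as "-" (or an empty string).
        has_referer = m["referer"] not in ("", "-")
        counts = per_day.setdefault(m["day"], Counter())
        counts["with_referer" if has_referer else "no_referer"] += 1
    return per_day, skipped


# Constructed sample log lines (documentation-range IPs, example.com).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:09:01:12 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://example.com/hello-world/" "Mozilla/5.0"',
    '198.51.100.23 - - [01/Jan/2024:09:02:40 +0000] "POST /wp-comments-post.php HTTP/1.0" 302 0 "-" "-"',
    '198.51.100.23 - - [01/Jan/2024:09:02:41 +0000] "POST /wp-comments-post.php HTTP/1.0" 302 0 "-" "-"',
    '192.0.2.50 - - [01/Jan/2024:09:03:00 +0000] "GET /hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [02/Jan/2024:01:10:05 +0000] "POST /wp-comments-post.php HTTP/1.0" 302 0 "" "-"',
    'truncated line',
]

if __name__ == "__main__":
    days, unparsed = summarize(SAMPLE)
    for day, counts in days.items():
        print(day, dict(counts))
    print("unparsed lines:", unparsed)
```

Run it over a day of logs before adding the snippet and again afterwards; the no_referer count is the traffic the referer check is aimed at.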


Do you like this? Did this work for you?


2 Responses to HOW TO: Stop (most) Automated Comment Spam

  1. John April 5, 2013 at 9:05 am #

    Thanks a ton for this snippet. Just implemented it. On average I get around 10 – 15 automated spam comments. I do make use of Akismet and recaptcha but somehow these automated bots seem to get around it. Of course the spam comments are caught by akismet but having to manually delete them is a pain.

    Thanks for sharing. Will report back in a week to see how things go.

    • Damien Saunders April 5, 2013 at 3:27 pm #

      Hi John

      Thanks for giving this a go — you’ll find the same snippet mentioned on CatsWhoCode and other sites — FWIW 🙂

      By the way … I can honestly say it does work, but unless you turn off the XML-RPC remote protocol under Admin > Settings > Discussion then spammers like the infamous lista de email will still get through.

      Let me know if you think the code helps?


