WordPress Comment Moderation and Comment Spam

WordPress runs a number of tests on each new comment before posting it to your blog. If a comment fails one of these tests, it is not displayed immediately on the site but is placed in a queue for moderation, the process of manual approval or deletion by the blog’s administrator.

Controlling Moderation

You can control which comments get held for moderation on your Settings Discussion SubPanel page, which is located under Settings ? Discussion.


If you would like every comment to be held for moderation, check the An administrator must approve the comment option, listed under Before a comment appears.

If you would like to send suspicious comments to the moderation queue, while letting innocent comments through, you will need to specify a set of rules for determining which comments are suspicious. These rules are specified in on the Settings ? Discussion > Comment Moderation.

The first option is to hold comments for moderation if they contain an unusually large number of hyperlinks. Most normal comments contain at most one or two links while spam comments often have a large number. Look at your own comments and set this to a value that makes sense for your audience. (Note: In version 1.5.2, and possibly others, if you do not put a number in the comment moderation links box, in other words, if this box is completely blank, all anonymous comments (and possibly others) are sent to the Manage Comments SubPanel for moderation, even if the Discussion Options Subpanel has no restrictions set.)

The second option is to specify a set of moderation keys which, if present in any part of the comment, will cause it to be held for moderation. These keys are specified one per line in the large text area, which is blank by default. Moderation keys can include Spam Words, swear words, IP addresses, and Regular Expressions.

When you add a new moderation key, it’s a good idea to test its validity by checking previous comments. Simply use the link entitled Check past comments against moderation list, which is located underneath the text box containing moderation keys. This asks WordPress to check previous comments and tell you which ones would be flagged for moderation under your new set of keys.

The box marked Comment blacklist works in exactly the same way as the comment moderation box, except that comments that match these words will be deleted immediately and without notification. So be careful! Genuine comments could be deleted without you ever knowing they were there.

What’s Comment Spam

If you’ve been on the internet for any amount of time you’re probably familiar with “spam” in your email inbox. For the uninitiated, spam is an unsolicited commercial message, or something you didn’t ask for trying to sell you something.

So what does this have to do with blogs? Well just like you can get spam messages in your inbox, people will leave spam comments on your blog. However unlike email spam where the target is you, comment spam generally targets search engines.

Comment Spam and Search Engines

Why on earth would a spammer use your blog to target a search engine? Let’s start from the beginning. Several years ago, Google pioneered a search technique called PageRank. Basically, in addition to looking at the content of the page being indexed, Google also takes into account who links to the page and what those links say. This technology meant Google was very good at returning relevant results, making it the most popular search engine today. Because their ranking system relies so heavily on PageRank, people sometimes game the system using a technique called “Google Bombing.”

A google bomb is when a large number of different websites link to a page with the same link text to influence the ranking of that page for a search term.

This brings us back to the spammers. A spammer might have a site that sells “mydrug” and wants to be at the top of search results for “mydrug” on Google. They leave comments on hundreds or thousands of weblogs linking to their site with the link text “mydrug.” They don’t really care if you see their google bomb text—in fact they’d rather you didn’t in case you decide to delete it! They just want the search engine to see it when they index your page.

Fighting Comment Spam

Comment Moderation is very effective in addressing unwanted comments. The best defense against comment spam is just watching your comments. Under Manage ? Comments it shows a listing of the latest comments on any post and you can quickly scan the comment activity on your site. The faster you respond to comment spam on your site, the less likely the spammers will return.

Stealth Spam

Spammers find new and creative ways to be sneaky all the time. You may notice that posters leave comments on your site which look perfectly normal except for the commenter’s name or URL, which likely references a product or a site selling something.

It’s good practice to visit the URLs of people who leave comments on your blog to determine whether the poster is sincere or spammy. If you see one that looks suspicious, you can choose to delete the comment entirely or leave the comment and just delete the URL.

Another way of stealth is to use a div-tag around a bundle of hundreds of links. This becomes more and more common because many software displays directly the given HTML tags and not the HTML code. To avoid this the software must “strip-out”, other word: filter the HTML tags while inserting the comment into the database.


The good news is that WordPress’ built-in tools and history of combatting comment spam mean that most WordPress blogs get very little spam, and when they do it’s easy to address. So you needn’t worry about the spam too much.

About the author: Arthur Sereno