Simple but Effective WordPress Spam Protection without Plugins
This screenshot from one of my blogs:

All this comments have appeared on the blog within only one month! But finally I found a great solution, which completely blocks all comments, left by spambots. Some benefits:
- you don’t need antispam plugins anymore
- no more captcha
- easy to install, just three simple steps
Step 1. Fake textarea in the comment form
At first, you should find out the way, how comment form is inserting to the page. Actually, there are two ways, first – HTML of the form is in the comments.php
, the second way – the form is inserted by the comment_form()
WordPress function.
If the comment form is in comments.php
All you need to do is to add another textarea input field after default comment textarea like this:
<textarea id="comment" name="comment"></textarea><!-- default textarea (it will be fake for bots) -->
<textarea id="just_another_id" name="just_another_id"></textarea><!-- you should add something like this -->
That’s all.
If the comment form is inserted by the comment_form() function
In this case you should use this action hook:
function add_non_fake_textarea_field( $default ) {
$commenter = wp_get_current_commenter();
$default['comment_notes_after'] .=
'<p class="comment-form-just_another_id">
<label for="just_another_id">Comment:</label>
<textarea id="just_another_id" name="just_another_id" cols="45" rows="8" aria-required="true"></textarea>
</p>';
return $default;
}
add_filter('comment_form_defaults', 'add_non_fake_textarea_field');
Insert this code into your functions.php
located in the current theme directory.
Step 2. Hiding fake field via CSS
Open any post with the comment form in it. You will see two textarea fields. So, let’s hide one of them (it must be default textarea, because it will be «fake input» for spambots).
You can hide it any way you want. For example:
#comment{
position:absolute;
left:-9000px;
}
.hello{
left: auto;
}
If you are not sure where to insert it – just add this code to your current theme style.css
file.
Step 3. Blocking spam comments
Finally, the last step. This code will block any comment with filled default comment textarea. Spambots don’t know about «fake field» so they always fill default textarea with name="comment"
or id="comment"
. And humans never fill it because it is invisible for them. Pretty simple, yes?
Add the following code to the functions.php
file.
function block_spam_comments($commentdata) {
$fake_textarea = trim($_POST['comment']);
if(!empty($fake_textarea)) wp_die('Error!');
$comment_content = trim($_POST['just_another_id']);
$_POST['comment'] = $comment_content;
return $commentdata;
}
add_filter('pre_comment_on_post', 'block_spam_comments');
Why antispam stop working in WordPress 4.4 and how to fix it?
In WP 4.4 wp-comments-post.php
that lays in your site directory has been changed, after that hook pre_comment_on_post
fires too late and it can not replace fake comment field. There is another decision.
- In your site folder create a file, you can name it
stopspam.php
for example. This is the code for this file:
<?php
$fake = trim($_POST['comment']);
if(!empty($fake))
exit;
$_POST['comment'] = trim($_POST['just_another_id']);
require( dirname(__FILE__) . '/wp-comments-post.php' );
- Change form action attribute to this file (
stopspam.php
). If you are usingcomment_form()
, it will be simpler to do with JavaScript. - Block the default
wp-comments-post.php
with.htaccess
:
<Files wp-comments-post.php>
<limit GET>
satisfy any
order deny,allow
deny from all
require valid-user
</limit>
</Files>

Misha Rudrastyh
Hey guys and welcome to my website. For more than 10 years I've been doing my best to share with you some superb WordPress guides and tips for free.
Need some developer help? Contact me
nice shared
good!
This is an old post, but does show up in some search results.
Spam bots do not fill out the comment form with their spam. They don’t even access the page with the comment form.
They post directly to the wp-comments-post.php file with CURL or WGET. All that they need is a post ID (easily found with automated processes), and the proper POST values in their CURL/WGET statement.
Doing anything to the comment form, like adding fields or hidden fields or hiding with CSS, will not stop the comment spambot who uses CURL/WGET to directly post via wp-comments-post.php . Other techniques are needed.
Thank you for your comment!
Updated the tutorial!