Simple but Effective WordPress Spam Protection without Plugins

This screenshot from one of my blogs:

Spam comments by spambots

All this comments have appeared on the blog within only one month! But finally I found a great solution, which completely blocks all comments, left by spambots. Some benefits:

Step 1. Fake textarea in the comment form

At first, you should find out the way, how comment form is inserting to the page. Actually, there are two ways, first – HTML of the form is in the comments.php, the second way – the form is inserted by the comment_form() WordPress function.

If the comment form is in comments.php

All you need to do is to add another textarea input field after default comment textarea like this:

<textarea id="comment" name="comment"></textarea><!-- default textarea (it will be fake for bots) -->
<textarea id="just_another_id" name="just_another_id"></textarea><!-- you should add something like this -->

That’s all.

If the comment form is inserted by the comment_form() function

In this case you should use this action hook:

function add_non_fake_textarea_field( $default ) {
	$commenter = wp_get_current_commenter();
	$default['comment_notes_after'] .= 
	'<p class="comment-form-just_another_id">
	<label for="just_another_id">Comment:</label>
	<textarea id="just_another_id" name="just_another_id" cols="45" rows="8" aria-required="true"></textarea>
	return $default;
add_filter('comment_form_defaults', 'add_non_fake_textarea_field');

Insert this code into your functions.php located in the current theme directory.

Step 2. Hiding fake field via CSS

Open any post with the comment form in it. You will see two textarea fields. So, let’s hide one of them (it must be default textarea, because it will be «fake input» for spambots).

You can hide it any way you want. For example:

   left: auto;

If you are not sure where to insert it – just add this code to your current theme style.css file.

Step 3. Blocking spam comments

Finally, the last step. This code will block any comment with filled default comment textarea. Spambots don’t know about «fake field» so they always fill default textarea with name="comment" or id="comment". And humans never fill it because it is invisible for them. Pretty simple, yes?

Add the following code to the functions.php file.

function block_spam_comments($commentdata) {
	$fake_textarea = trim($_POST['comment']);
	if(!empty($fake_textarea)) wp_die('Error!');
	$comment_content = trim($_POST['just_another_id']);
	$_POST['comment'] = $comment_content;	
	return $commentdata;
add_filter('pre_comment_on_post', 'block_spam_comments');

Why antispam stop working in WordPress 4.4 and how to fix it?

In WP 4.4 wp-comments-post.php that lays in your site directory has been changed, after that hook pre_comment_on_post fires too late and it can not replace fake comment field. There is another decision.

  1. In your site folder create a file, you can name it stopspam.php for example. This is the code for this file:
$fake = trim($_POST['comment']);
$_POST['comment'] = trim($_POST['just_another_id']);
require( dirname(__FILE__) . '/wp-comments-post.php' );
  1. Change form action attribute to this file (stopspam.php). If you are using comment_form(), it will be simpler to do with JavaScript.
  2. Block the default wp-comments-post.php with .htaccess:
<Files wp-comments-post.php>
<limit GET>
satisfy any
order deny,allow
deny from all
require valid-user
Misha Rudrastyh

Misha Rudrastyh

Hey guys and welcome to my website. For more than 10 years I've been doing my best to share with you some superb WordPress guides and tips for free.

Need some developer help? Contact me

Follow me on X