Keeping Website Spam Away in 2021

There are a lot spammers out there whom want to clog up your forms with spam. Contact forms, comment forms, forums, if you have a form on your website, you’ll get spam. They have bots that automatically fill in the forms. We’ve seen it all, advertisements, scams, backlinks, they all have different motives.

You don’t want spam on your website. It could make you miss actual important inquiries sent through your contact form. In the comment section, they fill up the area with advertisements and make it hard for acutal commenters to use. The point is, you don’t want spam on your website, and thus you want to find a way to stop it. Don’t worry, there are plenty of ways to keep spam out, and we’ll be discussing them, along with the pros, cons and how well it works.

Is spam really that big a problem?

Yes, yes it is. Billions of spam messages are sent out daily. It is possible to download a peice of software that’ll send out spam for you, or, if that isn’t your style, you can hire someone to do it for you. In fact, in this test form we created, specifically for spammers, we got quite a few advertisements from compagnies offering to sell spam messages. We also got quite a few scam messages. Scammers impersonating Costco and other major brands. We got 24 spam messages over 2 months on a site that wasn’t even indexed! So hopefully, you’re convinced, if not, well, after a few months you probably will be.

Sometimes, spammers don’t even place advertisements. Sometimes, you’ll just see some generic random comment, like “Great post, I bookmarked it”. This can be a little trickier to pick out, but you’ll probably recognize it. Most likely, they want a backlink. This doesn’t make too much sense, since WordPress, Disqus and pretty much any comment system will automatically put a "nofollow" onto any links they find in the comments section. Sometimes, they’ll be promoting a product or service, and sometimes, they’ll downright be trying to scam you. Whatever it is, you want to try and avoid it best you can, it hurts your reputation, makes you look improfessional and annoys real visitors who want to post a comment of there own.


One of the front lines in the fight against spam, reCAPTCHAs are an easy way to verify whether or not the person trying to fill in a form is human or not. How does it do this? There are a few different options. You can have a checkbox. This present users with a little checkbox. The click it and are presented with a challenge. Usually, you get a grid of grainy images and are asked to select, say, all the boats. If you answer correctly, you get to submit your form, and if not, it doesn’t go through.

reCAPTCHA in action, a great way to stop spam.

While CAPTCHAs are great and all, some people avoid them, just because of the irritation they can cause to your visitors. Those who agree with those people may want to try another version of reCAPTCHA, the reCAPTCHA v3. Instead of interacting directly with your users, reCAPTCHA v3 works in the background. It than detects what’s going on, and whether or not the visitor is human. You can identify a sites using reCAPTCHA v3 by the tiny box with the reCAPTCHA logo fixed in the bottom right of your window. If you hover it, it expadns to say “This site is protected by reCAPTCHA”. You are allowed to remove, although as Google says:

You are allowed to hide the badge as long as you include the reCAPTCHA branding visibly in the user flow. Please include the following text…


Google itself recommends putting the following text right above the “submit” button on your form.

This site is protected by reCAPTCHA and the Google <a href="">Privacy Policy</a> and<a href="">Terms of Service</a> apply.

Should you use reCAPTCHA? Yes, I think you should. While some bots can solve reCAPTCHAs, it’ll stop the grand majority of spam, and only takes a few seconds to complete. And due to it’s universability on the web, I daresay it would be extremely unlikely for a user to get annoyed and leave just because of a CAPTCHA. There are some alternatives, like hCAPTCHA, but I’d say stick with reCAPTCHA for the time being. After all, it’s the most used and the most trusted option online. And the most streamlined to.

Obviously, there is the possibility that the spammers have hired a bunch of people in a third world country to constatly fill out CAPTCHAS to send out spam, but for the most part, the reCAPTCHA is a very solid choice for those who want to stop spam.


Yes, another CAPTCHA, but don’t worry, they’re different. The challenges are mostly the same, and I’ll admit that the design isn’t as good as reCAPTCHA, but hCAPTCHA does have one major factor going for it, it pays you. Yes, that’s right, you’ll get payed to use hCAPTCHA. hCAPTCHA claims that the results from users are used to train third party’s machine number algorithms. Don’t get too excited, you won’t be making millions of dollars, hCAPTCHA claims that they’ll pay roughly $1000 dollars for one million CAPTCHAs completed, but hey, money’s money. As for design, as I’ve said, they’re not as good-looking as reCAPTCHAs, and may take a moment longer for users to fill out. Like reCAPTCHA, they offer both analytics and difficulty settings. We just so happen to be using them on our website, in case you haven’t noticed, and have been pretty happy with it’s performance. It’s free to get started with, but has premium plans avilable, which among other things, allow you to create your own custom challenges. For WordPress users, hCAPTCHA has created an all-in-one plugin which allows you to add hCAPTCHAs to, among other things, the login/registration forms, Contact Form 7, Ninja Forms, WooCommerce, Mailchimp, and so many more forms.


reCAPTCHA was created and preprogrammed by the fine folks at Google, but this one will require some work on your behalf. The honeypot method is a way of tricking spammers into fall into a trap, while humans pass on without a problem. Esentially, you add a hidden input, that you and your visitors can’t see. If it’s filled in, the form won’t go through. Since bots automatically fill in each input, they won’t understand that they aren’t supposed to touch it, so there message will get stuck. But, since humans manually fill in each input, they won’t see it, and thus not fill it in.

<form action="/submit.php" method="post">
  <input type="text" name="name" placeholder="Your Name">
  <input type="text" name="email" placeholder="Email">
  <input type="url" name="url" autocomplete="off" placeholder="Whatever you do, don't fill this in" class="not-the-honeypot">
  <textarea name="message" placeholder="Your message."></textarea>
  <input type="submit" value="Send">

We have a form, some inputs, and the honeypot input ingeniously categorized as not-the-honeypot. If you take a closer look, we’ll notice that autocomplete is switched off, to prevent browser errors. We also put a placeholder in case there’s a problem and the visitor can see it. Automatic bots will gleefuly fill each and everyone of these fields in, thinking that they’ve just earned themselves a shiny new backlink, what they won’t know, is that they just fell into a trap.

Let’s add some CSS. To prevent more intelligent robots from detecting our honeypot and not filling in the URL field, we won’t be using display: none; or similar things. Instead, we’ll use absolute positioning to position our field in a way that it can’t be seen.

  position: absolute;   
  top: -9999px;   
  left: -9999px;

Now, for the magic. We’ll write some PHP that detects whether or not the URL field is filled in. If it is, we’ll cancel the message so that it doesn’t go through. Here’s our “submit.php” page, the one that’ll be sending the data filled into the form.

if(isset($_POST['url']) && $_POST['url'] == ''){      

  // Write the PHP that'll be doing the form submitting and all that stuff.

} else {
      // If the honeypot form is filled in.
      echo "An error occured while submitting the form. Please go back and try again";    

If you have your doubts, we’ve thrown together a little demo, so that you can see exactly how it works, using some basic if-then-else PHP code. WordPress users don’t need to worry either, there are plenty of plugins available to add honeypot inputs to Contact Form 7 and comment sections.


Now here’s an option for WordPress users, Akismet. Akismet is a product by Automattic. Unlike our previous options, Akismet doesn’t present some sort of challenge to your visitors. It instead has a large database of confirmed spam messages. It scans the content of each comment or message sent, compares it to it’s database and decides whether or not to let it pass through.

Now, Akismet isn’t one hundred percent right. There are false positives, when a good comment gets marked as spam, and false negatives, when it lets a bad comment through. But, for the most part, I believe it works pretty well.

You can get Akismet for free, on the WordPress plugin store. But, to actually get Akismet up and running, you’ll need to get yourself an API key. To use Akismet’s free plan, you’ll be expected to not use your site for commercial purposes or advertisements. If you do plan on using your site for commercial purposes, you’ll be expected to cough up around 15 dollars per year, for the personal plan, or 15 dollars a month, if you choose to move up to the plus plan. Once you do get your API key, you can go to Akismet’s settings and add your API key. Now, you can sit back and relax while Akismet blocks comments on it’s own.


How about, instead of allowing anyone to post a comment, you have your comments sent to a database, but not have them be shown. Than, you can manually choose which comments you’ll let through and which ones you won’t. WordPress has the option to do this automatically. Go to Settings → Discussion and than under “Before Comment Appears” tick the “Comment must be manually approved” box. Comments will now not appear immediatly, so to check, go to the “Comments” tab and find the “Pending moderation” section. These are the comments that have been submitted and are waiting to be reviewed and approved.

Now, the main problem with this option is that you have to manually go through and find the real comments. In the event of an avalanche of spam on your website, this operation will be quite tricky. On the bright side, the spam comments appearing on your website should be roughly zero. But, no matter what type of genius you are, it’ll be impossible to instantly approve comments, meaning that those who like instant gratification on the web are out of luck. The delay could be hours, days, weeks. And if you sort of abandon your website, but keep the content online discussion will sreech to a halt.

So, overall, I’d recommend opting for another option, but still going through the comments just in case a spam comment somehow slipped through.

More Moderation

WordPress has some features which allow you to, amongst other things, hold comments with a certain amount of links for moderation, block IP addresses and hold comments with certain words in them for moderation. The max URLs is 2 by default, although you can lower it to 1, or even zero, if you find that spam is a big problem on your website. The last feature is especially useful, since spammers generally use certain words, and advertise certain things. The words on our blocklist won’t be appearing in this article, since they aren’t all family-friendly, but you can find a complete list of things to blocklist on Github. The comment blacklist should be used as a final line of defense, in case a spam messages somehow manages to slip through everything else you’ve piled in it’s way, as you can never be too sure as to what spammers will be advertising.

Require Users To Log In

Most, if not all, of the spam posts on your website are guest posts, so requring users to sign up or log in before being allowed to comment could be an attractive idea. Now, keep in mind that requring to sign up and cough up an email and password can deter some potential commenters, and if you don’t have an SSL certificate installed on your site, just forget about it. But, if you’re a trustworthy publisher, and think that it’s worth it, requring users to have an account could just be the perfect option.

Now, before you can actually get this done, we’ll need to change up a few settings. First, you must allow people to create an account with your site, whicih is essential to this operation but disabled by default.

Go to Settings, than General and find the membership zone. Check the box that says “Anyone can register”. You can also choose what role your users will have, by default, it’s Subscriber, and I’d recommend you leave it like that. Subscribers can access a wp-admin page, but with nothing special. They can’t add plugins, change themes, add posts or do anything, really. Now that it’s possible to register, you have to switch the settings to require users to register before they may comment. Go to Settings, than Discussion and tick the “Users must be registered and logged in to comment” checkbox. Now, if someone goes to your website and goes to comment, they’ll see that the comment form has disappeared, and is replaced with a message informing the user that they’ll need to sign up.

If you previously allowed anyone to comment, the ones that have already been posted will not be removed.

Switch To A Third-Party Commenting System

If you don’t like WordPress’s default commenting system, don’t want to code your own, or simply want to try something new, you can switch to a third-party hosting provider like Disqus or GraphComment. They both require users to register, although GraphComment does enable sending as a guest. But, it’s kind of has a complex structure, so bots will struggle to figure out how to use it. We have a list of the top third-party commenting systems, if you’re interested, but keep in mind that you’ll find the data loads to be limited with GraphComment, and advertisements if you use Disqus.

So, we’re hoping you’ve found what you’ve looked for. Spam can be a problem, and is very annoying. Whatever option you try to use, we hope it works for you. My personal favorite is the honeypot method, since it’s easy to use (as you’ve seen from the source code we showed earlier), doesn’t interfere with the UX and catches most of the spam, although I do use hCAPTCHA as well. If there’s anything we missed, or you have used one of these options and have something to say, we’d be absolutely thrilled to hear from you.

3 thoughts on “Keeping Website Spam Away in 2021”

    • Well, Antispam Bee is a good plugin, although certainly not on the same level as Akismet. If you plan on using Antispam Bee, don’t use as your only method of defense, put some other obstacles in the way, like a honeypot form or a CAPTCHA.


Leave a Comment