Akismet is an incredible spam preventer for WordPress sites. I’d say it does 95% of the work for us. A few issues though make me want to augment it with other tools:
- Some spam still slips through
- It doesn’t prevent spam that seems easy to block
- There are false-positives, so spam still needs to be checked
#1 is no big deal, we can nuke the slips pretty easily. We even have WordPress comment settings such that all comments need to be manually approved these days, so those that slip through need to be moderated anyway, so never see the light of day.
Here’s an example of #2:
We get enough of that that it’s pretty obnoxious. A few hundred per week. And because of #3, that means sifting through loads of crap to make sure no real comment is lost in the junk.
I used the Pro version of the Anti-spam plugin. That plugin page doesn’t inspire a ton of confidence, but I used it for years and it worked pretty well. Again, it’s weird to run two spam plugins, but Akismet and Anti-spam seemed to work together well. Anti-spam added a bit of extra protection:
The blocking algorithm is based on 2 methods: ‘invisible js-captcha’ and ‘invisible input trap’ (aka honeypot technique).
But unfortunately, I had to disable it. We flipped on Jetpack comments because I liked the idea of having a comment form that allows for social login. The idea of typing in your name and email and all that is so old school that it’s a turn off for a new generation of blog commenters. The fact that Jetpack offers that seems like an easy win. When Anti-spam was enabled, it must send some extra data or something bizarre that freaks out Jetpack, and it makes all comments throw an error when submitted.
With Anti-spam off, now we’re flooded with the “easily blocked” style spam. Not the end of the world, but not ideal.
I wonder if other folks have had this issue and have what they consider a pretty sweet WordPress spam prevention system? Maybe some kind of honeypot technique that somehow doesn’t screw up Jetpack Comments?
One that’s worked well for me in both huge, busy sites and little ones is a postback timeout. If a user tries to post the form (with AJAX) before the timeout finishes, it’ll behave as if it worked, but never post to the server. I’ve found this looks after a lot of bots on the busier sites I worked with.
So, honeypots and timeouts for the win I suppose.
I want to second this, also, I add specially hidden fields to the mix that “appear” to be a part of the form for a bot only, but not for a human. Since bots tend to fill in most or all of a form, if this field is filled in, it get’s an “error” message of sorts.
Between a configurable timeout and the hidden field, no automated bots have posted anything on any sites for years. Manually entered spam will always get through, can’t stop that. :(
Recently integrated google recaptcha for a client in the comment section on her website.
If you have the possibility you can block comments from ‘spam bot countries’ in your firewall settings.
Weirdly, I’ve found that putting sites behind Cloudflare is a very effective filter on most spam, since they blacklist so many malicious addresses. Probably not really an option here considering the partnership with Media Temple, but it’s worked well for me.
Hi Chris,
Thanks for the kind words on Akimset. If you want to get in touch at https://akismet.com/contact/, we’ll be happy to pass on a few tricks that’ll help consistently increase Akismet’s performance on your site(s), and this under your control. None of them are trade secrets, or special favours, but since they revolve around your personal spam handling habits, I figure it’s better suited for a ticket-like thread. You can feel entirely free to report to your readers upon them afterwards. :)
I’d be happy to reach out!
But I think it would be even better to share these personal spam handling habits publicly if possible. Is there a blog post or video or something to watch?
There’s been tons written over the years, but I’m aiming to write something new, and more in line with the times, to do just that. :)
Ultimately, Akismet is a learning/adaptive system, so reporting missed spam and false positives is a very powerful ally in fighting spam on your site, and the substantial portion of the web Akismet protects. In your case, I suspect that running the 2nd plugin is leading to Akismet getting less data for it to learn from. It’s also important to only mark true spam as so. It’s very tempting to flag some commenters as spammers because you want their messages off your site, but if they’re not actual spammers (bots, human mass-marketers, etc), Akismet ultimately figures it out, and can’t take your reports in with as much confidence as it would otherwise.
All in all, there’s a lot that looks obvious to us on our side of the API, but that we could clearly do a better job of communicating to our users, so they can be empowered. Which I’m looking forward to improve on.
Have you considered the WordPress plugin “wp-spamshield-anti-spam” from Red Sand Marketing? It costs a few bucks, though.
As someone who has been fighting spam on WordPress sites for ages, I really like leaning on the Comment Blacklist feature built into WordPress. Andrew Norcross and Grant Hutchinson have made a plugin that adds a massive, openly maintained list of spammy keywords to a site’s Comment Blacklist and then makes sure the list stays up to date.
That, plus Akismet, is normally enough on most of the sites that I’ve worked with.
This is a personal favorite of mine: https://wordpress.org/plugins/antispam-bee/
Cookies for Comments. That’s the plugin I’ve used before switching to Disqus a few years ago. No false positives, still a few slipping comments (a few out of 1000, maybe), and combining it with WordPress’ own “moderate comments with (1) links in it” option worked wonders for me.
Hey Chris. Thank you very much for mentioning Anti-Spam plugin. I am glad that plugin helped you to block spam in comments section.
I was not able to hook into the Jetpack form because it uses iframe and regular WP form hooks does not work there.
Okay, I will update the header image if it does not show a lot of confidence to users :)
I thought 4.8/5 rating and more than 5 years of maintenance and bugfixing was enough to convince users that this plugin is doing its job well. ;)
What about trying a completely different approach. Try Shield Security for anti spam. Most spam is by bots, so that’s what it blocks first and foremost. 100% of bot spam. It can’t be used in conjunction with Akismet or results are unpredictable…
Hey Chris. 95% is actually pretty weak for a spam plugin…no reason to miss that last 5%, when there are better and cheaper alternatives that can handle 100% of spam. WP-SpamShield is what you’re looking for. It beats Akismet hands down, and handles JetPack Comments like a champ.