I've struggled with spam comments for years on my personal blog. When I first started blogging in 2006, I'd wake up in the morning with a ton of spam messages that had slipped through traditional spam solutions like Akismet. The useless traffic was killing my site speed, and I had to implement all kinds of complicated solutions to stay relatively free of bots.
That was over 10 years ago, and things have changed. Google got into the game!
These days, Akismet is still around and still enabled by default on WordPress blogs around the world. And it still picks up a lot of stuff. But I don't know of any large site that relies solely on Akismet. Instead, these days we have Google's reCAPTCHA which has slowly been upping its game and is now a pretty comprehensive solution to block spam on WordPress.
Here's how to go about it.
Using Google's Invisible reCAPTCHA
Google's invisible reCAPTCHA was introduced in 2017. It's a small script that stays in the background and collects signals that distinguish a human visitor from a bot. Google doesn't publish exactly what these signals are, but they likely include:
- Mouse movement
- Typing speeds
- Scroll speeds
The captcha uses machine learning to identify patterns of bot behaviour and adapts its scoring as those patterns change, so it isn't a fixed rule a bot author can learn once and sidestep. It's pretty cool!
Step 1: Register a Site for Use with reCAPTCHA
To use this cool new solution, first sign up for a reCAPTCHA account by visiting https://www.google.com/recaptcha/admin. Here, scroll down and fill out the registration form like this:
Give your site a recognizable label and select the second radio button, labeled "Invisible reCAPTCHA". In the "Domains" box below, enter each domain that you want to protect, one per line. Registering a domain also covers its subdomains, so you don't need to list those separately.
Accept the reCAPTCHA terms of service and go to the next page.
Step 2: Saving your Site Key and Secret Key
When you register your site in step 1, Google creates two separate strings of characters:
- Site Key
- Secret Key
The site key is public knowledge: it goes into the HTML of every page that shows the widget, so anyone can read it. The secret key is meant to be...secret! It is only ever used server-side, when your site asks Google to verify a submitted response, so it must never end up in a template, a JavaScript file, or a public repository:
Make a note of these keys. We'll be using them in in the next step.
Step 3: Installing and Configuring the Invisible reCAPTCHA Plugin
You can install the invisible reCAPTCHA code manually and integrate it into your comment form, but it's too much of a hassle for me. I'd much rather use a plugin instead. Here, my choice goes to Invisible reCaptcha for WordPress by Mihai Chelaru.
After installing and activating the plugin, go to the Settings page under Settings -> Invisible reCAPTCHA. Here, enter your site key and secret key as shown here:
Save your changes. Next, select "WordPress" on the left-hand side and enable the checkbox labeled "Enable Comments Form Protection" like this:
Save your changes. Now visit your site anonymously (logged out, or in a private window) and go to any post with a comment form. You should see the reCAPTCHA badge at the bottom of the page:
This means that your site is now protected by the invisible reCAPTCHA. Bots beware!
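For anyone who does want the manual integration the plugin spares you, here is what it looks like end to end. This is an added example written for this post, not the plugin's code or Google's sample; the constant names, the `example_recaptcha_verify` function and the placeholder key values are hypothetical, and it assumes your theme uses WordPress's default comment form (`#commentform` with a `#submit` button) and that `home_url()` is the domain you registered in step 1. The point it demonstrates is the split from step 2: only the site key is sent to the browser, and the secret key appears only in the server-to-Google verification call, which fails closed and checks that the token was solved on your own domain.

```php
<?php
/**
 * Plugin Name: Manual Invisible reCAPTCHA for comments (added example)
 *
 * Added example, not the plugin's code. Save it as a file under
 * wp-content/mu-plugins/ to activate it. Real keys belong in wp-config.php
 * (define the two constants there); the placeholders below are hypothetical.
 */

if ( ! defined( 'EXAMPLE_RECAPTCHA_SITE_KEY' ) ) {
    define( 'EXAMPLE_RECAPTCHA_SITE_KEY', 'your-site-key' );     // public: rendered into the HTML
}
if ( ! defined( 'EXAMPLE_RECAPTCHA_SECRET_KEY' ) ) {
    define( 'EXAMPLE_RECAPTCHA_SECRET_KEY', 'your-secret-key' ); // private: server side only
}

/**
 * Client side: bind the invisible challenge to the default comment submit
 * button. Only the site key ever reaches the browser.
 */
add_action( 'comment_form_after', function () {
    ?>
    <script>
    function exampleRecaptchaOnload() {
        grecaptcha.render( 'submit', {
            'sitekey'  : <?php echo wp_json_encode( EXAMPLE_RECAPTCHA_SITE_KEY ); ?>,
            'size'     : 'invisible',
            // Google fills a hidden g-recaptcha-response field in the form;
            // once a token is there, submit the comment for real.
            'callback' : function () { document.getElementById( 'commentform' ).submit(); }
        } );
    }
    </script>
    <script src="https://www.google.com/recaptcha/api.js?onload=exampleRecaptchaOnload&render=explicit" async defer></script>
    <?php
} );

/**
 * Server side: ask Google to verify the token before WordPress stores the
 * comment. Returns true only for a successful, unexpired, same-site token.
 */
function example_recaptcha_verify( $token, $secret ) {
    if ( ! is_string( $token ) || '' === $token ) {
        return false; // no token at all (JavaScript disabled, or a bot posting directly)
    }
    $response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 5,
        'body'    => array(
            'secret'   => $secret,            // the only place the secret key is used
            'response' => $token,
            'remoteip' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        ),
    ) );
    // Fail closed: if Google is unreachable, reject rather than wave the comment through.
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }
    $result = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $result['success'] ) ) {
        return false; // covers expired, already-used and malformed tokens
    }
    // Pin the token to this site: a token solved on another domain that shares
    // the same key pair is not accepted here. Subdomains are allowed, matching
    // how the registration in step 1 works.
    $expected = strtolower( (string) wp_parse_url( home_url(), PHP_URL_HOST ) );
    $actual   = isset( $result['hostname'] ) ? strtolower( $result['hostname'] ) : '';
    $suffix   = '.' . $expected;
    if ( $actual !== $expected && substr( $actual, -strlen( $suffix ) ) !== $suffix ) {
        return false;
    }
    return true;
}

// wp-comments-post.php fires this before the comment is processed.
add_action( 'pre_comment_on_post', function () {
    $token = isset( $_POST['g-recaptcha-response'] ) ? wp_unslash( $_POST['g-recaptcha-response'] ) : '';
    if ( ! example_recaptcha_verify( $token, EXAMPLE_RECAPTCHA_SECRET_KEY ) ) {
        wp_die( esc_html__( 'Comment rejected: reCAPTCHA verification failed.' ), '', array( 'response' => 403 ) );
    }
} );
```

Two design choices worth noting. The check is on the server hook, not the browser: a bot that posts straight to `wp-comments-post.php` never runs your JavaScript, so the widget alone protects nothing. And the hostname comparison matters because the secret key, not the site key, is what proves the request came from you; the hostname is what proves the token was solved on your site rather than on some other domain that happens to use the same key pair.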
Alternative Solution - Use Disqus Instead
Another option is to just do an end run around the entire process and use a 3rd party comment system like Disqus instead. They'll do all your spam filtering for you. But of course, it has disadvantages like:
- Can't theme Disqus to match your site
- Can't have your own login procedure
- Less of a community, since commenters can't leave a link to their own site in the URL field
- It adds a lot of extra code to your site, even though it can load asynchronously
On the other hand, it can handle an effectively unlimited number of comments, and you'll never have to deal with spam load again: comments are posted to Disqus's servers rather than to your WordPress install, and the page never reloads. You'll have to decide for yourself if the tradeoffs are worth it.