I first wrote this post in 2020 after battling a relentless wave of comment spam on one of my sites. I tried everything: Akismet, CleanTalk, hCaptcha, blacklist plugins, even removing the URL field from the comment form. Some helped a bit. Most didn’t.
Six years later, the spam problem hasn’t gone away, but the solutions have improved. Here’s what actually works in 2026.
Start with Akismet
Akismet is still the baseline. It comes pre-installed with WordPress and catches the bulk of automated spam. Install it, connect your API key, and let it run.
On its own it won’t catch everything, but it handles the high-volume, low-effort spam bots well. Think of it as your first line of defence.
Add Cloudflare Turnstile
Back in 2020 I reluctantly installed hCaptcha. I hated it then and I still hate CAPTCHAs now. The good news is you no longer need them.
Cloudflare Turnstile is a free, privacy-friendly alternative that verifies visitors without puzzles or image grids. It runs invisibly in most cases. Users don’t have to do anything.
You can add it to your comment forms (and login/registration forms) using a plugin like Simple Cloudflare Turnstile. Set it up once and forget about it. This is the single biggest improvement since I originally wrote this post.
AntiSpam Bee for extra filtering
AntiSpam Bee is a solid free plugin that works alongside Akismet. It checks comments against public spam databases, blocks comments from specific countries, and validates the commenter’s IP and behaviour.
It’s lightweight, GDPR-compliant, and doesn’t require an API key. Worth having as a second layer.
Close comments on older posts
Most spam targets old posts. WordPress has a built-in setting to automatically close comments after a set number of days.
Go to Settings > Discussion and tick “Automatically close comments on posts older than X days.” I use 90 days, but pick whatever makes sense for your site. This alone cuts out a huge chunk of spam because bots tend to target posts that have been indexed for a long time.
Consider turning off comments entirely
Here’s the honest take: most WordPress sites don’t need comments in 2026.
If you’re not actively getting valuable discussion on your posts, turning off comments entirely is the simplest and most effective anti-spam measure there is. No comments means no comment spam. Real conversations have moved to social media, email newsletters, and community platforms.
You can disable comments globally under Settings > Discussion by unticking “Allow people to submit comments on new posts.” For existing posts, you can bulk-edit them to close comments.
I’ve done this on several of my sites and haven’t looked back.
What I no longer recommend
A few things I mentioned in the original 2020 version of this post that I’d skip now:
- hCaptcha or reCAPTCHA – Turnstile is better in every way. No user friction, no accessibility issues, free.
- Comment Blacklist Manager – Manually maintaining blocklists is tedious and doesn’t scale. Akismet + Turnstile handle this automatically.
- Removing the URL field – This never actually stopped spam. Bots don’t care whether the URL field exists or not.
The simple setup
If I were starting fresh today, here’s the stack I’d use:
- Akismet (baseline spam filtering)
- Cloudflare Turnstile (invisible bot protection)
- Close comments after 90 days
That’s it. Three steps, minimal maintenance, and it handles 99% of comment spam. If you’re still getting hit after that, just turn off comments altogether.
Related
Leave a Reply