WordPress Security and Comments (3 Mistakes Blog Owners Make)

WordPress security doesn’t stop with just using a strong password, keeping your site up to date, and using a good hosting provider. Your blog comments are part of WordPress security too.

Unwanted comments can cost you readers, ruin your site’s reputation, get your blog attacked by a malicious hacker, or harm your site visitors’ computers (a rogue link can deliver malware).

Here are 3 mistakes I see blog owners make with comments:

1. Approve spam comments

It’s amazing how many blogs out there have approved spam comments. I’m not sure if it’s pure laziness, un-moderated comments, no clue what comment spam looks like, a fondness for promoting Ugg Boots, or simply not caring.

Comment Spam Example 3

If you’re going to have a blog, you need to pay attention to what you’re feeding your readers and search engines! Check for links in comments and replies, look at the author name, check out the comment author’s website, check the IP address, look for bogus email addresses, and READ what the comment says. I can’t tell you how many times I’ve clicked on the author’s URL and it was blocked by Google for malware or my Kaspersky stopped me from opening the page.

Two things I do to reduce WordPress comment spam are to use the security built into the CommentLuv Premium plugin and to check the comments that get through against Stop Forum Spam.

2. Approve non-relevant comments by backlink seekers

I remember when I first started blogging and got my first comment, “Nice blog. Thanks. I’m going to bookmark it.” I thought, Woohoo, someone likes my blog, and approved it. But I failed to ask: is this comment relevant, or is it from someone just trying to get a backlink to their own site? Sometimes these are trackback comments sent in the hope that I allow trackbacks. (I’ve even seen trackback comments linked to a porn site.) And sometimes they try to make the comment “look” relevant, but on closer examination you can tell they’re not sincere.

Here are a couple of screenshots I took today from one site:

Comment Spam Example 1

Comment Spam Example 2

Be sure to moderate your comments for backlink seekers, and don’t give your readers the option to “click” on a link to a rogue or unwanted site. You never know when one of those links could carry a virus, or when a reader will vow never to visit your site again.

3. Lack of comment security settings

When was the last time you checked your “Discussion Settings” inside your WordPress dashboard? At the very least you should enable “Comment author must have a previously approved comment.” I always change the default of “2” to “1” for “Hold a comment in the queue if it contains…”

Please be sure to go through your comment settings and protect your site and your readers.
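As an added illustration (not WordPress’s own code, which does these checks in PHP), here is a small Python triage routine that applies the checklist from this post: the link threshold from Discussion Settings (WordPress default 2, set to 1 here), the previously-approved-author rule, a bogus-email check and a moderation keyword list. The sample comments, the keyword list and the `example.invalid` URLs are constructed; counting bare URLs as well as `<a href>` tags is a deliberate generalization of what WordPress does.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the WordPress "Discussion Settings" the post refers to.
# WordPress defaults comment_max_links to 2; the post changes it to 1.
@dataclass
class DiscussionSettings:
    comment_max_links: int = 1                # "Hold a comment in the queue if it contains ..."
    require_previously_approved: bool = True  # "Comment author must have a previously approved comment"
    moderation_keys: tuple = ("ugg boots",)   # constructed keyword list

@dataclass
class Comment:
    author: str
    email: str
    url: str
    ip: str
    content: str

# WordPress counts only <a href> tags; bare URLs are also counted here (generalization).
LINK_RE = re.compile(r"<a\s[^>]*href=|https?://", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def triage(comment: Comment, settings: DiscussionSettings, approved_emails: set) -> list:
    """Return the reasons a comment should be held for moderation.
    An empty list means it passed the automated checks; the owner still reads it."""
    reasons = []
    links = len(LINK_RE.findall(comment.content))
    if links >= settings.comment_max_links:
        reasons.append(f"{links} link(s) >= threshold {settings.comment_max_links}")
    if settings.require_previously_approved and comment.email.lower() not in approved_emails:
        reasons.append("author has no previously approved comment")
    if not EMAIL_RE.match(comment.email):
        reasons.append("bogus email address")
    # Keywords are matched against every field the post says to inspect.
    haystack = " ".join([comment.author, comment.email, comment.url, comment.ip, comment.content]).lower()
    for key in settings.moderation_keys:
        if key.lower() in haystack:
            reasons.append(f"matches moderation key {key!r}")
    return reasons

# Constructed sample comments modelled on the ones quoted in the post.
SPAM = Comment("Cheap Ugg Boots", "a@b", "http://example.invalid/shop", "203.0.113.5",
               "Nice blog. Thanks. I'm going to bookmark it. http://example.invalid/shop")
LEGIT = Comment("Regina", "regina@example.com", "", "198.51.100.7",
                "Good point about the link threshold; I set mine to 1 as well.")
APPROVED = {"regina@example.com"}

if __name__ == "__main__":
    for c in (SPAM, LEGIT):
        print(c.author, "->", triage(c, DiscussionSettings(), APPROVED) or ["passes automated checks"])
```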

WordPress Security Tip:

Use the Wordfence plugin to scan your comments for suspicious URLs.

Wordfence Comment Malware Warning

Leave Your Feedback

If you’re approving spam comments, please tell me why. Do you moderate your comment spam? How does it feel when you see comment spam on someone’s site? Please leave your comment below.


  1. says

    That’s a great post Regina (crap, I made the fatal spam commenter mistake – I personalized this comment to you, I guess I have to write a real comment.)
    Actually, it’s kind of funny. When I first starting accepting comments, I was just happy someone found my blog even if it was a spammer. Now, like you, if someone doesn’t say something specific about the piece and contribute in some way, I don’t approve comments.
    One of the other things I won’t approve is people looking for support by submitting comments. We have a support desk for that.
    And finally, I love CommentLUV – as do you. But too many “Luvvers” think finding other CommentLUV-vers is a license to spam. I welcome CommentLUV comments on my site too. But they better be relevant!
    Great post.
    David Perdew recently posted… Promoting MyNAMS Is A Win-Win-Win Opportunity by Teresa Miller

    • says

      Hey David,

      Guess you and I were alike when we first started blogging. Glad we are much more selective now.

      I’ve had a few people submit comments for support as well. It’s a shame so many people don’t see the “Contact Us” link in the main navigation bar, sure would get their question answered quicker 😉

      I hear you on the CommentLUV-vers trying to spam as well. You got that right, comments better be relevant!

      BTW, I am so excited that I’m going to see everyone this weekend in Atlanta at NAMS9.

  2. says

    Personally think part of the spam problem is caused by the ease with which it (WordPress) installs, so am sure some people assume since they have Akismet or other WordPress spam filtering plug-in that any comment left has to be ok. Also many people don’t even know that moderation is possible for comments. I’ve read that as much as 20% of the computers online have been zombied as the owners don’t do one or more of the following: have anti-virus installed, have some kind of malware removal software installed, keep up with the WordPress upgrade, and so on. Bottom line is the easy button only works on TV and computer users need to take better care of their OS (Operating System), apply upgrades, etc.
    Robert Nelson recently posted… Becoming Healthy

    • says

      Hi Robert,

      I think you’re correct in many people thinking that since they have Akismet or another anti-spam plugin makes them feel it’s “okay.” Just wish they would find some common sense or compassion for their readers.

    • says

      Me too Christine! I’m still amazed that people ethically will accept $ to post spam. Guess it’s better than armed robbery.

      I would say that my time spent moderating (since I have CommentLuv) has reduced by about 80%. I am a secure-a-phobe so I check all those that came through anyways, unless they’re from you of course 😉

      • says

        Hi Keith,

        You’re right! Spammers get sneaky and “attempt” to make their comment relevant by grabbing some words. Many times I see the title in a comment and then they “slip” up with something from left field.

        I agree! Comments without avatars grab me first, especially for my blog. 99.999% of my readers have blogs and should have avatars.

  3. Kathy Pop says

    Regina, great post. I also did the same thing when I first started. At one point one of my sites got on a list in a group and suddenly started getting several hundred spammy comments a day. Eventually I gave up and disallowed comments altogether for quite a while. Even 4 months later, I was still getting 300-400 a month.

  4. says

    Nice blog. Thanks. I’m going to bookmark it :-)

    Regina – I love Wordfence plugin! I wrote about it yesterday :-) Someone was attempting a brute force login and Wordfence blocked him/her and sent me an email!

    You really nailed it when describing the feeling you get from comments that say things like, “Great work. I am telling my friends about this site.” This is especially true when you are starting up a new site. It is human nature to want to be accepted.

    Also, as Keith commented, I have had great success with G.A.S.P to prevent the bots from leaving automated junk from appearing.

    Any suggestions for blocking trackbacks or pingbacks (other than turning them off)? It seems that spammers are now linking to sites (so the trackbacks or pingbacks are created and therefore leaving a backlink) but then they delete the link on their site.
    Paul B. Taubman, II recently posted… Testing the Wordfence Plugin – Two Thumbs Up!

    • says

      Hey Paul,

      Glad you’re liking the Wordfence plugin. It’s amazing how many blocked “admin” login attempts I get on a daily basis.

      As far as the trackback hogs, that just drives me crazy. Not sure which is worse, having pingbacks removed or having legit ones on porn sites. Give me strength! LOL As far as tracking incoming links there are a variety of tools out there (some paid and some free) that will give you a list of who’s linking to your site. I know you can see many of them in Google Webmaster Tools and a lot of people use Market Samurai.

      Here’s a video with Matt Cutts that will show you how to check your backlinks http://www.youtube.com/watch?v=f9LsbrQozik.

      It’s a time consuming process to track them. I have yet to find a plugin that helps with this.
      Regina Smola recently posted… Profitable Content Creation – What to Do When You’re Running Out of Content Ideas (3 Big Tips)

  5. says

    Awesome info Regina… some of that I already had found out the “hard” way by allowing bad links in through my seemingly admiring spammers.
    Question though… If a person has a PR2 or PR3 blog and then allows comments on that are PR2 or higher does that draw “juice” away from one’s site or does it bolster the PR value up? I sometimes allow some commenters to leave their non-pertinent but not completely off topic comments just because their comment name links to a decent PR level site with the hopes that it will add to my own Google juice.
    Any thoughts on that?
    Daryl Austman recently posted… Free And Low Cost Ways To Generate Huge Traffic

  6. JH says

    Hi Regina,

    first of all, thanks for your post. I found it the other day while digging into the dangers of allowing (spam) comments.

    I do allow spam on my website; the other day I added a feedback button to my website, which leads to a page where people can leave comments.
    The way I set everything up, comments are shown without users’ email addresses or URLs; also all code (including links) is stripped from replies; furthermore all comments with more than one link are put into moderation right away.

    It was a bit of a joke- I figured the spam was rather innocent this way, and the main thing: without any harmful or annoying links, only the hollow flattering (‘you’re such a great informative blogger’ etc) is left- which I found funny. Of course legit comments are welcome as well but my site (a portfolio site rather than a blog) isn’t that well visited.

    The first two days I got plenty of spam and it started looking really, well, flattering :)
    I’ve seen abandoned blogs with no moderation, with well over 10000 comments under one article, all spam of course, and I was hoping for that effect, but unfortunately the well ran dry… Somehow the spambots (or the spammers) must’ve noticed something fishy.

    So my question would be an odd one- how to attract spammers back to my site … :/

  7. Zion says

    I currently use Akismet now and everything that it labels spam I automatically delete. It’s been pretty awesome that I don’t have to deal with spam so far thanks to Akismet. I had heard of Wordfence before but I just thought that there won’t be any use for it. But reading one of your comments regarding how someone blatantly tried to log in to your site, NOW, that is freaking scary. I’m definitely installing it now!
    Zion recently posted… Pluma at Kwaderno

  8. says

    I am using Better WP Security Plugin in my WordPress blog. But when I use the “Hide Back End” feature of the plugin, new user registration stops working. Is there any solution for that?
    Any help is appreciated.

  9. says

    Thanks admin for these tips. I am a newbie and do all these things, i.e. approving spam comments, non-relevant comments. Just thinking that traffic is coming to my blog. But from now on I will never accept spam, non-relevant comments as you teach in this post. And also will add comment security today. Thanks for tips once again.
    inderjit recently posted… Best Android Apps for Mobiles

  10. says

    I’ve been trying to figure out how to minimize spam comments on my blog. (Sometimes I think spammers are the only ones paying attention!) I have been considering CommentLuv for a while but I am wondering if it ends up being a distraction having all of the links to the commenters’ latest posts. What do you think?

  11. says

    Well hello Regina, great advice on moderating comments.

    In the early days of my blog, I made the comment moderation mistake and approved comments without fully checking them and their creators.

    Google will group you with the people you are linked to. Whilst doing a Keyword search of my site at that time using Google’s keyword tools, my site had become apparently adult orientated with many rather rude keywords! Thankfully that was a long time ago and the blog is now seen by Google for what it really is.
    Igor Griffiths recently posted… Knowing Your Questions

  12. says

    Hi Regina,
    I have been using CommentLuv on all my sites. As well, I still have Akismet. Hardly any spam gets through. But I still read every comment and respond to it. If anything looks suspicious I check the link to the site and if it is a spammy site, out it goes to the trash.

    It is quite easy to recognize the spammers. Their language is different and it sounds spun. I still moderate all comments even from the people that visited my site before. I do it simply not to miss anyone who comments as I want to reply to them. But unfortunately, as I get more comments it is getting more tedious. I’ll have to figure out something to correct this.

    Thanks for sharing your article,

    Dita recently posted… How To Stop Google Analytics From Tracking My Visits
