Have you recently launched a new website and started seeing comments come in that feel… a little off? Are you wondering if they might be spam comments? Maybe they’re overly flattering (did this person really think my post about church website domain names was the most inspirational thing they’ve read all year?) or maybe they look a bit too self-serving (okay, great, I love that you read my article, but why did you drop seven links to unrelated articles from other websites?).
Well, I’m sorry to have to be the one to tell you this, but you’re in the early stages of a spambot attack.
What is a Spambot Attack?
The blog post comments are probably being submitted by spambots. These are bots built to scan WordPress websites to find comment boxes even when those boxes are hidden from real people. Even when comments aren’t displayed on your website, WordPress can still have comments activated through some underlying settings, and these bots are great about finding those vulnerabilities.
The good news is that the comments themselves don’t really cause any harm. The end-goal for the spambots is to get people to click on their links, so as long as you (and any other website admins) don’t click the links and the comments themselves don’t get published to the website, there’s not a ton of immediate damage.
The damage begins when you start to see more and more of these spambots hitting your site. Usually it starts with just a handful of spam comments a day, but over several weeks they will grow as more bots find the vulnerability. I’ve seen the number of comments grow to become hundreds of submissions a day, which is not only annoying, but can harm the server that hosts the website by choking its resources.
Preventing Spam Comments
1) Don’t Display Comments to the Public
The first thing you should do is confirm that you’re not displaying comments on your website. While there are some sites that need/want to allow comments, the vast majority of websites these days have absolutely no need for them. And if you do need comments, it usually works best to use a third-party discussion platform like Disqus to manage them. WordPress’s built-in comment system is awful.
The exact approach to remove the display of comments from your website will depend on the theme you’re using, but in most builders it’s as simple as editing the template view for single posts and then deleting the section on the page that contains comments.
This doesn’t prevent these bots from submitting comments, but it does prevent the public from seeing their dangerous links.
2) Disallow the Submission of Comments
But the heart of the issue is to prevent these comments from being submitted in the first place. I almost always follow a three-step process:
- There is a WordPress Discussion setting to “Allow people to submit comments on new posts.” Uncheck that box to disallow comments on new posts. This setting doesn’t affect anything that’s already published, though, and it can also be accidentally overridden on each individual post that gets published, so changing this setting alone won’t solve the problem.
- In that same settings screen, there is an option, “Users must be registered and logged in to comment,” that I almost always turn on. This prevents a lot of bots from submitting new comments, but the most intelligent bots can find a way around this by registering as a “subscribed” user. This is an archaic type of WordPress user that doesn’t allow them any administrative access, but it is technically still a user, so registering this way would allow them to leave a comment.
- Finally, to prevent bots from registering as one of those subscribed users, I disable all new user registrations by going into the General settings page and unchecking the box for the “Anyone can register” option. Of course, if you want or need people to be able to register, such as if you have an ecommerce store on the site, this step won’t work for you, so you’ll just have to be extra attentive to keeping comments closed on every post.
With those three settings combined, I’ve had pretty good luck eliminating spam comment submissions, and I think it will work for you, too!
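If you have command-line access, the three settings above can be checked in one pass, along with the posts that were published before the default was changed. This is an added example, not part of the original walkthrough; it assumes WP-CLI (`wp`) is installed and run from the WordPress directory, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: audit the three settings from the steps above with WP-CLI.
# Assumes `wp` is on PATH and the current directory is the WordPress install.

# IDs of published posts that still accept comments (the default setting
# only applies to new posts, so older posts have to be checked separately).
open_post_ids() {
    wp post list --post_type=post --post_status=publish \
        --comment_status=open --format=ids 2>/dev/null
}

# Prints one line per check; the return code is the number of findings.
audit_comment_settings() {
    findings=0
    # Discussion: "Allow people to submit comments on new posts"
    if [ "$(wp option get default_comment_status 2>/dev/null)" = "closed" ]; then
        echo "OK    new posts have comments closed by default"
    else
        echo "WEAK  new posts accept comments by default"
        findings=$((findings + 1))
    fi
    # Discussion: "Users must be registered and logged in to comment"
    if [ "$(wp option get comment_registration 2>/dev/null)" = "1" ]; then
        echo "OK    login is required to comment"
    else
        echo "WEAK  anonymous visitors can comment"
        findings=$((findings + 1))
    fi
    # General: "Anyone can register" (stored as 1 when the box is checked)
    if [ "$(wp option get users_can_register 2>/dev/null)" = "1" ]; then
        echo "WEAK  anyone can register an account"
        findings=$((findings + 1))
    else
        echo "OK    open registration is disabled"
    fi
    ids=$(open_post_ids)
    if [ -n "$ids" ]; then
        echo "WEAK  published posts still open for comments: $ids"
        findings=$((findings + 1))
    else
        echo "OK    no published post accepts comments"
    fi
    return "$findings"
}

# Closes comments on every post reported by open_post_ids.
close_open_posts() {
    for id in $(open_post_ids); do
        wp post update "$id" --comment_status=closed
    done
}
```

Call `audit_comment_settings` after sourcing the file; if it reports open posts, `close_open_posts` closes them one by one.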