Why We Don’t Use Akismet

There was a time when Akismet was the go-to weapon against comment spam on WordPress sites. Unfortunately, we don’t think it has kept up with the threats that web developers face: it makes mistakes and still leaves a bunch of garbage comments in your WordPress database. I’ve never used Akismet, can’t really explain why, just didn’t. Olaf used to use it but has since found better alternatives to Akismet.

Reasons to avoid using Akismet

  1. It’s only free for personal use; otherwise you have to pay from $60 a year for each site up to $50 a month (“for publishing networks, agencies, hosts and universities or multiple sites”). Part of the problem with that concept is that they don’t really define what they consider a “commercial” website. Is a commercial site a mommy blogger with a few Adsense ads or is it only true commercial enterprises that sell a product or service?
  2. A lot of obvious spam gets through.
  3. Doesn’t actually block the spammers. Akismet might flag their comments as spam but it does nothing to keep them from dumping 100 spam comments a day on your site. All of that junk uses your bandwidth, disk space and clutters up your WordPress database.
  4. False positives. Akismet has a reputation for flagging good comments as spam. That means you’re still going to have to slog through all 1,248 comments in your spam folder to make sure it is all truly spam.
  5. It can ignore comments made by legitimate visitors. I’ve seen several articles about this and experienced it myself. You leave a thoughtful reply to a blog post and when you hit submit there’s no notice of the comment awaiting moderation, no posting of the comment and no outward sign that what you took the time to write was actually accepted. Akismet may have simply blocked it.

Ah, but wait, Akismet is supposed to send suspicious comments to the spam folder. Apparently, not only does it send some legitimate comments to the spam folder, it doesn’t let some comments even into the system. Through the mysteries of their algorithm and reporting system, one of my email addresses was apparently placed on a spammers list. I don’t do a lot of blog commenting and when I do, it is usually several paragraphs long and they are always on point and would contribute to the conversation. In researching this article for Olaf, I found several folks theorizing that a denial of a trackback or even a single blogger tagging a comment with a particular email address can get that email banned in Akismet. I had always just assumed something went wrong between my lousy Internet connection or the blog I was commenting on. I don’t spam. It never occurred to me that I was on some sort of blacklist.

Even allowing for some false positives and blocking of legitimate comments, Olaf and I still don’t use Akismet. If I’m still going to have to review every comment being left on my blog, manually delete them AND never even see some potentially great comments; what’s the point?

So, if we don’t use Akismet anymore, what do we use?

Alternatives to Akismet

There are a number of free alternatives to Akismet that are more effective and are simply a better way to save you time, keep garbage from getting into your database in the first place and block bad bots before they have a chance to leave comments.

First off, Olaf and I don’t think there’s a single answer for fighting comment spam. The spammers are constantly changing their approach and there just doesn’t appear to be a 100% solution available. But, that might be a good thing in the long run. Perhaps one of the reasons why Akismet is not as effective as it once was is that in trying to be a sole solution, it can’t focus enough on each issue we face from spammers.

As a rule, Olaf has been using a three-pronged approach against spammers: filtering the bad traffic, blocking bad bots and automated comment post scripts, and running a more traditional comment-based spam blocker.

Cloudflare

Cloudflare has become our first line of defense against comment spam. It maintains its own blacklist, uses 3rd party lists like AVH, and can be configured to block known spammers by their IP addresses. Once Cloudflare has noticed a new attacker, it starts to block the attacker for both the particular website and the entire Cloudflare community. Olaf tells me that Cloudflare has the fastest and most secure network that he has ever worked with. He’s also noticed, across dozens of sites that he owns or operates for his clients, that Cloudflare has measurably decreased site load times. Cloudflare has also been known to recognize and repel brute force attacks against a site.

AVH First Defense Against Spam Plugin

AVH is a good alternative to the protection provided by Cloudflare. This plugin uses external lists (Stop Forum Spam, Project Honey Pot and Spamhaus) to block bad bots and users from even accessing your site. With AVH, you can also create your own blocked IP list.

5G Blacklist

5G Blacklist creates something of a firewall for your WordPress installation. The folks at PerishablePress.com believe the best way to stop those who wish to harm or exploit your site is to evaluate request strings and simply block them from even accessing your site. 5G helps reduce the number of malicious URL requests and protects against evil exploits, bad requests and other garbage.

5G isn’t a plugin. It is a bit of code that you add to your .htaccess file. If you don’t have direct access to your .htaccess file, you should consider changing hosts. But, in the meantime, you can make changes to your .htaccess file via one of the tools in the WordPress SEO plugin from Yoast.
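
The server-level ideas described above (a personal blocked-IP list, rejecting requests by their request string, and refusing scripted comment posts) look like this in an .htaccess file. This is an added illustration, not the 5G Blacklist rule set or code from this site; it assumes Apache 2.4 with mod_rewrite, and the IP addresses, patterns and example.com are constructed placeholders.

```apache
# Added illustration only; NOT the 5G Blacklist rules.
# Assumes Apache 2.4 (mod_authz_core, mod_rewrite) and a site at example.com.

# 1. Own blocked-IP list. Addresses are constructed, taken from the
#    ranges reserved for documentation.
<RequireAll>
    Require all granted
    Require not ip 203.0.113.45
    Require not ip 198.51.100.0/24
</RequireAll>

<IfModule mod_rewrite.c>
    RewriteEngine On

    # 2. Request-string filtering: refuse query strings carrying patterns
    #    that no normal WordPress URL needs (path traversal, script tags,
    #    attempts to overwrite PHP globals). QUERY_STRING is not
    #    URL-decoded, so the encoded form is listed as well.
    RewriteCond %{QUERY_STRING} (\.\./|<script|%3Cscript|GLOBALS(=|\[)|_REQUEST(=|\[)) [NC]
    RewriteRule .* - [F,L]

    # 3. Automated comment scripts: refuse POSTs to wp-comments-post.php
    #    that do not come from a page on this site or send no User-Agent.
    #    The request is rejected before PHP runs.
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* - [F,L]
</IfModule>
```

The Referer condition in step 3 also rejects real visitors whose browser or privacy extension strips the Referer header, so check the access log for 403 responses on wp-comments-post.php after enabling it.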

Antispam Bee

This is a gem of a plugin that has not received the attention it deserves. It is the closest thing to a free version of Akismet except it doesn’t have the problems with false positives and saving all of the spammy comments for review. Antispam Bee blocks virtually all of the garbage from getting into your database in the first place. It doesn’t stop the spammer from leaving the comment; it just deletes it before you ever see it. Of course, you can change the settings to allow the comments into your Spam queue for individual review.

This plugin has a strong and loyal following. When the original developer had to beg off the project, members of the WordPress community rallied behind him to keep this powerful plugin alive.

Stop Spam, Stop Wasting Time

All in all, the best defense against spam is to utilize a system that begins with preventing spammers from accessing your WordPress site and then properly handling anyone who manages to get past that first line of defense. We don’t use Akismet anymore because it lets the spammers gain access to the site and may delete legitimate comments. Flagging comments as spam lets the spammers leave their garbage and the blog owner still has to review each comment – a total waste of time.

Deploying an approach that begins at the server level and denies known spammers and hackers from accessing your site in the first place is far more effective. Add to that a plugin like Antispam Bee and you will see your spammy comments virtually disappear – we did.

12 thoughts on “Why We Don’t Use Akismet”

    • Hello Pete,
      Thanks for sharing, actually this plugin doesn’t help to block the bot or spammer who is trying to post a comment. Using nonces will help to keep your comment waiting list clean, but the file wp-comments-post.php is still executed and the load on your server is still high if many posts are done. Our approach is not just about filtering spam, but more to use less resources while offering a comment function.

  1. I like Google reCAPTCHA. Seems to stop everything!

    • Hi Ryan,
      CAPTCHA challenges are an option, but they are also a challenge for the visitor who will post a comment for real.

  2. (Akismet developer here.) When you say that Akismet leaves “garbage comments” in the database, what do you mean?

    Part of the problem with that concept is that they don’t really define what they consider a “commercial” website.

    “Commercial” is any site that is used for commercial purposes. Selling products, promoting a business, or driving ad revenue are all examples of commercial purposes.

    Doesn’t actually block the spammers. Akismet might flag their comments as spam but it does nothing to keep them from dumping 100 spam comments a day on your site. All of that junk uses your bandwidth, disk space and clutters up your WordPress database.

    The strictness setting that we added last year allows you to have Akismet auto-delete the most obvious spam, which is usually about 80% of spam comments.

    Hope this helps.

    • Hi Chris, thank you for clarifying that unless a site is 100% revenue free, it’s commercial in your eyes. My first, and somewhat abandoned blog, apparently still has Akismet installed; more on that in a moment. I will take the appropriate action but, I’ll leave it installed for a few days in case you would want more details about my comments below.

      While this post is a bit of an attack on Akismet, our point was primarily that folks should not rely on a single tool to defend against spam. Your plugin comes installed on WordPress. It seems a natural place to begin any discussion on spam. Unfortunately, there simply doesn’t appear to be a single plugin or script that can filter the bad traffic, block bad bots and automated comment post scripts and provide a more traditional comment-based spam blocker.

      I know Olaf has been working on my blog security for several years. He has tried a number of plugins and combinations of things. His efforts did include utilizing Akismet. However, since installing the configuration suggested in this post, my comment spam has virtually disappeared. YAY!

      As to the accuracy of Akismet…

      It’s funny sometimes how things on the web work. Around the time I handed over this article to Olaf, that old and low-traffic blog started getting hit. When I logged in to see what was going on, I found that somehow this blog missed getting Olaf’s security treatment and only had Akismet running. All of the spam comments, that were getting through, were obvious attempts at garnering backlinks to a number of different Facebook profiles. Granted, it’s running version 3.1.1 from back in March. However, your reply said the major changes were made a year ago.

      I realize how hard it must be to program to beat these folks, it is such a continually moving target. Most of the Facebook spams have cut/pasted/scraped content from somewhere and they would probably pass a lot of spam filters – after all they look like comments, it would most likely take a human to recognize that they don’t make sense in context with the post they were attached to. But, there are several where it seems they should have been easily flagged but were let through as ham:

      About a screen’s full worth of letters and numbers with strings like “d0bed0b” repeated over and over again.

      A shorter one with a different string of letters and numbers ending with a three word keyword phrase.

      Another with some text and then this: “Posted on May 11, 2012 by” followed by a bunch of code that looks like it was trying to pull data from somewhere on Twitter.

      What really has me confused is that my Akismet Stats for August are 167 spam, 51 ham, 0 missed spam and 0 false positives.

      I have no idea of the true number of spam comments from August. Am I right in guessing that it would require me to flag “Pending” posts as spam to get them counted as “missed”? And, “false positives” would be things in my Spam folder that I marked as not being spam?

      3 obvious misses out of 218 is obviously a great result – 98%. 21 missed still offers a 90% catch rate. Unfortunately, I suspect those numbers would have gotten worse, since someone has obviously found a hole to exploit.

      What seems more worrisome is that there are only 20 comments sitting in pending and 1 in spam from this month – most of which came in yesterday and the day before. If Akismet is right and there were 51 “ham” comments, it would seem there are 30 ham comments missing.

      I left the install of Akismet as it was in case you would like more info on the stuff that was getting through. Perhaps updating to the latest version would have flagged the spam that I received. Based on the changes identified in the Changelog on the WP Repository, I’m not sure it would have changed things though. I did, however, install AVH and AntiSpam Bee and they stopped the attack completely.

      • I have no idea of the true number of spam comments from August. Am I right in guessing that it would require me to flag “Pending” posts as spam to get them counted as “missed”? And, “false positives” would be things in my Spam folder that I marked as not being spam?

        That’s right.

        What seems more worrisome is that there are only 20 comments sitting in pending and 1 in spam from this month – most of which came in yesterday and the day before. If Akismet is right and there were 51 “ham” comments, it would seem there are 30 ham comments missing.

        It’s possible/probable that the other 166 spam were auto-deleted due to being super-obvious.

        Can you send me the key and blog that these stats are from (either at [email protected] or [email protected])? The ham stat being off by that much is strange, and the spam that got through sounds like stuff that is being caught on other sites.

  3. Thank you for the information about how Akismet was actually storing too much on your site and affecting its usability. I am just starting a blog and I’m trying to choose an anti-spam product. While many articles complain about the cost of Akismet, your article is giving me another more serious issue to consider: am I capable of debugging problems created by Akismet.

  4. I actually have the same issues with Akismet. I just think it has been letting way too much obvious spam through over the last 6 months or so. I didn’t use to need to go through approved comments and spam-mark anything (or very few) before but these days I know that of the approved comments 90% will be obvious spam-comments.

    I also do not think the ham-number is correct. It says that in July 2016 so far I’ve gotten 52 ham-comments … but I only have 5 approved comments. Unless it counts all it incorrectly marked as “approved” and ignores that I’ve spam marked basically every one of them?

    I’m getting Akismet via Vaultpress but am seriously considering testing something else …

    • Hi Bjorn,
      thanks for sharing your experience with Akismet.
      I don’t check the HAM, but you’re right there are many false positives. Even stupid comments with typos and spammy links. The funny thing is that if you wait a few days and hit the “Check for spam” button, Akismet will filter most of them afterwards. This doesn’t help because the admin/moderator still gets notifications in the first place. Try these plugins too (and let us know how it works for you)
      https://wordpress.org/plugins/wp-spamshield/
      https://wordpress.org/plugins/zero-spam/ (note it doesn’t work with Jetpack comments)
      https://wordpress.org/plugins/cleantalk-spam-protect/ (maybe one of the best, $8 / year and website is much cheaper than moderating spam)

  5. Interesting post in regards to stopping spam. I honestly have never needed anything better than Akismet but it’s nice to know that there’s a lot of alternatives out there just in case if I ever get to the point where Akismet is no longer doing what I need it to do.

    • Hi Robin,
      In my opinion Akismet is an easy way to fight comment spam on your personal site. For a commercial site you need to pay for using the Akismet service. Right now avoid using Akismet for a commercial site, because this blog is still getting false positives every week. Even some weeks later Akismet doesn’t know it’s spam if you click the re-check button. On the other side Akismet has filtered 1000+ spam comments as well :)
