There was a time when Akismet was the go-to weapon against comment spam on WordPress sites. Unfortunately, we don’t think it has kept up with the threats that web developers face: it makes mistakes and still leaves a bunch of garbage comments in your WordPress database. I’ve never used Akismet, can’t really explain why, just didn’t. Olaf used to use it but has since found better alternatives to Akismet.
Reasons to avoid using Akismet
- It’s only free for personal use; otherwise you have to pay from $60 a year for each site up to $50 a month (“for publishing networks, agencies, hosts and universities or multiple sites”). Part of the problem with that concept is that they don’t really define what they consider a “commercial” website. Is a commercial site a mommy blogger with a few AdSense ads, or is it only true commercial enterprises that sell a product or service?
- A lot of obvious spam gets through.
- Doesn’t actually block the spammers. Akismet might flag their comments as spam but it does nothing to keep them from dumping 100 spam comments a day on your site. All of that junk uses your bandwidth, disk space and clutters up your WordPress database.
- False positives. Akismet has a reputation for flagging good comments as spam. That means you’re still going to have to slog through all 1,248 comments in your spam folder to make sure it is all truly spam.
- It can ignore comments made by legitimate visitors. I’ve seen several articles about this and experienced it myself. You leave a thoughtful reply to a blog post and when you hit submit there’s no notice of the comment awaiting moderation, no posting of the comment and no outward sign that what you took the time to write was actually accepted. Akismet may have simply blocked it.
Ah, but wait, Akismet is supposed to send suspicious comments to the spam folder. Apparently, not only does it send some legitimate comments to the spam folder, it doesn’t even let some comments into the system. Through the mysteries of their algorithm and reporting system, one of my email addresses was apparently placed on a spammers’ list. I don’t do a lot of blog commenting and when I do, my comments are usually several paragraphs long, and they are always on point and would contribute to the conversation. In researching this article for Olaf, I found several folks theorizing that a denial of a trackback or even a single blogger tagging a comment with a particular email address can get that email banned in Akismet. I had always just assumed something went wrong between my lousy Internet connection and the blog I was commenting on. I don’t spam. It never occurred to me that I was on some sort of blacklist.
Even allowing for some false positives and blocking of legitimate comments, Olaf and I still don’t use Akismet. If I’m still going to have to review every comment being left on my blog, manually delete them AND never even see some potentially great comments, what’s the point?
So, if we don’t use Akismet anymore, what do we use?
Alternatives to Akismet
There are a number of free alternatives to Akismet that are more effective and are simply a better way to save you time, keep garbage from getting into your database in the first place and block bad bots before they have a chance to leave comments.
First off, Olaf and I don’t think there’s a single answer for fighting comment spam. The spammers are constantly changing their approach and there just doesn’t appear to be a 100% solution available. But that might be a good thing in the long run. Perhaps one of the reasons why Akismet is not as effective as it once was is that, in trying to be a sole solution, it can’t focus enough on each issue we face from spammers.
As a rule, Olaf has been using a three-pronged approach against spammers – filtering the bad traffic, blocking bad bots and automated comment post scripts and a more traditional comment-based spam blocker.
Cloudflare has become our first line of defense against comment spam. They maintain their own blacklist, use third-party lists like AVH, and can be configured to block known spammers by their IP addresses. Once Cloudflare has noticed a new attacker, it starts to block the attacker for both the particular website and the entire Cloudflare community. Olaf tells me that Cloudflare has the fastest and most secure network that he has ever worked with. He’s also noticed, across dozens of sites that he owns or operates for his clients, that Cloudflare has measurably decreased site load times. Cloudflare has also been known to recognize and repel brute force attacks against a site.
This WordPress plugin offers both options of Google reCAPTCHA: the version where the visitor has to check a checkbox (v2) and the “invisible” version (v3). We think that the invisible version of Google reCAPTCHA is a great option to protect your comment forms. Real visitors are already “checked by Google” and suspicious visitors or bots need to solve an image challenge.
5G Blacklist creates something of a firewall for your WordPress installation. The folks at PerishablePress.com believe the best way to stop those who wish to harm or exploit your site is to evaluate request strings and simply block them from even accessing your site. 5G helps reduce the number of malicious URL requests and protects against evil exploits, bad requests and other garbage.
5G isn’t a plugin. It is a bit of code that you add to your .htaccess file. If you don’t have direct access to your .htaccess file, you should consider changing hosts.
This is a gem of a plugin that has not received the attention it deserves. It is the closest thing to a free version of Akismet except it doesn’t have the problems with false positives and saving all of the spammy comments for review. Antispam Bee blocks virtually all of the garbage from getting into your database in the first place. It doesn’t stop the spammer from leaving the comment; it just deletes it before you ever see it. Of course, you can change the settings to allow the comments into your Spam queue for individual review.
This plugin has a strong and loyal following. When the original developer had to beg off the project, members of the WordPress community rallied behind him to keep this powerful plugin alive.
Other ways to avoid comment spam
- Remove the URL field from your comment form – This way you make your posts less attractive for spammers. You can do that by placing this snippet into the functions.php file of your child theme.
- If you get a lot of comments from your own small community, it might be an idea to ask comment authors to register first. Be aware that this is risky: not everyone likes to make an account for every website. Consider a social login feature instead; these plugins offer this kind of login feature.
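The snippet for removing the URL field did not survive on this page. As an added example (not the authors' original code), here is one way to do it with WordPress core filters; the `mytheme_` function names are hypothetical. It also discards the URL on the server side, because automated scripts can submit the field without ever loading the form.

```php
// Added example for a child theme's functions.php (which already opens
// with <?php). The "mytheme_" function names are hypothetical; the two
// hooks used are WordPress core filters.

/**
 * Remove the "Website" input from the comment form shown to visitors.
 */
function mytheme_remove_comment_url_field( $fields ) {
    unset( $fields['url'] );
    return $fields;
}
add_filter( 'comment_form_default_fields', 'mytheme_remove_comment_url_field' );

/**
 * Hiding the input only changes the HTML. A script that posts directly to
 * wp-comments-post.php can still send a "url" value, so blank it before
 * the comment is stored.
 */
function mytheme_strip_comment_author_url( $commentdata ) {
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';

    // Only touch ordinary comments: pingbacks and trackbacks use the
    // author URL to record the linking page.
    $is_plain_comment = ( '' === $type || 'comment' === $type );

    // Logged-in users get their URL from their profile, not from the form.
    if ( $is_plain_comment && ! is_user_logged_in() ) {
        $commentdata['comment_author_url'] = '';
    }

    return $commentdata;
}
add_filter( 'preprocess_comment', 'mytheme_strip_comment_author_url' );
```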
Stop Spam, Stop Wasting Time
All in all, the best defense against spam is to utilize a system that begins with preventing access to your WordPress site and then properly handling anyone who manages to get past that first line of defense. We don’t use Akismet anymore because it lets the spammers gain access to the site and may delete legitimate comments. Flagging comments as spam lets the spammers leave their garbage and the blog owner still has to review each comment – a total waste of time.
Deploying an approach that begins at the server level and denies known spammers and hackers access to your site in the first place is far more effective. Add to that a plugin like Antispam Bee and you will see your spammy comments virtually disappear – we did.
Published in: WordPress Development