
WordPress Comment Spam: What Stops It in 2026

By The RevealTheme Team · Updated May 27, 2026 · 3 min read

If you run a WordPress blog with comments open, you already know the pattern: you publish a post, traffic trickles in, and within hours the moderation queue fills with "Great article, very informative!" sitting above a link to a sketchy supplements store. What changed in 2026 isn't the goal of comment spam — it's still cheap backlinks and the occasional malware payload — but the texture of it. The old signal-based filters that caught keyword-stuffed garbage now have to contend with comments written by language models that pass a casual human read. This guide walks through what actually stops it now, layer by layer, and where the old advice has quietly stopped working.

The 2026 spam landscape: three distinct threats

Treating "comment spam" as one problem is why so many sites end up with a half-dozen overlapping plugins that still let junk through. There are three separate threats, and each needs a different defense:

  • High-volume bot floods. Automated scripts hammering wp-comments-post.php directly, often skipping your theme's form entirely. This is the bulk of raw volume — thousands of attempts — and it's the easiest to kill because the bots barely pretend to be human.
  • LLM-generated link drops. The genuinely new category. Comments that are grammatical, vaguely on-topic, and end with a plausible-looking author URL or a link buried in the body. These defeat regex and keyword filters because there's nothing obviously spammy in the text.
  • Paid manual spam. A human in a click farm pasting generic praise for pennies. Low volume, high effort to detect automatically, and the only reliable backstop is a moderation rule rather than a filter.

A good defense stack handles the first two automatically and quietly funnels the third into a queue you can clear in two minutes a day.

Stop the bots before they reach PHP

The single highest-leverage move is dealing with direct POSTs to the comment endpoint at the edge. A legitimate commenter loads your post page first and the browser sends that page as the Referer, so a POST to wp-comments-post.php with no same-origin Referer is almost always a script. If you're on Cloudflare (free tier is fine), create a WAF custom rule that challenges POST requests to that path lacking a same-origin Referer. Two caveats before you set it to outright block: the header is trivially forged, so this thins out lazy bots rather than stopping a deliberate one, and a small share of real people browse with extensions or referrer policies that strip it, which is why Managed Challenge is the right action rather than Block. The rule also only helps if traffic actually passes through Cloudflare; if your origin answers on its own IP, restrict it to Cloudflare's address ranges or the bots will post straight to it. Done right, this removes a startling share of attempts before WordPress ever boots, which also saves you CPU on shared hosting.
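The rule expression that does this, as an added example rather than anything the article or Cloudflare ships verbatim. It assumes WordPress lives at the site root and that example.com is your own hostname; for a subdirectory install swap the path match for ends_with(), and in the rule builder set the action to Managed Challenge, not Block:

```text
(http.request.method eq "POST" and lower(http.request.uri.path) eq "/wp-comments-post.php" and not starts_with(http.referer, "https://example.com/"))
```

The same match expression, minus the Referer clause, is what you give a Cloudflare rate limiting rule keyed on IP address (a few requests per ten seconds is plenty for a comment form) to catch the burst posters that do bother to send a plausible Referer.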

On the host side, managed WordPress providers like Kinsta, WP Engine, and Cloudways already rate-limit comment POSTs at the edge. If you're on cheaper shared hosting (SiteGround, Hostinger), you won't get that for free, which makes the Cloudflare rule more important. A simple per-IP rate limit — no more than a handful of comments per minute from one address — catches the bots that try to dump 50 comments in a burst.

The honeypot still earns its keep

Honeypots remain one of the best effort-to-reward defenses against dumb bots. The technique: add a form field with an innocuous name (url2, contact_me_by), hide it from humans, and reject any submission where it's filled. Bots parse the raw HTML and fill every field they find; humans never see it. Two details keep it from biting real people: take the field out of the tab order and hide it from assistive technology (tabindex="-1", aria-hidden="true") so keyboard and screen-reader users don't land in it, and set autocomplete="off" so a browser's form autofill doesn't populate it and get a genuine commenter rejected. Bots that drive a real headless browser and honour CSS will skip the field, which is why the honeypot sits behind the edge rules rather than replacing them. Plugins like Antispam Bee and Titan Anti-Spam implement this without you touching code, and Antispam Bee is notable for being free, GDPR-friendly, and storing nothing on external servers, a real consideration if you have EU readers.
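If you would rather see the mechanism than install a plugin, here is the whole thing as a must-use plugin. This is an added example, not code from the article or from either plugin it names; it assumes your theme renders its form with comment_form(), and the field name contact_me_by and the example_ prefix are placeholders chosen for the illustration.

```php
<?php
/**
 * Plugin Name: Comment honeypot (added example)
 *
 * Added example, not code from the article or the plugins it names.
 * Save as wp-content/mu-plugins/example-honeypot.php. Assumes the theme
 * builds its comment form with comment_form(); "contact_me_by" and the
 * example_ prefix are placeholders for this illustration.
 */

// A field humans never see: moved off-screen, out of the tab order, hidden
// from assistive tech, and excluded from browser autofill so a real commenter
// is not flagged because their own browser filled it in.
function example_honeypot_field() {
    echo '<p class="comment-form-contact-me-by" style="position:absolute;left:-10000px;" aria-hidden="true">'
        . '<label for="contact_me_by">If you are human, leave this field empty</label>'
        . '<input type="text" name="contact_me_by" id="contact_me_by" value="" tabindex="-1" autocomplete="off">'
        . '</p>';
}
add_action( 'comment_form_after_fields', 'example_honeypot_field' );   // logged-out form
add_action( 'comment_form_logged_in_after', 'example_honeypot_field' ); // logged-in form

// Decide on the raw submission before WordPress stores anything. A filled
// honeypot gets a bare 403 so the bot learns nothing about why it failed.
function example_honeypot_check( $commentdata ) {
    $raw  = isset( $_POST['contact_me_by'] ) ? $_POST['contact_me_by'] : '';
    // A non-string value (array tampering) is treated as filled as well.
    $trap = is_string( $raw ) ? trim( wp_unslash( $raw ) ) : 'tampered';
    if ( '' !== $trap ) {
        wp_die( 'Comment rejected.', 'Comment rejected', array( 'response' => 403 ) );
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'example_honeypot_check' );
```

The check hangs off preprocess_comment, which fires on the raw POST before any database write, so a tripped honeypot costs one PHP request and nothing else. If you later see real people being rejected, the first suspect is a browser or password manager autofilling the field despite autocomplete="off"; renaming it to something that matches no known autofill token usually fixes that.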

Akismet vs. the LLM problem

Akismet is still the default recommendation, and for good reason: it scores every comment against patterns seen across millions of sites, so spam posted to you has usually already been flagged elsewhere that same day. The free tier covers genuinely personal, non-commercial blogs; anything with ads, a product, or business intent needs a paid plan, which starts around a few dollars a month and is worth it for the hours saved.

But be honest about its weak spot. Akismet's network effect works brilliantly against spam templates reused across thousands of sites. A unique, LLM-written comment generated fresh for your post has no fingerprint to match. This is exactly where the new generation of spam lives, and it's why "I installed Akismet, I'm done" is no longer a complete answer. You need a second layer that judges behavior and structure, not just text reputation.

That second layer is where link-based rules do the heavy lifting. The whole economic point of LLM spam is the link, so gate on links: route any comment containing one or more URLs (including the author website field) to moderation, regardless of how clean the prose reads. You lose the convenience of auto-approving the rare legitimate commenter who links to their own work, but you catch nearly every monetized spam attempt, because there's no payday for the spammer if the link never goes live.

The CAPTCHA question: what to use and what to retire

Visible "click the traffic lights" reCAPTCHA v2 is now the wrong default. Commercial CAPTCHA-solving services and headless browsers defeat it cheaply, so the friction lands almost entirely on real humans, and on accessibility, since screen-reader users struggle with image challenges. If you want an invisible challenge, the better pick in 2026 is Cloudflare Turnstile: it runs a non-interactive browser check, adds no visible puzzle, and keeps the interaction data with Cloudflare rather than Google, which makes the GDPR consent question simpler than it is with reCAPTCHA v3. It's free and integrates with most form plugins. Whichever widget you use, the part that actually blocks anything is the server-side verification of the token the widget returns: a widget that is only rendered in the page is never seen by a bot posting straight to wp-comments-post.php, so make sure your integration verifies on the server and fails closed when the token is missing.

Whatever you choose, treat CAPTCHA as a supplement to honeypots and rate limiting, never the front line. A determined bot operator pays a solving service; the honeypot and edge rules are what actually thin the herd for free.
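For the Turnstile case, this is what a fail-closed server-side check looks like as a must-use plugin. It is an added example, not code from the article or from Cloudflare; it assumes a comment_form()-based theme, and the EXAMPLE_TURNSTILE_SITE_KEY and EXAMPLE_TURNSTILE_SECRET_KEY constants are placeholders you would define in wp-config.php with the keys from the Cloudflare dashboard. The siteverify endpoint and the cf-turnstile-response field name are Cloudflare's documented interface.

```php
<?php
/**
 * Plugin Name: Turnstile comment check (added example)
 *
 * Added example, not code from the article or from Cloudflare. Save as
 * wp-content/mu-plugins/example-turnstile.php and define the two
 * EXAMPLE_TURNSTILE_* constants (placeholders) in wp-config.php.
 */

if ( ! defined( 'EXAMPLE_TURNSTILE_SITE_KEY' ) || ! defined( 'EXAMPLE_TURNSTILE_SECRET_KEY' ) ) {
    return; // not configured: do nothing rather than half-work
}

// Render the widget inside the comment form. It adds a hidden input named
// cf-turnstile-response that carries the token back with the POST.
function example_turnstile_widget() {
    printf( '<div class="cf-turnstile" data-sitekey="%s"></div>', esc_attr( EXAMPLE_TURNSTILE_SITE_KEY ) );
}
add_action( 'comment_form_after_fields', 'example_turnstile_widget' );
add_action( 'comment_form_logged_in_after', 'example_turnstile_widget' );

function example_turnstile_script() {
    if ( is_singular() && comments_open() ) {
        wp_enqueue_script( 'cf-turnstile', 'https://challenges.cloudflare.com/turnstile/v0/api.js', array(), null, true );
    }
}
add_action( 'wp_enqueue_scripts', 'example_turnstile_script' );

// Verify the token with Cloudflare before the comment is stored. Fail closed:
// a missing token, a network error, or success:false all reject the comment.
// This is the step a client-only widget skips, and the step bots never reach.
function example_turnstile_verify( $commentdata ) {
    if ( ! empty( $commentdata['user_id'] ) && user_can( $commentdata['user_id'], 'moderate_comments' ) ) {
        return $commentdata; // site staff skip the challenge
    }
    $raw   = isset( $_POST['cf-turnstile-response'] ) ? $_POST['cf-turnstile-response'] : '';
    $token = is_string( $raw ) ? sanitize_text_field( wp_unslash( $raw ) ) : '';
    if ( '' === $token ) {
        wp_die( 'Please complete the anti-spam check.', 'Comment rejected', array( 'response' => 403 ) );
    }
    $response = wp_remote_post(
        'https://challenges.cloudflare.com/turnstile/v0/siteverify',
        array(
            'timeout' => 5,
            'body'    => array(
                'secret'   => EXAMPLE_TURNSTILE_SECRET_KEY,
                'response' => $token,
                // Optional. Behind Cloudflare this is the edge IP unless your host restores the client IP.
                'remoteip' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
            ),
        )
    );
    $ok = false;
    if ( ! is_wp_error( $response ) && 200 === wp_remote_retrieve_response_code( $response ) ) {
        $body = json_decode( wp_remote_retrieve_body( $response ), true );
        $ok   = is_array( $body ) && ! empty( $body['success'] );
    }
    if ( ! $ok ) {
        wp_die( 'Anti-spam check failed.', 'Comment rejected', array( 'response' => 403 ) );
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'example_turnstile_verify' );
```

The thing to notice is the shape, not the vendor: render widget, receive token, verify token server-side with the secret, reject on anything other than an explicit success. A form plugin that does the first step and not the third is decoration.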

A moderation workflow that scales

Filtering reduces volume; it never hits zero. The goal of your Settings → Discussion configuration is to make the leftover queue small and trustworthy:

  1. Hold first-time commenters for approval. Once you approve someone's first comment, WordPress auto-approves their later ones (matched on name + email for logged-out commenters). This one rule catches most paid manual spam, because the spammer's comment never appears and they don't return to check. Keep in mind that the match is on fields the commenter types in, so anyone who copies an approved regular's name and email inherits the approval; it's a friction rule, not an identity check, which is one more reason the link rule below stays on.
  2. Hold any comment with one or more links. Lower WordPress's default link threshold from 2 to 1. Know what that counter actually counts: core looks for <a href> markup in the comment body, so a bare pasted URL or a link in the author website field does not trip it on its own. The setting is still worth turning down, but the full link gate described earlier needs a plugin rule or a small filter that treats bare URLs and the author URL as links too. This is your LLM-spam net.
  3. Maintain a disallowed-comment keyword list for the handful of pharma and gambling terms that recur. Low effort, catches the laziest junk instantly.
  4. Check the queue once a day, not continuously. Held comments are invisible to readers, so there's no urgency. A single daily pass keeps the cognitive load near zero.
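The link gate from the Akismet section, and the fuller version of step 2 above, as a must-use plugin. This is an added example, not code from the article; the example_ prefix is a placeholder, and the regular expressions are this example's own definition of "contains a link", chosen to cover what WordPress auto-links on display as well as what core's counter sees.

```php
<?php
/**
 * Plugin Name: Comment link gate (added example)
 *
 * Added example, not code from the article. Save as
 * wp-content/mu-plugins/example-link-gate.php. Holds for moderation any
 * comment that carries a URL in any form: <a href> markup, a bare http(s)
 * URL, a www. host, or the author website field. Core's own "hold if it
 * contains N or more links" setting only counts <a href> markup in the body.
 * The example_ prefix is a placeholder for this illustration.
 */

// True if the comment carries anything a spammer could get a backlink from.
function example_comment_has_link( $content, $author_url ) {
    if ( '' !== trim( (string) $author_url ) ) {
        return true;
    }
    $patterns = array(
        '#<a\s[^>]*href#i',                // what core's counter looks for
        '#\bhttps?://#i',                  // bare URL; WordPress auto-links it on display
        '#\bwww\.[a-z0-9-]+\.[a-z]{2,}#i', // schemeless host, also auto-linked on display
    );
    foreach ( $patterns as $pattern ) {
        if ( preg_match( $pattern, $content ) ) {
            return true;
        }
    }
    return false;
}

// Runs after core has picked 1 (approve), 0 (hold), 'spam' or 'trash'.
// Only ever downgrades an approval; a spam or trash verdict is left alone.
function example_link_gate( $approved, $commentdata ) {
    if ( 1 !== $approved && '1' !== $approved ) {
        return $approved;
    }
    // Site staff may link freely.
    if ( ! empty( $commentdata['user_id'] ) && user_can( $commentdata['user_id'], 'moderate_comments' ) ) {
        return $approved;
    }
    $url = isset( $commentdata['comment_author_url'] ) ? $commentdata['comment_author_url'] : '';
    if ( example_comment_has_link( $commentdata['comment_content'], $url ) ) {
        return 0; // hold for the daily moderation pass
    }
    return $approved;
}
add_filter( 'pre_comment_approved', 'example_link_gate', 10, 2 );
```

Hooking pre_comment_approved rather than rejecting outright is deliberate: the comment still lands in the queue, so the rare legitimate commenter who links to their own work is a one-click approve, while the spammer's link never goes live, which is the only outcome that removes the payday.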

What used to be advised but isn't anymore

Two pieces of legacy advice deserve retirement. First, auto-closing comments after 14 or 30 days "to reduce spam." That tactic dates to an era of crude scripts; today it mostly kills evergreen discussion on your best-ranking posts while barely denting a determined spammer. Fix the filtering instead of amputating the feature. Second, stacking multiple anti-spam plugins in the hope that more is safer — Akismet plus Antispam Bee plus a CAPTCHA plugin plus a security suite's comment module. Overlapping filters create conflicting rules, slow your form, and make it impossible to tell which layer caught (or missed) what. Pick one filtering plugin, one honeypot source, and one optional challenge, and you'll get cleaner results that are actually debuggable.

When to disable comments entirely

If comments don't add measurable value to a section of your site — documentation, product pages, thin affiliate roundups — turn them off and delete the attack surface. There's no virtue in defending a feature nobody uses. But if your comment section produces real discussion, that engagement is a genuine differentiator AI-generated competitor content can't fake, and it's worth protecting. The decision should come from whether the comments serve your readers, never from spam fatigue alone. With an edge rule, a honeypot, Akismet, a link-gate, and a once-a-day queue check, the fatigue is the part you can actually engineer away.