Block Comment Spam Bots


Comments are processed by the wp-post-comments.php file. Automated spammers (‘spam bots’) can provide (‘post’) data directly to that page, bypassing any comment processing, by using CURL/WGET commands.

The result is comment spam – and not always caught by common comment spam checkers. Even if it is, processing that spam takes some server resources, including writing to the database.

This plugin adds a simple and changing hidden field value to the comment form. The processing of the comment form is changed to check for that hidden field. If not found, then the normal comment form entry was bypassed by the spam bot, so the comment is discarded. Otherwise, the comment is processed normally.

This is the best solution to block comment spam. We’ve tested it on a site that had 20-40 spam comments a day. With this plugin enabled, there have been none. Not one. Zero. No comment spam during a week of testing, and it continues to block comment spam on our sites.

The Admin, Comments page is modified to show a column with a green checkmark icon if the comment was entered by a real person and not a bot. This is an assurance that the comment was not entered via an automated CURL/WGET to the wp-comments-post.php file. A comment that is on the list that does not show the hidden field value was entered manually, and other comment spam blocking techniques might be needed for your site. But you won’t see those blocked comments with this plugin enabled. You can hover over the checkmark icon to see the GUID value indicating a person entered the comment.

An information screen provides a CURL command you can use to test the effectiveness of blocking (or not blocking) direct access to the wp-comments-post.php file.

The plugin also adds the hidden GUID field to the comment form after a delay to help block bots that are using the comment form to submit. If the hidden field is not submitted then a bot tried to bypass the comment form. And a short delay happens before the comment submit button is displayed – another bot protection.

This provides a total solution to comment spam.


This section describes how to install the plugin and get it working.

  1. Upload the plugin files to the /wp-content/plugins/plugin-name directory, or install the plugin through the WordPress plugins screen directly.
  2. Activate the plugin through the ‘Plugins’ screen in WordPress
  3. Use the Settings->Plugin Name screen to configure the plugin
  4. (Make your instructions match the desired user flow for activating and installing your plugin. Include any steps that might be needed for explanatory purposes)

Preguntas frecuentes

Does it really work?

Yep. We’ve tested it on a site that was getting 20-40 spam comments a day. With this latest version, there have been no spam comments. And the protection continued for a full week during our testing. Just like that battery rabbit, it’s still going strong, blocking comment spam.

Does this modify the comment form?

The comment form will look as it always did.

Are there any settings?

Nope. Just an information screen about how it works, including an easy way to test blocking automated comment spam.

What about customized comment forms?

No changes to the visual or operational comment form is made. It just adds a hidden field with a unique value, then checks for that field on submit. Plus it blocks direct posting to the comment processing code.

What about Contact forms?

This plugin doesn’t affect Contact forms; it just works on comments.

But we have a solution for Contact forms – see our site. It works on WordPress and other sites. Takes a small bit of customization for your WP theme, but full instructions are included.

And, like this plugin, it’s entirely free.

So a full solution for comment and contact spam is …?

This plugin, plus the FormSpammerTrap code you can easily add to your site.

You’re welcome!


19 de enero de 2022
It does the job of killing automated spambots that use the cURL command. Spammers use cURL to bypass your website's post/ page and contact your server directly to access WordPress. It seems that cURL is how the 'big boys' of spam can flood the internet with their trash. So far this plugin has been flawless in its killing ability. I always moderated all my comments (because spam is out of control) along with Akismet. The annoyance I had was seeing all that spam in the queue! None of it was ever real. Akismet dumps all that dross in my spam queue for me to look at and fill up my database with trash. A complete waste of time, and there is no way to automatically delete this type of spam before it gets into the database. Which irks me. I looked at every type of plugin, but this is the only one that actually works in the way I want it to: nips spam in the bud. Never touches my database, and that makes me happy. Hence my over-enthusiastic 5 stars for this plugin... Nonetheless, it has a couple of issues on the admin side; Issue 1 If you reply to a comment from the admin home page it will come up with an error (well it did for me, it thought I was a spammer in my own Admin LOL, you have to see the funny side), the workaround is to go client-side and post a reply on the post/ page. I can live with that for the time being. Issue 2 The other issue I noticed it a reported change in IDs for comments. I use a plugin to show the IDs of pages, posts and comments, and after installing this plugin the ID came up as a long string of numbers and letters instead of the usual neat number. I checked my WordPress install's database, and it seems to have not altered anything (a nice neat number in the database as always despite being processed by this plugin), and the ID of the comment is correct on the actual post/ page (viewed source in browser). Both issues seem to be a bug. As there is no damage in the database I suspect it's a display issue. I posted the first in the support and I'll add that second. Rick answered and suspects it's a filter issue. 5 stars Still, for me 5 stars. That's how much I hate seeing all that spam. No real person is going to use a cURL command to post to your website so I can sleep at night knowing that no legitimate user is getting binned. I hope Rick continues to support this plugin as it's the best for blitzing the hell out of automated spam. Philip
Leer todas las 0 reseñas

Colaboradores y desarrolladores

Este software es de código abierto. Las siguientes personas han contribuido a este plugin.


Traduce "Block Comment Spam Bots" a tu idioma.

¿Interesado en el desarrollo?

Revisa el código, echa un vistazo al repositorio SVN o suscríbete al registro de desarrollo por RSS.

Registro de cambios

** Version 2.2 (23 Jan 2022)**
– Fixed bug where replying to a comment in the comment admin area would give you a ‘go away spammer’ message on submitting the reply. This required a more complex check if you were in the admin area; the GUID value is forced into the $_POST if in admin area. (Thanks to phillip-s for the alert.)

(Geeky explanation) The enhancement uses the role of the current user to check their ‘moderate comments’ capability. Admin, editors, and author roles have that capability. Since those roles allow them access to the admin/comments screen (and editor/authors only see the comments for their level, as opposed to the admin role that can see everything), then those roles can see the ‘reply’ link for each comment, and we don’t need to add any special fields to the comment drop-down form. We just add the GUID for that instance, because a valid user is replying to (which is creating a new comment) via the admin/comments screen.
– Fixed bug where the GUID value is displayed on added columns from other plugins, rather than the date from those other plugins. (Thanks to phillip-s for the alert.)
– Changed the heading for indicating that the comment was done by a human from “Bot Blocked?” to “Comment Verified”. The old heading could indicate that the comment was from a bot, rather than from a human.
– Changed the display of the “Comment Verified” column to show a green check mark, rather than the GUID value. If you hover over the checkmark icon, you will see the GUID value in a tooltip. Done to show less clutter on comment list screen.
– Added constant for the checkmark icon for a slight performance increase. so we don’t call the plugin_dir_url function for each checkmark icon display.
– Fixed minor warning-type error in the function that checks if the GUID value is in the POST on comment submit.
– Changed the BCSB_VERSION_NUMBER from a global variable to a constant (used on the plugin info pages).
– Added additional text to the settings screen reminding you to refresh that screen if you are trying the CURL command again. This changes the random value in the sample CURL command, so you don’t get a ‘duplicate comment’ message.
– Minor text changes to the Settings screen.
– Minor code formatting.

Version 2.1 (24 July 2020)
– added a delay to showing the ‘submit’ button. It will display after a short delay. This will prevent an inadvertent ‘spammer catch’ of a person that creates a comment offline, then pastes the comment text into the comment box and then submits before the timeout. (The timeout is there to prevent a bot submission of the comment.)
Initially, the person will not see the submit button. After the short delay, the submit button will appear as normal.

Version 2.0 (23 July 2020)
– fixed bug where hidden field wasn’t being inserted into the comment form if the user was not logged in. Bug didn’t happen when user was logged in.
– set the extra hidden field to not be visible on the form.
– note that this plugin uses the wp_generate_uuid4() function to create a (mostly) random value used in the hidden field after the delay. This value is not truly random; there is the possibility of duplicates. But we don’t care if there are duplicates, just that it’s a WP-verifiable UUID, and that it was changed after the delay. (The delay in changing that hidden fields, and verifying it is a WP-valid UUID, is one of the layers of spambot protection.)
– Changed heading/text of the hidden meta value shown on the Admin Comment Editing screen, and made the field read-only.
– Added single-click of the CURL command on the Settings page to get it into your clipboard.
– removed some unused/testing code.

Version 1.5 (1 Jan 2020)
– Changed the styling of the box that shows the CURL command for the site.
– Added an additional image showing a possible result from the CURL command.
– Minor CSS changes.
– Some minor changes to the information on the settings/information screen.

Version 1.4 (29 Dec 2019)
– Added more info to the FAQ area.
– Some more info on the Settings/Info screen.

Version 1.3 (24 Dec 2019)
– Added the storage and display of the hidden field on the Admin, Comments screen. That field can be edited, although not sure why you would want to.
– The addition of a column for the hidden field value will allow you to see if a spammy comment was entered manually. A blank value indicates that the comment was entered manually.
– Added a timed delay to change the value of the hidden field, to prevent automated entry of the actual comment form.
– Added additional information on the ‘Info/Settings’ screen, including the CURL command you can use to try to automated a comment.
– All function and variable names now have a prefix to ensure that there are no conflicts with other core/theme/plugin functions or values.
– Added CSS files, and images in the assets folder.
– Some minor changes to this readme file for additional information.

Version 1.2 (23 Dec 2019)
– Not released/testing version

Version 1.1 (18 Dec 2019)
– Initial Release (prior versions used in development only)