5 tips to protect your WordPress site against spam

“Roughly 90% of emails that are sent from websites are spam, and most of those come from sites running on WordPress.”

Despite the measures we have put in place to detect and counter spam, emails still get through, clogging up your mailbox and giving your domain a bad reputation.

You can reduce spam sent from your WordPress site by implementing a few easy measures.

Create the email account wordpress@ on your domain

By default, WordPress sends its notifications with wordpress@yourdomain.com as the “from” address (the domain is derived from your site address). If you create that mailbox in your mail administration, delivery failures for messages WordPress tried to send (bounces) will land there instead of disappearing, so you are notified whenever a message could not be delivered. To make this easier to manage, forward the mailbox to the primary email account on your domain and create a filter that moves those messages to a dedicated folder.

If you suddenly receive a large number of undelivered messages, that is a sign that your site is being used to send spam. If this occurs, look at what is generating the emails, for example a contact form, and disable or protect that function.

Limit who can leave comments

On popular websites with a lot of visitors, most comments by far are spam. That’s why we recommend that you limit who can leave comments on your site.

In WordPress Admin under Settings > Discussion, you can change who can leave comments and when comments are published. We recommend disabling comments from anonymous users by checking “Users must be registered and logged in to comment”.

Alternatively, you can disable comments completely and replace them with a discussion service like Disqus, which has its own built-in anti-spam measures, so spam filtering is handled on their side.

Activate the Akismet plugin

If you decide to allow comments from anonymous users, a good anti-spam plugin is indispensable. The Akismet plugin is bundled with every WordPress download and is free for personal use. You only need to activate it and enter an API key from Akismet.

Once activated, Akismet checks every comment for spam: suspected spam is moved to the spam folder, and only comments it considers legitimate reach your moderation list.

Make sure user registration is turned off

We recommend keeping user registration turned off, because open registration is almost always abused by bots to create accounts for posting spam. Allowing registration only makes sense if your website is restricted to members, or if users must be logged in to comment. If you want visitors to subscribe to updates on your blog, use a subscription plugin for that instead.

Under Settings > General you will find the Membership setting. Make sure the box “Anyone can register” is unchecked.
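The settings from tips 1, 2 and 4 can also be pinned in code, so they cannot quietly drift back in the admin screen (for example when a compromised administrator account re-enables registration). The must-use plugin below is an added example written for this article, not WordPress core code or the code of any plugin. The mailbox wordpress@example.com and the file name are assumptions; the hooks it uses (wp_mail_from, the pre_option_* filters and registration_errors) are standard WordPress filters.

```php
<?php
/**
 * Plugin Name: Anti-spam hardening (mu-plugin)
 * Description: Pins the spam-related settings from the article so they
 *              cannot drift in the admin UI.
 *
 * Added example for this article, not WordPress core or any plugin's code.
 * Assumptions: the monitored mailbox is wordpress@example.com and the site
 * does not need open registration. Adjust both before use.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

// Tip 1: send all WordPress mail from a mailbox you actually read, so bounces
// (undeliverable notifications) land somewhere you will notice them.
add_filter( 'wp_mail_from', function ( $from ) {
    return 'wordpress@example.com'; // assumed monitored address
} );
add_filter( 'wp_mail_from_name', function ( $name ) {
    return 'WordPress notifications';
} );

// Tip 2: require a login to comment (Settings > Discussion >
// "Users must be registered and logged in to comment"). A pre_option_*
// filter short-circuits get_option(), so the value stored from the UI
// is ignored and the hardened value always wins.
add_filter( 'pre_option_comment_registration', '__return_true' );

// Also hold every comment for moderation instead of auto-approving it.
add_filter( 'pre_option_comment_moderation', '__return_true' );

// Tip 4: keep "Anyone can register" off. __return_zero returns int 0, which
// is not boolean false, so get_option() returns 0 rather than the stored
// value (returning false would mean "no override").
add_filter( 'pre_option_users_can_register', '__return_zero' );

// Belt and braces: if a registration request still reaches WordPress
// (e.g. through a plugin with its own registration form), refuse it.
add_filter( 'registration_errors', function ( $errors ) {
    $errors->add( 'registration_disabled', 'Registration is disabled on this site.' );
    return $errors;
} );
```

Save the file as wp-content/mu-plugins/anti-spam-hardening.php; must-use plugins are loaded automatically and cannot be deactivated from the admin screen. For tip 3, Akismet can likewise read its key from a WPCOM_API_KEY constant defined in wp-config.php instead of the settings page, which keeps the key out of the database.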

Use CAPTCHA in forms

If you have a contact form on your site or allow user registration, it’s essential to verify that the user filling in the form is a human and not a spambot. The easiest way to do this is to add a reCAPTCHA plugin to your WordPress site. A CAPTCHA distinguishes humans from robots by asking for an action that bots generally cannot perform.

Over the years bots have become smarter, but luckily so has CAPTCHA. Nowadays you usually only need to tick a box to confirm you are human, instead of typing in a distorted code or number. Only if your behaviour looks suspicious do you have to pass another test, for example selecting all images that contain a cat.

Most form plugins already have a built-in reCAPTCHA function. The only thing you need to do to enable it is to register your site with Google and enter the two keys it gives you: the site key, which is embedded in the page, and the secret key, which stays on the server and must never appear in the page source. The actual check always happens on the server, where the secret key is used to ask Google whether the token the visitor’s browser produced is valid.
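What a form plugin does with those two keys is worth seeing, because the protection rests on the server-side step: the browser only collects a token, and the server uses the secret key to ask Google whether that token is genuine. The handler below is an added example for this article, not the code of any form plugin. It assumes the secret is defined as a RECAPTCHA_SECRET constant in wp-config.php (a name chosen for this example), a form that posts to admin-post.php with action=example_contact (also hypothetical), and the standard reCAPTCHA v2 siteverify endpoint.

```php
<?php
/**
 * Server-side reCAPTCHA v2 verification for a custom form handler.
 *
 * Added example for this article, not code from any form plugin.
 * Assumptions: the secret key is defined as RECAPTCHA_SECRET in wp-config.php
 * (constant name chosen here) and the form posts the token in the standard
 * g-recaptcha-response field.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

function example_recaptcha_passed( string $token, string $remote_ip ): bool {
    if ( '' === $token || ! defined( 'RECAPTCHA_SECRET' ) ) {
        return false; // No token or no configured secret: fail closed.
    }

    $response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 5,
        'body'    => array(
            'secret'   => RECAPTCHA_SECRET, // never sent to the browser
            'response' => $token,
            'remoteip' => $remote_ip,
        ),
    ) );

    // Network error or non-200 answer: do not let the submission through.
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }

    $result = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $result ) || empty( $result['success'] ) ) {
        return false;
    }

    // A token is tied to the domain the widget was rendered on. Reject tokens
    // solved on another site and replayed against this form.
    $expected_host = wp_parse_url( home_url(), PHP_URL_HOST );
    if ( empty( $result['hostname'] ) || $result['hostname'] !== $expected_host ) {
        return false;
    }

    return true;
}

// Hypothetical handler for a form posting to admin-post.php?action=example_contact
// from visitors who are not logged in.
add_action( 'admin_post_nopriv_example_contact', function () {
    $token = isset( $_POST['g-recaptcha-response'] ) ? (string) wp_unslash( $_POST['g-recaptcha-response'] ) : '';
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '';

    if ( ! example_recaptcha_passed( $token, $ip ) ) {
        wp_die( 'CAPTCHA verification failed.', 'Spam check', array( 'response' => 403 ) );
    }

    // Only now is it safe to handle the submission (send the mail, store it, etc.).
} );
```

Two details matter beyond checking the success flag: fail closed when Google cannot be reached rather than letting the submission through, and compare the returned hostname with your own site, because domain verification can be switched off in the reCAPTCHA admin console and a token solved elsewhere could otherwise be replayed against your form.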