How to Stop Spam Comments on WordPress in 2026 (What Actually Works)

If you launched a WordPress site in the last year, you already know: comment spam is worse than it used to be. A lot worse.

The reason isn't a mystery. Anyone with $20 and a ChatGPT account can spin up a bot that writes plausible, on-topic comments at scale — the kind that slip past keyword blacklists and even Akismet. The old advice (turn on Akismet, add a CAPTCHA, walk away) doesn't hold up anymore.

This guide is the modern playbook: what to enable right now in WordPress, what to add when that's not enough, and what AI spam looks like in 2026 so you actually know what you're fighting.

Why WordPress Comment Spam Suddenly Got Worse

A quick reality check before the tactics.

For two decades, comment spam was easy to spot. Broken English, 14 links to "cheap watches," a username like xZ9q1f. Pattern-matching tools like Akismet were built for that world and they worked great.

That world is gone. In 2026, the spam landing in your moderation queue looks like this:

"Really insightful breakdown of caching strategies — I've been wrestling with this exact issue on a client site. Have you tried [some plugin] for the edge layer? Curious about your take."

Looks like a real reader. References the topic. Drops one soft link. Multiplied across tens of thousands of sites a day.

This is AI-generated comment spam, and it's the reason your spam folder is suddenly full of comments that look almost legitimate. Three things make it worse than what came before:

1. It's grammatically clean. Filters trained on bad English don't catch it.
2. It's on-topic. The bot actually reads the post before commenting.
3. It's cheap. A spammer can generate thousands of unique, post-specific comments for the cost of a sandwich.

If you've been using only the WordPress defaults, the wave is hitting you head-on. Let's fix it.

The 5-Minute Fix: Native WordPress Settings

Before you install anything, turn on the four built-in settings that block most low-effort spam. These take about five minutes total and don't require any plugins.

Go to Settings → Discussion in your WordPress admin:

1. "Comment must be manually approved" — Every comment waits for your review. This stops nothing from arriving, but it stops spam from being published. Good for low-traffic sites.
2. "Comment author must have a previously approved comment" — Once you approve someone, they're trusted. New commenters wait. This is the single highest-leverage native setting.
3. "Hold a comment in the queue if it contains [X] or more links" — Set this to 1. Almost no legitimate first-time commenter posts a link. Almost all spam does.
4. "Automatically close comments on posts older than [X] days" — Set this to 60 or 90. Old posts are spam magnets because they're forgotten. If you're not actively reading comments on a two-year-old post, close them.

That's the floor. It's not enough by itself in 2026 — modern AI spam will still get through, and you'll still spend time approving real comments — but it's the unavoidable starting point.

Why Native Settings Stop Being Enough

If your site gets more than a handful of comments a week, you'll quickly notice the problem with the native approach: manual moderation doesn't scale.

Even with the "previously approved" rule, every new commenter (legitimate or not) sits in your queue. If your blog post goes mildly viral, you're suddenly approving — or rejecting — hundreds of comments by hand. That's where dedicated tools come in.

You have three real categories to choose from:

Pick based on your spam volume and how much you care about reader friction. Most sites end up running two layers — a bot-blocker plus a content-checker.

Bot Blockers: When to Use a CAPTCHA (and When to Skip)

CAPTCHAs and their friendlier cousin, the honeypot, exist to verify the commenter is a human, not an automated script.

Cloudflare Turnstile is the modern, free option. It's invisible most of the time and doesn't make readers click bicycles. If you're already on Cloudflare, this is a no-brainer addition. If you're not, the WordPress plugin works standalone.

Honeypots (used by plugins like Zero Spam) are even quieter — they add invisible form fields that bots fill out and humans don't see. No challenge, no friction, no UI.

Skip CAPTCHA when: your readers are technical (devs especially hate them), your bounce rate on the comment form is already a problem, or you're getting AI spam — most modern AI spam runs through real browsers and walks past challenge-response systems.

Use a honeypot/Turnstile when: you're getting hammered by classic bot spam (50+ comments a day from form posters), and you want a passive layer that doesn't bug humans.

The honest take: CAPTCHAs and honeypots stop bots. They do nothing about a human-driven SEO agency posting paid comments, or AI spam delivered through automated browsers. You still need a content layer.

Pattern-Matching: Akismet and Friends

Pattern-matching plugins compare every comment against a database of known spam — IPs, link patterns, copy-pasted phrases. This is what Akismet, CleanTalk, and Antispam Bee all do at their core.

This approach works great against high-volume, repetitive spam — the same scammer hitting 10,000 sites with the same payload. It's fast, server-light, and battle-tested.

Where it struggles in 2026:

• Novel spam. Every comment generated by an LLM is technically unique. There's no fingerprint to match.
• On-topic spam. Pattern-matching looks at the comment in isolation. It can't tell that a perfectly written comment about caching is irrelevant on a recipe blog.
• Slow updates. New patterns take days to weeks to appear in the database. The early wave of a new spam campaign always gets through.

If you're on a hobby blog with light comment volume, Antispam Bee is the free no-strings-attached pick. If you have multiple sites and want cheap coverage, CleanTalk is hard to beat at $12/year. If you've been using Akismet and it's working — keep using it.

For a deeper comparison of all the major plugins, see our Akismet alternatives breakdown.

AI Detection: Reading the Comment, Not Matching It

The new generation of anti-spam tools approaches the problem differently: instead of matching comments against known patterns, an AI reads each comment and evaluates whether it's genuinely relevant to the post it was left on.

This is the approach RightComments takes. Every comment goes through an LLM that judges three things:

1. Is this comment actually about this post, or is it generic filler?
2. Does it add anything (a question, a counterpoint, a personal experience), or is it just an excuse to drop a link?
3. Would a thoughtful site owner publish this?

The advantage is that AI spam, which fools pattern-matching by being grammatically clean and topically loose, gets caught by AI detection — because the AI evaluating the comment isn't fooled by the AI that wrote it. They're both looking at the same signals (relevance, intent, depth) and one is judging the other.

It's also the only approach we know of that handles the on-topic, well-written, but useless category — the soft-pitch comment that praises your post and tries to start a "conversation" that ends in a link.

The trade-off: it's a paid plugin ($8.99/month for 1,000 comments) where Antispam Bee is free. If your moderation queue is currently a daily annoyance, the math works out fast.

The Layered Approach That Actually Works

In practice, most low-spam WordPress sites in 2026 run something like this:

1. All four native discussion settings on (queue links, require approval for new commenters, auto-close old posts)
2. A bot blocker — Cloudflare Turnstile or a honeypot plugin
3. A content checker — either a pattern-matching plugin (free tier acceptable) or AI detection (if pattern-matching is leaking)

You don't need all three to do anything. But each layer catches a different category of attacker, and the cost of running two together is usually zero or close to it.

If you're going to pick one paid tool, pick the content checker. That's where the actual decision-making happens — everything else is just filtering noise out of the input.

A Note on Disabling Comments Entirely

If you read enough of these guides, you'll hit advice along the lines of "just turn off comments." This is the nuclear option, and it deserves an honest discussion.

You should consider turning off comments when:

• You don't have time to moderate them
• Your audience doesn't engage in comments (they DM you, post on social, etc.)
• The signal-to-noise ratio is so bad that you're scaring off real readers

You should keep them when:

• Comments contribute to SEO (search engines treat comment-rich posts as more "alive")
• Your community actually uses them (look at your last 20 approved comments — are they real conversations?)
• You're publishing tutorials or technical content where readers ask questions

If you're disabling comments because spam moderation is too painful, that's the wrong reason — it's solving a tooling problem by removing a feature. Fix the tooling first.

Stop Spam Comments on WordPress: TL;DR

For the impatient:

• 5 minutes: Toggle the four native discussion settings above.
• Add a bot blocker: Cloudflare Turnstile if you're already on Cloudflare, otherwise a honeypot plugin like Zero Spam.
• Add a content checker: Antispam Bee if you're on a hobby budget, RightComments if AI spam is leaking through pattern-matching.
• Close comments on posts older than 60–90 days.
• Don't disable comments as the solution to a tooling problem.

That's the playbook. The whole game now is layering — one tool to verify the commenter is human, another to verify the comment is real.

Frequently Asked Questions

Why am I suddenly getting so many spam comments on my blog?

AI dropped the cost of generating convincing comment spam to near zero. What used to take a human in a click-farm can now be produced automatically, in unique on-topic form, at scale. Any WordPress site running only the defaults from 2023 will see a step-change increase in 2026.

How do I disable comments on a WordPress post?

For a single post: open the post editor, click the three-dot menu in the top right, choose Options, and uncheck Discussion → Allow comments. To disable comments site-wide for new posts, go to Settings → Discussion and uncheck Allow people to submit comments on new posts. Note that this only affects new posts — comments already enabled on old posts stay enabled until you close them individually or use a plugin like Disable Comments.

Does Akismet still work in 2026?

It works for traditional spam — repetitive, link-heavy, low-effort comments. It struggles with modern AI-generated spam that's grammatically clean and topically relevant. If your Akismet spam folder is full of obviously fake comments, it's doing its job. If your moderation queue is full of comments that look real but feel off, you've outgrown pattern-matching and need a content-level filter.

Are CAPTCHAs still effective against spam comments?

For automated bot scripts, yes. For AI spam delivered through real browser sessions, no — modern spam operations can solve any visible CAPTCHA programmatically, and invisible challenges like Turnstile are designed to pass through human-driven sessions (which is how most AI spam is delivered now). CAPTCHAs are still useful as a layer, but don't expect them to be your full solution.

What's the difference between comment spam and trackback/pingback spam?

Comment spam is fake comments posted to your comment form. Trackback and pingback spam are notifications that another site has linked to yours — except the "other site" is fake and the link is bait. The fix for trackback/pingback spam is the same: go to Settings → Discussion and uncheck Allow link notifications from other blogs (pingbacks and trackbacks). Most modern WordPress sites disable these entirely.

Can I run multiple anti-spam plugins together?

You can, and most sites do — but pair them by layer, not by redundancy. Running Akismet and CleanTalk side-by-side is pointless (they do the same thing). Running a honeypot plugin + a content-checker is the right pattern. Two plugins that both modify the comment approval workflow can conflict and silently lose comments, so test after adding the second one.

How do I stop spam comments without using a plugin?

You can get pretty far with native WordPress settings alone: require manual approval, require previously approved comments, queue comments with 1+ links, and auto-close comments on old posts. You'll spend more time in your moderation queue, but you can run a low-traffic blog this way indefinitely. Once you're past about 5 spam comments a day, the time saved by a plugin pays for itself.