WordPress Plugin to Block Spam Comments

I don’t receive many real comments from actual humans on my posts, but I do receive a lot of annoying spam comments each day. It’s a nuisance to regularly empty the spam folder, but I prefer to leave the option to post comments open for the rare occasion when someone has a follow-up question or comment. There are many WordPress plugins available to block spam; however, they are typically overkill for a small site like mine. I wrote this plugin to provide a simpler solution to block the majority of spam comments. It is not meant to block every possible method that spammers have for generating comments, but it will block the vast majority. The intent was also to avoid employing user obstacles such as CAPTCHAs and other challenge-response tests.

I’ve had this plugin running on my site for several months and I have not had any spam comments.

Add the code below to a .php file and upload it to your plugin directory. Once uploaded, activate the plugin from your dashboard and it will begin blocking spam comments for your site.

The plugin uses three methods to filter spam comments:

  • Timestamp Method: If a comment is submitted in less than 15 seconds after viewing the page or after more than an hour, then the comment will be rejected as spam. The time thresholds should be adjusted to meet your individual needs. I’ve noticed that most spam comments are submitted within 5 seconds after viewing the page.
  • Honeypot Method: Many automated tools for generating spam comments will blindly add data to every available field in a form. The honeypot method adds a non-visible field to the comment form that will cause a comment to be rejected as spam if any information is submitted in the field.
  • Link Counter Method: If a comment includes 2 or more URLs in the comment body, then the comment will be rejected as spam. The number of allowed URLs in a comment should be adjusted to meet your individual needs. Spam comments generally have multiple URLs included in the comment body.

<?php
/*
Plugin Name: WP Spam Blocker
Plugin URI: https://www.dalesandro.net/
Description: WordPress plugin to block comment spam.
Version: 1.0
Author URI: https://www.dalesandro.net/
*/

// Reject the comment unless all three checks pass.
function wp_spam_blocker__pre_comment_on_post() {
  if(!(wp_spam_blocker__is_valid_timestamp() &&
       wp_spam_blocker__is_valid_honeypot() &&
       wp_spam_blocker__is_valid_comment_number_of_urls())) {
    wp_die(__('This comment has been rejected.'));
  }
}

// Timestamp method: the hidden field carries "hash,timestamp" (base64 encoded).
function wp_spam_blocker__is_valid_timestamp() {
  $salt = get_option('wp_spam_blocker_salt');
  $timestamp_current = time();
  $timestamp_allowed_age_min = 15;
  $timestamp_allowed_age_max = 3600;
  $timestamp_difference = 0;
  $valid = 0;

  // Only accept a string; an array-valued field would raise a TypeError on PHP 8.
  $form_hash_value = (isset($_POST["wp_spam_blocker"]) && is_string($_POST["wp_spam_blocker"]))
    ? base64_decode($_POST["wp_spam_blocker"]) : "";
  $data = explode(",", $form_hash_value);

  if(count($data) == 2) {
    // hash_equals() compares in constant time and avoids loose == type juggling.
    if(hash_equals(md5($data[1] . $_SERVER['REMOTE_ADDR'] . $salt), $data[0])) {
      $timestamp_initial = $data[1];

      if(is_numeric($timestamp_initial)) {
        $timestamp_difference = $timestamp_current - $timestamp_initial;

        if (($timestamp_difference > $timestamp_allowed_age_min) && ($timestamp_difference < $timestamp_allowed_age_max)) {
          $valid = 1;
        }
      }
    }
  }

  return $valid;
}

// Honeypot method: the hidden textarea must be present and empty.
function wp_spam_blocker__is_valid_honeypot() {
  $valid = 0;

  if(isset($_POST["wp_spam_blocker_comment"]) && is_string($_POST["wp_spam_blocker_comment"])) {
    if(strlen($_POST["wp_spam_blocker_comment"]) == 0) {
      $valid = 1;
    }
  }

  return $valid;
}

// Link counter method: allow at most $number_of_urls_allowed URLs in the comment body.
function wp_spam_blocker__is_valid_comment_number_of_urls() {
  $number_of_urls_allowed = 1;
  $matches = null;
  $count = 0;
  $valid = 0;

  // Treat a missing or non-string comment body as empty.
  $comment = (isset($_POST["comment"]) && is_string($_POST["comment"])) ? $_POST["comment"] : "";
  $count = preg_match_all("~\b(?:https?://)?(?:[a-z0-9-]+[.])*(?:[a-z0-9-]+[.][a-z]{2,4})/?~is", $comment, $matches);

  if($count <= $number_of_urls_allowed) {
    $valid = 1;
  }

  return $valid;
}

// Add the hidden honeypot textarea and the hidden timestamp field to the comment form.
function wp_spam_blocker__comment_form() {
  echo('<p style="display: none;"><label for="wp_spam_blocker_comment">Do Not Use</label>' .
       '<textarea id="wp_spam_blocker_comment" name="wp_spam_blocker_comment" cols="45" rows="8"' .
       '></textarea></p>' .
       '<input type="hidden" id="wp_spam_blocker" name="wp_spam_blocker" value="' .
       wp_spam_blocker__get_hash() .'"/>');
}

// Build the "hash,timestamp" value bound to the visitor's IP address and the site salt.
function wp_spam_blocker__get_hash() {
  $salt = get_option('wp_spam_blocker_salt');
  $timestamp = time();

  return base64_encode(md5($timestamp . $_SERVER['REMOTE_ADDR'] . $salt) . "," . $timestamp);
}

// Generate the per-site salt from the CSPRNG rather than microtime() and rand().
function wp_spam_blocker__activate() {
  update_option('wp_spam_blocker_salt', bin2hex(random_bytes(32)));
}

// Nothing is cleaned up on deactivation; the salt option is left in place.
function wp_spam_blocker__deactivate() {
}

add_action('comment_form', 'wp_spam_blocker__comment_form');

add_action('pre_comment_on_post', 'wp_spam_blocker__pre_comment_on_post');

register_activation_hook(__FILE__, 'wp_spam_blocker__activate');

register_deactivation_hook(__FILE__, 'wp_spam_blocker__deactivate');
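
The timestamp method authenticates the hidden field with md5(timestamp . IP . salt). The following added example, which is not part of the original plugin, runs the same check outside WordPress with HMAC-SHA256 swapped in for the salted md5, and shows which submissions are accepted or rejected. The names issue_token() and check_token(), the "|" separator, the status strings and all sample values are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. issue_token(), check_token(), the "|"
// separator and the status strings are assumptions made for illustration.
const MIN_AGE = 15;    // seconds; same lower threshold as the plugin
const MAX_AGE = 3600;  // seconds; same upper threshold as the plugin

function issue_token(string $secret, string $ip, int $now): string {
  // The delimiter keeps the MAC input unambiguous; plain concatenation gives
  // the same input for different (timestamp, IP) pairs.
  $mac = hash_hmac('sha256', $now . '|' . $ip, $secret);
  return base64_encode($mac . ',' . $now);
}

function check_token($token, string $secret, string $ip, int $now): string {
  // Strict base64 decoding; a non-string field (e.g. an array) is malformed.
  $raw = is_string($token) ? base64_decode($token, true) : false;
  if ($raw === false) { return 'malformed'; }
  $parts = explode(',', $raw);
  if (count($parts) !== 2 || !ctype_digit($parts[1])) { return 'malformed'; }
  [$mac, $issued] = $parts;
  $expected = hash_hmac('sha256', $issued . '|' . $ip, $secret);
  if (!hash_equals($expected, $mac)) { return 'bad-mac'; }  // constant-time compare
  $age = $now - (int) $issued;
  if ($age <= MIN_AGE) { return 'too-fast'; }
  if ($age >= MAX_AGE) { return 'expired'; }
  return 'ok';
}

// Constructed sample values (documentation IP ranges, fixed clock).
$secret = bin2hex(random_bytes(32));
$ip = '203.0.113.7';
$t0 = 1700000000;
$token = issue_token($secret, $ip, $t0);
// Same MAC with the timestamp moved back 60 s, as a tampered submission.
$tampered = base64_encode(substr(base64_decode($token), 0, 64) . ',' . ($t0 - 60));

$cases = [
  'posted after 40 s'    => check_token($token, $secret, $ip, $t0 + 40),
  'posted after 3 s'     => check_token($token, $secret, $ip, $t0 + 3),
  'posted after 2 h'     => check_token($token, $secret, $ip, $t0 + 7200),
  'other client address' => check_token($token, $secret, '198.51.100.9', $t0 + 40),
  'timestamp rewritten'  => check_token($tampered, $secret, $ip, $t0 + 3),
  'array-valued field'   => check_token(['x'], $secret, $ip, $t0 + 40),
];
foreach ($cases as $label => $result) {
  printf("%-22s %s\n", $label, $result);
}
```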
