Previously on the CogitActive Saga:
There are two plugins – Hello Dolly and Akismet – bundled with any installation of WordPress. For the same reasons put forward for themes, you want to delete plugins that you are not using. The question, however, is which of these . . . plugins will I use?
Let me introduce you to what has evolved from an annoyance to a criminal enterprise1:
- Irrelevant or inappropriate messages sent on the Internet to a large number of users.
Admittedly, given their ubiquity, they don’t need any introduction – not anymore. Now, if you enable comments on your blog, you will have to deal with comment spams. The majority of them, poorly written or not, are aimed at generating traffic to the spammer’s website. However, many include malicious links and can prove harmful as well. The bottom line is that you don’t want them to get published!
Providentially, WordPress comes with Akismet installed by default. According to the codex, this plugin
uses a unique algorithm combined with a community-created database to ‘learn’ which comments are comment spam and which are legitimate3. Being a core plugin, it has to be essential. Right? Yet, it is not activated by default. So, should I activate Akismet to prevent comment spam? Before answering this question, let me first investigate what Akismet is.
Akismet by Automattic
This plugin is actually a comment spam filtering service; one of the suite of products made by Automattic, the company that runs WordPress.com. Beware! Dot com and NOT dot org. That is the for-profit business owned by Automattic and NOT the WordPress open source software managed by the non-profit WordPress Foundation. Anyway, given its origin, you can rest assured that it is of high quality and will see all the updates it needs. Moreover, you don’t have to fear it simply being abandoned, as is the case with many plugins in the realm of WordPress.
From the WordPress Plugin Directory, you can read:
Akismet checks your comments and contact form submissions against our global database of spam to prevent your site from publishing malicious content. Specifically, it filters spam based on information gathered from all websites on which the plugin is activated, allowing (only) legitimate comments. Moreover, when you manually mark a comment as spam (or the other way around), Akismet adds that information to its database. Hence, the algorithm is continuously learning (i.e. improving its accuracy rate) for future filtering.
The most powerful anti-spam plugin for WordPress. – Akismet
Apart from this pretentious claim, you can also find on the Akismet website that
cleaning up spam is annoying and time-consuming – which is true – and
Akismet filters out spam, so you can focus on more important things. Of course, for this service, they have
simple, affordable pricing that fits your needs: Personal, Plus and Enterprise. As a matter of fact,
You’ll need an Akismet.com API key to use it, and while
paid subscriptions are available for businesses and commercial sites,
keys are free for personal blogs.
An API key – where API stands for Application Programming Interface – is a string of characters (numbers and letters) that functions like a unique password. Specifically, it is the authorization code, which is passed in an API request; API being the messenger. In plain English, it allows your WordPress application (dot org) to communicate (i.e. send and receive data) with different services (e.g. Akismet).
Like some other WordPress plugins, Akismet requires an API key to activate its service. To obtain one, you have to sign up for an account (and a plan) on the Akismet website. However, quite confusingly, after doing so, you still need
to create a WordPress.com account in order to get access to the Akismet API key4. In their documentation, they justify this extra step by the fact that
a unified user account system is a necessary step toward getting seamless payment and functional integration across all of [their] tools.
In keeping with this oddity, if you check the WordPress.com documentation about API keys, they state that
WordPress.com is gradually phasing out use of the API Key. Specifically, before November 2011, an API key was assigned to every new WordPress.com account. However, since then, API keys are only used for activating the Akismet service. Why?
As alluded to in the post scriptum on the WordPress Plugin Directory page, Akismet is using a freemium pricing model. Thus, for the Personal plan, you can choose to pay nothing or to contribute somehow (
Name your price). Of note, this (free) plan comes with
spam protection for personal sites and blog only, while the paid versions (Plus and Enterprise) include
advanced stats as well as other features. Notably, only the more expensive of the two (Enterprise) comes with
bulletproof spam protection for . . . multisite installations.
Using WordPress Multisite myself, I was quite curious to know more about this matter:
How about a Multisite install?
Unless every site is purely personal, each subsite in your Multisite install will need to have a subscription, even if using the same top level domain name.
What do people recommend?
Pretty much all the articles on preventing comment spams are encouraging you to install this
must-have anti-spam plugin, but with varying degrees of enthusiasm.
One of the best Spam Blocking Plugins is the Akismet plugin for WordPress. – Ariel
You need a spam blocker . . . we think Akismet really should be your first choice. – John Hughes
It’s my humble opinion that Akismet is the mother of all plugins and that no WordPress site is complete without a fully activated version of Akismet running on it. – Lisa Sabin-Wilson
Apparently, WordPress agrees with them, as Akismet is a core plugin; meaning that it comes pre-installed in every installation. Just to keep things in perspective, however, the second core plugin is Hello Dolly. There is nothing more to say! Yet, let me expound on this a bit…
As nicely put by Desiree Johnson,
because Akismet is algorithm based, it can make mistakes4. While the accuracy rate has improved since the release of the plugin in 2005 and the algorithm is continuously learning,
some real comments can be blocked, and in some cases, a few spam [comments] can make it through4.
There are occasions where the plugin will mark a well-meaning comment as spam for one reason or another, however, those are usually few and far between. – Ariel
It is highly recommended that you take a look at your spam queue every once in a while so that you don’t miss a legitimate comment getting deleted by mistake. Similarly, it is wise to check the comments to see if Akismet did not miss a spam comment.
It’s probably worth your while to check the Akismet Spam page once a week to make sure that the plugin hasn’t captured any legitimate comments. – Lisa Sabin-Wilson
Beyond these more pragmatic opinions about Akismet, there are also some views that are worth mentioning:
Akismet spam protection is an effective tool, but it may not be the only comment management plugin your site needs as it evolves. – Desiree Johnson
As your site grows, you will find that you need other options to work alongside with Akismet to reduce the amount of spam. – Syed Balkhi
On the other side of the spectrum
So far, I have addressed the mainstream ideas about Akismet and spam blocker plugins in general:
You should be using a spam blocker — no exceptions. – Ariel
To say you need a spam blocker is an understatement. – John Hughes
However, there are some people claiming that
not all websites need spam blockers4. In particular, Jeff Star claims that
you can configure a powerful anti-spam strategy for just about any type of site without any plugins — not even Akismet5. His article is admittedly quite old (first published in 2009); yet, his argument is still valid:
WordPress is well-equipped to handle the job all by itself.
One of the most underrated strengths of WordPress is its built-in anti-spam functionality. With an ounce of knowledge and a pound of forethought, you can configure your WordPress Discussion settings to act as a powerful and effective defense against the evil forces of spam. No plugins required! – Jeff Star
There are indeed solid built-in tools (that come with every installation of WordPress) to prevent comment spam. In particular, the Settings > Discussion screen gives you complete control on how to handle comments (see below). One of these tools, the Comment Moderation feature
runs a number of tests on each new comment before posting it to your blog. If a comment fails one of these tests, it is not displayed immediately on the site but is placed in a queue for moderation7. Specifically, you can
hold comments for moderation if they contain an unusually large number of hyperlinks7. In addition, you can
specify a set of moderation keys which, if present in any part of the comment, will cause it to be held for moderation7.
These keys are specified one per line in the large text area, which is blank by default. Moderation keys can include Spam Words, swear words, IP addresses, and Regular Expressions.
This text area
works in exactly the same way as the comment moderation box, except that comments that match these words will be deleted immediately and without notification7. In fact, they will automatically go straight to the Trash folder (instead of being held for moderation). Thus, they are not lost until you delete them permanently from that folder.
As warned by the codex,
choose your blacklist words wisely3. Indeed, the items entered will match inside words as well. For instance, “press” will match “WordPress”. Therefore, don’t be too hasty in blacklisting the word “ass” because this
will automatically delete comments containing ass, asses, assistance, passionate, assumption, etc3.
A finely tuned WordPress Blacklist list eliminates the need for many types of plugins. Granted, it takes a bit of persistence to build up a good list, but once you do, it is very difficult for spammers to get around it. – Jeff Star
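To make the "choose your blacklist words wisely" warning concrete, here is an added Python model (not WordPress's own code, and not taken from any of the sources quoted here) that audits candidate keys against comments you have already approved and shows which legitimate words each key would catch. The sample comments, the function names, the case-insensitive matching and the link threshold of 2 are assumptions of this example.

```python
import re

# Constructed sample: comments a moderator has already approved as legitimate.
APPROVED = [
    "Thanks for the assistance, this was a passionate write-up.",
    "My assumption was that WordPress handled this already.",
    "Great post, see https://example.org/notes for my take.",
]

def key_matches(key, text):
    # Substring match, so a key also hits inside longer words.
    # Case-insensitive matching is an assumption of this model.
    return key.lower() in text.lower()

def collateral_words(key, comments):
    """Words in known-good comments that contain `key` but are not `key` itself."""
    hits = set()
    for text in comments:
        for word in re.findall(r"[a-z0-9']+", text.lower()):
            if key.lower() in word and word != key.lower():
                hits.add(word)
    return sorted(hits)

def audit(keys, comments=APPROVED):
    """Map each candidate key to the legitimate words it would catch."""
    return {key: collateral_words(key, comments) for key in keys}

def triage(text, moderation_keys, blacklist_keys, max_links=2):
    """'trash' on a blacklist hit, 'hold' on a moderation key or too many links, else 'pass'."""
    if any(key_matches(k, text) for k in blacklist_keys):
        return "trash"
    links = len(re.findall(r"https?://", text, re.IGNORECASE))
    if links >= max_links or any(key_matches(k, text) for k in moderation_keys):
        return "hold"
    return "pass"

if __name__ == "__main__":
    for key, words in audit(["ass", "press", "casino"]).items():
        print(f"{key!r} would also catch: {words or 'nothing in the sample'}")
    for comment in APPROVED:
        print(triage(comment, ["casino"], ["ass"]), "<-", comment)
```

Running the audit over a larger export of approved comments before adding a key to either list shows how many real readers that key would have silenced.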
Many simpler options (in the Settings > Discussion screen) can really help combat comment spam as well. First, you can deselect the first two options of Default article settings since a huge portion of trackbacks are spams (see the “Pingbacks and trackbacks” textbox in Configuring WordPress (Multisite) Settings). Second, in the Other comment settings, it is best to check Comment author must fill out name and e-mail – even though this will not help much. Third,
requiring users to log in before commenting is an extremely effective way of preventing comment spam5 – this option not being realistic for everybody, though. Fourth, a
very effective antispam technique6 is to automatically close comments on old posts after [X] days. By default, this is set to 14 days. While I opted for 30 days, other people extend this period up to
90 days5. Last, Jeff Star also suggests using the option Break comments into pages with [X] top level comments per page – apparently
a great way to reduce the incentive to spam your site5.
To recap, no comment should go live without moderation and Akismet will
remove the headache of moderating spammy comments. But here is the catch:
Akismet is not perfect and you still have to check for false positives (i.e. legitimate comments marked as spam) and false negatives (i.e. spams not detected). Of note, it will delete spams after 15 days; hence the recommendation
to check the Akismet Spam page once a week6.
Moreover, to activate Akismet, you need to create an account, and a WordPress.com account at that. After opting for a self-hosted website (see A website for your podcast) – that is choosing WordPress.org over free blog services like WordPress.com – I was not really thrilled by the idea. Even if you can create a WordPress.com account without creating a blog, this looks like a vicious circle to me. Add to this the Multisite constraint and you can see where my decision is heading.
In keeping with Jeff Star’s assertions, there is
a 100%-guaranteed way of completely eliminating spam without using any plugins whatsoever5. I have deliberately omitted this important setting (Settings > Discussion) until now, saving the best for last. Indeed, the Comment Must Be Manually Approved option will ensure that you have complete control over your blog comments; no comment will go live without moderation.
Depending upon the amount of comments and control you want over comments on your WordPress site, you may want to moderate all comments on your site. – WordPress codex
While this won’t reduce the number of spams you will receive, it is an effective way to prevent them from appearing on your site. Admittedly, this is a labor-intensive task, even more so when a reviewing process is implemented on top of it (see Comment Policy). A direct consequence of this approach is that comments are not immediately visible, which can be a potential frustration for legitimate posters. On the other hand, it will ensure visitors to your site only see high-quality comments that you have approved. Do I need to remind you of CogitActive’s guiding principles?
So, do I need Akismet? As long as manual moderation remains manageable, the answer is NO. Of course, as this blog grows more popular, spam is likely to become a larger issue. Yet, I hope never to have to rely on spam blockers. Besides, if I were to envisage using them, Akismet might not be my plugin of choice;
there are plenty of excellent alternatives indeed.
To conclude, whatever approach you choose, it is vital that you remove
irrelevant, malicious content before it gets published and hurts your site’s credibility. By the way, let me put an end to your dreams about comments; I had to awaken myself to this harsh reality:
You need to mentally prepare yourself for the hard fact that more than 99% of the comments you will receive is going to be spam. – Harsh Agrawal
Coming next: What about Jetpack?
1 Spams are not just about advertising (disgusting products or not), but can also be used for malicious attacks such as phishing. In addition, they can distribute malware, either by including it directly in the spam or by linking to a site with infected content.
2 Spam (2010) Oxford Dictionary of English – Third Edition. Oxford University Press.
3 See Combating Comment Spam.
4 Desiree Johnson (2019) What is the Akismet plugin? Bluehost.
5 Jeff Star (2017) You don’t need any plugin to stop comment spam. Digwp.
6 Lisa Sabin-Wilson (2017) WordPress All-in-One For Dummies – Third Edition. Hoboken, New Jersey: John Wiley & Sons.
7 See Comment Moderation.