Blog

How to stop spam comments on your WordPress website (without the headache)

If you’ve ever logged into your WordPress site and found a weird comment about something you’ve won, diet pills, or some suspicious link that leads who-knows-where… you’ve already met your first spam bot.

Even if your website doesn’t have a blog, or you’ve never invited people to leave comments, bots are still out there, crawling around and trying to sneak in.

The good news? You can stop them. Even better? You can stop them without needing to install yet another plugin.

Here’s a very simple guide to blocking spam comments on your WordPress site – from the basics to the more techie-techie approach, wherever your skill levels lie.

Step 1: Basic level, no skills required: Turn off comments from inside WordPress.

This is the easiest way to cut off comments at the source – perfect if your site has a blog where readers can leave comments.

Log into your WordPress dashboard:

  • Go to Settings > Discussion
  • Untick the box that says “Allow people to submit comments on new posts”
  • Scroll down and click Save Changes
  • Done!

This turns off comments for new posts and pages you create in the future.

But wait!

If you already have pages or posts published, they may still have comments turned on. You’ll need to turn them off too:

Go to Posts or Pages:

  • Use the tick box to select a few at a time
  • Click Bulk Actions > Edit > Apply
  • In the drop-down that says Comments, choose Do not allow
  • Click Update

Now you’ve closed the door for humans, but for some sites, bots may still be trying to get in through the windows…

Step 2: Intermediate skills: Add a bit of code to turn off comments site-wide.

If you want to make absolutely sure that comments are gone everywhere, this next bit is for you. You’ll need to edit your site’s theme slightly. If that sounds terrifying, don’t worry too much, just make sure you are working on a child theme, not the original theme file. And definitely make a backup first!

In your dashboard, go to Appearance > Theme File Editor:

  • Find the file called functions.php
  • Scroll to the bottom and paste this:

// Remove comment and trackback support from every post type that has it
function disable_all_comments() {
    foreach (get_post_types() as $post_type) {
        if (post_type_supports($post_type, 'comments')) {
            remove_post_type_support($post_type, 'comments');
            remove_post_type_support($post_type, 'trackbacks');
        }
    }
}
add_action('admin_init', 'disable_all_comments');

// Report comments and pings as closed everywhere, and hide existing comments
add_filter('comments_open', '__return_false', 20, 2);
add_filter('pings_open', '__return_false', 20, 2);
add_filter('comments_array', '__return_empty_array', 10, 2);

// Remove the Comments item from the dashboard menu
function remove_comment_menu() {
    remove_menu_page('edit-comments.php');
}
add_action('admin_menu', 'remove_comment_menu');

// Send anyone who opens the comments screen directly back to the dashboard
function redirect_comment_page() {
    global $pagenow;
    if ($pagenow === 'edit-comments.php') {
        wp_redirect(admin_url());
        exit;
    }
}
add_action('admin_init', 'redirect_comment_page');

Click Update File

This code tells WordPress: “Nope, comments are not a thing here. Ever.” Even if you accidentally tick a comment box somewhere, this will block it.

Why are you getting spam comments if you don’t even have a blog?

If your site doesn’t have a blog or a comment form, how on earth are spammers even finding you?

Here’s what’s really happening:

It’s all about backlinks

Most spam bots are just trying to sneak in links to dodgy websites – think fake subscriptions, weight loss pills, online casinos and even much much worse – you know what I’m talking about! Even if no one sees the comment, the link might still get picked up by Google. It’s a cheap and nasty attempt at SEO.

They’re testing for weaknesses

Some bots aren’t just spamming – they’re probing. If your site responds to a comment submission, they know it’s an active WordPress site. Later, they might come back and try more aggressive tricks.

They don’t care if you have comments turned on

Spam bots don’t visit your actual website. They just send data directly to a hidden WordPress file called wp-comments-post.php, hoping something sticks. Even if comments are “off”, that file still exists – and unless it’s blocked, it can be targeted.

It’s all automated

These bots are dumb. They don’t read, they don’t check, they just fire off comments to thousands of sites. If even 1% accept them, the spammer wins.

So, no blog, no form, no interest in comments? Doesn’t matter. The bots are still trying.

Let’s stop them properly.

Step 3: Advanced level: Block spam bots at the server level.

To fully block spam attempts – even when the form isn’t visible – we need to block access to the file the bots are targeting: wp-comments-post.php.

We can do this using something called .htaccess. It’s a hidden file that controls how your server behaves.

Editing .htaccess incorrectly can break your website. If you’re not sure, please don’t touch it – just get in touch with your developer and they will sort it for you. If you do want to go ahead, make a backup first!

If you’re feeling confident though…

How to do it:

  • Log in to your hosting control panel (like cPanel)
  • Go to File Manager
  • Open the folder called public_html (or wherever your WordPress files are installed)
  • Find the file called .htaccess
  • If you don’t see it, click Settings > Show Hidden Files
  • Right-click the file and choose Edit
  • Scroll to the bottom and paste this:

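# Deny every request for wp-comments-post.php
# (Order/Deny is Apache 2.2-style syntax; on Apache 2.4 it needs mod_access_compat)
<Files "wp-comments-post.php">
    Order Allow,Deny
    Deny from all
</Files>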

Save and close

That’s it. That file is now blocked completely – spam bots are cut off at the door.
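One way to confirm the block is working is to look at your server's access log. The Python sketch below is an added example, not part of the original post: it assumes the Apache "combined" log format, and the sample lines, IP addresses and the `summarize` function name are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" format: ip, identity, user, [time], "request", status, size, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TARGET = "/wp-comments-post.php"

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:04:11:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:04:11:09 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2025:09:30:00 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2025:09:31:40 +0000] "POST /wp-comments-post.php HTTP/1.1" 403 199 "https://example.com/contact/" "Mozilla/5.0"
192.0.2.50 - - [11/Mar/2025:01:00:00 +0000] "POST /wp-comments-post.php?x=1 HTTP/1.1" 403 199 "-" "curl/8.0"
not a log line
"""

def summarize(log_text):
    """Summarise POSTs to wp-comments-post.php per client IP."""
    visited = set()               # IPs that fetched at least one page with GET
    posts = defaultdict(Counter)  # ip -> Counter of response status codes
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]   # ignore any query string
        if m["method"] == "GET":
            visited.add(m["ip"])
        elif m["method"] == "POST" and path == TARGET:
            posts[m["ip"]][int(m["status"])] += 1
    report = {}
    for ip, statuses in posts.items():
        report[ip] = {
            "attempts": sum(statuses.values()),
            # Any status other than 403 means the request got past the <Files> block.
            "not_blocked": sum(n for s, n in statuses.items() if s != 403),
            # No GET from this IP in the log: it posted without loading a page.
            "direct_post": ip not in visited,
        }
    return report

if __name__ == "__main__":
    for ip, row in summarize(SAMPLE_LOG).items():
        print(ip, row)
```

Once the .htaccess rule is in place, every new POST to wp-comments-post.php should show status 403 and "not_blocked" should stay at 0. If requests start returning 500 instead, the server is rejecting something in .htaccess, so restore your backup.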
