Spam is a total waste of time and resources but people still try to do it to obtain backlinks via black hat SEO techniques.

Spam can take various forms, ranging from comment spam to fake user registrations. It can clutter your site, slow it down, and pose security risks. But don't worry, there are plenty of effective strategies to keep your site spam-free. Let's dive into the key methods you can use to combat spam on your WordPress site.

We've had plenty of spam registrations just because people were able to set their user/author bio and it would show up in our bbPress support forum. We were just about to close this and start deleting accounts but then just used several techniques to make this harder for the spammers. The login/registration page requires entering a user/password (basic authentication) just before WordPress shows any page content. Additionally, we just removed the content from the author bio and all of the spammy links are no longer being displayed.

Spam must be fought at several levels:

  • Server Firewall level
  • Web Server level (nginx/apache)
  • Site/WordPress level
    • Blocking Admin Area
    • Using Security/Anti-spam plugins

Depending on the access that you have to your server and your (team's) technical expertise, you can fight spam at the level that you're comfortable with. Ideally, it should be fought on all levels.

Server Firewall level

This requires a deep understanding of server internals. You need somebody with DevOps skills to set up the proper systems to block requests that are spammy or come from spammers.

When this is set up correctly, it wastes minimal resources because the spammers can't even reach your server.

Their requests just keep waiting for a response from the site but the server is not responding.

If you're using Cloudflare you can block countries so they don't access your site.

Log in to your Cloudflare account and select your website. Navigate to the Firewall tab and Create a Firewall Rule.

Web Server level (nginx/apache)

This anti-spam protection also requires some DevOps/sysadmin knowledge.

You can add some protection via .htaccess rules, which are executed very early, and this saves resources.

Blocking IP address

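# <Directory> goes in the server/virtual host config; in .htaccess keep only the <RequireAll> block.
<Directory "/var/www/html">
    # "Require not" is only valid inside <RequireAll>: every line must pass.
    <RequireAll>
        Require all granted
        Require not ip 192.168.1.1
        Require not ip 11.22.33.0/24
    </RequireAll>
</Directory>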

Explanation

Calculating the range of IP addresses: 11.22.33.0/24 is an example of CIDR (Classless Inter-Domain Routing) notation.

In short, this way we block IP addresses starting from 11.22.33.1 to 11.22.33.255. This is usually the case when people are using servers from within the same network.
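The following is an added example, not code from the original post: it computes the address range a CIDR block covers and turns spam hits from an access log into `Require not ip` lines, collapsing several offenders from one network into a single /24 rule. The log lines are constructed, and the function names and thresholds (`min_hits`, `min_ips_per_net`) are assumptions to tune for your own traffic.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = """\
11.22.33.5 - - [10/Jan/2025:10:00:01 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0
11.22.33.77 - - [10/Jan/2025:10:00:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
11.22.33.200 - - [10/Jan/2025:10:00:03 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0
192.168.1.1 - - [10/Jan/2025:10:00:04 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
192.168.1.1 - - [10/Jan/2025:10:00:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
203.0.113.9 - - [10/Jan/2025:10:00:06 +0000] "GET /blog/ HTTP/1.1" 200 5120
"""

# WordPress endpoints that spam bots POST to: registration and comment submission.
SPAM_POST = re.compile(r'^(\S+) .*"POST /wp-(?:login\.php\?action=register|comments-post\.php)')

def cidr_range(cidr):
    """Return (first address, last address, address count) for a CIDR block."""
    net = ipaddress.ip_network(cidr)
    return str(net[0]), str(net[-1]), net.num_addresses

def build_rules(log_text, min_hits=2, min_ips_per_net=3):
    """Build 'Require not ip' lines from spam POSTs found in the log."""
    hits = Counter()
    for line in log_text.splitlines():
        m = SPAM_POST.match(line)
        if m:
            hits[ipaddress.ip_address(m.group(1))] += 1
    # Group offending addresses by the /24 network they belong to.
    by_net = defaultdict(set)
    for ip in hits:
        by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
    rules = []
    for net, ips in sorted(by_net.items()):
        if len(ips) >= min_ips_per_net:
            # Many offenders in one network: block the whole /24.
            rules.append(f"Require not ip {net}")
        else:
            # Otherwise block only single addresses that repeat.
            rules += [f"Require not ip {ip}" for ip in sorted(ips) if hits[ip] >= min_hits]
    return rules

if __name__ == "__main__":
    print(cidr_range("11.22.33.0/24"))
    print("\n".join(build_rules(SAMPLE_LOG)))
```

Paste the generated lines inside the `<RequireAll>` block, and review each /24 before blocking it, since a whole network can also contain legitimate visitors.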

Site/WordPress level

Blocking the Admin Area

This is one of the most efficient ways to block the spam.

WordPress Plugins

Akismet, Wordfence, Sucuri, and our Orbisius Spam Shield (paid).

These plugins are effective in blocking spam on your WordPress site.

FAQ - Frequently Asked Questions regarding Spam

Why do people bother to spam?

It's all for backlinks and also to redirect users to bad sites. Those spammers attempt to access a site and find an outdated WordPress plugin, theme or WordPress itself and when they find a way.


Disclaimer: The content in this post is for educational purposes only. Always remember to take a backup before doing any of the suggested steps just to be on the safe side.