How to

How to Block Spam Comments in WordPress with CAPTCHA

Spam is a problem that every Internet user runs into sooner or later. Although it’s most commonly associated with e-mails and inboxes, it’s a big problem for WordPress installations too. If you have any kind of web form that collects information – be it a comment section, order forms, or a “Contact Us” page—you’re going to get some amount of spam no matter what you do.

You might assume that spammers target only specific websites and website types. Unfortunately, you’d be wrong. Spammers mostly use indiscriminate bots that find WordPress websites and attack them without analyzing how valuable their actions might be. That’s because the act of posting dud comments that direct users to malicious websites is so cheap that it doesn’t matter if it barely works. As a result, all kind of websites, moderators, and administrators have to deal with spam.

In this article, we’ll explain how to block spam comments in WordPress with CAPTCHA and its newer version: reCAPTCHA. We’ll go over how these two technologies work, the advantages of each one, and last but not least, how you can install and use each one on your website. We’ll also cover what you can do when CAPTCHA doesn’t work properly, so make sure to read all the way through.

#How does comment spam affect WordPress websites?

How does comment spam affect WordPress websites?

If your WordPress blog has a comment section, you’re going to get spam messages. The way these work is pretty simple. Spam bots will find your blog and start submitting randomized messages in your comment section. Hidden inside these messages are links that make the bots’ owners money every time someone opens them. This whole process is a pain for several reasons:

  • People who are new to the Internet may click the links thinking you endorse or support them, and trust you less afterwards. 
  • Legitimate users find it difficult to have meaningful conversations with spam messages littering your comment section. 
  • Spam messages make it difficult to find and moderate authentic feedback that could be helpful. 
  • A large amount of spam makes your website look unprofessional and uncared for.
  • Last but not least, spam comments can harm your visitors and even your own website. 

Now, posting spam as a way to make money might seem absurd to you. However, the spam industry makes over $200 million dollars per year and costs us 100 times as much ($20 billion). Since the activity is so lucrative, it’s unlikely to stop anytime soon, which means that website owners and managers have to protect themselves. One of the most popular and effective ways to do this is through something called CAPTCHA.

#Introducing CAPTCHA and reCAPTCHA

Introducing CAPTCHA and reCAPTCHA
Introducing CAPTCHA and reCAPTCHA

The CAPTCHA technology uses a simple script that lets people visit websites while locking spam bots out. It does this by using a filter that only people can pass. The most popular way this is done is via an image of altered text. Bots can usually read regular, printed letters but these scrambled ones confuse them. This means that only humans can access websites protected by CAPTCHA. There is even a feature that lets users hear the word in the CAPTCHA image and gain access that way. 

CAPTCHA was highly effective at keeping bots out when it just came out. Unfortunately, new research shows that quality A.I.s can now read 99.8% of CAPTCHA text quickly and accurately. This, in turn, means that CAPTCHA technology is no longer effective at keeping out bots. In response, its creators developed an updated version: reCAPTCHA.

With reCAPTCHA, users are no longer asked to read text. Instead, they’re asked to solve a math equation, check a box, or look at an image and highlight specific objects (e.g. traffic lights). Although this version of the spam filter is often easier for human users to solve, it’s a lot tougher for bots to trick. That’s because reCAPTCHA uses a protocol called Advanced Risk Analysis to weigh how trustworthy a user is over time. If a user was evaluated as human from past Internet usage, the tests will be easier. If a user has been flagged as suspicious, the tests they have to pass will be more advanced.

The newest reCAPTCHA version (reCAPTCHA v3) introduces the “invisible reCAPTCHA”. This new approach uses complex algorithms to determine if a user is a bot or not, and only displays the bugging “chose the images” popups in case it suspects you are a robot. This comes with a drawback however, Google will display a reCAPTCHA icon on the buttom of your pages.

One last cool thing to know is that CAPTCHA literally helped make old books digital. Here’s how that works: a photo of an old book is scanned and broken up into images of single words. These words are then analyzed by an app, as well as multiple CAPTCHA users. Once the system decides that consensus on a word has been reached, it anchors that specific image of a word to their digital equivalent. This way, old books and books with unusual print can be digitized and preserved for the future. Talk about taking lemons and turning them into lemonade, huh? 

Experiencing Wordpress problems and slow loading times? Presslabs can help take your worries away.

Our entire WordPress hosting know-how has shaped today’s Presslabs Managed platform. We’ve built a bold infrastructure, with security and performance as our top priorities.

#Enabling CAPTCHA and reCAPTCHA

Now you know how CAPTCHA and reCAPTCHA work. Although CAPTCHA is a lot easier to fool, remember that most bots on the Internet aren’t super advanced. If your website isn’t very popular, e.g. it’s a blog you only share with your family and friends, the older technology may be more than enough to protect you. Regardless of what you choose, here are instructions and plugin recommendations for installing both services.

#Best WordPress CAPTCHA and reCAPTCHA plugins

Best WordPress CAPTCHA and reCAPTCHA plugins

#1. Google reCAPTCHA

Google reCAPTCHA

Google’s CAPTCHA is the best-known, most widely recognized version of the filter on the Internet. If you’ve ever been prompted to find cars or traffic lights in a photo, or asked to tick a checkbox, you’ve seen it. This plugin comes with a free and premium version, the latter of which has some cool features, like the ability to choose a language. Using the plugin is as simple as registering with Google, downloading the plugin, and setting up your Site Key and Secret Key. The only drawback is that Google’s code is all about reCAPTCHA, meaning you have to go elsewhere if you want CAPTCHA. 

#2. Really Simple CAPTCHA

Really Simple CAPTCHA

This is one of the best plugins we’ve seen for WordPress, period. It’s very easy to use, it works without fail, and it integrates well with Akismet. It also uses traditional CAPTCHA technology, which is an important advantage for many website managers and owners. Really Simple CAPTCHA may look a little less sleek than Google’s version, but it’s also easier to set up and use.

#3. Conditional CAPTCHA

Conditional CAPTCHA

Conditional CAPTCHA is a newer and (arguably) more advanced CAPTCHA plugin. It works a little like Google’s reCAPTCHA, in the sense that it only asks users to go through the verification process if certain conditions are met. For example, if a previous device and IP have been flagged as trustworthy, conditional CAPTCHA won’t trigger. If you want a smart CAPTCHA plugin that doesn’t rely on the reCAPTCHA technology, this is an excellent choice.

#4. Math CAPTCHA


If you’re looking for something different, consider Math CAPTCHA. This plugin asks your page visitors to solve math problems to access your websites. It’s highly customizable too, with the ability to choose which forms require math CAPTCHA and the ability to show multiple CAPTCHA boxes. 

#5. Blue Captcha

Blue Captcha

Blue CAPTCHA is a highly customizable plugin with a whopping 7 (!) different difficulty levels. It’s highly effective at protecting your website from unwanted visitors and has some cool extras like a blocking option, the ability to configure CAPTCHA images, and activity logging (which helps you understand which users are human as a moderator).

Now let’s talk about actually installing these plugins on your site! 

#Installing a CAPTCHA plugin

Installing a CAPTCHA plugin is easy. You just: 

1. Log into WordPress with Administrator-level access. 

2. Click “Add New Plugins” and find (or manually upload) the one you want. 

3. Once you install the Plugin successfully, it’s time to set it up. Depending on the plugin you went with, you’ll either have to find it in your left-hand menu or access settings from the Plugin screen. 

4. Follow the on-screen instructions until you get a CAPTCHA setup that works for you. 

5. Browse your own website as a visitor to make sure that the installation went smoothly. 

#Installing Google’s ReCAPTCHA

This works a little differently because you have to sign up with Google first. You can do this using their reCAPTCHA API registration page. Here’s how you do it: 

1. Choose “Invisible reCAPTCHA” and register the websites you want reCAPTCHA for. 

2. Accepts the Terms of Service. 

3. Find your API Key Pair and save both keys. 

4. Log into WordPress with Administrator-level access.

5. Go to “Plugins” and install the Google reCAPTCHA plugin, either by uploading it manually or finding it in WordPress’ plugin silo. 

6. Activate the plugin and go to its settings. 

7. Use your keys from step 3. 

8. Customize CAPTCHA if necessary and make sure it works by browsing your website as a visitor. 

And that’s it! Once you’ve gone through the above steps, you’ve installed CAPTCHA and/ or reCAPTCHA on your website.

#How else can you fight spam?

Even though CAPTCHA and reCAPTCHA are both effective at preventing spam, it helps to know other ways to deal with the problem. First, spammers are always looking for new ways to put spam into your comments section. Second, some of them use manual work, or a mix of manual and automated work, to overcome CAPTCHA technology. To that end, here are a few other things you can do to help yourself.

#1. Use Akismet

Akismet Anti-Spam

Akismet started out as a plugin you have to install but turned out to be so useful that now it comes pre-installed on all WordPress versions. The only thing you need to do is get an API key after activating the plugin. Akismet is basically a filter that separates incoming comments into spam and human messages. Although it can slip up, just like an e-mail spam filter, it’s highly effective and is an excellent way to fight spam.

#2. Use Cookies

Most Internet users are now familiar with cookies thanks to evolving Internet privacy requirements. What you may not know is that you can also fight spam with cookies. This requires you installing the Cookies for Comments WordPress plugin. It works by checking whether the user accessing your website downloads images or stylesheets, both of which are required to view your website properly. If they don’t, they’re flagged as a likely bot and prevented from posting. 

#3. Disable HTML for comments

Simple Comments – WooCommerce and WordPress

Like we said earlier in this post, spambots work by using hyperlinks to direct users to spam. If you disable HTML, they can no longer do this. There are many plugins that remove HTML functionality from the comment section, but a paid one that we like a lot is Simple Comments. Free alternatives are widely available, but Simple Comments is both easy to use and powerful – so it gets a nod from us. 

#Troubleshooting CAPTCHA

Are users complaining about your CAPTCHAs being impossible to read? Don’t fret. This is a common problem. A large number of website owners and moderators are making CAPTCHA forms so hard that human users have trouble with them. Here’s what you can do to solve this problem.

#1. Add instructions to your form

Some simple instructions can help your website visitors a great deal. For example, does your CAPTCHA or reCAPTCHA form expire? Let users know. Does your CAPTCHA form ask users to solve a maths problem? Indicate whether the answer should be written down in numbers or letters. Little instructions like these will minimize the trouble people run into with the forms. 

#2. Os and 0s, Is and 1s, and cases

Are you using a CAPTCHA form that relies on numbers as well as letters? Then consider using styling that makes it difficult to confuse the two. 

The same applies to differentcase letters. If you use a CAPTCHA script with letters that vary in size, people might get confused between a “k” and a “K”, an uppercase “i” and a lowercase “L”, etc. Keep all of this in mind when configuring your CAPTCHA.

#3. Add audio playback

Adding an audible version of your CAPTCHA image does two things. First, it lets people with limited eyesight access your comments section. Second, it gives other users an alternative to having to figure out what’s in the image. It’s a win-win situation for everyone, and fortunately, most modern CAPTCHA services give you the option of adding audio playback.

#4. Use reCAPTCHA

If you can’t make CAPTCHA work for your users no matter what you do, consider switching to reCAPTCHA. This technology has two advantages. First, it tracks what your users do and gives trusted users simple checks that don’t frustrate them. Second, it removes the text-recognition aspect of the process, which is the core problem with CAPTCHA.

#When are CAPTCHA and reCAPTCHA unnecessary?

Although CAPTCHA and reCAPTCHA are useful, valuable technologies, don’t just assume you need either one on your website for protection. There are several use cases where you need neither CAPTCHA nor reCAPTCHA. For example: 

1. If your website has a very low number of spam comments. For example, let’s say you run a private blog that only a few people know about. If bots don’t find your website, you don’t necessarily need to protect yourself. All you’re going to do is frustrate your few visitors for no reason. 

2. Your website is already protected, e.g. by restricting access to users with passwords and/or logins. If this is the case, bots have no way to get to your comment section or even view your posts. Again, no reason to use CAPTCHA.

3. You have a managed services provider that gives you a tailor-fit solution that may or may not feature CAPTCHA/reCAPTCHA. If this is the case and your provider doesn’t believe you need this particular filter, don’t insist unless their strategy doesn’t work. 

#Final words

Spam costs the world over $20 billion dollars each year. That’s comparable to the GDP of Afghanistan, one of the world’s larger countries. CAPTCHA and reCAPTCHA are two technologies that can help make sure that your website’s comment section doesn’t fall prey to spam—which is why they’re so important and valuable.

Having read this article, you know how to install both filters and also how they work. If you’d like to learn more about protecting your website at a high level, especially as a serious publisher, consider contacting us for a free consultation.

Smart Managed WordPress Hosting

Presslabs provides high-performance hosting and business intelligence for the WordPress sites you care about.

Signup to Presslabs Newsletter

Thanks you for subscribing!