Learn how to configure WordPress discussion and comment settings to cut down spam, protect your site’s reputation, and keep real conversations flowing.
Why Comment Settings Matter for Security
WordPress comments can be great for engagement, but they’re also a common entry point for spam, phishing links, and abusive content. Poorly configured comment settings can:
- Fill your database with spam and junk content
- Expose visitors to malicious or misleading links
- Hurt your SEO if spammy links are indexed
- Increase server load and moderation workload
The good news: you can significantly reduce risk just by configuring the built-in WordPress Discussion settings correctly, plus a few related tools.
Step 1: Decide Whether You Really Need Comments
Before you harden comment security, decide if you need comments at all. Many business sites don’t.
Questions to ask
- Do comments help your sales, support, or community goals?
- Do you have time to moderate comments regularly?
- Do you already use other channels (email, chat, social) for conversation?
If the answer is mostly “no,” consider disabling comments globally and using a contact form instead.
How to disable comments sitewide
- In WordPress, go to Dashboard → Settings → Discussion.
- Under Default post settings, uncheck “Allow people to submit comments on new posts”.
- Scroll down and click Save Changes.
This stops comments on new content. To close comments on existing posts in bulk, you can use the bulk edit tools in Dashboard → Posts.
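For sites that manage configuration in code rather than through the dashboard, the same result can be enforced with a must-use plugin. The snippet below is an added example, not code from the original article or from WordPress itself; it assumes the standard wp-content/mu-plugins/ directory and uses only core WordPress hooks. Unlike the checkbox in Discussion settings, it also closes comments on existing posts, hides already-approved comments, and disables the XML-RPC pingback method that the "link notifications" checkbox controls on the web side.

```php
<?php
/**
 * Plugin Name: Disable Comments Sitewide (added example)
 *
 * Added example, not part of the original article. Drop this file into
 * wp-content/mu-plugins/ (assumed standard path) to close comments and
 * pingbacks everywhere, including on posts published before the
 * Discussion setting was changed.
 */

// Close comments and pingbacks on every post, old or new.
add_filter( 'comments_open', '__return_false', 20, 2 );
add_filter( 'pings_open', '__return_false', 20, 2 );

// Hide any already-approved comments from the front end.
add_filter( 'comments_array', '__return_empty_array', 10, 2 );

// Remove comment support from every registered post type so editors
// cannot re-enable comments on individual posts.
add_action( 'admin_init', function () {
    foreach ( get_post_types() as $post_type ) {
        if ( post_type_supports( $post_type, 'comments' ) ) {
            remove_post_type_support( $post_type, 'comments' );
            remove_post_type_support( $post_type, 'trackbacks' );
        }
    }
} );

// Remove the Comments screen from the admin menu and the admin bar.
add_action( 'admin_menu', function () {
    remove_menu_page( 'edit-comments.php' );
} );
add_action( 'wp_before_admin_bar_render', function () {
    global $wp_admin_bar;
    $wp_admin_bar->remove_menu( 'comments' );
} );

// Pingbacks can also arrive over XML-RPC; drop that method as well.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );
```

Because it lives in mu-plugins, the file cannot be deactivated from the Plugins screen, which is the point: the policy stays in place even if someone re-checks the box in Settings.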
Step 2: Configure Core Discussion Settings Safely
WordPress provides detailed options for controlling who can comment and how comments are handled. The official documentation lists these options on the Discussion Settings screen.
Recommended baseline settings
Go to Dashboard → Settings → Discussion and review these key sections:
1. Default post settings
- Allow link notifications from other blogs (pingbacks and trackbacks): Uncheck to reduce spam and noise.
- Allow people to submit comments on new posts: Leave checked only if you truly want comments.
2. Other comment settings
- Comment author must fill out name and email: Check to discourage drive-by spam.
- Users must be registered and logged in to comment: Consider checking for business sites where open comments aren’t essential.
- Automatically close comments on posts older than X days: Enable and set to 30–90 days to limit long-tail spam on old posts.
- Enable threaded (nested) comments: Optional; affects layout, not security.
3. Email me whenever
- Anyone posts a comment: Enable if your comment volume is low and you want to review quickly.
- A comment is held for moderation: Recommended so you can approve or delete promptly.
4. Before a comment appears
- Comment must be manually approved: Strongly recommended for most business sites.
- Comment author must have a previously approved comment: You can use this instead of full manual approval if you have trusted regular commenters.
5. Comment Moderation and Disallowed Keys
These fields let you automatically hold or trash comments based on content:
- Comment Moderation: Add patterns like multiple links or specific keywords that should send a comment to moderation.
- Disallowed Comment Keys: Add words, IPs, or URLs that should send comments straight to the trash.
Use this sparingly to avoid blocking legitimate comments. Start with obvious spam phrases or domains you see repeatedly.
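The Comment Moderation and Disallowed Comment Keys fields, together with the "hold if more than N links" setting, are applied by WordPress when it decides a new comment's status. The plugin below is an added example, not from the original article or from core, showing how the same two rules (hold on too many links, trash on a blocked domain) can be expressed in code so they can be reviewed and version-controlled. The link threshold and the domain list are constructed placeholders; the return values follow the convention of the core pre_comment_approved filter (1 approve, 0 hold, 'spam' or 'trash').

```php
<?php
/**
 * Plugin Name: Comment Moderation Rules (added example)
 *
 * Added example, not code from the original article. Mirrors what the
 * Comment Moderation and Disallowed Comment Keys settings do, in code:
 * comments with too many links are held for moderation, comments that
 * mention a blocked domain go straight to the trash.
 */

// Assumption: hold any comment with more links than this.
const EXAMPLE_MAX_LINKS = 2;

// Constructed list of domains that should never appear in a comment.
const EXAMPLE_BLOCKED_DOMAINS = array( 'spam.example', 'junk.example' );

/**
 * Count hyperlinks in a comment body: raw http(s) URLs and <a href> tags.
 */
function example_count_links( $content ) {
    return preg_match_all( '#(?:https?://|<a\s[^>]*href=)#i', $content );
}

/**
 * True if the text mentions any blocked domain (case-insensitive).
 */
function example_mentions_blocked_domain( $text ) {
    foreach ( EXAMPLE_BLOCKED_DOMAINS as $domain ) {
        if ( false !== stripos( $text, $domain ) ) {
            return true;
        }
    }
    return false;
}

/**
 * Decide the approval status for a new comment.
 * 1 = approve, 0 = hold for moderation, 'trash' = straight to trash.
 */
function example_classify_comment( $approved, $commentdata ) {
    // Never override a verdict already reached (for example by Akismet).
    if ( 'spam' === $approved || 'trash' === $approved ) {
        return $approved;
    }

    $body    = $commentdata['comment_content'] ?? '';
    $contact = ( $commentdata['comment_author_url'] ?? '' ) . ' '
             . ( $commentdata['comment_author_email'] ?? '' );

    if ( example_mentions_blocked_domain( $body . ' ' . $contact ) ) {
        return 'trash';
    }
    if ( example_count_links( $body ) > EXAMPLE_MAX_LINKS ) {
        return 0;
    }
    return $approved;
}

add_filter( 'pre_comment_approved', 'example_classify_comment', 10, 2 );
```

The filter runs after core's own checks, so it only tightens the decision: an already-spammed or trashed comment is left alone, and anything the rules do not match keeps the status core assigned.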
Step 3: Use Built-In and Plugin-Based Anti-Spam Tools
Core settings help, but you’ll usually want an anti-spam solution as well. WordPress ships with Akismet as an optional plugin, and there are other reputable anti-spam plugins in the official directory.
Enable a reputable anti-spam plugin
- Go to Dashboard → Plugins → Installed Plugins.
- If Akismet Anti-Spam is listed, click Activate. If not, go to Plugins → Add New and search for it.
- Click Settings under Akismet and follow the prompts to connect an API key.
Alternative anti-spam plugins are available in the WordPress.org plugin directory. Always favor well-maintained plugins with many active installs and recent updates.
Step 4: Protect Visitors from Harmful Links
Spam comments often contain links to malicious or low-quality sites. You can reduce risk by:
- Keeping comments in moderation until reviewed
- Deleting comments with suspicious or irrelevant links
- Limiting the number of links allowed per comment in Comment Moderation
Search engines may follow links in comments, so spammy links can harm your SEO. Google’s guidance recommends using rel="nofollow" (or similar values) on user-generated links to avoid passing ranking signals.
How WordPress handles comment links by default
By default, WordPress outputs comment author URLs with rel="ugc" and often nofollow in modern themes, which signals user-generated content to search engines. If you’re using a custom theme or older code, your developer can confirm that comment links include appropriate rel attributes.
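Where a theme or legacy template emits comment author links without those attributes, a small filter can add them without touching the template. This is an added example, not from the original article or from WordPress core; it hooks the core get_comment_author_link filter and only adds the rel values that are missing, so themes that already do the right thing are left unchanged.

```php
<?php
/**
 * Plugin Name: Comment Author Link rel (added example)
 *
 * Added example, not part of the original article. Guarantees that every
 * comment author link carries rel="nofollow ugc" even when the active
 * theme's markup lacks it.
 */

/**
 * Return the anchor markup with "nofollow" and "ugc" present in rel.
 */
function example_enforce_rel_ugc( $link_markup ) {
    // Authors without a URL are plain text; nothing to do.
    if ( false === stripos( $link_markup, '<a ' ) ) {
        return $link_markup;
    }

    $required = array( 'nofollow', 'ugc' );

    // Existing rel attribute: merge the required values into it.
    if ( preg_match( '/\srel=(["\'])(.*?)\1/i', $link_markup, $m ) ) {
        $values = preg_split( '/\s+/', trim( $m[2] ), -1, PREG_SPLIT_NO_EMPTY );
        $values = array_unique( array_merge( $values, $required ) );
        return str_replace(
            $m[0],
            ' rel="' . esc_attr( implode( ' ', $values ) ) . '"',
            $link_markup
        );
    }

    // No rel attribute at all: insert one right after the opening "<a".
    return preg_replace( '/<a\s/i', '<a rel="nofollow ugc" ', $link_markup, 1 );
}

// Priority 20 so it runs after core and theme filters on the same hook.
add_filter( 'get_comment_author_link', 'example_enforce_rel_ugc', 20 );
```

Links inside the comment body itself are handled separately by core's content filtering; this example covers only the author link that the theme prints next to each comment.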
Step 5: Limit Exposure of Commenter Data
Comments can reveal user information (names, emails, IPs). Treat this data carefully:
- Avoid displaying commenter email addresses publicly.
- Ensure your privacy policy explains how you handle comment data.
- Use HTTPS so comment submissions are encrypted in transit.
From a security perspective, HTTPS (TLS) helps protect login and comment forms from eavesdropping or tampering.
Step 6: Keep Comment Templates and Forms Secure
Most Compass Production sites use standard, well-maintained themes and forms, which already include security protections like nonces and sanitization. If your site uses custom comment templates, your developer should ensure they follow WordPress coding standards.
Key practices include:
- Using WordPress comment template functions (e.g., comment_form()) instead of custom raw HTML where possible
- Escaping output and sanitizing input according to WordPress coding standards
- Not adding extra sensitive fields (like phone numbers) unless absolutely necessary
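To make those three practices concrete, here is a minimal comments.php that follows them. It is an added example, not taken from the article or from any particular theme: every dynamic value is passed through a core escaping function, rendering of individual comments and of the form is delegated to wp_list_comments() and comment_form(), and the form keeps only the default name, email, URL and comment fields. The text domain 'example-theme' is an assumed placeholder.

```php
<?php
/**
 * comments.php (added example)
 *
 * Added example of a comment template that leans on core functions rather
 * than hand-written form markup. Not from the original article or from a
 * specific theme. 'example-theme' is a placeholder text domain.
 */

// Password-protected posts show no comments or form until unlocked.
if ( post_password_required() ) {
    return;
}
?>
<section id="comments" class="comments-area">

<?php if ( have_comments() ) : ?>
    <h2 class="comments-title">
        <?php
        printf(
            // Translators: 1: comment count, 2: post title.
            esc_html( _n( '%1$s comment on “%2$s”', '%1$s comments on “%2$s”', get_comments_number(), 'example-theme' ) ),
            esc_html( number_format_i18n( get_comments_number() ) ),
            esc_html( get_the_title() )
        );
        ?>
    </h2>

    <ol class="comment-list">
        <?php
        // Core renders each comment with filtered content and escaped
        // author links; never echo raw $comment fields yourself.
        wp_list_comments( array( 'style' => 'ol', 'avatar_size' => 48 ) );
        ?>
    </ol>

    <?php the_comments_navigation(); ?>
<?php endif; ?>

<?php if ( ! comments_open() && get_comments_number() ) : ?>
    <p class="no-comments"><?php esc_html_e( 'Comments are closed.', 'example-theme' ); ?></p>
<?php endif; ?>

<?php
// Core form with its default fields only (name, email, URL, comment).
comment_form( array(
    'title_reply'          => esc_html__( 'Leave a comment', 'example-theme' ),
    'comment_notes_before' => '<p class="comment-notes">'
        . esc_html__( 'Your email address will not be published.', 'example-theme' )
        . '</p>',
) );
?>

</section>
```

Because comment_form() owns the field markup, any later hardening of the comment form in core reaches this template automatically, which is the practical reason to prefer it over raw HTML.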
Step 7: What You Should See
After configuring your comment settings and anti-spam tools, you should notice:
- New comments appearing in Dashboard → Comments with a clear status (Pending, Approved, Spam, Trash).
- Far fewer obvious spam comments reaching the “Pending” or “Approved” state.
- On the front end, posts either show a clean, simple comment form or no comment form at all (if disabled).
- Visitors can leave legitimate comments without confusing errors or excessive friction.
Ongoing Maintenance Tips
- Review comments weekly (or more often if you have high traffic).
- Empty spam and trash periodically to keep your database lean.
- Adjust moderation keywords if new spam patterns appear.
- Audit plugins annually to ensure your anti-spam plugin is still maintained and necessary.
With these settings and habits in place, you’ll significantly reduce spam and abuse while keeping genuine conversations open and safe.