Easy Way for Comment Spam to Bypass the WordPress Moderation Queue

Did you know that spammers could bypass the WordPress comment moderation feature? If your blog is set to automatically post comments from visitors who have previously approved comments, you could be at risk. However, there is a quick fix to the issue.

Background

WordPress screenshot showing moderation options for comments

If you manage a blog or website, there's a good chance that you've seen form spam before…and lots of it. There are options for minimizing spam like installing a CAPTCHA, but nothing is 100% effective. In the end, if we can prevent our customers from seeing that spam, we're in good shape.

The benefit of blogging software, like WordPress, is the built-in ability to moderate comments sent through the website. If everything checks out, we just need to click a button to approve it. A problem with moderating comments, however, is the delay. Even if we're diligently monitoring the blog, there will still be some delay before the comments go live for everyone to see.

To mitigate the delay, WordPress gives us an option to automatically go live with comments from anyone who has had comments approved in the past. For example, if Sally Somebody leaves a comment and it's approved, all future comments from Sally will be automatically posted to the website.

Problem

Having WordPress automatically approve comments is an excellent feature, especially when there is a lot of back and forth between visitors to the blog. The downside is that all spammers need to do is figure out the e-mail address and name of someone who has posted comments before. There is no IP address check or anything extra being done to make sure they are the same person.

Solution

There are probably other ways to deal with this issue, but if we're looking for a quick solution, we can require that all comments be moderated by following these steps:

  • Log into the admin area for the blog
  • Click Settings
  • Click Discussion (see Figure 1)
  • Check the box which says "An administrator must always approve the comment" (see Figure 2)
  • Click Save Changes

WordPress screenshot showing the Discussion menu option
Figure 1. Discussion Menu Option

WordPress screenshot showing the checkbox option to prevent comments from being auto-approved
Figure 2. Checkbox Option to Prevent Auto-Approve

Conclusion

Disabling the auto-approve feature in WordPress may not be beneficial for everyone. For example, if you receive hundreds or thousands of comments per day, manually approving those comments may be too much hassle. But if spammers are overwhelming the comments feed by pretending to be one of your regular visitors, you have another option for stopping them.

If you know of other ways to prevent this issue, I would love to hear your feedback in the comments section below. For example, maybe there's a plug-in that forces WordPress to validate the visitor's IP address against their previous comments…
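The IP comparison suggested above can be sketched as a small plugin that keeps auto-approval on but sends a comment to the moderation queue when a known e-mail address shows up from an address it has never been approved from. This is an added example, not code from the original post or from WordPress itself; the function name `example_hold_comment_from_new_ip` and the 50-comment lookback are assumptions made for the illustration.

```php
<?php
/**
 * Plugin Name: Hold Auto-Approved Comments From New IPs (added example)
 *
 * Hypothetical plugin, not part of WordPress core. The function name and
 * the 50-comment lookback are assumptions chosen for this illustration.
 */

add_filter( 'pre_comment_approved', 'example_hold_comment_from_new_ip', 10, 2 );

function example_hold_comment_from_new_ip( $approved, $commentdata ) {
	// Only second-guess comments WordPress is about to publish on its own.
	// Held (0), 'spam', 'trash' and WP_Error results pass through untouched.
	if ( is_wp_error( $approved ) || ! in_array( $approved, array( 1, '1', true ), true ) ) {
		return $approved;
	}

	// Logged-in users have authenticated, so the name/e-mail guess does not apply.
	if ( ! empty( $commentdata['user_id'] ) ) {
		return $approved;
	}

	$email = isset( $commentdata['comment_author_email'] ) ? $commentdata['comment_author_email'] : '';
	$ip    = isset( $commentdata['comment_author_IP'] ) ? $commentdata['comment_author_IP'] : '';

	// Most recent approved comments recorded under this e-mail address.
	$previous = get_comments( array(
		'author_email' => $email,
		'status'       => 'approve',
		'number'       => 50, // assumed lookback window
	) );

	// No history for this address: leave the decision to the site's settings.
	if ( '' === $email || empty( $previous ) ) {
		return $approved;
	}

	foreach ( $previous as $comment ) {
		if ( '' !== $ip && $comment->comment_author_IP === $ip ) {
			return $approved; // Same address as an earlier approved comment.
		}
	}

	// Known e-mail, unfamiliar IP: hold for an administrator, do not reject.
	// Regular visitors whose IP changed (mobile, DHCP) land here as well.
	return 0;
}
```

If the site sits behind a reverse proxy or CDN, the stored comment IP may be the proxy's address for every visitor, in which case this comparison cannot tell commenters apart.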
