WordPress – Comment spam

Unlike most people I write my blog postings just for myself. It keeps me happy.

So in late 2023 I was surprised to receive a few comments. They looked nice, but at the same time looked odd. Nice, but void of meaning. As if written by a nice friendly bot, but they didn’t actually reference anything to do with the specific content of the blog posting.

Initially I received six of these gratuitous comments (see comment spam), from a variety of email addresses, including one with a photo, and another with a logo.

My initial reaction was to accept these comments, but I then decided to just bin them.

Come Janaury 2024 things start to change

Then in early 2024 I started to receive a few more of these gratuitous comments. My initial reaction was still to just bin them.

What was clear was that this second round of meaningless comments, were slightly different.

The first round included sentences such as “It’s evident that you’ve put a lot of thought into it”, “This post has been a great resource for me”, and “I look forward to continuing to learn from this website”.

This second wave of comments included “Can you be more specific about the content of your article? After reading it, I still have some doubts.”, and “I don’t think the title of your article matches the content lol”.

The exact expression “After reading it, I still have some doubts” appeared more than once, as did “Hope you can help me”.

Some comments were totally over-the-top, with “This gateway is phenomenal. The magnificent information unveils the creator’s excitement. I’m awestruck and anticipate more such astounding substance”.

By early July 2024, I have received a total of 113 gratuitous comments, almost exclusively deriving from “.com” accounts in one specific cryptocurrency exchange, which stinks of a potential “con”. This specific exchange has a 1-star Trustpilot rating.

Nothing new, happens all the time

As an aside lots of people have noted that the first hundred comments on any YouTube video that has a certain amount of views are “Thank you” messages, praising the content creator like he/she is some kind of god. Typically stuff like “I can’t believe you offer this for free” or “Finally someone who explains this properly”. The comments are just long enough, and banal enough, that they are not discarded by the control algorithms.

The “authors” don’t described what they are thankful for, why the original post is really nice, or what prompted them to leave a comment in the first place. The effusive praise, with lack of any other substantive commentary, is attached to every worthwhile video, and many people don’t even bother to look at comments anymore. Of course, some video producers like to have lots of (positive) comments so they can attract advertising, etc., but it’s a fools game.

From March 2024, comments in Russian

In March 2024 there was another “evolution” in the spam I received. I started to receive comments (I presume) in Russian. This was coupled with an increased in spam from the same cryptocurrency exchange.

It was about this time that I started to see the occasional comment from addresses (hotmail or outlook accounts) that were neither the cryptocurrency exchange nor in Russian.

There is always some “give away” characteristics, e.g. no explicit reference to the kind content commented on, and often a “I have a question for you”, designed to incite a reply. Some comments were more designed to incite an approval than a reply. Others were foolish enough to add a stupid extra phrase such as “I opted in for your RSS feed too”, when in fact I don’t have a RSS feed.

I loved the comments about my posts on the history of the Manhattan Project, as being “helpful”.

It was around May 2024 that increasingly the messages would include “commercial-looking” links.

In mid-June 2024 I started to receive just links to different types of medication, e.g. ciprofloxacin (antibiotic), diflucan (antifungal medication), lyrica (to treat epilepsy, etc.), and so on…

And in late June 2024 I started to receive messages from “.ua”, for Ukraine, and about the same time the messages in Russian started to increase.

So why do I get these seemingly nice but total gratuitous and useless comments?

Many bloggers receive comments that are bland and lacked specificity. Some people might defined these comments as being “unwarranted” or “uncalled for” in a negative sense, other might just see them as “freely given” or “given without the expectation of compensation” in the positive sense. For me the comments I received were neither negative or positive, just irrelevant and a lite form of attention theft.

Some people appear to think that these comments are made by idiots. People who no longer know how to think properly. Others just clump all types of unwanted comments into a single definition covering trolls, idiots, attention seekers, “con” artists, etc.

One interpretation is that the meaningless comment is designed to draw me into responding or acknowledging someone who makes an effort to comment. It may be a first step in a “con”, because replying to a meaningless comment shows that you are a “nice guy”, ingenuous, even a “sitting duck”, so an ideal target.

Defining gratuitous as spam

WPdefinitions tells us that spam is unwanted and unsolicited messages, and in WordPress it can manifest in various forms, such as comment spam, trackback/pingback spam, and registration spam.

Comment spam is the most common form of spam on WordPress. Spammers use bots to post automated comments on blogs, usually for the purpose of creating backlinks to their own sites. These comments may contain links to malicious or inappropriate sites or simply posts unrelated to the topic of the blog post.
Trackback spam and pingbacks are mechanisms that let bloggers know when someone else has linked to their articles. However, similar to comments, these systems can be exploited by spammers to generate unwanted links.
Registration spam is an attempt to create automated user accounts on someones WordPress site. The authors can then use these accounts to post unwanted content or simply inflate the number of users on their site(s).

Fortunately, there are several strategies to fight spam on WordPress, namely:-

Anti-spam plugins are available that can assist in blocking spam. One notable example is Akismet, a widely used anti-spam plugin. Akismet verifies comments and trackbacks by comparing them to its extensive spam database, effectively preventing the publication of unwanted content.
Discussion settings in the WordPress dashboard can be used to control how comments are posted and approved. For example, in my case comments must be approved manually, so I can send them all to spam, and delete them.
CAPTCHA and human verification plugins can add an extra layer of protection because they require people to prove that they are human before submitting comments or forms.

WordPress has a page dedicated to preventing spam, although it remains a bit generic. Pressidium does a better job in suggesting ways to combat spam.

As far as I understand things the really big difference between bin (trash) and spam is that the bin holds comments so that later they can be throw out (deleted). Whereas marking comments as spam means that the comments are hidden, and are either moved to the trash or deleted immediately (based on the settings of the anti-spam plugin). Also, the username, email address and other details of the user who wrote the spam comment, are remembered. WordPress can automatically hide new comments from the same author.

So are these gratuitous comments just a nuisance?

The obvious answer is “Yes” they are a nuisance, and “No” they are not gratuitous.

Initially I just binned these gratuitous or nuisance comments, now I define them as spam.

In fact my very first reaction was to accept these comments, then I decided to bin them. I found “The WordPress Comment System Explained” very informative, and wpbeginner has a webpage “12+ Vital Tips and Tools to Combat Comment Spam in WordPress“.

You’re most likely receiving spam comments designed to either:

Boost search engine rankings for certain sites (especially Binance affiliates or crypto scams).
Phish or redirect readers to scam, malware, or affiliate sites.
Probe your blog for vulnerabilities.

Here’s a breakdown of what’s happening and why:

🔎 Why These Comments Appear

Binance Mentions
- These are almost always SEO spam or crypto scams.
- Spammers often name-drop “Binance” to appear legitimate or exploit its credibility.
- They may embed affiliate links or fake recommendations in the comment author or body.
Russian-Language Comments
- This is also typical of bot-generated spam. Russian (and sometimes Chinese) spam comments are widespread and can be:
  - Crypto- or gambling-related
  - Porn or adult-content related
  - Generic fake praise used to camouflage malicious links
- These often use Cyrillic characters to bypass certain filters or just to scatter content that blends into different language blogs.
Positive, Flattering Tone
- “Nice post!” or “Very informative!” is a common tactic to get past moderation.
- The idea is to make the comment look harmless so it gets approved, thereby publishing the spam link.

🔧 What You Can Do

Use a Strong Anti-Spam Plugin
- If you’re on WordPress:
  - ✅ Akismet (free for personal blogs) – one of the best
  - 🛡️ Antispam Bee – great for GDPR-compliant European sites
  - ⚠️ Avoid CAPTCHA-only solutions — bots can bypass them now
Turn Off Comments on Older Posts
- Most spam targets old posts that aren’t being monitored actively.
- In WordPress: Settings → Discussion → Automatically close comments on articles older than X days.
Use Comment Moderation
- Require manual approval for all comments.
- Or hold any comment with links for moderation (Settings → Discussion → Comment Moderation).
Block IPs or Countries (Advanced)
- You can block known spam IPs or entire regions if you’re not targeting Russian-speaking audiences.

🚫 Don’t Approve These Comments

Even if they seem flattering, never approve or reply to them. They often:

Contain hidden links (even in usernames or profile images).
Are used to test whether your blog is being actively moderated.

If you’d like, I can check your site’s comment settings or suggest a custom setup based on your blogging goals.

please check

To check your WordPress comment settings and improve spam protection, follow these steps inside your WordPress dashboard:

✅ 1. Check Comment Settings

Go to:
Settings → Discussion

Make sure these are set:

✅ Comment author must fill out name and email
✅ Users must be registered and logged in to comment (optional but powerful)
✅ Automatically close comments on posts older than [14] days (or any value that suits you)
✅ Comment must be manually approved
✅ Hold a comment in the queue if it contains 1 or more links

✅ 2. Install a Spam Protection Plugin

Option A: Akismet (recommended for most blogs)

Go to Plugins → Add New
Search for Akismet Anti-Spam
Install and activate it
Connect with a free API key (you’ll be guided)

Option B: Antispam Bee

GDPR-friendly, doesn’t require external accounts
Install via Plugins → Add New, search for Antispam Bee
In its settings:
- ✅ Trust commenters with Gravatars
- ✅ Block comments from specific countries/languages (e.g. Russian if unwanted)
- ✅ Validate IP address of commenters

✅ 3. Optional: Block Keywords or Patterns

In Settings → Discussion → Comment Blacklist, add terms like:

This will send any comment containing these to trash immediately.

If you’d like, you can export your settings or let me know what plugin(s) you’re already using, and I can tailor recommendations (e.g. for Elementor, Jetpack, WPForms, etc.). Let me know also if your blog accepts comments on all posts or just some.

So the first thing is to check if you use the same credentials for other accounts, that might have been revealed during a data breach. Using outdated plugins, themes, or old versions of WordPress can also lead to vulnerabilities on a site.

The more a website is popular, the more it becomes a target.

From my perspective, the constant desire of these spam comments is to incite a reply.

I never reply, and I just class them as spam, and erase them when I do a cleanup.

Update - July-August 2024

From 7 July 2024 until 13 August 2024 (37 days) I received 51 spam comments, which was a substantial increase over the first 6 months of 2024. Also I started to receive a few comments in a very, very poor, almost incomprehensible English, and also in something that looks vaguely like Latin (but wasn’t).

Update - December 2024 to January 2025

From 14 December 2024 to 16 January 2025 (33 days) I received 95 spam comments, so again a substantial increase over my last check. Nothing really new, just more of the same, and the vast majority from the same source, a cryptocurrency exchange.

Update - February 2025

In February 2025 I received 78 spam comments, in a 28 day period. Mostly from the same cryptocurrency exchange. However, a new trend appeared. Fewer spam from the exchange and 28 spam messages from a variety of other sources, some including embedded links. A few “.ru” and no repeat messages.

Update - May 2025

During May 2025 I received 112 spam comments, 75 from the same cryptocurrency exchange. There were 27 “other” comments including links, and only four in Russian. Comments from gaming and casinos were down, but I now received some a few generic comments relating to airport pickups. Were these linked to me using Uber for some airport pickups? An unusual coincidence!

In addition I received 7 comments offering taxi services for Punta Cana, but each was directly “commenting” on reviews I made of flights/aircraft.

There were a couple of really odd ones. The first was in Chinese and offered a hired killer. The other offered people to do a very “hazardous job”.