Block Comment Spam Bots


Comments are processed by the wp-comments-post.php file. Automated spammers (‘spam bots’) can send (‘post’) data directly to that file with CURL/WGET commands, bypassing the comment form entirely.

The result is comment spam, which is not always caught by common comment spam checkers. Even when it is caught, processing that spam takes some server resources, including writing to the database.

This plugin adds a simple and changing hidden field value to the comment form. The processing of the comment form is changed to check for that hidden field. If not found, then the normal comment form entry was bypassed by the spam bot, so the comment is discarded. Otherwise, the comment is processed normally.

This is the best solution to block comment spam. We’ve tested it on a site that had 20-40 spam comments a day. With this plugin enabled, there have been none. Not one. Zero. No comment spam during a week of testing, and it continues to block comment spam on our sites.

The Admin, Comments page is modified to show a column with the value of the hidden field. This is an assurance that the comment was not entered via an automated CURL/WGET post to the wp-comments-post.php file. A comment on the list that does not show a hidden field value was entered manually, and other comment spam blocking techniques might be needed for your site. But you won’t see the blocked comments with this plugin enabled.

An information screen provides a CURL command you can use to test the effectiveness of blocking (or not blocking) direct access to the wp-comments-post.php file.

The current version adds the hidden field to the comment form after a delay, to help block bots that submit through the comment form itself.
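The server-side half of a delayed hidden-field check, as an added example that is not the plugin's own code. It goes beyond the UUID format check the changelog describes by signing the form's render time, so the server can verify both that the value came from this site's form and that the delay elapsed. All `bcsb_*` names, the field name, the secret and the timing constants are assumptions.

```php
<?php
// Added example, not the plugin's code; bcsb_* names are hypothetical.
const BCSB_SECRET    = 'constructed-sample-secret'; // e.g. from wp_salt() in WordPress
const BCSB_MIN_DELAY = 5;     // assumed: seconds before a human can submit
const BCSB_MAX_AGE   = 3600;  // assumed: rendered form expires after an hour

// Issued at render time; script writes it into the hidden field after the delay.
function bcsb_issue_token(int $post_id, int $now): string {
    $payload = $post_id . '.' . $now;
    return $payload . '.' . hash_hmac('sha256', $payload, BCSB_SECRET);
}

// Returns 'ok' or the reason the submission is discarded.
function bcsb_check_submission(array $post, int $post_id, int $now): string {
    $token = $post['bcsb_token'] ?? '';
    if (!is_string($token) || $token === '') {
        return 'missing field';            // direct POST to wp-comments-post.php
    }
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return 'malformed';
    }
    [$pid, $issued, $mac] = $parts;
    $expected = hash_hmac('sha256', $pid . '.' . $issued, BCSB_SECRET);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return 'bad signature';
    }
    if ((int) $pid !== $post_id) {
        return 'wrong post';               // token was issued for another form
    }
    $age = $now - (int) $issued;
    if ($age < BCSB_MIN_DELAY) {
        return 'too fast';                 // submitted before the delay elapsed
    }
    return $age > BCSB_MAX_AGE ? 'expired' : 'ok';
}

// Constructed submissions for post 42, form rendered at t = 1000.
$token = bcsb_issue_token(42, 1000);
$cases = [
    'no hidden field'   => [['comment' => 'hi'], 1030],
    'submitted at once' => [['bcsb_token' => $token], 1001],
    'edited timestamp'  => [['bcsb_token' => str_replace('.1000.', '.900.', $token)], 1030],
    'normal visitor'    => [['bcsb_token' => $token], 1030],
];
foreach ($cases as $label => [$post, $now]) {
    echo str_pad($label, 18), ' => ', bcsb_check_submission($post, 42, $now), PHP_EOL;
}
```

In a WordPress plugin a check like this would run from the `preprocess_comment` filter, before the comment is written to the database.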

This provides a total solution to comment spam.


  • No screenshots; no settings screen needed.


This section describes how to install the plugin and get it working.

  1. Upload the plugin files to the /wp-content/plugins/plugin-name directory, or install the plugin through the WordPress plugins screen directly.
  2. Activate the plugin through the ‘Plugins’ screen in WordPress
  3. Use the Settings->Plugin Name screen to configure the plugin


Does it really work?

Yep. We’ve tested it on a site that was getting 20-40 spam comments a day. With this latest version, there have been no spam comments. And the protection continued for a full week during our testing. Just like that battery rabbit, it’s still going strong, blocking comment spam.

Does this modify the comment form?

The comment form will look as it always did.

Are there any settings?

Nope. Just an information screen about how it works, including an easy way to test blocking automated comment spam.

What about customized comment forms?

No changes are made to the look or operation of the comment form. It just adds a hidden field with a unique value, then checks for that field on submit. Plus it blocks direct posting to the comment processing code.

What about Contact forms?

This plugin doesn’t affect Contact forms; it just works on comments.

But we have a solution for Contact forms – see our site. It works on WordPress and other sites. Takes a small bit of customization for your WP theme, but full instructions are included.

And, like this plugin, it’s entirely free.

So a full solution for comment and contact spam is …?

This plugin, plus the FormSpammerTrap code you can easily add to your site.

You’re welcome!



Contributors & Developers

“Block Comment Spam Bots” is open source software.



Version 2.1 (24 July 2020)
– added a delay to showing the ‘submit’ button. It will display after a short delay. This will prevent an inadvertent ‘spammer catch’ of a person that creates a comment offline, then pastes the comment text into the comment box and then submits before the timeout. (The timeout is there to prevent a bot submission of the comment.)
Initially, the person will not see the submit button. After the short delay, the submit button will appear as normal.

Version 2.0 (23 July 2020)
– fixed bug where hidden field wasn’t being inserted into the comment form if the user was not logged in. Bug didn’t happen when user was logged in.
– set the extra hidden field to not be visible on the form.
– note that this plugin uses the wp_generate_uuid4() function to create a (mostly) random value used in the hidden field after the delay. This value is not truly random; there is the possibility of duplicates. But we don’t care if there are duplicates, just that it’s a WP-verifiable UUID, and that it was changed after the delay. (The delay in changing that hidden field, and verifying it is a WP-valid UUID, is one of the layers of spambot protection.)
– Changed heading/text of the hidden meta value shown on the Admin Comment Editing screen, and made the field read-only.
– Added single-click of the CURL command on the Settings page to get it into your clipboard.
– removed some unused/testing code.

Version 1.5 (1 Jan 2020)
– Changed the styling of the box that shows the CURL command for the site.
– Added an additional image showing a possible result from the CURL command.
– Minor CSS changes.
– Some minor changes to the information on the settings/information screen.

Version 1.4 (29 Dec 2019)
– Added more info to the FAQ area.
– Some more info on the Settings/Info screen.

Version 1.3 (24 Dec 2019)
– Added the storage and display of the hidden field on the Admin, Comments screen. That field can be edited, although not sure why you would want to.
– The addition of a column for the hidden field value will allow you to see if a spammy comment was entered manually. A blank value indicates that the comment was entered manually.
– Added a timed delay to change the value of the hidden field, to prevent automated entry of the actual comment form.
– Added additional information on the ‘Info/Settings’ screen, including the CURL command you can use to try to automate a comment.
– All function and variable names now have a prefix to ensure that there are no conflicts with other core/theme/plugin functions or values.
– Added CSS files, and images in the assets folder.
– Some minor changes to this readme file for additional information.

Version 1.2 (23 Dec 2019)
– Not released/testing version

Version 1.1 (18 Dec 2019)
– Initial Release (prior versions used in development only)