Caution: WordPress comments

Think twice about accepting comments on your blog. Most WordPress comments are spam. Disguised as notes of appreciation, millions of spam comments are sent every day to WordPress blogs like yours and mine.

Most comments are innocuous, like the one above. Typically they read as a variation of:

“Great article. Keep up the great work.”
“You are very astute to write about this matter.”
“Spot on with this write-up, I truly think this fabulous website needs considerably more consideration.”

The goal of most of these senders is to have you approve their comments so that the number of links pointing to their own sites increases. The scammers who generate these comments (by the thousands) are happy if only a fraction are accepted. But by approving them, you may be creating potentially dangerous links between their site and yours.

The more dangerous comments contain links to malware, virus or phishing sites, and you may not be able to tell this from the sender's e-mail address or other clues. By accepting them you can infect not only your own computer but also the computers of your own visitors who click on a malware link.

Other comments are much more damaging. Approving them can corrupt all the files on your site, including your design and every post you have made. You can lose everything. In a particularly brutal example, this morning someone contacted our company for help because he had approved a comment on his site which turned out to be malware. Once approved, it wrote malware into every .php file in his installation, installed someone else as the admin, and changed the admin e-mail address to their own. Basically he lost his entire site. He is on a server that does not do backups. This is one of the worst cases we’ve heard of.

The following are the absolute minimum, the most basic things you must do to protect yourself.

1. In the Discussion settings of your blog, check “An administrator must approve comments.”

2. Check the “Comment author must fill out name and e-mail” box, which forces anyone making a comment to provide the necessary information. Some spammers might be deterred by this extra step.

3. Vigilantly check your comments by logging in to your dashboard, and trash all spam. Your speedy response can help diminish further comments from the same source.

4. Install a CAPTCHA script to ensure anyone leaving a comment has to type in the extra code. Automated spam cannot do this.

5. Never, ever approve a comment unless the writer has made a specific reference to something in your post. If the comment could have been made about any of your posts, or any other post, trash it.

6. Check the sender’s e-mail address. Trash the comment if the sender’s e-mail contains strange characters (like %/solarsp0), is an exceptionally long address (like, or comes from a company that sounds odd or too generic (like hotbraininsights, xxxlivecam or bestvaluerugs).

7. Never, ever upload an HTML page from another site. If you copy a photo from another site, save it under your own file name rather than embedding the full http:// link to the other site. You never want to take the chance that malicious code from another site can infect your own.
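Steps 1, 2, 5 and 6 can be enforced on the site itself rather than by hand. The following is an added example plugin, not code from the original post: the two option names and the `pre_comment_approved` filter are WordPress core, while the phrase list, the 64-character e-mail cutoff and the “shares a word with the post title” test are assumptions chosen to mirror the advice above.

```php
<?php
/**
 * Plugin Name: Comment Spam Heuristics (added example)
 * Description: Turns on the moderation settings from steps 1-2 and applies
 *              the step 5-6 checks automatically. Assumed thresholds below.
 */

// Steps 1 and 2, applied once when the plugin is activated.
register_activation_hook( __FILE__, function () {
    update_option( 'comment_moderation', '1' );  // an administrator must approve every comment
    update_option( 'require_name_email', '1' );  // author must supply a name and e-mail address
} );

// Stock phrases quoted in the post; a comment built around one of these says
// nothing about the post it is attached to (step 5). Assumed list.
const CSH_GENERIC_PHRASES = array(
    'great article',
    'keep up the great work',
    'you are very astute',
    'spot on with this write-up',
);

const CSH_MAX_EMAIL_LENGTH = 64;  // assumed cutoff for "an exceptionally long address" (step 6)

/**
 * Step 6: return a short reason if the sender's e-mail looks suspicious, or ''.
 */
function csh_email_reason( $email ) {
    if ( strlen( $email ) > CSH_MAX_EMAIL_LENGTH ) {
        return 'email-too-long';
    }
    // Anything outside a conservative letters/digits/._+- set in the local part
    // (e.g. '%' or '/') is treated as a strange character.
    $at    = strrpos( $email, '@' );
    $local = ( false === $at ) ? $email : substr( $email, 0, $at );
    if ( preg_match( '/[^A-Za-z0-9._+\-]/', $local ) ) {
        return 'email-strange-characters';
    }
    return '';
}

/**
 * Step 5: return a reason if the comment text is generic, or ''.
 * A comment counts as specific if it reuses at least one word of four or
 * more letters from the post title (crude, assumed test).
 */
function csh_content_reason( $content, $post_title ) {
    $lower = strtolower( $content );
    foreach ( CSH_GENERIC_PHRASES as $phrase ) {
        if ( false !== strpos( $lower, $phrase ) ) {
            return 'generic-phrase';
        }
    }
    $title_words = array_filter(
        preg_split( '/\W+/', strtolower( $post_title ) ),
        function ( $w ) { return strlen( $w ) > 3; }
    );
    $comment_words = preg_split( '/\W+/', $lower );
    if ( $title_words && ! array_intersect( $title_words, $comment_words ) ) {
        return 'no-reference-to-post';
    }
    return '';
}

// Route suspicious comments to the spam queue before they reach moderation.
add_filter( 'pre_comment_approved', function ( $approved, $commentdata ) {
    $post   = get_post( $commentdata['comment_post_ID'] );
    $title  = $post ? $post->post_title : '';
    $reason = csh_email_reason( $commentdata['comment_author_email'] )
           ?: csh_content_reason( $commentdata['comment_content'], $title );
    if ( '' !== $reason ) {
        // Leave an audit trail so the moderator can see why a comment was diverted.
        error_log( sprintf( 'comment from %s marked spam: %s',
            $commentdata['comment_author_email'], $reason ) );
        return 'spam';
    }
    return $approved;  // with comment_moderation on, this is 0 (held for review)
}, 10, 2 );
```

Drop the file into `wp-content/plugins/` and activate it. Nothing is published automatically: comments that trip a heuristic land in the spam queue, everything else still waits for a human in the moderation queue, so a false positive costs a glance at the spam list rather than a lost comment.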

In general, unless you have very strong reasons to believe the sender is genuine – for example, they made a comment that includes information that could only have been obtained from reading and thinking about your post, or if you visit the website associated with the email address and decide you do want to be associated with it – I recommend that you do not accept any comments at all.

It is much better to be safe than sorry.

For more information, please refer to these articles.

The Never-Ending Battle Against Comment Spam

Comment Spam

Removing Malware from a WordPress Site

Note: Be particularly careful if you’re on a Mac. Mac users do not tend to protect themselves adequately, in part because of a false sense of security caused by the company’s advertising. One study found that only 26% of Mac users have installed anti-malware software, as opposed to 92% of PC users.