Why We Don’t Use Akismet
There was a time when Akismet was the go-to weapon against comment spam on WordPress sites. Unfortunately, we don’t think it has kept up with the threats that web developers face: it makes mistakes and still leaves a bunch of garbage comments in your WordPress database. I’ve never used Akismet; I can’t really explain why, I just didn’t. Olaf used to use it but has since found better alternatives to Akismet.
Reasons to avoid using Akismet
- It’s only free for personal use; otherwise you have to pay from $60 a year for each site up to $50 a month (“for publishing networks, agencies, hosts and universities or multiple sites”). Part of the problem with that concept is that they don’t really define what they consider a “commercial” website. Is a commercial site a mommy blogger with a few AdSense ads, or is it only true commercial enterprises that sell a product or service?
- A lot of obvious spam gets through.
- Doesn’t actually block the spammers. Akismet might flag their comments as spam but it does nothing to keep them from dumping 100 spam comments a day on your site. All of that junk uses your bandwidth, disk space and clutters up your WordPress database.
- False positives. Akismet has a reputation for flagging good comments as spam. That means you’re still going to have to slog through all 1,248 comments in your spam folder to make sure it is all truly spam.
- It can ignore comments made by legitimate visitors. I’ve seen several articles about this and experienced it myself. You leave a thoughtful reply to a blog post and when you hit submit there’s no notice of the comment awaiting moderation, no posting of the comment and no outward sign that what you took the time to write was actually accepted. Akismet may have simply blocked it.
Ah, but wait, Akismet is supposed to send suspicious comments to the spam folder. Apparently, not only does it send some legitimate comments to the spam folder, it doesn’t even let some comments into the system. Through the mysteries of their algorithm and reporting system, one of my email addresses was apparently placed on a spammers’ list. I don’t do a lot of blog commenting and when I do, it is usually several paragraphs long and they are always on point and would contribute to the conversation. In researching this article for Olaf, I found several folks theorizing that a denial of a trackback or even a single blogger tagging a comment with a particular email address can get that email banned in Akismet. I had always just assumed something went wrong between my lousy Internet connection and the blog I was commenting on. I don’t spam. It never occurred to me that I was on some sort of blacklist.
Even allowing for some false positives and blocking of legitimate comments, Olaf and I still don’t use Akismet. If I’m still going to have to review every comment being left on my blog, manually delete them AND never even see some potentially great comments, what’s the point?
So, if we don’t use Akismet anymore, what do we use?
Alternatives to Akismet
There are a number of free alternatives to Akismet that are more effective and are simply a better way to save you time, keep garbage from getting into your database in the first place and block bad bots before they have a chance to leave comments.
First off, Olaf and I don’t think there’s a single answer for fighting comment spam. The spammers are constantly changing their approach and there just doesn’t appear to be a 100% solution available. But that might be a good thing in the long run. Perhaps one of the reasons why Akismet is not as effective as it once was is that in trying to be a sole solution, it can’t focus enough on each issue we face from spammers.
As a rule, Olaf has been using a three-pronged approach against spammers: filtering the bad traffic, blocking bad bots and automated comment-posting scripts, and running a more traditional comment-based spam blocker.
Cloudflare
Cloudflare has become our first line of defense against comment spam. It maintains its own blacklist, uses third-party lists like AVH and can be configured to block known spammers by their IP addresses. Once Cloudflare has noticed a new attacker, it starts to block that attacker for both the particular website and the entire Cloudflare community. Olaf tells me that Cloudflare has the fastest and most secure network that he has ever worked with. He’s also noticed, across dozens of sites that he owns or operates for his clients, that Cloudflare has measurably decreased site load times. Cloudflare has also been known to recognize and repel brute force attacks against a site.
Simple Google reCAPTCHA
This WordPress plugin offers both options of Google reCAPTCHA: the version where the visitor has to check a checkbox (v2) and the “invisible” version (v3). We think that the invisible version of Google reCAPTCHA is a great option to protect your comment forms. Real visitors are already “checked by Google” and suspicious visitors or bots need to solve an image challenge.
5G Blacklist
5G Blacklist creates something of a firewall for your WordPress installation. The folks at PerishablePress.com believe the best way to stop those who wish to harm or exploit your site is to evaluate request strings and simply block them from even accessing your site. 5G helps reduce the number of malicious URL requests and protects against evil exploits, bad requests and other garbage.
5G isn’t a plugin. It is a bit of code that you add to your .htaccess file. If you don’t have direct access to your .htaccess file, you should consider changing hosts.
Antispam Bee
This is a gem of a plugin that has not received the attention it deserves. It is the closest thing to a free version of Akismet except it doesn’t have the problems with false positives and saving all of the spammy comments for review. Antispam Bee blocks virtually all of the garbage from getting into your database in the first place. It doesn’t stop the spammer from leaving the comment; it just deletes it before you ever see it. Of course, you can change the settings to allow the comments into your Spam queue for individual review.
This plugin has a strong and loyal following. When the original developer had to beg off the project, members of the WordPress community rallied behind him to keep this powerful plugin alive.
Other ways to avoid comment spam
- Remove the URL field from your comment form – This way you make your posts less attractive for spammers. You can do that by placing this snippet into the functions.php file from your child theme.
- If you get a lot of comments from your own small community, it might be an idea to ask comment authors to register first. Be aware that this is risky: not everyone likes to make an account for every website. Consider a social login feature instead; these plugins offer this kind of login feature.
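For the first tip above (removing the URL field), one way to do it is shown here as an added example; it is not the article's original snippet. The function names are hypothetical, while the two filters (`comment_form_default_fields` and `preprocess_comment`) are WordPress core hooks. The second filter covers scripts that skip the form and POST a URL straight to wp-comments-post.php.

```php
<?php
// Added example for a child theme's functions.php.
// Omit the opening <?php line when pasting into an existing file.

// 1. Remove the "Website" input from the comment form so there is
//    no visible place to drop a link.
add_filter( 'comment_form_default_fields', 'example_remove_comment_url_field' );
function example_remove_comment_url_field( $fields ) {
    unset( $fields['url'] );
    return $fields;
}

// 2. Hiding the field does not stop a script that submits its own
//    'url' parameter directly, so discard the submitted author URL
//    before the comment is stored.
add_filter( 'preprocess_comment', 'example_strip_comment_author_url' );
function example_strip_comment_author_url( $commentdata ) {
    // Logged-in users keep the URL from their profile.
    if ( is_user_logged_in() ) {
        return $commentdata;
    }

    // Leave pingbacks and trackbacks alone: their author URL is the
    // linking page. Older WordPress versions use an empty string for
    // regular comments, newer ones use 'comment'.
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    if ( '' === $type || 'comment' === $type ) {
        $commentdata['comment_author_url'] = '';
    }

    return $commentdata;
}
```

This only removes the author-link incentive; links inside the comment text are still handled by whatever spam filter is in place.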
Stop Spam, Stop Wasting Time
All in all, the best defense against spam is to utilize a system that begins with preventing access to your WordPress site and then properly handling anyone who manages to get past that first line of defense. We don’t use Akismet anymore because it lets the spammers gain access to the site and may delete legitimate comments. Flagging comments as spam lets the spammers leave their garbage and the blog owner still has to review each comment – a total waste of time.
Deploying an approach that begins at the server level and denies known spammers and hackers from accessing your site in the first place is far more effective. Add to that a plugin like Antispam Bee and you will see your spammy comments virtually disappear – we did.
Published in: WordPress Development
JavaScript nonces are the best approach. I’ve found this plugin to be foolproof:
https://wordpress.org/plugins/lh-zero-spam/
Hello Pete,
Thanks for sharing, actually this plugin doesn’t help to block the bot or spammer who is trying to post a comment. Using nonces will help to keep your comment waiting list clean, but the file wp-comments-post.php is still executed and the load on your server is still high if many posts are done. Our approach is not just about filtering spam, but more to use less resources while offering a comment function.
Olaf,
You’re wrong, that plugin is the best as
1. It achieves what everyone wants, which is no spam comments, with minimum impact on users
2. It aborts early, meaning minimum server load, actually less than any other WordPress native solution.
Haha, you’re promoting your own plugin (that’s okay) but there are other good options.
I see your plugin is using JavaScript only to block those spammers, what happens if the user has (some) JavaScript disabled or is using an ad blocker?
Does it still work in that case?
Other question… no offense, but why are your plugin stats so low in numbers of installs?
Your first comment was from 2015 and right now you have less than 1000 installs (or more than 500).
I like Google reCAPTCHA. Seems to stop everything!
Hi Ryan,
CAPTCHA challenges are an option, but they are also a challenge for the visitor who wants to post a comment for real.
Horrible user experience, plus it’s Google
The latest version 3.0 is much better because it’s based on a score (like the spam score in email). That is to say, only the shady comments will get another challenge. But you’re right, captchas are not the best for comment posting :)
(Akismet developer here.) When you say that Akismet leaves “garbage comments” in the database, what do you mean?
“Commercial” is any site that is used for commercial purposes. Selling products, promoting a business, or driving ad revenue are all examples of commercial purposes.
The strictness setting that we added last year allows you to have Akismet auto-delete the most obvious spam, which is usually about 80% of spam comments.
Hope this helps.
Hi Chris, thank you for clarifying that unless a site is 100% revenue free, it’s commercial in your eyes. My first, and somewhat abandoned blog, apparently still has Akismet installed; more on that in a moment. I will take the appropriate action but, I’ll leave it installed for a few days in case you would want more details about my comments below.
While this post is a bit of an attack on Akismet, our point was primarily that folks should not rely on a single tool to defend against spam. Your plugin comes installed on WordPress. It seems a natural place to begin any discussion on spam. Unfortunately, there simply doesn’t appear to be a single plugin or script that can filter the bad traffic, block bad bots and automated comment post scripts and provide a more traditional comment-based spam blocker.
I know Olaf has been working on my blog security for several years. He has tried a number of plugins and combinations of things. His efforts did include utilizing Akismet. However, since installing the configuration suggested in this post, my comment spam has virtually disappeared. YAY!
As to the accuracy of Akismet…
It’s funny sometimes how things on the web work. Around the time I handed over this article to Olaf, that old and low-traffic blog started getting hit. When I logged in to see what was going on, I found that somehow this blog missed getting Olaf’s security treatment and only had Akismet running. All of the spam comments, that were getting through, were obvious attempts at garnering backlinks to a number of different Facebook profiles. Granted, it’s running version 3.1.1 from back in March. However, your reply said the major changes were made a year ago.
I realize how hard it must be to program to beat these folks, it is such a continually moving target. Most of the Facebook spams have cut/pasted/scraped content from somewhere and they would probably pass a lot of spam filters – after all they look like comments, it would most likely take a human to recognize that they don’t make sense in context with the post they were attached to. But, there are several where it seems they should have been easily flagged but were let through as ham:
About a screen’s full worth of letters and numbers with strings like “d0bed0b” repeated over and over again.
A shorter one with a different string of letters and numbers ending with a three word keyword phrase.
Another with some text and then this: “Posted on May 11, 2012 by” followed by a bunch of code that looks like it was trying to pull data from somewhere on Twitter.
What really has me confused is that my Akismet Stats for August are 167 spam, 51 ham, 0 missed spam and 0 false positives.
I have no idea of the true number of spam comments from August. Am I right in guessing that it would require me to flag “Pending” posts as spam to get them counted as “missed”? And, “false positives” would be things in my Spam folder that I marked as not being spam?
3 obvious misses out of 218 is obviously a great result – 98%. 21 missed still offers a 90% catch rate. Unfortunately, I suspect those numbers would have gotten worse, since someone has obviously found a hole to exploit.
What seems more worrisome is that there are only 20 comments sitting in pending and 1 in spam from this month – most of which came in yesterday and the day before. If Akismet is right and there were 51 “ham” comments, it would seem there are 30 ham comments missing.
I left the install of Akismet as it was in case you would like more info on the stuff that was getting through. Perhaps updating to the latest version would have flagged the spam that I received. Based on the changes identified in the Changelog on the WP Repository, I’m not sure it would have changed things though. I did, however, install AVH and AntiSpam Bee and they stopped the attack completely.
That’s right.
It’s possible/probable that the other 166 spam were auto-deleted due to being super-obvious.
Can you send me the key and blog that these stats are from (either at finke@automattic.com or support@akismet.com)? The ham stat being off by that much is strange, and the spam that got through sounds like stuff that is being caught on other sites.
Thank you for the information about how Akismet was actually storing too much on your site and affecting its usability. I am just starting a blog and I’m trying to choose an anti-spam product. While many articles complain about the cost of Akismet, your article is giving me another more serious issue to consider: am I capable of debugging problems created by Akismet?
I actually have the same issues with Akismet. I just think it has been letting way too much obvious spam through over the last 6 months or so. I didn’t use to need to go through approved comments and spam-mark anything (or very few) before but these days I know that of the approved comments 90% will be obvious spam-comments.
I also do not think the ham-number is correct. It says that in July 2016 so far I’ve gotten 52 ham-comments … but I only have 5 approved comments. Unless it counts all it incorrectly marked as “approved” and ignores that I’ve spam marked basically every one of them?
I’m getting Akismet via Vaultpress but am seriously considering testing something else …
Hi Bjorn,
thanks for sharing your experience with Akismet.
I don’t check the HAM, but you’re right there are many false positives. Even stupid comments with typos and spammy links. The funny thing is that if you wait a few days and hit the “Check for spam” button, Akismet will filter most of them afterwards. This doesn’t help because the admin/moderator still gets notifications in the first place. Try these plugins too (and let us know how it works for you)
https://wordpress.org/plugins/wp-spamshield/
https://wordpress.org/plugins/zero-spam/ (note it doesn’t work with Jetpack comments)
https://wordpress.org/plugins/cleantalk-spam-protect/ (maybe one of the best, $8 / year and website is much cheaper than moderating spam)
Interesting post in regards to stopping spam. I honestly have never needed anything better than Akismet but it’s nice to know that there’s a lot of alternatives out there just in case I ever get to the point where Akismet is no longer doing what I need it to do.
Hi Robin,
In my opinion Akismet is an easy way to fight comment spam on your personal site. For a commercial site you need to pay for using the Akismet service. Right now, avoid using Akismet for a commercial site, because this blog is still getting false positives every week. Even some weeks later Akismet doesn’t know it’s spam if you click the re-check button. On the other side, Akismet has filtered 1000+ spam comments as well :)
So Akismet gives too many false positives, it really is terrible.
These days Akismet has become better, but it’s still not filtering stupid spam with links and shady content.
It’s a self-learning system, so sometimes it needs weeks for the knowledge that a comment is spam or not. In the meantime your list might rise up to 100’s of spam messages in your moderation list :(
I have an issue related to Akismet. Hope you guys could help me. I am using GoDaddy WordPress hosting. I have never installed Akismet. But recently it appeared (by itself) on my WordPress website. I am not able to remove it either from WordPress or from the FTP. Why did it appear by itself when I don’t even need it? I don’t let people comment or register on my website. I don’t need it. Do you guys have any idea?
Hi,
Akismet is a kind of feature plugin for WordPress and is re-installed with every “bigger” update. Just keep the plugin deactivated and you will not have a problem with the plugin. Sure, you can remove it every time an update is done…
Every WordPress website has this “problem” :)
Akismet is easily the worst service I have ever encountered. I paid the money, I have all the information to get into my account, but Akismet won’t even let me access their site. My website says it’s activated, but all I get is messages from Akismet that there are problems. My spam has actually increased exponentially since I installed and activated it. (WordPress says it’s activated, but it obviously isn’t.) I actually think Akismet searches out spam and sends it to my site, rather than the opposite. I think it’s a service that increases spam on purpose.
Hi Chuck,
your problem sounds more like a connection problem between your website and Jetpack (Jetpack includes a spam filter too).
Did you ever try to contact WordPress support? They are very responsive to paying customers.
For this website I use the premium version of Ninja Firewall, they offer a spam filter too and your website is secure for a lower price than what you pay for Jetpack or Akismet. Sure there are some false positives from people submitting the spam comment manually, but that happens with all comment spam plugins I’ve tested.
Thanks for the article, Olaf!
Disclaimer: I’m co-founder at OOPSpam, a competitor of Akismet.
While we work mostly with non-WordPress websites, the article is helpful for me as we started to focus on the WordPress ecosystem as well.
Since then Akismet updated their pricing, now it is much more expensive for agencies or other large websites (we are talking about $1000+ per month). I personally like Antispam Bee as a free alternative.
The principles behind reCAPTCHA are powerful, however it lacks accessibility (they partially addressed it with v3) and privacy. As you mentioned, reCAPTCHA uses a score, which is a better way to handle different sets of spam issues. We also found that the score works effectively for niche industries.
Hi Onar,
This article is pretty old and I’m sure there are better solutions available now. Do you have plans to make a WordPress plugin? How about an OOPSpam subscription especially for bloggers? $49 a month is for most bloggers more than their hosting expenses ;)
PS. Sorry for the late response.
I didn’t get any notification. I’m sorry for the late response too :)
Good point on pricing. We do have a WordPress plugin (https://wordpress.org/plugins/oopspam-anti-spam/).
We also started an invite only plan “Starter” which is $17 for people who manage a few websites. Currently, the plan isn’t available on the dashboard but can be purchased by contacting us.