If you run a WordPress site, you have probably seen at least one of these:
- Strange login attempts at all hours
- Spam comments with random links
- "User registration" spam (even if you did not ask for it)
- Sudden traffic spikes that do not look like real visitors
The important thing to understand is this: most attacks are not personal. They are automated bots trying the same "easy doors" on thousands of sites per hour. Your goal is to stop looking like an easy target, without becoming a security expert.
The simple plan
- Tighten WordPress comment rules (it catches a lot of junk cheaply).
- Add one spam filter (Akismet or Antispam Bee are common choices).
- Add brute force protection on forms (a security plugin can do this).
- Hide the comment paths bots always hit (this removes the "easy doors").
1: Stop the "easy wins" bots look for (15 minutes)
Bots do not "think" like humans. They try the same predictable places over and over:
- Common login addresses
- Common admin addresses
- Common WordPress paths that reveal what you run
- Common form targets, especially comments
This is why many sites get hit even when the owner did nothing wrong. Bots are just scanning the internet for the same patterns.
A beginner-friendly strategy is "layered protection", meaning you use a few simple controls that work together. You do not need 10 plugins. You need the right 1–2 protections set up correctly.
2: Fix comment spam at the source (no tech skills required)
Before you install anything, use WordPress's built-in Discussion settings. They are basic, but surprisingly effective when configured.
Here are the best beginner settings to review:
1) Hold comments with too many links
Spam comments usually contain multiple links. WordPress lets you hold a comment for moderation if it contains a set number of links or more, so a low threshold catches most link-stuffed spam before it is published.
2) Use the moderation and block lists
You can add words, domains, and patterns that should be held or blocked. WordPress documentation specifically recommends using the Discussion settings to reduce spam and make moderation easier.
3) Turn on moderation for first-time commenters
This keeps random bots from publishing instantly. It also reduces the chance that your site ends up showing spam links publicly.
If you are not sure where these options are, WordPress documents the Discussion settings screen and what each option does.
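To make the three settings above concrete, here is an added illustration (written for this page, not code from WordPress core or from any plugin) that applies the same decisions to a handful of constructed comments: a disallowed-list match goes to Trash, a moderation-list match or too many links is held, and a first-time commenter is held when that option is on. The thresholds, key lists and sample comments are all made up for the example, and the link-counting regex is a simplification of what core does.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample values standing in for the Discussion settings on a site.
MAX_LINKS = 2                       # "Hold a comment if it contains 2 or more links"
HOLD_FIRST_TIME = True              # "Comment author must have a previously approved comment"
MODERATION_KEYS = ["casino", "cheap-pills.example"]   # matches are held for moderation
DISALLOWED_KEYS = ["buy-followers.example"]           # matches go straight to Trash

# Count either a whole <a ...> tag (so its href is not counted twice) or a bare URL.
# This is an approximation for the example, not WordPress's exact regex.
URL_RE = re.compile(r"<a\s[^>]*>|https?://[^\s<>\"']+", re.I)


@dataclass
class Comment:
    author: str
    email: str
    url: str
    content: str
    author_previously_approved: bool


def count_links(text: str) -> int:
    """Number of links in a comment body."""
    return len(URL_RE.findall(text))


def matches_any(comment: Comment, keys: List[str]) -> Optional[str]:
    """Case-insensitive substring match across author, email, URL and content,
    which are among the fields the moderation and disallowed lists are checked against."""
    haystack = " ".join([comment.author, comment.email, comment.url, comment.content]).lower()
    for key in keys:
        if key.lower() in haystack:
            return key
    return None


def triage(comment: Comment) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'trash', 'hold' or 'approve'."""
    key = matches_any(comment, DISALLOWED_KEYS)
    if key:
        return "trash", f"matches disallowed key '{key}'"
    key = matches_any(comment, MODERATION_KEYS)
    if key:
        return "hold", f"matches moderation key '{key}'"
    n = count_links(comment.content)
    if n >= MAX_LINKS:
        return "hold", f"{n} links (limit {MAX_LINKS})"
    if HOLD_FIRST_TIME and not comment.author_previously_approved:
        return "hold", "first-time commenter"
    return "approve", "passed all checks"


# Constructed comments, not taken from any real site.
SAMPLE_COMMENTS = [
    Comment("Ann", "ann@example.org", "", "Nice post, thanks!", True),
    Comment("Bob", "bob@example.org", "", "Great read.", False),
    Comment("promo", "x@example.net", "http://cheap-pills.example", "check this", True),
    Comment("spam", "y@example.net", "", "http://a.example/1 http://b.example/2 http://c.example/3", True),
    Comment("bot", "z@example.net", "https://buy-followers.example", "hi", True),
]


def run_samples() -> List[Tuple[str, str]]:
    """Decision per sample comment, keyed by author."""
    return [(c.author, triage(c)[0]) for c in SAMPLE_COMMENTS]


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        decision, reason = triage(c)
        print(f"{c.author:6} -> {decision:8} ({reason})")
```

Paste a few of your own recent spam comments into `SAMPLE_COMMENTS` to see which of the three settings would have caught them; if most fall through to "approve", the moderation list is where the missing keywords or domains belong.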
3: Add a spam filter plugin (simple, "set and forget")
WordPress settings help, but the biggest upgrade is adding an anti-spam plugin.
Two common approaches:
1) Akismet (popular, reliable)
Akismet automatically checks comments and filters spam. It is widely used, but it typically requires an API key, and paid plans apply for commercial use.
2) Antispam Bee (simple and privacy-friendly)
Antispam Bee focuses on blocking spam comments and trackbacks, and it is promoted as working without captchas and without sending personal data to third-party services.
Practical advice: If you already get heavy comment spam, start with one of these. You can always switch later, but doing nothing costs you time every week.
4: Stop brute force attempts (login plus forms)
Brute force is when bots try many password attempts until something works. A good security tool limits attempts and blocks abusive behavior.
Wordfence, for example, documents its brute force protection as limiting repeated login attempts, and its plugin listing lists brute force protection as part of login security.
This matters for two reasons:
- It reduces the chance of a successful login attack.
- It reduces server load from constant bot traffic.
If your site feels slow during attack bursts, brute force controls often help immediately.
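The check a brute force limiter performs is simple: count how often one source hits a login or form target inside a short window, and block it once a threshold is crossed. The following added example (written for this page, not the code of Wordfence, WP Ghost or any other plugin) runs that sliding-window count over a handful of constructed access-log lines in the common "combined" format, watching the two targets this page keeps coming back to, `/wp-login.php` and `/wp-comments-post.php`. The threshold, window and sample IPs are assumptions chosen for the example; pointing it at a real access log shows which sources a limiter would have locked out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample lines in Apache/Nginx "combined" log format, not from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:02:15:10 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:02:15:11 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:02:15:12 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:02:15:13 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:02:15:14 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.25 - - [10/Mar/2024:02:16:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.25 - - [10/Mar/2024:02:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
192.0.2.25 - - [10/Mar/2024:02:45:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.25 - - [10/Mar/2024:03:00:00 +0000] "GET /2024/03/hello-world/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The form targets this page talks about; add others (e.g. a custom login path) as needed.
WATCHED = {"/wp-login.php", "/wp-comments-post.php"}


def parse_line(line: str) -> Optional[dict]:
    """Pull source IP, timestamp, method, path (query string dropped) and status from one line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?")[0],
        "status": int(m["status"]),
    }


def find_bursts(lines: Iterable[str], threshold: int = 5,
                window: timedelta = timedelta(minutes=5)) -> Dict[Tuple[str, str], int]:
    """Sliding-window counter per (ip, path).

    Returns {(ip, path): peak_count} for every source that POSTed to a watched
    path `threshold` or more times within any span of length `window`. A limiter
    would block the source at the moment the threshold is first reached.
    """
    recent = defaultdict(deque)   # (ip, path) -> timestamps still inside the window
    flagged: Dict[Tuple[str, str], int] = {}
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] not in WATCHED:
            continue
        key = (ev["ip"], ev["path"])
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


if __name__ == "__main__":
    for (ip, path), n in sorted(find_bursts(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip:15} {path:24} {n} POSTs inside 5 min -> would be blocked")
```

With the defaults, the two bots that hammer the login and comment targets within seconds are flagged, while the third address, which logs in three times over 45 minutes, is not; that is the distinction a limiter has to make so that a forgetful real user is not locked out along with the bots. Lowering the threshold or widening the window trades that tolerance for earlier blocking.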
5: Hide comment paths
Here is the problem with many anti-spam and security setups: they react after bots arrive.
Another approach is to remove the obvious targets bots are programmed to hit.
WP Ghost focuses heavily on changing and hiding common WordPress paths that bots typically hit, including options to change the comments URL.
Why does this help?
Think of bots like someone trying the same 10 doors in every building. If your doors are not where they expect, many automated scripts fail and move on.
This does not change how commenting works for real visitors, but it stops many automated attacks and spam submissions, especially when combined with brute force protection.
How to protect the WordPress comments form with WP Ghost
WP Ghost's own guidance for comments includes steps like:
- activating Safe Mode or Ghost Mode
- changing the comments path
- hiding the comments path
- enabling brute force protection on the comments form
A simple setup flow looks like this:
- Install and activate WP Ghost
- Enable the mode designed for path protection (Safe Mode or Ghost Mode, depending on your setup)
- Change the comments path. This reduces automated comment spam that targets the default comment posting address.
- Hide the comments path, so bots hitting common WordPress paths do not see an obvious target.
- Turn on brute force protection for the comments form. This blocks repeated attempts and reduces bot floods.
- Test like a normal visitor: open a post and submit a test comment. Confirm that real visitors can still comment while spam attempts get blocked or challenged.
I hope this documentation helps you stay out of spammers' reach and stay focused on growing your website and making money.