How to Stop Spammers & Scammers—*Without* Annoying Real Visitors

That moment of dread when your phone buzzes again, with the 37th notification in 10 minutes. You know it’s because your site is getting hammered, and you can’t seem to make it stop.

Our friend K knows exactly how that feels.

Or what about when you have the smallest of small businesses, and a would-be client is blocked and labeled a spammer while trying to sign up? True story (mine). Hopefully you’ll never experience the dread that comes with learning a scammer has used your e-commerce site to test their stolen credit card numbers. Nobody deserves those kinds of chargebacks.

WordPress website owner, worriedly reviewing notifications on his mobile phone as his site gets hammered by spam.
This is not our friend K, although the worried expression on his face was probably accurate.

Hopefully, the website spam currently in your life has less potential for severe consequences. It’s just filling up your inbox, cluttering up your WordPress dashboard, and sometimes causing public embarrassment (it’s OK…there are worse things than the links to Viagra deals that popped up on your most visible blog post).

Whatever the reason that compelled you to seek out this post, don’t stress – there’s a quick and thorough fix. Plus some helpful WordPress settings changes that won’t take long. So I’ll skip the deep dive into all the motivations for and causes of spam; if you’re like me, you just want to make it stop without forcing actual people to perform silly tricks like CAPTCHA before they can do business with you.



TL;DR:

  • Free anti-spam plugins are better than nothing, but of limited help — especially with forms.
  • CleanTalk protects more, but aggressively interferes with your visitors and business.
  • Some WordPress settings can contribute to spam and should be changed.
  • OOPSpam protects e-commerce, comments and every other spam target you’re likely to have on your site.

The Crime Scenes – AKA Common Spam Targets

As a website owner, dealing with spam can be a significant drain on your time and resources. You need this info before we talk about plugins, so you can understand why some solutions might not be effective for your specific website.

There are four main areas spammers love to abuse:

  • Website forms of any kind can attract a barrage of meaningless submissions that clog up your database and your email inbox, making it harder to manage legitimate inquiries.
  • Comment spam on your blog is an eyesore and can drive genuine readers away, reducing engagement and your site’s credibility. Enabling comment moderation helps, but the burden is on you to sort through and evaluate comments.
  • Bogus user registrations not only inflate your user metrics artificially but also pose a security risk, potentially opening up avenues for more severe attacks.
  • Card testing attempts flood your payment system with small transactions, trying to identify valid card details. That can lead to payment gateway issues and financial losses.

In every case, spam diverts your attention from growing your business and providing a quality experience to your real customers.

A man laughing heartily beside a computer screen displaying a webpage with a playful message, "We'd love to bake you happy!" and an incomplete scam email in the text box, intending to highlight a humorous contrast between the serious tone of the scam and the lighthearted website content.
Scammers have no problem picking on the smallest and nicest of small businesses. Jerks!

Anti-Spam Plugins I Have Known and (Sometimes) Loved

When your business involves the internet, staying flexible about the solutions you use is important, especially with website plugins. It’s essential that plugins are developed and maintained by responsive teams, particularly when they impact website security or business reputation, like anti-spam plugins.

I have a core set of familiar plugins I like, developed by teams I trust because of their track record. I’ll stick with them for years as long as they serve my clients well, don’t have many issues, and quickly address any that do come up. That’s why, in over a decade of working with WordPress, I’ve used only four anti-spam solutions: Akismet, AntiSpam Bee, CleanTalk, and OOPSpam.

It’s been a bit of a journey – the last couple years especially. At each point along the way, others sharing their experience provided input that helped me decide where to go next. Now it’s my turn to help.

Reputable Freebies

Free plugins like Akismet and AntiSpam Bee are champs when it comes to filtering out comment spam. But they’re mostly limited to that. So, if your website has e-commerce, a contact form, email signup, user registration, or you use an alternate commenting system like wpDiscuz or Disqus, you’re out of luck.

A graphic of "Antispam Bee" with features listed: Free, Reputable, Blocks Comment Spam, with a checkmark next to each, and Protects Against All Types of Spam & Form Abuse, with a cross mark. There is a cartoon bee character at the top right.

This leaves gaping holes in your defenses, because spammers and would-be hackers don’t stop at comment spam. Anything on your site that lets someone (or some bot) add text is fair game for abuse.

If you’re not yet experiencing spammer-related issues, go ahead and install AntiSpam Bee. Then check your WordPress settings (more on that below) to make sure you’re not inviting an extra level of spammer trouble. Just know that the day will come when you’ll need to do more.

Why AntiSpam Bee vs Akismet? To be fair, it has been years since I personally used Akismet. At least one of my issues with it (site speed) has reportedly improved. But, I am still seeing complaints about its high rates of false positives. And, Akismet is not free for business use.

When I began working with WordPress, the internet was a kinder place, with fewer spammers. Akismet came pre-installed with WordPress, and I just left it. When I began looking at its impact on load speed, though, I switched to AntiSpam Bee.

Wait — Spammers Love Forms, Too?

Logo of "CleanTalk" with a red prohibition sign (a circle with a diagonal line) across it.

It wasn’t long before spammers started abusing my contact and intake forms, so I switched to CleanTalk. It is a paid plugin, but it’s super cheap.

The moment I installed CleanTalk the form spam stopped, so I bought, used and recommended it for years. Then, a couple of years ago, incidences of false positives became more and more numerous. This was for both me and my clients, which multiplied the frustration.

Every time CleanTalk would do something to address the false positives, it’d be good for a while. I’d have hope and relax about finding a replacement. Everyone has off days, etc. But it kept happening.

Then, CleanTalk did something careless. I was angry. And done.

false pos·i·tive
noun

A test result which incorrectly indicates that a particular condition or attribute is present. “Zoe was annoyed after discovering yet another CleanTalk false positive in her website dashboard: A reader question that would have made a fantastic contribution to the discussion, but instead was flagged as spam and blocked.”

Definition from Oxford Languages

OOPSpam (adios, CleanTalk)

Searching in and posting to the unofficial water cooler group/brain trust for WordPress nerds like me (shoutout to The Admin Bar!) about comprehensive anti-spam solutions for WordPress, I learned about OOPSpam, as well as a few other CleanTalk alternatives.

A stylized black blob with two white circles to represent eyes and the word "OOPSpam" written in black underneath, all set against a yellow background.

I also heard more stories about CleanTalk false positives. For the most part, CleanTalk does work better than a lot of solutions, and to be fair it is still working well for a number of other Admin Bar members.

I shut off CleanTalk, and did the OOPSpam free trial. It was effortless, until I ran out of the 40 free API calls allotted for the trial. When your site just does its thing, and you don’t check under the hood regularly, it’s hard to appreciate how many times a day even a low-traffic site like ours gets hit by bots and spammers. They absolutely don’t care that we’re little guys.

OOPSpam protects:

  • Contact forms
  • Lead gen forms
  • E-commerce (e.g., card testing attacks)
  • Comments
  • Reviews
  • User registration
  • Newsletter/email list signup

WordPress Settings You Shouldn’t Ignore

I won’t provide a step-by-step settings tutorial, for a couple of reasons. First, because it’s already been done well enough. And, because OOPSpam makes your WordPress settings matter less. Possibly not at all. Still, I adjust the settings for sites I design/build (or fix, sometimes) to discourage spam comments and scam user registrations. You should, too.

  • Spam Comments – Tips and settings to reduce comment spam. Read more here.
  • Scam Registrations – Tactics for cutting down on fake user sign-ups. Read more here.

Website Firewalls Help (Kind Of)

A firewall scrutinizes incoming traffic to your website. If it spots something shady, like a sketchy comment from a suspect IP address, it’ll block it right away. Essentially, it’s an early warning system and barrier, keeping out unwanted spam and ensuring that only legit traffic gets through. AFV Site Care protects your site with a firewall. Cloudflare and Wordfence do, too.

As much as I’d love to tell you firewalls are the ultimate spam-busting superheroes, truth be told, they’re imperfect. While they do keep a lot of junk out, some spam can still slip through the cracks. Between comment spam, form spam, and fake user registrations, there are just too many opportunities for spammers.

To be fair, some solutions can block more spam than others, if you adjust the settings. But if you crank up the anti-spam dial too high, there’s a good chance you’ll also end up blocking legitimate users from interacting with your site. Nobody wants to lock out a sincere customer trying to sign up for your newsletter or leave a genuine comment on a post. So, it’s all about finding the right balance, where you’re filtering out the bad stuff without annoying real visitors.

For AFV and most of the sites we manage, this means a firewall is important. But not the only tool in our spam-fighter arsenal.

Why I Gave OOPSpam My Money

I’d like to tell you I researched all available options, compared them on their specs, and landed on the best one. But, no. While OOPSpam is the best anti-spam tool I’ve used to date, I discovered it only after rage-posting about CleanTalk in the Facebook group I mentioned earlier. A few other group members commented about OOPSpam, and gave it high marks. Literally no one had anything negative to say. That never happens.

I’m about two months in as of the date of this post, and I’ve had zero false positives. I like that I have the option to see in my WordPress dashboard what OOPSpam thinks is spam. From there I can also mark something as spam that wasn’t flagged by OOPSpam, and vice-versa (if that were to occur).

With CleanTalk, I had to log in to their website and rifle through dozens upon dozens of entries. I did this when someone told me they submitted a form, and I didn’t want to make them fill it out all over again. I also did it for a client who was having problems with CleanTalk. I’ll never get back those wasted hours, but if I can save just one other person…

There are a few OOPSpam settings you can optionally adjust, and it is helpful (and super easy) to block entire countries (I know there are good people in Russia and China, but only their spammers visit AFV, so…). Importantly, OOPSpam is GDPR compliant.

Also important: OOPSpam will not negatively affect your website’s loading speed.

Is there a downside? Like most amazing products, it seems a little pricey when compared to other anti-spam solutions. This one covers more spammer targets than anything else, with the possible exception of solutions that are so aggressive they also block real people. And, it’s easy to set up. Adjusting CleanTalk’s configuration was a real hassle, so ease of use is something I appreciate.

OOPSpam has a 7-day free trial. I decided to start there, and if it was amazingly perfect I would buy. The trial includes a limited number of API calls, though, so it may not last you the entire 7 days (mine didn’t – thanks, spammers). But I’d seen enough to decide it was worth the investment.

A happy signup discovery for people like me, who may not need as big a plan as OOPSpam’s official smallest plan: At the bottom of the pricing table there’s an inconspicuous little note asking you to contact them about a Starter plan if you need fewer than 15k API calls per month. I had no idea how many I’d need. So far it’s been far fewer than I thought, and far fewer than the allotted 15k/month. That starter plan is only $17/month (as of July 2024), and even cheaper if you pay annually.

Finding the Right Mix for Your Anti-Spam Needs

We’ve covered the essentials of combating spammers and scammers, discussed useful (and semi-useful) anti-spam plugins, and highlighted the importance of robust settings and firewalls. To recap the important points: Give your website a solid defense against time-wasting and embarrassing spam — and block unwanted intrusions — by following this checklist:

  • Check your WordPress settings; adjust as noted in the articles linked above.
  • Use Antispam Bee if you only have comment spam and no forms on your site.
  • Add a comprehensive solution like OOPSpam if you have forms on your site or are experiencing other spam activity.
  • Be sure your website is protected by a firewall.

The fact that spammers are always changing their tactics to get one over on us can be really frustrating. But remember: We can change our tactics, too, and turn the tables on spammers.

If you’re concerned about the reputation and security consequences of spam, try OOPSpam. If it solves your spam problems as simply and thoroughly as it did ours, you’ll do what I did and tell them to take your money. I can’t complain, though. OOPSpam promises 99.99% accuracy; so far, it’s been 100%.


Some of the products, services or companies linked from this page or elsewhere on this site are those with which we have affiliate relationships. We recommend them because we use and trust them and know they will serve you well. Not because we get paid. We think you should do business with them whether you use our links or not.

Why AFV No Longer Uses or Recommends CleanTalk

In May of 2024, CleanTalk sent all of their customers an e-mail warning (see below) that appeared to be a legitimate security alert about a vulnerable plugin on their websites. The subject line included “Critical Vulnerability” and “Update Now!” Many people who had no reason to worry — AFV clients among them — were understandably alarmed.

I took the alert seriously and spent time checking out each site. I was baffled to find that none of the worried clients actually had the plugin installed. So we all wasted a bit of time, then breathed a sigh of relief when it was clear the sites were not affected. Better safe than sorry, right?

It was important to me to reach out to CleanTalk and find out what had triggered the emails, and make sure it didn’t happen again. Because the last thing the internet needs is a bunch more people assuming a security alert is just another false alarm. The response I received back made me livid.

The “Critical Vulnerability/Update Now!” message was a marketing ploy. They referred to it as a newsletter. And, they seemed to be either clueless or heartless about the effects of this “marketing.” Ultimately it worked out for the better for me, but they stressed everyone out. I couldn’t in good conscience continue with them.

Bogus vulnerability alert email sent by CleanTalk Anti-Spam's marketing department.