
No Plugin Needed: A Complete Code-Based Solution for WordPress Spam Comment Protection


Implementing WordPress Spam Protection Without Plugins

Spam comments are a common issue in WordPress. While plugins can solve this, implementing a solution via code offers better control over logic, reduces plugin dependency, and improves performance. This guide provides a complete anti-spam solution by modifying your theme's functions.php file.

Core Code Implementation

Add the following code to your active theme's functions.php file:

add_filter('preprocess_comment', 'custom_preprocess_comment');
function custom_preprocess_comment($commentdata) {
    // 1. Nonce verification. The hidden field is printed by the comment form (see
    //    "Frontend Form Integration"). wp_verify_nonce() accepts the current and the
    //    previous 12-hour tick; comparing against a freshly generated nonce with !==
    //    would reject every form rendered just before a tick boundary.
    $nonce = isset($_POST['comment_nonce']) ? sanitize_text_field(wp_unslash($_POST['comment_nonce'])) : '';
    if (!wp_verify_nonce($nonce, 'comment_nonce_' . $commentdata['comment_post_ID'])) {
        wp_die('Invalid comment request. Please refresh the page and try again.');
    }

    // 2. Optional: require at least one Chinese character (CJK Unified Ideographs,
    //    U+4E00..U+9FA5). The /u modifier makes PCRE read the subject as UTF-8.
    if (!preg_match('/[\x{4e00}-\x{9fa5}]+/u', $commentdata['comment_content'])) {
        wp_die('Comment content must contain at least one Chinese character.');
    }

    // 3. Built-in disallowed-list check (Settings > Discussion > Disallowed Comment
    //    Keys). The function was named wp_blacklist_check() before WordPress 5.5;
    //    the arguments are the same.
    $check = wp_check_comment_disallowed_list(
        $commentdata['comment_author'],
        $commentdata['comment_author_email'],
        $commentdata['comment_author_url'],
        $commentdata['comment_content'],
        $commentdata['comment_author_IP'],
        $commentdata['comment_agent']
    );
    if ($check) {
        wp_die('Your comment triggered spam rules.');
    }

    // 4. Optional: require a logged-in user. Equivalent to the Discussion setting
    //    "Users must be registered and logged in to comment".
    if (!is_user_logged_in()) {
        wp_die('Please log in to post a comment.');
    }

    // 5. Remove all HTML from the body. WordPress already runs comment content through
    //    wp_kses() on save and escapes it on output, so this is belt-and-braces rather
    //    than the XSS defence; its practical effect is dropping markup such as links.
    $commentdata['comment_content'] = strip_tags($commentdata['comment_content']);

    return $commentdata;
}

Code Function Explanation

  • Nonce Verification: ties each submission to a token derived from the post ID, the current 12-hour tick and the user ID (0 for visitors), so a POST to wp-comments-post.php that did not come from a rendered form is rejected, and a third-party page cannot submit a comment on behalf of a logged-in user. Its limits: all anonymous visitors receive the same token within a tick, so a bot that fetches the page before posting passes; and because a nonce expires after 24 hours at most, pages served from a long-lived full-page cache will fail the check.
  • Chinese Character Check: a regex that requires at least one CJK ideograph in the body. It discards most spam written in other languages, and equally every legitimate comment without a Chinese character, so keep it only on a site whose readers write in Chinese. This rule is optional and can be adjusted or removed.
  • Disallowed List Check: calls wp_check_comment_disallowed_list() (named wp_blacklist_check() before WordPress 5.5), which matches the author, e-mail, URL, body, IP and user agent against the "Disallowed Comment Keys" list in Settings > Discussion. WordPress already runs this list itself in wp_allow_comment() and moves matches to the Trash (or to Spam if the trash is disabled); calling it here discards them outright instead.
  • Login Requirement: restricts commenting to logged-in users, suitable for member-only or high-security sites. The Discussion setting "Users must be registered and logged in to comment" has the same effect and also hides the form from visitors; the code version is useful when you want this check combined with the others in one place.
  • HTML Tag Stripping: strip_tags() removes every HTML tag from the body. WordPress already filters comment HTML with wp_kses() on save and escapes it on output, so this is not what prevents XSS; what it adds is the removal of all markup, including links, which is where most comment spam carries its payload.

Frontend Form Integration

The nonce verification requires a hidden field in the comment form. Add this code to your theme's comment template (usually comments.php, or wherever single.php renders the comment form); themes that build the form with comment_form() can instead print the same field from its comment_form_after_fields and comment_form_logged_in_after actions without editing the template:

<?php
    $nonce = wp_create_nonce('comment_nonce_' . get_the_ID());
    echo '<input type="hidden" name="comment_nonce" value="' . esc_attr($nonce) . '" />';
?>

Place it inside the <form> tag, before the submit button.
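The same round-trip done with WordPress's own nonce helpers, as an added example that is not the article's code: the field is printed from the hooks that comment_form() fires, so the template need not be edited, and it is checked with wp_verify_nonce(), which accepts the previous 12-hour tick as well as the current one. The function names prefixed example_ are assumptions made here; the hooks and WordPress functions are core API.

```php
<?php
// Added example, not the article's own code. The nonce round-trip using
// WordPress's built-in helpers: wp_nonce_field() prints the field from the
// hooks comment_form() fires, wp_verify_nonce() checks it on submission.
// Names prefixed example_ are ours; everything else is core WordPress API.

// One place defines the action string, so the form and the check cannot drift apart.
function example_comment_nonce_action($post_id) {
    return 'comment_nonce_' . (int) $post_id;
}

// Print the hidden field inside the form that comment_form() renders.
// Third argument false: skip the extra _wp_http_referer field.
function example_print_comment_nonce() {
    wp_nonce_field(example_comment_nonce_action(get_the_ID()), 'comment_nonce', false);
}
// comment_form() fires one hook for logged-out visitors and another for
// logged-in users; hook both so the field is present in either form.
add_action('comment_form_after_fields', 'example_print_comment_nonce');
add_action('comment_form_logged_in_after', 'example_print_comment_nonce');

// Reject the submission unless it carries a nonce for this post.
function example_require_comment_nonce($commentdata) {
    // Pingbacks and trackbacks arrive over XML-RPC, not through the form, and
    // would otherwise always fail. Drop this branch if you want them blocked too.
    if (!empty($commentdata['comment_type']) && 'comment' !== $commentdata['comment_type']) {
        return $commentdata;
    }

    $nonce  = isset($_POST['comment_nonce']) ? sanitize_text_field(wp_unslash($_POST['comment_nonce'])) : '';
    $action = example_comment_nonce_action($commentdata['comment_post_ID']);

    // wp_verify_nonce() returns 1 (current tick), 2 (previous tick) or false.
    if (!wp_verify_nonce($nonce, $action)) {
        wp_die(
            'Invalid comment request. Please refresh the page and try again.',
            'Comment blocked',
            array('response' => 403, 'back_link' => true)
        );
    }
    return $commentdata;
}
add_filter('preprocess_comment', 'example_require_comment_nonce');
```

wp_nonce_field() and the manual wp_create_nonce() call in the template snippet above produce the same token, so this check also accepts a field printed the article's way. The token is derived from the user ID (0 for visitors), the action and the current 12-hour tick, not from a per-visitor secret, so two anonymous visitors get the same value: the check defeats form posts that skipped rendering the page and cross-site submissions on behalf of logged-in users, not a bot that fetches the page first. If a full-page cache serves HTML older than 24 hours, every comment on that page will be rejected; exclude the comment form from the cache or keep its TTL under the nonce lifetime.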

Notes & Optimization Tips

  1. Customize Rules: The rules shown (requiring Chinese, mandatory login) are strict. Adjust or comment them out based on your site's needs, and test each change with a real comment from a logged-out browser, since the nonce and login rules behave differently for visitors and for yourself while logged in.
  2. Error Handling: wp_die() aborts the request with a plain error page and the comment is never stored. Its second and third arguments set the page title and options such as array('response' => 403, 'back_link' => true); to keep a rejected comment for review instead, return 'spam' from the pre_comment_approved filter rather than calling wp_die().
  3. Performance: The checks are a handful of string operations per submission and cost nothing measurable. Full-page caching is the thing to watch: a cached page carries a nonce that is valid for 24 hours at most, so exclude the comment form from the cache or keep its TTL below the nonce lifetime.
  4. Compatibility: wp_check_comment_disallowed_list() requires WordPress 5.5 or later; on older versions call wp_blacklist_check() with the same arguments. Put the code in a child theme so a theme update does not overwrite it.
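An alternative to wp_die() for the Error Handling note above, added here as an example and not the article's code: route comments that fail a rule into the Spam queue through the pre_comment_approved filter, so a false positive can be restored from the dashboard instead of being lost. It applies the article's Chinese-character rule; the function names prefixed example_ are assumptions made here.

```php
<?php
// Added example, not the article's own code. Instead of aborting with
// wp_die(), mark a comment that fails a rule as spam, so it is stored in
// the Spam queue and a moderator can restore a false positive.
// Names prefixed example_ are ours; the filter and its arguments are core API.

// True when the text contains at least one character in the range the
// article's rule uses (CJK Unified Ideographs U+4E00..U+9FA5).
function example_has_chinese($text) {
    return 1 === preg_match('/[\x{4e00}-\x{9fa5}]/u', (string) $text);
}

// pre_comment_approved receives WordPress's own verdict (1, 0, 'spam' or
// 'trash') together with the full comment data. By this point core has
// already applied the Discussion-settings disallowed list, so there is no
// need to call wp_check_comment_disallowed_list() again.
function example_flag_as_spam($approved, $commentdata) {
    // Never weaken a verdict core already reached.
    if ('spam' === $approved || 'trash' === $approved) {
        return $approved;
    }
    // Pingbacks and trackbacks carry no human-written body; leave them alone.
    if (!empty($commentdata['comment_type']) && 'comment' !== $commentdata['comment_type']) {
        return $approved;
    }
    // Rule 2 from the article: the body must contain a Chinese character.
    if (!example_has_chinese($commentdata['comment_content'])) {
        return 'spam';
    }
    return $approved;
}
add_filter('pre_comment_approved', 'example_flag_as_spam', 10, 2);
```

Because the filter only ever tightens the verdict, it composes with the other rules in functions.php: a comment that fails the nonce check is still aborted by wp_die() in preprocess_comment before this filter runs, while one that merely lacks a Chinese character is kept for review. Whether flagged spam is deleted automatically depends on your moderation routine, so check the Spam queue from time to time or it will grow without bound.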

Tip: Always backup before modifying theme files. Test code snippets first using a 'Code Snippets' plugin.

This method lets you build an effective, customizable anti-spam system for WordPress without installing additional plugins.
