WordPress Discussion Settings: Correctly Configure Comments, Moderation and Spam Protection

WordPress Discussion Settings: Correctly Configure Comments, Moderation and Spam Protection

The discussion settings in WordPress control how visitors can interact with your content. Here you define whether comments are allowed, whether new comments must be reviewed first, whether pingbacks and trackbacks are permitted, and how WordPress should handle suspicious comments.

Comments can be valuable, especially for blogs, news sections, guide pages and knowledge bases. They allow follow-up questions, discussions and additional user interaction. At the same time, comment sections are a popular target for spam bots, SEO spam, phishing links and automated advertising messages. A clean configuration protects your website, your visitors and your database.

Where can you find the discussion settings?

You can find the settings in the WordPress dashboard under:

Settings > Discussion

There you will see several sections that control different aspects of comment management. Depending on the WordPress version, language setting, theme and installed plugins, individual options may be named slightly differently.

Typical sections are:

• Default post settings
• Other comment settings
• Email notifications
• Comment approval
• Comment moderation
• Disallowed comment keywords
• Avatars

1. Generally allow or disable comments

The most important decision is: Do you want to allow comments on your website at all? For classic blogs or community websites, comments can be useful. For company pages, landing pages, contact pages or purely informational pages, comments are often not necessary.

In the discussion settings, you can specify whether visitors are allowed to comment on new posts by default. This setting mainly affects new content. Posts that have already been published may have their own comment settings.

Comments are useful if:

• you want to actively discuss with readers,
• your content requires explanation,
• you want to answer follow-up questions directly below articles,
• you want to build a community,
• you can moderate comments regularly.

Comments are less useful if:

• you do not have time for moderation,
• your website is heavily affected by spam,
• the website consists of static company pages,
• you prefer to receive customer enquiries via forms,
• legal or organisational reasons speak against public discussions.

2. Enable or disable comments for individual posts

The global discussion settings apply as the default for new posts. However, you can also control comments individually for each post or page.

To do this, open a post in the WordPress editor and check the settings for Discussion. Depending on the editor and view, you may first need to display this section. There you can enable or disable comments and pingbacks for the individual piece of content.

This is practical if you generally allow comments but want to disable them on certain pages. Examples:

• Contact page
• Legal notice
• Privacy policy
• Landing pages
• Product pages without a need for discussion
• old posts with a high volume of spam

3. Disable pingbacks and trackbacks

Pingbacks and trackbacks are notifications that can be generated when other websites link to your content. The idea comes from earlier blogging times: websites were supposed to automatically inform each other about links.

In practice, pingbacks and trackbacks are now often abused for spam. Many modern websites no longer need this function. For this reason, it makes sense for many WordPress projects to disable pingbacks and trackbacks.

Advantages of disabling them:

• fewer spam entries,
• fewer unnecessary notifications,
• lower database load,
• less attack and abuse surface,
• clearer comment management.

4. Comment author must provide name and email address

WordPress can require comment authors to provide a name and an email address. This option helps reduce anonymous spam comments somewhat. However, it does not replace real spam protection.

For professional websites, this setting usually makes sense. Visitors should know that their data is being processed. Therefore, make sure that your privacy policy correctly describes comments and the associated data processing.

5. Users must be registered and logged in

A stricter option is to allow comments only from registered and logged-in users. This can reduce spam, but it is a high barrier for normal visitors.

This setting is more suitable for:

• member areas,
• internal platforms,
• course websites,
• communities,
• closed customer areas.

For normal blogs or company websites, this barrier can result in hardly any genuine comments being posted.

6. Automatically close comments after a certain time

WordPress offers the option of automatically closing comments on older posts. This can be very helpful if particularly old posts attract a lot of spam.

Example: You can automatically disable comments after 30, 60 or 90 days. New posts then remain open for comments for a certain period of time, while older posts are closed.

This function is useful if:

• old posts receive a lot of spam,
• discussions are no longer relevant after some time,
• you want to reduce moderation effort,
• you have many older blog articles.

If your content is intended to be discussed over the long term, you should use this setting carefully.

7. Enable comment moderation

One of the most important security settings is manual comment approval. Enable the option that comments are only published after review by an administrator or moderator.

This prevents spam, offensive content, phishing links or dubious advertising from becoming publicly visible immediately.

Manual approval is especially recommended for:

• company websites,
• blogs with public visibility,
• websites dealing with sensitive topics,
• new websites without established spam protection,
• pages with many external visitors.

8. Automatically approve previously approved authors

WordPress offers the option to automatically approve comments from authors if they have already written an approved comment. This can reduce moderation effort if you have an active and trustworthy readership.

For small blogs, this setting can be practical. For company websites or websites that are highly vulnerable to spam, full manual approval is often safer.

If you use this function, you should regularly check whether approved users continue to write reputable comments.

9. Moderate comments with links

Many spam comments contain links. WordPress can automatically move comments to the moderation queue if they contain a certain number of links.

A sensible value is often 1 or 2. This means comments with links are not published automatically, but are reviewed first.

This is important because spam comments often link to the following targets:

• fake shops,
• phishing pages,
• malware pages,
• gambling offers,
• SEO spam networks,
• questionable affiliate offers.

External links in comments should therefore never be published without review.

10. Use moderation list and disallowed terms

In the discussion settings, you can enter words, URLs, email addresses, IP addresses or terms that should cause comments to be automatically moderated or blocked.

There are two important areas:

• Comment moderation: Comments containing certain terms are moved to the queue.
• Disallowed comment keywords: Comments containing certain terms are moved directly to the trash or spam.

This function is helpful when you recognise recurring spam patterns. However, do not enter terms that are too general. Otherwise, genuine comments may be blocked accidentally.

Examples of useful entries can include:

• recurring spam domains,
• obvious fraud-related terms,
• specific IP addresses in cases of abuse,
• typical spam phrases,
• unwanted advertising keywords.

11. Delete comment spam regularly

Spam comments should not remain permanently in your database. A large amount of spam can make administration confusing and unnecessarily bloat the database.

This does not mean that a single spam comment noticeably slows down your website. However, with thousands or tens of thousands of entries, database maintenance can become more relevant.

Check regularly:

• spam folder,
• comment queue,
• trash,
• old pingbacks,
• suspicious comment authors,
• recurring spam patterns.

12. Anti-spam plugins for comments

WordPress’ built-in tools are helpful, but often not sufficient when spam volume is high. In such cases, a specialised anti-spam plugin can be useful.

Common approaches include:

• Honeypot protection: Invisible fields or checks against simple bots.
• Comment spam filters: Evaluation of comments based on typical spam patterns.
• Cloud-based checks: Comments are evaluated via an external service.
• Blocklists: Suspicious IPs, domains or terms are detected.

Examples of commonly used solutions include Antispam Bee, Akismet, WP Armour or CleanTalk. Which solution fits best depends on your website, your data protection requirements and the amount of spam.

13. Difference between comment spam and email spam

Comment spam and email spam are two different problems. Comment spam concerns content that appears directly in WordPress below posts or lands in the comment queue. Email spam concerns your mailbox or your mail servers.

Server-side email protection mechanisms such as BoxTrapper can help with certain email spam scenarios, but they do not automatically protect the comment area of your WordPress website. For WordPress comments, you need settings in WordPress itself or suitable anti-spam plugins.

• Spam protection with BoxTrapper in cPanel

14. Check avatars and Gravatar

WordPress can display avatars next to comments. Gravatar is often used for this. This can generate external requests when avatar images are loaded from an external service.

If privacy, loading time or external connections are particularly important for your website, you should check whether avatars are really needed. You can disable avatars in the discussion settings or use alternative local solutions.

Advantages of disabled avatars:

• fewer external requests,
• simpler comment layout,
• potentially better loading time,
• fewer privacy questions,
• less visual distraction.

15. Data protection for comments

Comments process personal data. This may include name, email address, website URL, IP address, comment content, timestamp and technical information.

Your privacy policy should explain how comments are processed. Depending on your website and target group, additional notices may be useful.

Check in particular:

• Which data is stored when comments are submitted?
• Is the IP address stored?
• Are external services used for avatars or spam checks?
• How long are comments stored?
• Can users request deletion?
• Is the privacy policy up to date?

If you use external anti-spam services, these should also be taken into account in the privacy policy.

16. SEO: Why comment spam can be harmful

Comments can enrich a page if they contain genuine questions, additions and discussions. Spam comments do the opposite. They can contain dubious links, irrelevant content and dangerous references.

From an SEO perspective, the following are problematic:

• publicly visible spam links,
• irrelevant keyword texts,
• phishing or malware references,
• poor user experience,
• loss of trust among visitors,
• unmoderated comment areas.

Activated moderation therefore protects not only your website, but also your reputation.

17. GEO: Well-maintained discussions as a trust signal

GEO, meaning Generative Engine Optimization, describes the optimisation of content for AI-supported search and answer systems. Well-maintained comments can be indirectly helpful if they answer genuine questions and contain additional useful information.

Unmoderated spam comments, on the other hand, are a negative signal for quality and trustworthiness. A website with cleanly moderated discussions, clear content and up-to-date answers appears more reliable than a website full of spam and dubious links.

For GEO, the following are particularly important:

• factually correct content,
• clean moderation,
• no spam links,
• clear answers to user questions,
• up-to-date information,
• trustworthy website structure.

Recommended basic settings

1. Decide consciously on comments: Only enable them if you really want to moderate them.
2. Disable pingbacks and trackbacks: Sensible for many modern websites.
3. Require name and email: Reduces anonymous spam comments somewhat.
4. Enable manual approval: Review comments before publication.
5. Moderate comments with links: Move them to the queue from as little as one link.
6. Maintain moderation list: Add recurring spam terms and domains.
7. Check old posts: Automatically close comments on old posts if needed.
8. Delete spam regularly: Keep the database clean.
9. Check anti-spam plugin: Add one if spam volume is high.
10. Update privacy policy: Take comments, avatars and spam checks into account.

Frequently asked questions about WordPress discussion settings

Where can I find the discussion settings in WordPress?

You can find them in the WordPress dashboard under Settings > Discussion.

Should I enable comments in WordPress?

That depends on the purpose of your website. Comments can be useful for blogs and guides. For purely corporate websites or landing pages, they are often not necessary.

Should I disable pingbacks and trackbacks?

For many modern websites, this is recommended because pingbacks and trackbacks are often abused for spam and rarely provide real benefit.

Why should I manually approve comments?

This prevents spam, dubious links or unwanted content from appearing publicly on your website immediately.

Can I have comments with links checked automatically?

Yes. In the discussion settings, you can specify that comments with a certain number of links are moved to the moderation queue.

Does BoxTrapper help against WordPress comment spam?

BoxTrapper helps with email spam protection, but it does not directly protect the WordPress comment area. For comments, you should use WordPress settings and anti-spam plugins.

Do many spam comments make my website slow?

Individual spam comments are normally not a problem. Very large amounts, however, can unnecessarily bloat the database and make administration more difficult. Regular deletion is recommended.

Are comments relevant to data protection?

Yes. Comments may contain personal data such as name, email address, IP address and comment content. Your privacy policy should take this into account.