Akismet was the right answer for comment spam from 2008 to about 2022. It blocked the obvious junk — keyword stuffing, link salads, weird Cyrillic floods — and it shipped with WordPress so it was a default. In 2026 it is still useful as a first layer, but it is not enough on its own. Here is what changed and what to do about it.
What Akismet was always good at
Akismet scores each comment against a large pattern database: known spam URLs, IPs, emails, content fingerprints. It is fast, lightweight, and the false-positive rate is low. For comments that look obviously spammy, it still catches the vast majority.
What changed
The economics of comment spam shifted. The original spam was cheap to write but obvious. New comment spam is generated by language models and looks like this:
“Really enjoyed this read. The point you made about caching and TTFB matches what we saw on our last project. Have you considered looking at how this interacts with the new H3 stack?”
That comment is perfectly on-topic, conversational, and includes a relevant follow-up question. It will land on a post about WordPress performance. The link in the author’s URL field points somewhere mildly suspicious — usually a thin SEO site that just wants the backlink. Akismet has no signal to score this as spam. The pattern looks like a real reader.
Why this matters even if you do not care about comments
A surprising number of WordPress sites have comment forms still enabled on posts and pages where nobody reads them. Each successful spam comment that publishes drops a do-follow or no-follow link from your domain to a low-quality target. Google notices, eventually. Three years of accumulated comment spam links is a real Core Update risk.
What a layered defence looks like in 2026
- Akismet for the easy lift. Keep it. It is still good at the bulk.
- Intent scoring on the content of the comment. This is what catches the realistic AI-written stuff. The model reads the comment in context of the post and the author URL and decides whether it looks like a real reader or an SEO play.
- Honeypot + timing in the comment form. Catches scrapers that bypass the JS and POST directly.
- Author-URL reputation. If the URL field points somewhere new and thin, weight that as a signal even if the comment is well-written.
QWeb Spam Shield handles all four layers
Spam Shield runs the full stack: honeypots, timing, AI intent scoring on the comment content, and author-URL reputation — alongside whatever you already have configured for Akismet. The realistic AI-written comments that get past Akismet are exactly what its model was trained on.
What to audit this week
Run this query in your wp-cli or phpMyAdmin to see how much spam is sitting approved on your site:
SELECT COUNT(*) FROM wp_comments WHERE comment_approved = 1 AND comment_author_url != '';
If the number is in the thousands and you do not have an active editorial review, you almost certainly have a pile of low-quality outbound links from your comment form. Disable comments on posts older than two years, sweep the approved-with-URL set for spam patterns, and add intent scoring on top of Akismet for the new comments going forward. That covers most sites without breaking anything that was working.