Close the Comments on Your WordPress Page If You Do Not Use Them
Last week, we helped a customer restore communication with Gmail’s email systems. The issue wasn’t caused by malware, infected mailboxes, or compromised website files. Surprisingly, the culprit was a comment awaiting approval in their WordPress dashboard. This incident highlights an important security consideration for WordPress site owners.
WordPress Comments Functionality
WordPress, by default, offers visitors the ability to comment on articles or pages. When you create content on your website, the comment functionality is automatically enabled, allowing visitors to leave their feedback.
However, before these comments are published, they typically require approval from the website administrator.
You can access pending and published comments from the Comments entry in the menu on the left side of your WordPress dashboard.
It’s important to note that not all websites benefit from user comments. In fact, sometimes it’s best to completely disable this feature.
When to Disable WordPress Comments
Here are some cases where it makes sense to completely disable user comments:
- Your website doesn’t have a blog, or you use WordPress to create other types of pages like landing pages for products or services
- Your content primarily shows information about services or products through static pages, rather than encouraging information exchange
- Your website exists mainly to present your corporate identity and business activities
- Your visitors should contact you through other channels, such as a dedicated forum or contact form
Gmail Blocking Due to Malicious Content
Our customer used a Gmail address (@gmail.com) as their default administrator email. Various malicious bots were submitting comments on articles, resulting in daily WordPress notification emails being sent to the administrator.
These bots left spam or scam messages in their comments, which were included in the body of notification emails sent to the administrator’s Gmail inbox. Gmail’s security systems scanned these emails, detected the malicious content, and took action.
The end result was severe: Gmail and Spamhaus blocked the IP address of the web server hosting the website, affecting not just the site in question but every other domain hosted on the same server.
The image above shows example comments. Spam comments from bots typically contain suspicious links and text designed to trick users.
Important: If you see suspicious comments awaiting approval with malicious links or text, you should consider disabling comments on your WordPress site immediately.
How to Disable Comments in WordPress
From your WordPress admin dashboard, go to Settings » Discussion.
There, uncheck the option “Allow people to submit comments on new posts”. Also, in the section “Email me whenever”, uncheck “Anyone posts a comment” and “A comment is held for moderation” so that no comment text is ever forwarded to the administrator’s inbox.
There are two limitations to this method:
- It doesn’t remove existing comments from your site (you’ll need to delete those manually)
- It only disables comments on new posts, not on existing ones
Fortunately, there’s a workaround for this. On the same page, locate “Automatically close comments on articles older than X days”, check the box and enter 0 in the field.
This will close all comments on current posts. Combined with the previous setting, this effectively disables comments across your entire website.
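The same lockdown can be enforced in code, which is useful when you manage several sites or want the setting to survive someone re-enabling it in the dashboard. The must-use plugin below is an added example, not code from the original article; it assumes the file path wp-content/mu-plugins/close-comments-everywhere.php and uses only standard WordPress hooks.

```php
<?php
/**
 * Plugin Name: Close Comments Everywhere (added example)
 * Description: Applies the Settings » Discussion lockdown in code: comments and pingbacks
 *   are closed on every post, old and new, and the notification emails that carried the
 *   spam into Gmail are never sent. Assumed path: wp-content/mu-plugins/close-comments-everywhere.php
 */

// 1. Report every post as closed. wp_handle_comment_submission() checks comments_open(),
//    so new submissions are rejected with a "comment_closed" error, existing posts included.
add_filter( 'comments_open', '__return_false', PHP_INT_MAX, 2 );
add_filter( 'pings_open',    '__return_false', PHP_INT_MAX, 2 );

// 2. Hide already-submitted comments from front-end templates until they are deleted by hand.
add_filter( 'comments_array', '__return_empty_array', PHP_INT_MAX, 2 );

// 3. Never email the administrator about a new or held comment; the notification body is
//    where the bot's links ended up. These filters gate wp_new_comment_notify_*().
add_filter( 'notify_moderator',   '__return_false' );
add_filter( 'notify_post_author', '__return_false' );

// 4. Override the Discussion options in memory so the dashboard shows the locked-down
//    state (the same boxes the article tells you to change); nothing is written to the database.
$cce_closed_options = array(
    'default_comment_status'       => 'closed',
    'default_ping_status'          => 'closed',
    'comments_notify'              => '0',
    'moderation_notify'            => '0',
    'close_comments_for_old_posts' => '1',
    'close_comments_days_old'      => '0',
);
foreach ( $cce_closed_options as $name => $value ) {
    add_filter( "pre_option_{$name}", function () use ( $value ) { return $value; } );
}

// 5. Drop comment support from every post type and remove the Comments screens from the UI.
add_action( 'init', function () {
    foreach ( get_post_types_by_support( 'comments' ) as $type ) {
        remove_post_type_support( $type, 'comments' );
        remove_post_type_support( $type, 'trackbacks' );
    }
}, 100 );
add_action( 'admin_menu', function () { remove_menu_page( 'edit-comments.php' ); } );
add_action( 'admin_bar_menu', function ( $bar ) { $bar->remove_node( 'comments' ); }, 999 );

// 6. Pingbacks are stored as comments too, so also disable the XML-RPC pingback method.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );
```

Comments already sitting in the moderation queue are not deleted by this plugin; remove them from the Comments screen before it hides that menu, or via Comments » Spam/Trash afterwards by temporarily disabling the plugin.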
By taking these steps, you’ll protect your site from potential security issues related to comment spam while maintaining your site’s reputation and email deliverability.