Guides May 4, 2026 6 min read

WordPress Comment Security: Blocking Spam, XSS, and Injection Attacks

WordPress comments are one of the oldest features of the platform, and they are also one of the most attacked. Spam bots flood them, attackers inject malicious scripts into them, and automated tools use them to probe for vulnerabilities. A single unprotected comment section can turn a trusted site into a malware distribution channel.

Most WordPress site owners focus only on spam when it comes to comments. They install Akismet, turn on moderation, and call it done. But spam is only the visible surface. Below it, three deeper threats exist: cross-site scripting (XSS), SQL injection through comment fields, and comment-based phishing that uses the trust visitors place in your site.

The Three Real Threats in Comments

It helps to separate comment threats into three categories, because each requires a different defense.

Stored XSS. This is the most dangerous comment-based attack. An attacker submits a comment containing JavaScript code. If WordPress does not properly escape the comment content before displaying it, that JavaScript runs in every visitor’s browser. The script can steal session cookies, redirect users to phishing pages, or install malware. WordPress core handles comment escaping correctly in most cases, but plugins and themes that customize comment output often introduce vulnerabilities. WPScan has documented over two dozen stored XSS vulnerabilities in comment-related plugins in the past two years, several of which were actively exploited in the wild.

SQL injection. Comment forms send data to the database, and any input field that reaches a SQL query without parameterization is a risk. WordPress core builds its comment queries with $wpdb->prepare(), which uses sprintf-style placeholders (%s, %d) and escaping rather than true server-side prepared statements, but it is safe for default comment handling as long as every user-controlled value goes through a placeholder. The danger comes from plugins that store custom comment meta or process comment data through their own database queries built by string concatenation. The CVE-2025-69045 vulnerability in FooEvents is a good example of how a plugin’s custom comment-like data handling opened the door to SQL injection.

Phishing and social engineering. Attackers do not always need to break code. Sometimes they just need to break trust. A comment that says “Your account has been compromised, click here to reset your password” with a link to a phishing page can trick even experienced users. These comments do not contain malicious code, so traditional security scanners do not catch them. They rely on the site’s reputation to make the phishing link look legitimate.

How WordPress Core Handles Comment Security

WordPress does a decent job with comment security out of the box, but it is worth knowing where the protection actually sits. For anyone without the unfiltered_html capability (anonymous visitors and every lower role), comment content passes through wp_filter_kses() on save, which reduces the HTML to a small allow-list of inline tags (a, b, i, em, strong, code, blockquote and a few others) and drops script, style and event-handler attributes, so the most common stored XSS vectors never reach the database. The author name, email and URL fields get their own save-time sanitizers (sanitize_text_field() and wp_filter_kses() on the name, sanitize_email() on the email, sanitize_url(), formerly esc_url_raw(), on the URL), and the core template tags escape again on output: get_comment_author_url() runs esc_url() restricted to http and https, and comment_author() escapes the name. Two things core does not do: it does not re-filter comment content on display (kses runs at save time only), and the front-end comment form carries no CSRF nonce, deliberately, because a nonce baked into a cached page would expire and break the form. The one nonce in the comment path is _wp_unfiltered_html_comment, which a user with unfiltered_html must submit before their comment is allowed to bypass kses; without it even an administrator’s comment is filtered like everyone else’s.

There are two important gaps in WordPress core comment security that you need to know about.

First, kses is skipped for users who hold the unfiltered_html capability: administrators and editors on a single site, super admins only on multisite. (Subscribers and contributors do not have it; their comments are filtered exactly like anonymous ones.) Such a user who submits the _wp_unfiltered_html_comment nonce with the form can post a comment containing raw script tags, and because kses is applied on save rather than on display, nothing in core strips it later. A compromised editor or administrator account is therefore a stored XSS vector through comments, which is why many hardening guides define the DISALLOW_UNFILTERED_HTML constant in wp-config.php to remove the capability from every account.

Second, the comment author name, email, and URL fields are also rendered on the front-end, and usually by theme code rather than by core. Core sanitizes the URL on save (sanitize_url() rejects javascript: and data: schemes) and get_comment_author_url() escapes it again with esc_url() limited to http and https, but a theme that echoes $comment->comment_author_url straight from the object skips the output escaping, and a plugin that writes comments with wp_insert_comment() instead of wp_new_comment() skips the save-time sanitizers as well. Either one lets a javascript: URL into an href.
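To make that concrete, here is the unsafe theme pattern next to the hardened one. This is an added example written for this article, not code from WordPress core or from the article itself; both functions are wp_list_comments() callbacks, and their names are assumptions.

```php
<?php
/**
 * Where comment-author escaping lives: unsafe pattern vs. hardened pattern.
 * Added example, not WordPress core code. Both are wp_list_comments() callbacks;
 * the walker closes the <li> for us, so the callbacks must not print </li>.
 */

// UNSAFE: echoes the stored values. Core escapes the URL and name only inside
// its template tags (get_comment_author_url(), comment_author(), ...); reading
// the WP_Comment object directly skips that, so a stored "javascript:" URL or a
// name containing markup (possible when a plugin inserted the comment with
// wp_insert_comment(), which applies none of the pre_comment_* sanitizers) is
// written into the page as-is.
function example_comment_unsafe( $comment, $args, $depth ) {
    echo '<li class="comment">';
    echo '<a href="' . $comment->comment_author_url . '">' . $comment->comment_author . '</a>';
    echo '<div class="comment-body">' . $comment->comment_content . '</div>';
}

// HARDENED: escape at the point of output, with the same scheme allow-list that
// get_comment_author_url() uses. esc_url() returns '' for any scheme not in the
// list, so javascript:, data: and vbscript: URLs simply disappear.
function example_comment_safe( $comment, $args, $depth ) {
    $url  = esc_url( $comment->comment_author_url, array( 'http', 'https' ) );
    $name = esc_html( get_comment_author( $comment ) );

    echo '<li class="comment">';
    // 'http://' is what older WordPress versions stored for an empty URL field.
    if ( '' !== $url && 'http://' !== $url ) {
        echo '<a href="' . $url . '" rel="nofollow ugc external">' . $name . '</a>';
    } else {
        echo '<span class="comment-author">' . $name . '</span>';
    }
    // comment_text() applies the display filters (wpautop, make_clickable, ...)
    // to content that was kses-filtered on save. Never html_entity_decode() it:
    // that would turn stored &lt;script&gt; text back into live markup.
    echo '<div class="comment-body">';
    comment_text( $comment );
    echo '</div>';
}

// Usage in a theme template:
// wp_list_comments( array( 'callback' => 'example_comment_safe' ) );
```

In practice a theme should simply call get_comment_author_link(), which does the same escaping internally; the hardened callback spells it out so the reader can see which call is doing the work.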

Essential Comment Security Measures

Close Comments on Old Posts

Every WordPress site has old posts where nobody comments anymore. Attackers know this and target those posts because site owners rarely monitor them. Closing comments automatically after 30 or 60 days removes that attack surface. You can configure this in Settings > Discussion > “Automatically close comments on articles older than X days.” Set it to 30 days and the only open comment forms left are on posts you are actively watching.

Use a Two-Step Moderation Queue

Settings > Discussion offers two levels under “Before a comment appears.” “Comment must be manually approved” holds every comment, from every author, until a moderator approves it. “Comment author must have a previously approved comment” holds only comments whose author has never had one approved (matched on the user account for logged-in users, and on the name-and-email pair for everyone else), so returning commenters post immediately while every first-time commenter, and every spam tool that rotates through fresh author names, lands in the queue. Use the second on a busy site and the first on a low-traffic one; with manual approval switched on, the previously-approved check adds nothing, because core checks the manual-approval option first. One caveat: for anonymous comments the previously-approved match is on the name and email typed into the form, which are not verified, so anyone who knows a regular commenter’s name and email can borrow their approved status.

Comment moderation is not just about spam. It is about giving yourself time to review the comment author’s URL and email address before a link goes live under your domain. A malicious comment that stays live for 48 hours exposes every visitor who reads that page in the meantime.

Strip Script Tags From Comment Content

Even though WordPress strips most dangerous content, adding a second layer of filtering costs nothing. The simplest approach is a filter on pre_comment_content, which wp_filter_comment() applies to every submission before it is saved, including submissions from users with unfiltered_html:

// Runs for every new comment before it is written to the database,
// regardless of the submitter's role or the _wp_unfiltered_html_comment nonce.
add_filter('pre_comment_content', function($content) {
    return wp_strip_all_tags($content);
});

This removes every HTML tag from the comment before it reaches the database, leaving plain text, which closes the tag-injection route for all roles at once. It is not an absolute guarantee: a theme or plugin that html_entity_decodes or otherwise reprocesses stored text on output can reintroduce markup, so output escaping still matters. If your site needs HTML in comments (for code snippets or formatting), this approach is too aggressive. In that case, use wp_kses() with an allow-list of tags and attributes instead.
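The wp_kses() alternative, as an added example that is not part of the original article: the allow-list below (inline formatting, code, pre, blockquote, and links restricted to http and https) is an assumption to trim to what your site actually needs, and the slash handling mirrors what core’s own wp_filter_kses() does because pre_comment_content receives slashed data.

```php
<?php
/**
 * Allow-list filtering of comment HTML with wp_kses(), for sites that want code
 * snippets and basic formatting in comments. Added example, not article code.
 */

// Everything not listed here is removed. Attributes are allow-listed per tag:
// no event handlers, no style, no id/class, and href/rel/title only on <a>.
function example_comment_allowed_html() {
    return array(
        'a'          => array( 'href' => true, 'title' => true, 'rel' => true ),
        'b'          => array(),
        'strong'     => array(),
        'i'          => array(),
        'em'         => array(),
        'code'       => array(),
        'pre'        => array(),
        'blockquote' => array( 'cite' => true ),
        'br'         => array(),
    );
}

function example_filter_comment_html( $content ) {
    // pre_comment_content carries slashed data (wp_new_comment() expects it that
    // way), so unslash before filtering and re-slash afterwards, as core does.
    $clean = wp_kses(
        wp_unslash( $content ),
        example_comment_allowed_html(),
        array( 'http', 'https' )   // href= and cite= may only use these schemes
    );
    return wp_slash( $clean );
}

// Priority 5 runs before core's own kses pass at priority 10. Because
// pre_comment_content runs for every submitter, this also narrows what a user
// with unfiltered_html can post: their core pass would otherwise use the much
// wider post allow-list (wp_filter_post_kses), or nothing at all.
add_filter( 'pre_comment_content', 'example_filter_comment_html', 5 );
```

Keep the list short: every extra tag or attribute is one more thing a theme must render safely, and a tag such as img or iframe should never appear in a comment allow-list.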

Disable Comments on Unused Post Types

By default, WordPress enables comments on posts and pages. If your site uses custom post types like portfolios, testimonials, or team members, check whether comments are enabled on those too. The quickest way to remove comment support from a post type is adding this to your theme’s functions.php or a site plugin:

// 'page' is registered at init priority 0, so the default priority 10 is late
// enough here; for a plugin's custom post type use a later priority (e.g. 100).
add_action('init', function() {
    remove_post_type_support('page', 'comments');
});

Repeat the same for any custom post type that does not need comment functionality. Note what this call does and does not do: it hides the comment metabox and makes new posts of that type default to closed, but comments_open() only looks at the post’s stored comment_status, so existing posts that were created while comments were open stay open. To actually close them, either update those posts or filter comments_open and pings_open to return false for the post type. Less comment surface means fewer attack vectors.
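A version that closes the gap for existing posts as well, added here as an example and not taken from the article; the post type list is an assumption, and the one-off database update is optional.

```php
<?php
/**
 * Removing comment support from post types so that it actually sticks.
 * Added example, not article code. remove_post_type_support() alone changes
 * only the admin UI and the default for new posts; the comments_open/pings_open
 * filters below are what wp-comments-post.php and the REST API consult.
 */

function example_commentless_post_types() {
    return array( 'page', 'portfolio', 'testimonial' ); // assumption: adjust to your site
}

// Priority 100 so that plugin-registered custom post types (usually hooked at
// init priority 10) already exist when support is removed.
add_action( 'init', function () {
    foreach ( example_commentless_post_types() as $type ) {
        remove_post_type_support( $type, 'comments' );
        remove_post_type_support( $type, 'trackbacks' );
    }
}, 100 );

// Force-closed regardless of the stored comment_status. wp_handle_comment_submission()
// and the REST comments controller both call comments_open() and reject a closed
// post with a 403, so this blocks the submission path, not just the form display.
function example_force_comments_closed( $open, $post_id ) {
    if ( in_array( get_post_type( $post_id ), example_commentless_post_types(), true ) ) {
        return false;
    }
    return $open;
}
add_filter( 'comments_open', 'example_force_comments_closed', 10, 2 );
add_filter( 'pings_open', 'example_force_comments_closed', 10, 2 );

// Optional one-off: also mark the stored status closed so that clients reading
// comment_status directly (exports, XML-RPC) agree. Run once via WP-CLI
// (`wp eval 'example_close_existing_comments();'`) or a temporary admin action.
function example_close_existing_comments() {
    global $wpdb;
    $types        = example_commentless_post_types();
    $placeholders = implode( ',', array_fill( 0, count( $types ), '%s' ) );
    return $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->posts} SET comment_status = 'closed', ping_status = 'closed'
         WHERE post_type IN ($placeholders)",
        $types
    ) );
}
```

The update statement still uses $wpdb->prepare() with one %s placeholder per post type, even though the values come from our own list; building the IN clause by concatenating strings is exactly the habit the SQL injection section warns about.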

Preventing Comment-Based Phishing

Technical fixes only catch technical attacks. Comment-based phishing requires a non-technical defense: moderation rules that flag suspicious patterns.

Watch for comments that contain external links, especially shortened URLs or links whose anchor text does not match the destination. “Great post, check this out” followed by a URL is the most common pattern. Settings > Discussion already holds a comment that “contains 2 or more links” by default (the “Hold a comment in the queue if it contains N or more links” setting); lower it to 1 if your commenters rarely post links. The “Comment Moderation” box on the same page holds any comment whose content, author name, URL, email, IP address or user agent matches a listed word or domain, and “Disallowed Comment Keys” sends such matches straight to the trash; both are a convenient place for known URL-shortener domains.

Also check the comment author’s email domain and URL. A legitimate comment from name@gmail.com is normal. A comment from name@phishing-site-xyz.com is not. Akismet and similar services flag these patterns, but they are not perfect. A manual review of the moderation queue once a day catches what automated filters miss.
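The two link heuristics above (shortened URLs, and anchor text that names one domain while the href points at another) can be automated as a pre_comment_approved filter so that matching comments are held rather than published. This is an added example, not code from the article; the shortener list and the “looks like a URL” test for anchor text are assumptions to tune for your traffic.

```php
<?php
/**
 * Holding comments that match phishing link patterns. Added example, not article
 * code. pre_comment_approved runs after core's own checks (link count, moderation
 * keys, disallowed keys), so a comment already marked spam or trash is left alone.
 */

function example_shortener_hosts() {
    // Assumption: a starter list; extend from your own moderation queue.
    return array( 'bit.ly', 'tinyurl.com', 't.co', 'goo.gl', 'is.gd', 'cutt.ly', 'rb.gy' );
}

function example_host_of( $url ) {
    $host = wp_parse_url( trim( $url ), PHP_URL_HOST );
    return $host ? strtolower( preg_replace( '/^www\./', '', $host ) ) : '';
}

// Returns a human-readable reason when the comment should be held, '' otherwise.
function example_phishing_reason( $content, $author_url ) {
    $urls = wp_extract_urls( $content );   // core helper: bare URLs and href= values
    if ( '' !== $author_url ) {
        $urls[] = $author_url;
    }
    foreach ( $urls as $u ) {
        if ( in_array( example_host_of( $u ), example_shortener_hosts(), true ) ) {
            return 'url shortener: ' . $u;
        }
    }
    // Anchor text that looks like a domain or URL but resolves elsewhere, e.g.
    // <a href="https://evil.example">https://yourbank.example/reset</a>
    if ( preg_match_all( '#<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>#is', $content, $m, PREG_SET_ORDER ) ) {
        foreach ( $m as $link ) {
            $text = trim( wp_strip_all_tags( $link[2] ) );
            if ( preg_match( '#^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/|$)#i', $text ) ) {
                $text_host = example_host_of( preg_match( '#^https?://#i', $text ) ? $text : 'http://' . $text );
                $href_host = example_host_of( $link[1] );
                if ( '' !== $text_host && '' !== $href_host && $text_host !== $href_host ) {
                    return "anchor text $text_host points at $href_host";
                }
            }
        }
    }
    return '';
}

function example_hold_phishing_comments( $approved, $commentdata ) {
    if ( 'spam' === $approved || 'trash' === $approved ) {
        return $approved;   // core or Akismet already decided; do not downgrade
    }
    // $commentdata is still slashed at this point, as wp_allow_comment() expects.
    $reason = example_phishing_reason(
        wp_unslash( $commentdata['comment_content'] ),
        wp_unslash( $commentdata['comment_author_url'] ?? '' )
    );
    if ( '' !== $reason ) {
        // Record why it was held so the moderator sees it with get_comment_meta().
        add_action( 'comment_post', function ( $comment_id ) use ( $reason ) {
            add_comment_meta( $comment_id, '_example_held_reason', $reason, true );
        } );
        return 0;   // 0 = hold for moderation
    }
    return $approved;
}
add_filter( 'pre_comment_approved', 'example_hold_phishing_comments', 10, 2 );
```

The filter never approves anything on its own and never turns a hold into spam; it only moves publish-ready comments into the queue, which keeps a false positive cheap (one extra click for the moderator) while a phishing link never goes live unreviewed.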

What About Comment Spam Plugins?

Akismet is the standard for WordPress comment spam filtering, and it ships with every WordPress download, although it has to be activated and given an API key before it does anything. It works well for spam, but it is not a security plugin. It catches comment spam, not comment-based attacks. A comment that contains a phishing link but reads like a normal conversation will pass Akismet’s filters because Akismet checks for spam patterns, not malicious intent.

Security plugins like Trusti Security add a different layer. They monitor for brute force attempts on the login page, detect malicious file uploads, and block suspicious IPs. While they do not directly filter comments, they reduce the overall attack surface that comment-based attacks depend on. A compromised admin account can approve malicious comments, and Trusti Security’s login protection reduces the chance of that account being compromised.

The Minimum Viable Comment Security Checklist

  • Close comments on posts older than 30 days — Settings > Discussion
  • Enable “Comment author must have a previously approved comment” so every first-time commenter is held (or full manual approval on a low-traffic site)
  • Add a wp_strip_all_tags() or wp_kses() allow-list filter on pre_comment_content
  • Remove comment support from pages and unused post types, and force comments_open() to false for them so existing posts are covered
  • Define DISALLOW_UNFILTERED_HTML in wp-config.php so no account can post unfiltered comment HTML
  • Review the moderation queue once daily for phishing patterns
  • Use a login security plugin to protect admin accounts
  • Keep the “hold if it contains 2 or more links” setting (the default), or lower it to 1

Comments are one of the best engagement features WordPress has, but they are also one of the most exploitable. The steps above take about ten minutes to implement, and they turn your comment section from a liability into a safe space for discussion.
