WordPress Zero Spam Plugin


Why should your users prove that they’re humans by filling out captchas? Let bots prove they’re not bots with the WordPress Zero Spam plugin.

WordPress Zero Spam blocks registration spam and spam in comments automatically without any additional config or setup. Just install, activate, and enjoy a spam-free site.

Zero Spam was initially built based on the work by David Walsh.

Major features in WordPress Zero Spam include:

  • No captcha, spam isn’t a users’ problem
  • No moderation queues, spam isn’t a administrators’ problem
  • Blocks 99.9% of spam registrations & comments
  • Supports caching plugins to help provide great performance
  • Blocks spammy IPs from ever seeing your site
  • Extend the plugin with action hooks
  • Theme & plugin integration for any form on your site
  • Optional logging, so you can see who’s trying to spam
  • Advanced settings for complete control

Supported Plugins

  • Contact Form 7
  • Gravity Form
  • Ninja Forms
  • BuddyPress

Languages: English

If you have suggestions for a new add-on, feel free to email me at me@benmarshall.me. Want regular updates? Follow me on Twitter or visit my blog.

Download Now (Version 2.0.1) Fork on GitHub WordPress Repo Report Issue





  • Made minor modification on how spam comments are detected. Tested & verified working as expected.
  • Changed how Gravity Forms spam is detected. Needs to be tested & verified.



  • Fixed Gravity Form issues (https://github.com/bmarshall511/wordpress-zero-spam/issues/101)


  • Added IP location service (https://github.com/bmarshall511/wordpress-zero-spam/issues/84)
  • Improved pagination (https://github.com/bmarshall511/wordpress-zero-spam/issues/91)
  • Made date/times match site’s WP time, not servers (https://github.com/bmarshall511/wordpress-zero-spam/issues/89)
  • Removed the banner image to boost performance (https://github.com/bmarshall511/wordpress-zero-spam/issues/86)
  • Enhancements to the admin JS to boost performance
  • Works with Multisite as network activated or per sub site (https://github.com/bmarshall511/wordpress-zero-spam/issues/85)
  • Added BuddyPress support (https://github.com/bmarshall511/wordpress-zero-spam/issues/61)


  • Added missing code documentation and fixed typos (https://github.com/bmarshall511/wordpress-zero-spam/issues/64)
  • Fixed issue with settings not getting initially saved when the plugin is activated. (https://github.com/bmarshall511/wordpress-zero-spam/issues/69)
  • Added ability to auto block spam IPs (https://github.com/bmarshall511/wordpress-zero-spam/issues/71)
  • Added paging to spammer log and blocked IPs (https://github.com/bmarshall511/wordpress-zero-spam/issues/60)
  • Added additional stats and graphs (https://github.com/bmarshall511/wordpress-zero-spam/issues/75)
  • Fixed issue with comment moderators not being able to reply to comments (https://github.com/bmarshall511/wordpress-zero-spam/issues/74)
  • Fix issue with DB errors when first activating plugin (https://github.com/bmarshall511/wordpress-zero-spam/issues/80)


  • Switched to using a nonce to validate form submissions that support WordPress Zero Spam
  • Added Zero Spam plugin settings page for advanced control
  • Fix for for non-logged in users (https://github.com/bmarshall511/wordpress-zero-spam/pull/27, thanks @afragen)
  • Added blank index.php files to prevent directory browsing (https://github.com/bmarshall511/wordpress-zero-spam/pull/24, thanks @TangRufus)
  • Added uninstall.php (https://github.com/bmarshall511/wordpress-zero-spam/pull/23, thanks @TangRufus)
  • Addded support for GitHub Updater plugin (https://github.com/bmarshall511/wordpress-zero-spam/pull/21, thanks @afragen)
  • Added support for Contact Form 7 form submissions (https://github.com/bmarshall511/wordpress-zero-spam/pull/26, thanks @leewillis77)
  • Added ability to log spam detections
  • Fix for warnings cause by default settings not being set before actions run (https://github.com/bmarshall511/wordpress-zero-spam/pull/31, thanks @leewillis77)
  • Installed Compass (http://compass-style.org/)
  • Added support for Gravity Forms
  • Fixed potential issue with sites that use caching plugins
  • Fixed minor typos (thnaks @macbookandrew)


  • Added `zero_spam_found_spam_comment` and `zero_spam_found_spam_registration` action hooks (thanks @tangrufus)
  • Minor updates to the readme file

1.3.1 – 1.3.3

  • Minor fixes to WP SVN repo


  • Removed Grunt creation of the trunk directory
  • Added spam detection script to registration form


  • Fixed some typos in the readme.txt file


  • Removed testing for core function testing
  • Fix for adding comments from admin (thanks @afragen)
  • Removed unneeded WP svn trunk and tags folders from the git repo (thanks @afragen)


  • Updated theme documentation.
  • WordPress generator meta tag removed to help hide WordPress sites from spambots.


  • Initial release.


  1. Paul Solomon
    at 5:53 pm

    Congrats on the new baby, and thanks for this plugin.

    I’d recommend that, if you still keep an eye on the plugin and know that it is OK (even if you are not updating it regularly) then put a sticky post on the WP plugin support forum saying as much. Or send me a quick reply, and I’ll be happy to post for you. People on the support forum are getting concerned about the stale-ness of the updates, and I can’t blame them.

  2. N'goran
    at 3:01 am

    Hi Ben,
    Just to say that I hope you will have time to update your awesome plugin
    Best Regards

  3. at 7:17 pm

    Hi Ben!

    Very innovative plugin concept… love the original post behind it and all the commentary following. 🙂

    Is there a way to make this work for the WordPress login page as well?

    User HATE traditional captchas, even simple ones… but could this be reliable enough as far as compatibility with any browser to work for a login page?


  4. at 5:15 pm

    Would be nice if this slim plugin could be extended to other forms without adding much bulk. Contact form comes to mind.

  5. at 10:26 am

    I noticed that it blocks comments I make myself from the WordPress admin screens, both the post-edit screen and the comments-reply panels. When I temporarily disabled the plugin, I was able to comment.

  6. at 9:34 am

    I’ve installed on my site, on which Akismet was marking about 40 comments/day as spam. Since installation, either no one has tried to comment or all that spam is just being blocked.

    • Marion
      at 9:59 am

      A simple test would be to make a comment while you’re not logged in, and confirm it’s working. Then find how to disable JavaScript in your browser of choice and try to comment again. With JavaScript disabled you should see the failure message.

      • at 10:22 am

        Thanks. it works! (And boy oh boy, does my site fail badly with js turned off.0

      • Marion
        at 8:25 am

        I actually added these mods after I downloaded the plugin, but where I ran into the snag was in getting the random field name back into the JavaScript.

        I had not seen the code before I made the suggestions. The biggest looming issue is how to get the random field name into the form on submit w/o broadcasting its name back in the code before it’s triggered?

        I’ve thought of a few ways to eloquently get the random field where it needs to be, but once it’s in the source code, all a bot has to do is search for the known file name extract the field name, and then all we’ve done is wasted our time.

        I keep thinking the resolution to this is an AJAX request on the form fields, but then I start thinking about too many things that could go wrong w/ that… and then I get indecisive.

        • at 2:10 pm

          I’m working on a similar plugin to Ben’s for Gravity Forms specifically and have been pondering this same issue. The current prototype uses a defined field name, but the value is being generated randomly and included in the form at submission. Even though the value is random, it’s displayed in the source code as JavaScript. I ended up coming to what I suspect is the same approach you’re imagining – trigger an ajax call on page load that retrieves the randomly generated code (stored in a short-term, form-specific, transient) and then adds it to the form. This would keep the random value out of the source code. I suppose it could potentially fall apart in the case of a JS error or interruption of the ajax call – but I can’t think of a situation that would cause this to approach to fail that wouldn’t also cause David and Ben’s approach to also fail.

          • Marion
            at 5:00 pm

            Using the transient data, is a good idea. That, would be an excellent way to pull this off.

          • at 5:54 am

            I’ll link you to the code once I’ve had a chance to put something together that works. I might actually try use the WP Nonce system for this rather than Transients.

  7. at 9:04 am

    A few ideas to help deter bots.

    1) When the plugin is activated make a random string and use it as the name of the field to check against. This would require the bot to change it’s attack per WP install to bypass the field.

    2) Require the REQUEST_METHOD to be POST

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

All comments are held for moderation. I'll publish all comments that are on topic and not rude. You'll even get little stars if you do an extra good job.

You may write comments in Markdown. This is the best way to post any code, inline like `<div>this</div>` or multiline blocks within triple backtick fences (```) with double new lines before and after.

Want to tell me something privately, like pointing out a typo or stuff like that? Contact Me.