Stop spam without frustrating your visitors

Create your CleanTalk account and start blocking spam — no CAPTCHA challenges and no impact on visitors.


Tag: wordpress

  • How Much Server Resources Spam Bots Waste

    When you look at your hosting invoice, you see CPU, RAM, disk and traffic.
    What you don’t see is the hidden line:

    How much of this is spent on spam bots instead of real users.

    Today a big part of web traffic is no longer human. Bad bots:

    • try to register fake accounts,
    • submit spam through forms and comments,
    • hit login, XML-RPC and admin URLs thousands of times a day.

    For your server, each of these bots looks like a normal visitor:

    • PHP runs,
    • WordPress and plugins load,
    • the database is queried,
    • logs and backups grow.

    From a business point of view, this is pure waste:
    you pay for server resources that serve traffic which will never become a customer, lead or subscriber.

    We can see the scale of this problem very clearly in CleanTalk’s own network.

    • the Anti-Spam layer processed about 91-220 million spam events per month at the application level,
    • while SpamFireWall filtered 560-740 million suspicious requests per month before they reached websites – and in May 2025 it blocked more than 11 billion requests in a single month.

    In total for that period, SpamFireWall handled many times more bad requests than the Anti-Spam checks inside forms and registrations. This is exactly what “reduce server load bots create” means in practice: most of the dirty work is done in the cloud, so your own servers stay free for real visitors.

    In this article, we’ll look at:

    • how spam bots translate into real server and hosting costs,
    • why blocking spam only inside WordPress is not enough if you care about performance and budget,
    • and how CleanTalk SpamFireWall uses cloud filtering to cut bot load before it ever reaches your infrastructure.

    The goal is simple:
    to show spam not only as “junk content”, but as a financial line item, and to explain how CleanTalk helps you shrink that line without changing your whole tech stack.

    2. Problem: Why Spam Bots Are Expensive, Not Just Annoying

    Most teams think of spam bots as a nuisance: fake sign-ups, junk messages, useless comments.

    From a business perspective, they’re something else entirely:

    Spam bots quietly burn real server resources that you pay for – and they never become customers.

    Every spam bot request looks “normal” to your infrastructure:

    • it opens a connection to your server,
    • starts PHP or your application runtime,
    • loads WordPress and all active plugins,
    • may trigger database and cache queries,
    • writes another line into your logs and backups.

    Technically, that bot request costs almost the same as a real visitor.
    The only difference is outcome: there is zero chance it turns into revenue.

    That’s the core of the spam bots server cost problem.

    2.1. Direct server and hosting cost

    If a noticeable share of your traffic is bots – and for many sites it is 20-30% or more – then the same share of your infrastructure is effectively reserved for non-humans:

    • CPU cycles are spent executing code for scripts, not people.
    • RAM is used to keep processes alive for fake sessions.
    • Disk I/O and storage are consumed by logs and backups of bot traffic.

    The result:

    • you hit resource limits earlier,
    • you upgrade hosting plans sooner,
    • you pay for bigger servers than your real audience actually needs.

    This is the hidden spam bots server cost: part of your hosting budget that works only to serve automated garbage traffic.

    2.2. Performance and user experience

    Bots don’t stand in a separate queue. They compete with your real users for the same pool of workers and database connections.

    When a wave of bots hits:

    • pages start loading slower,
    • login, registration and checkout become less responsive,
    • time-outs and 5xx errors appear at the worst possible moment – usually when you run campaigns or receive organic peaks.

    From a business angle, this shows up as:

    • lower conversion rates,
    • worse campaign performance,
    • and the wrong diagnosis: “we need UX changes” or “ads are not working”,
      when the real problem is that servers are busy talking to bots.

    2.3. Security and operational noise

    Bad bots are also responsible for a lot of “background noise” in security and operations:

    • endless login attempts and password guessing,
    • automated vulnerability scans,
    • repeated hits to admin and system URLs.

    Even if these attempts fail, they still generate:

    • alerts and tickets,
    • time spent investigating suspicious spikes,
    • extra rules and manual blocks.

    Your security and DevOps teams pay the cost in attention and hours, rather than focusing on real incidents and product reliability.

    2.4. Dirty analytics and poor decisions

    Finally, spam bots compromise the quality of your data:

    • they inflate visits and page views,
    • distort geography and device statistics,
    • pollute funnels and conversion metrics.

    Marketing and product teams then make decisions based on a dataset where a significant part is not human:

    • overestimating interest from certain regions,
    • underestimating the true conversion rate of real users,
    • misjudging which channels are actually working.

    In short, spam bots are not just about “ugly comments” or “annoying sign-ups”. They are:

    • extra percentage points on your hosting bill,
    • slower pages for real customers,
    • more noise for your security and ops teams,
    • and less reliable analytics for management.

    The rest of this article will show how a cloud filter like CleanTalk SpamFireWall helps reduce server load bots create, so your infrastructure, teams and budget are focused on real visitors instead of scripts.

    3. Data: What CleanTalk Sees in Real Traffic

    Before we talk about solutions, it’s worth asking a simple question:

    “Is this really a big enough problem to care about, or just a few spam submissions a day?”

    CleanTalk’s own network data gives a very clear answer.

    Across thousands of protected websites, CleanTalk records every spam event and firewall block. Between April 2025 and February 2026, the platform processed:

    • Anti-Spam (forms, registrations, comments): ~86-220 million spam events per month
    • SpamFireWall (cloud filtering): ~566-825 million suspicious requests per month
    • With a spike in May 2025, when SpamFireWall blocked more than 11 billion requests in a single month.

    In other words: for every batch of spam you see at the application level, there is a much larger wave of bot traffic that can be stopped earlier – in the cloud.

    3.1. Cloud firewall vs in-app spam checks

    Looking at the monthly report:

    • February 2026:
      • Anti-Spam: 91,136,173 events
      • SpamFireWall: 738,199,535 events
    • November 2025:
      • Anti-Spam: 92,113,219
      • SpamFireWall: 721,915,379

    A typical pattern emerges:

    SpamFireWall consistently handles 6-8× more bad requests than the Anti-Spam layer inside forms.

    That means the bulk of hostile or useless traffic never needs to reach PHP, WordPress, or your database at all – as long as you filter it in the cloud first.

    From a “reduce server load bots” perspective, this is the key point:

    • Anti-Spam removes spam content and fake accounts.
    • SpamFireWall removes a huge amount of bot load before your server ever has to care.

    3.2. Billions of requests that never hit customers’ servers

    The May 2025 numbers are a good illustration of scale:

    • Anti-Spam processed 108,609,819 spam events.
    • SpamFireWall blocked 11,001,687,601 requests in the cloud.

    That’s not a rounding error or a minor optimisation. It’s roughly:

    • 100+ million visible spam attempts vs
    • 11 billion blocked at the edge.

    Put differently:

    For every spam submission cleaned up inside a form, there were hundreds of bot requests that could have reached customer servers – but didn’t.

    Those 11 billion requests represent CPU, RAM, I/O and bandwidth that CleanTalk’s cloud absorbed instead of the websites themselves. That’s exactly the “spam bots server cost” that can be shifted away from your own infrastructure.

    3.3. A global problem, not a local glitch

    The same report also shows where spam is coming from. Between April 2025 and February 2026, the top sources of spam traffic in the CleanTalk network were:

    1. United States – 269,351,056 events (24.19%)
    2. Netherlands – 150,566,461 (13.52%)
    3. Germany – 66,958,677 (6.01%)
    4. Russian Federation – 46,137,396 (4.14%)
    5. Brazil – 40,897,099 (3.67%)
    6. China – 40,769,672 (3.66%)
      … and so on.

    This reinforces an important message for decision-makers:

    • spam and bad bots are not an edge case or a local phenomenon,
    • they are a predictable, measurable part of global traffic patterns,
    • and they will appear on almost any public-facing site as soon as it has real traffic.

    Seen through this lens, spam bots server cost stops being an abstract risk and becomes a very concrete, quantifiable component of your infrastructure spend – one that a cloud filter like CleanTalk SpamFireWall can directly reduce.

    4. How Spam Bots Turn into Hosting and Performance Costs

    By this point, it’s clear that bots generate a lot of traffic.
    The next question is simple: where exactly does this show up in your P&L and SLAs?

    Spam bots don’t come with a separate invoice.
    Instead, their cost is spread across four areas: infrastructure, performance, security, and data.

    4.1. Infrastructure: paying to serve non-customers

    Every extra request from a bot pushes your infrastructure a little closer to its limits:

    • CPU – executing PHP, WordPress and plugin code for non-human traffic,
    • RAM – keeping processes and connections alive for fake sessions,
    • Disk & I/O – writing access logs, error logs and larger backups,
    • Bandwidth – sending responses that no human ever sees.

    If 20-30% of your HTTP requests are bots, then 20-30% of your:

    • provisioned CPU capacity,
    • memory headroom,
    • and outbound traffic

    is effectively reserved for traffic that cannot convert.

    In practical terms, this means:

    • upgrading to a higher hosting plan “because we’re hitting limits”,
    • moving to larger VPS/instances earlier than necessary,
    • keeping a bigger performance buffer “just in case” – and feeding a lot of it to bots.

    That is your spam bots server cost in its purest form:
    the part of your hosting bill that exists only because scripts keep knocking on your door.

    4.2. Performance: bots competing with real users

    Infrastructure cost is only half the story. The other half is user experience.

    Bots don’t politely wait until your real customers are finished. They hit:

    • login and registration endpoints,
    • search and listing pages,
    • checkout and contact forms,

    using the same worker pool and the same database connections as humans.

    The result:

    • CPU spikes during bot waves lead to slower page loads,
    • application queues fill up, leading to higher TTFB,
    • at peak moments (campaigns, product launches, seasonal traffic),
      real users experience timeouts, 5xx errors or just “feels slow”.

    From a business perspective, this translates into:

    • lower conversion rates on key funnels,
    • underperforming ad campaigns,
    • higher cost per acquisition – not because your marketing is bad,
      but because servers are busy serving bots instead of buyers.

    If your goal is to reduce server load bots generate, this is exactly the performance win you’re aiming for:
    freeing capacity so that real users always get a fast, stable experience.

    4.3. Security and operations: constant background noise

    Many of the bots hitting your site are not just spammers, they’re also:

    • brute-forcing passwords,
    • probing for outdated plugins and known CVEs,
    • crawling admin and system URLs looking for weak points.

    Even when they fail, they still create work:

    • alerts in monitoring tools,
    • tickets for the security or DevOps team,
    • time spent investigating suspicious IPs and traffic spikes,
    • manual IP blocks and ad-hoc firewall rules.

    None of this creates value for customers.
    It’s necessary defensive work caused by traffic that should ideally never reach your application in the first place.

    By blocking a large share of this traffic in the cloud, you don’t just protect the server – you also reduce the operational noise your teams have to deal with.

    4.4. Analytics: dirty data, weaker decisions

    Finally, spam bots quietly damage something very important for business: data quality.

    If bot traffic is not filtered properly, it will:

    • inflate visits and page views,
    • distort geography and device breakdowns,
    • pollute funnels with sessions that never had a chance to convert,
    • drag down apparent conversion rates (“lots of traffic, few sign-ups”).

    This leads to bad second-order effects:

    • marketing invests more into audiences and regions with heavy bot presence,
    • channels are misjudged (“this campaign sends junk”, when the junk is bots),
    • product and growth decisions are made on metrics that don’t represent real users.

    Reducing bot load at the edge gives you cleaner numbers:

    • fewer fake sessions,
    • more realistic conversion rates,
    • better signal on which channels, markets and campaigns actually work.

    Put together, this is why spam bots are more than “just annoying”:

    • they drive up your infrastructure spend,
    • reduce performance and conversion for real customers,
    • increase security and operations overhead,
    • and weaken the analytics you use to run the business.

    The next step is to treat this as an architectural issue, not a form-field issue – and that’s where a cloud layer like CleanTalk SpamFireWall comes in as a tool specifically designed to cut this spam bots server cost before it reaches your servers.

    5. Why CAPTCHAs and In-App Filters Don’t Reduce Server Load

    At this point many teams say:

    “We already use CAPTCHA and an anti-spam plugin. Aren’t we covered?”

    You are covered against visible spam – fake comments, junk sign-ups, trash in your inbox.
    You are not covered against the server cost of bots.

    The reason is simple: most traditional anti-spam and security tools work inside your application, not before it.

    5.1. What actually happens with in-app spam protection

    Let’s take a typical WordPress setup:

    • A bot submits a registration or contact form.
    • The request reaches your web server.
    • PHP starts.
    • WordPress loads core, theme and all active plugins.
    • Your anti-spam plugin (or CAPTCHA) finally checks the request and says:
      “This is spam, block it.”

    Yes, you successfully blocked the spam submission.
    But from a server perspective, the heavy work has already happened:

    • CPU cycles were spent loading WordPress and running plugin code.
    • RAM was allocated for the request.
    • Logs were written, backups grew.

    In other words:

    In-app filters protect your content and users,
    but they do not reduce the server load bots generate.

    You have solved the “we don’t want spam in our interface” problem,
    but not the “we don’t want to pay for serving bots” problem.

    5.2. Why this matters more as bot traffic grows

    When bots were rare, this distinction didn’t matter much.
    With bots now representing a third of global traffic, it matters a lot.

    If 20-30% of your requests are bots, and every one of them:

    • boots your app stack,
    • touches your database,
    • sits in the same queues as real users,

    then you are paying a real, recurring spam bots server cost, even if your forms are “clean”.

    Symptoms you may already see:

    • “We keep hitting CPU or I/O limits, even though human traffic hasn’t grown that much.”
    • “The site slows down under spikes that don’t match our campaigns.”
    • “We had to upgrade hosting but didn’t see a proportional improvement in business KPIs.”

    That’s what “blocking too late” looks like.

    5.3. The architectural shift: from “inside the app” to “before the app”

    Big infrastructure players talk a lot about moving protection to the edge:

    • decisions are made as close as possible to the source of traffic,
    • bad requests are dropped before they consume origin resources.

    The same idea applies here, but with a focus on spam and bad bots.

    To actually reduce server load bots create, you need a layer that:

    • sees the request before WordPress, PHP or your framework do,
    • can make a fast decision based on IP, reputation and technical signals,
    • and, if it’s a known bad actor, stops the request right there.

    No PHP.
    No WordPress.
    No database query.
    No extra log entry on your side.

    Only after this cloud filter says “yes”, does the request reach your application, where in-app anti-spam can handle the remaining edge cases (new bots, human spammers, borderline content).

    That’s the architectural gap that CleanTalk SpamFireWall is designed to fill for CMS-driven sites.

    5.4. How CleanTalk is different from “just another CAPTCHA”

    So where does CleanTalk sit compared to CAPTCHAs and typical form plugins?

    You can think of it this way:

    • CAPTCHA protects forms.
    • Anti-Spam protects data and user base.
    • SpamFireWall protects your resources – CPU, RAM, bandwidth, and the time of your teams.

    All three have their place. But if your goal is not only “have less spam”, but also “pay less and perform better under load”, you need something that works before your application – not only inside it.

    In the next section, we’ll look more closely at how SpamFireWall’s cloud filtering actually works and how it translates into fewer bot requests hitting your servers in day-to-day operation.

    6. Solution: CleanTalk SpamFireWall (Cloud Filtering)

    If the problem is that bots consume server resources before your application can stop them,
    the solution has to start before your application too.

    That’s exactly what CleanTalk’s SpamFireWall is designed to do.

    Instead of fighting spam bots only inside WordPress or your CMS, CleanTalk adds a cloud filtering layer in front of your site. The goal is simple:

    Block as many spam/bad bots as possible in the cloud, so your servers spend their time on real users, not scripts.

    In business language: it’s a way to reduce server load bots create and shrink your spam bots server cost without rebuilding your infrastructure.

    6.1. Two layers working together: cloud + application

    CleanTalk doesn’t replace in-app filters – it adds a second layer in front of them.

    1. SpamFireWall – cloud layer
      • Checks incoming IPs and technical signals against CleanTalk’s global spam and attack database.
      • Blocks known spam bots, brute-force tools and abusive scanners before they reach your server.
      • Offloads a large volume of hostile and useless traffic to the cloud.
    2. Anti-Spam – application layer
      • Runs inside WordPress / your CMS.
      • Analyzes actual form submissions (comments, registrations, contact forms, directory listings, etc.).
      • Blocks spam content, fake accounts and “fresh” spam that can’t be recognized by IP alone.

    Together they form a pipeline:

    Internet → SpamFireWall (CleanTalk cloud) → your server → WordPress / CMS → Anti-Spam → forms & users

    For a significant share of bot traffic, the journey ends at SpamFireWall – and that’s where your savings start.

    6.2. What happens when a visitor (or bot) hits your site

    At a high level, each request goes through three decisions:

    1. Cloud check (SpamFireWall)
      • The visitor’s IP and other technical signals are checked in the CleanTalk cloud.
      • If it matches known spam, attack or abuse patterns, the request is blocked at once.
      • Your web server, PHP and database don’t have to do any work for it.
    2. Application check (Anti-Spam)
      • If the cloud layer allows the request, it reaches your site as usual.
      • When the visitor submits a form (sign-up, login, comment, listing, contact, etc.), that submission is checked by CleanTalk’s Anti-Spam logic.
      • Suspicious content is blocked; clean submissions go through.
    3. Logging and visibility
      • Both layers record what they did in your CleanTalk dashboard:
        • how many requests SpamFireWall blocked,
        • how many spam submissions Anti-Spam stopped,
        • where spam and bots are coming from.

    The key architectural shift:

    • Instead of letting every bot request hit WordPress and then deciding “this is spam”,
    • CleanTalk moves a big part of that decision upstream, into the cloud.

    6.3. What this means in practice for server load

    From a business viewpoint, you don’t buy SpamFireWall just to say “we have another security tool”.
    You buy it to change the shape of your traffic:

    • Fewer bot requests reach your origin.
    • Fewer PHP workers are tied up by bots.
    • Fewer database queries are caused by fake sign-ups and scans.
    • More CPU and memory are available for actual customers.

    In CleanTalk’s own stats between April 2025 and February 2026, SpamFireWall consistently processed several times more bad requests than in-app Anti-Spam checks did – including a month with 11+ billion blocked requests. That is a direct, measurable reduction in spam bots server cost for the sites behind it.

    For you, the expected effects are:

    • More stable performance during traffic peaks and campaigns.
    • Less pressure to upgrade hosting “just to survive bot waves”.
    • Cleaner analytics (fewer fake sessions and non-human hits).
    • Less spam and fewer fake accounts for your team to clean up.

    In short: SpamFireWall turns “bots are just part of the internet now” into “bots are largely CleanTalk’s problem, not our servers’ problem”.

    7. Implementation: How to Deploy CleanTalk SpamFireWall (WordPress Example)

    The good news: you don’t need a new infrastructure project or DNS migration to start reducing bot load.

    For a typical WordPress site, enabling CleanTalk + SpamFireWall is a plugin-level change, not a platform rewrite.

    Below is a simple rollout plan you can hand to your tech person or agency.

    7.1. What you need before you start

    • A working WordPress site (any theme, any hosting).
    • Admin access to the WordPress dashboard.
    • A CleanTalk account (trial or paid) – this is created automatically if you use the “Get Access Key” button.

    That’s it. No DNS changes, no reverse proxies, no extra servers to maintain.

    Step 1 – Install the CleanTalk Anti-Spam plugin

    In the WordPress admin:

    1. To install the Anti-Spam plugin, go to your WordPress admin panel → Plugins → Add New.
    2. In the search box, type: cleantalk.
    3. Find Spam protection, Honeypot, Anti-Spam by CleanTalk.
    4. Click Install, then Activate.

    Step 2 – Connect plugin to the cloud

    1. Navigate to Settings → Anti-Spam by CleanTalk in the WordPress dashboard.
    2. Click “Get Access Key Automatically”.
       WordPress will contact CleanTalk, create/link your account, and insert an Access Key.
    3. Click Save Changes.

    Now:

    • your site can communicate with the CleanTalk cloud,
    • basic Anti-Spam checks for forms and comments are active.

    Step 3 – Make sure SpamFireWall is enabled

    The best way to test the spam protection is to use a test email:

    stop_email@example.com

    1. Open the page with your form (don’t forget to add the shortcode in the page content) in an Incognito browser tab.
    2. Fill out the Contact form using stop_email@example.com as sender’s email.
    3. Send the form.
    4. You should see a message from the Anti-Spam plugin confirming that a spam submission was blocked.

    Cloud Dashboard

    In addition, in the Cloud Dashboard you can find extra details regarding all submissions processed by CleanTalk, including HivePress registration and Add Listing forms:

    • IP and email of the sender, as well as the sender’s activity history across other websites connected to the CleanTalk cloud.
    • Geolocation of the sender.
    • Date and time of the submission.
    • Page (URL) where the form was submitted (for example, a specific listing submission page).
    • Cloud decision – Approved or Denied.
    • Cloud explanation for the decision (e.g. blacklisted email, bad IP reputation, spam text, etc.).
    • Tools to move the sender to Block or Allow lists so you can fine-tune HivePress spam protection.

    7.2. What about other CMS and custom sites?

    While this section uses WordPress as the example (because it’s the most common), CleanTalk is not limited to WordPress:

    • There are ready-made integrations for other popular CMS and e-commerce / forum engines.
    • For custom platforms, CleanTalk provides an HTTP API, so your developers can send form data to the cloud and get allow/deny decisions back.

    In practice, this means you can apply the same SpamFireWall + Anti-Spam model across most of your public-facing properties, not just WordPress.

    From an implementation standpoint, that’s all you need:

    • plugin install,
    • access key,
    • enable SpamFireWall,
    • watch the numbers.

    The heavy lifting – maintaining IP reputation, filtering billions of bot requests, and absorbing the associated server load – is handled by CleanTalk’s infrastructure, not yours.

    8. Business Takeaways: How to Talk About This Inside Your Company

    By now, spam bots should look less like “IT noise” and more like what they really are:

    A recurring, measurable cost on your infrastructure, performance and data – that you don’t have to fully pay.

    Here’s how to frame this for founders, CTOs and CFOs in clear business language.

    8.1. This is not a plugin decision – it’s a cost decision

    Instead of “Should we install one more plugin?”, the better question is:

    • How much of our server budget goes to bots, not humans?
    • How much of that load can we move from our servers to CleanTalk’s cloud?

    You already pay for:

    • hosting and infrastructure capacity,
    • lost conversions when the site is slow,
    • internal time spent cleaning spam and handling security noise.

    CleanTalk + SpamFireWall simply changes who carries part of that load:

    • fewer spam/bot requests reach your servers,
    • less capacity is wasted on non-customers,
    • more headroom is available for real users.

    8.2. Four sentences you can use with leadership

    You can summarise the whole story in four short statements:

    1. Cost
      “A noticeable share of our server capacity is currently used to serve bots.
      CleanTalk’s SpamFireWall blocks a large part of that traffic in the cloud, so we can either delay upgrades or get more out of our existing hosting.”
    2. Performance & revenue
      “Bots compete with real users for CPU and database connections. Reducing bot load gives us more stable page speed and conversion during campaigns and peak traffic.”
    3. Risk & operations
      “Many brute-force and scanner requests never reach our app if we stop them in the cloud. That means fewer alerts, fewer incidents to check, and more time for real engineering work.”
    4. Data & decision quality
      “Filtering bots earlier gives us cleaner analytics – more accurate funnel numbers, conversion rates and geo data, so we can invest in the right channels and markets.”

    All of that is powered by one practical change: turning on SpamFireWall alongside CleanTalk Anti-Spam.

    8.3. What success looks like

    When this is working, you should see:

    • A clear, growing number of SpamFireWall blocks in the CleanTalk dashboard – these are requests your servers no longer process.
    • More stable CPU and response times during both normal days and marketing peaks.
    • Less manual spam moderation and fewer fake accounts for your team to chase.
    • Analytics that look more like human behaviour and less like random noise.

    You don’t have to guess: before/after numbers from SpamFireWall and your hosting panel will tell you whether your spam bots server cost is going down.
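One way to get that before/after number from your own web server, as an added example (not CleanTalk code): the script below assumes the Apache/nginx "combined" access log format and measures what share of requests goes to the login, XML-RPC and admin URLs named earlier. The sample log lines are constructed, and hits on these URLs are a proxy for bot load rather than proof of it.

```python
import re
from collections import Counter

# Assumed format: Apache/nginx "combined" access log.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# The WordPress URLs the article names as constant bot targets.
ENDPOINTS = (
    ("login", "/wp-login.php"),
    ("xmlrpc", "/xmlrpc.php"),
    ("admin", "/wp-admin"),
)


def classify(path):
    """Return 'login', 'xmlrpc', 'admin' or None for a request path."""
    bare = path.split("?", 1)[0].rstrip("/") or "/"
    # admin-ajax.php is called by ordinary front-end pages, so a hit on it
    # says nothing about bots and is left out of the count.
    if bare == "/wp-admin/admin-ajax.php":
        return None
    for label, prefix in ENDPOINTS:
        if bare == prefix or bare.startswith(prefix + "/"):
            return label
    return None


def summarize(lines, noisy_threshold=3):
    """Count requests to the targeted URLs and the IPs that hammer them."""
    total = unparsed = targeted_bytes = 0
    by_endpoint, by_ip = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:  # e.g. empty requests logged as "-"
            unparsed += 1
            continue
        total += 1
        label = classify(m.group("path"))
        if label is None:
            continue
        by_endpoint[label] += 1
        by_ip[m.group("ip")] += 1
        if m.group("size") != "-":
            targeted_bytes += int(m.group("size"))
    targeted = sum(by_endpoint.values())
    return {
        "total": total,
        "unparsed": unparsed,
        "targeted": targeted,
        "share": round(targeted / total, 3) if total else 0.0,
        "by_endpoint": dict(by_endpoint),
        "targeted_bytes": targeted_bytes,
        "noisy_ips": sorted(ip for ip, n in by_ip.items() if n >= noisy_threshold),
    }


def compare(before_lines, after_lines):
    """Share of targeted requests before and after enabling a filter."""
    before, after = summarize(before_lines), summarize(after_lines)
    return {
        "before_share": before["share"],
        "after_share": after["share"],
        "share_drop": round(before["share"] - after["share"], 3),
    }


# Constructed sample data (documentation IP ranges), not real traffic.
SAMPLE_BEFORE = """\
203.0.113.7 - - [10/Mar/2026:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1520 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1520 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1520 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:09:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:09:00:05 +0000] "-" 408 0 "-" "-"
198.51.100.23 - - [10/Mar/2026:09:01:10 +0000] "GET /wp-admin/install.php HTTP/1.1" 302 0 "-" "curl/8.4.0"
198.51.100.23 - - [10/Mar/2026:09:01:11 +0000] "POST /wp-login.php?action=register HTTP/1.1" 200 2100 "-" "curl/8.4.0"
192.0.2.10 - - [10/Mar/2026:09:02:00 +0000] "GET / HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2026:09:02:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 96 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2026:09:03:00 +0000] "GET /blog/pricing/ HTTP/1.1" 200 15002 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2026:09:03:30 +0000] "GET /contact/ HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
""".splitlines()

SAMPLE_AFTER = """\
192.0.2.10 - - [17/Mar/2026:09:02:00 +0000] "GET / HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
192.0.2.44 - - [17/Mar/2026:09:03:00 +0000] "GET /blog/pricing/ HTTP/1.1" 200 15002 "-" "Mozilla/5.0"
192.0.2.44 - - [17/Mar/2026:09:03:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 96 "-" "Mozilla/5.0"
192.0.2.91 - - [17/Mar/2026:09:04:00 +0000] "GET /contact/ HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
198.51.100.23 - - [17/Mar/2026:09:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1520 "-" "curl/8.4.0"
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_BEFORE))
    print(compare(SAMPLE_BEFORE, SAMPLE_AFTER))
```

To use it on real data, pass the lines of two log files covering comparable periods to `compare()` in place of the samples.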

    8.4. The real decision

    The internet will only have more bots, not fewer.
    You can’t change that – but you can choose who pays for their requests.

    • Option A: your own servers, hosting budget and teams.
    • Option B: offload a large part of that work to a cloud service that is built to absorb it.

    CleanTalk’s Anti-Spam plugin plus SpamFireWall is a straightforward way to choose option B:

    • no DNS migration,
    • no new infrastructure to maintain,
    • just a cloud filter that sits in front of your site and lets your servers focus on humans.

    That’s ultimately what this article is about:

    Stop treating spam bots as “just annoying”.
    Start treating them as a cost centre –
    and then deliberately make that cost smaller.

    Stop wasting server resources on spam bots

    Create your CleanTalk account and let SpamFireWall block bad bots in the cloud before they reach your server — no CAPTCHA challenges and no friction for real visitors.


  • GiveWP – Spam Protection guide in 2026. Stop spam donations!

    CleanTalk has added spam protection for GiveWP using direct form integration. This makes it a good opportunity to explore how to protect GiveWP against spam submissions using both built-in anti-spam tools integrated into the plugin core and third-party solutions. We will start with CleanTalk and then move on to Akismet, Google reCAPTCHA, Cloudflare Turnstile, honeypot techniques, and universal anti-spam plugins available on WordPress.org.

    GiveWP – Donation & Fundraising Plugin for WordPress

    In case of any misunderstanding or misinterpretation about which plugin we are referring to, allow me to provide a brief overview of GiveWP.

    GiveWP is a powerful WordPress donation plugin that helps nonprofits, charities, and organizations accept online donations directly on their websites. It allows you to create fully customizable donation forms and securely collect one-time or recurring donations without relying on third-party fundraising platforms. To maintain secure fundraising, GiveWP can be combined with spam protection solutions that help prevent fake donations, bot submissions, and fraudulent registrations. The plugin supports popular payment gateways such as PayPal and Stripe, making it easy for donors to contribute using their preferred payment method. Built-in reporting, donor management tools, and fundraising goal tracking help organizations monitor performance and grow contributions. With a wide range of add-ons and integrations, GiveWP scales from small campaigns to large nonprofit organizations while following WordPress best practices for reliability and security.

    According to WordPress.org, over 100,000 websites use this plugin.

    Install GiveWP – Donation Plugin and Fundraising Platform

    To install the plugin, follow these steps:

    1. Search for the plugin in WordPress console -> Plugins -> Add plugin -> Search -> givewp

    2. Install and Activate the plugin.

    3. Add a campaign and forms in WordPress console -> GiveWP -> Campaigns -> Forms.

    That’s all! GiveWP is installed.

    Anti-Spam plugin by CleanTalk for WordPress

    The next plugin we are going to use is the Anti-Spam plugin by CleanTalk. Here is a short description:

    CleanTalk Anti-Spam plugin for WordPress protects your site from spam comments, contact forms, registrations, and fake donations without CAPTCHA. It uses cloud-based spam detection and real-time databases to block bots automatically while keeping the experience smooth for real users. CleanTalk works in the background and requires minimal setup, making it a reliable hands-off anti-spam solution.

    CleanTalk has additional features such as Block and Allow lists to manage specific emails, IPs and countries, a custom frontend message for blocked donations, and email obfuscation, which might be helpful during fundraising events.

    According to WordPress.org, over 200,000 websites use this plugin. All features of Anti-Spam plugin for WordPress.

    How to install CleanTalk Anti-Spam plugin

    To install the Anti-Spam plugin, go to your WordPress admin panel -> Plugins -> Add New.

    Then enter «CleanTalk» in the search box and click the Install button for «Spam protection, Anti-Spam, FireWall by CleanTalk».

    After installing the plugin, click the «Activate» button.

    Once that is done, go to the plugin settings and click the «Get Access Key Automatically» button. Then click the «Save Settings» button.

    That’s it! GiveWP is completely protected. Let’s see how to test the protection.

    How to check spam protection for GiveWP Forms

    You can test the Anti-Spam protection for GiveWP by using the test email address:

    stop_email@example.com

    1. First, open the form in an Incognito browser tab.
    2. Choose an amount to donate.
    3. In the next step, fill in the account name fields and enter stop_email@example.com as the email.
    4. You should see a message saying that the submission was blocked.

    In addition, in the Cloud Dashboard you can find extra details regarding all submissions for the donation form:

    • IP and email of the donor, as well as the sender’s activity history across other sites connected to CleanTalk’s cloud.
    • Geolocation of the sender.
    • Date and time of submission.
    • Page (URL) of the submission.
    • Cloud decision – Approved, Denied.
    • Cloud explanation for the decision.
    • Tools to move the sender to Block or Allow lists.

    What additional anti-spam tools are available for GiveWP?

    Here are a few more tools on the market:

    1. Akismet is a cloud-based anti-spam service that works in the background and has excellent compatibility with WordPress. Most importantly, the GiveWP team has included Akismet integration directly in the core of the plugin, providing a seamless user experience for those who choose Akismet as their anti-spam solution. Akismet settings are located under WordPress console -> GiveWP -> Settings -> Advanced -> Akismet SPAM Protection. Here is the full guide on how to set up protection.
    2. Honeypot anti-spam techniques protect websites by adding invisible form fields that real users never see but spambots automatically fill in. When these hidden fields are completed, the submission is flagged and blocked, stopping spam without CAPTCHAs or user interaction. GiveWP has a built-in honeypot, located under WordPress console -> GiveWP -> Settings -> Security -> Enable Honeypot Field. This option is on by default, so it should filter out some primitive spam bots out of the box.
    3. reCAPTCHA is a spam protection technology by Google that helps protect WordPress websites by distinguishing real users from bots using challenges or behavioral analysis. It reduces automated spam submissions but may require user interaction, such as clicking a checkbox or solving a challenge. GiveWP supports reCAPTCHA in the core, and the settings are located under WordPress console -> GiveWP -> Settings -> General -> Access Control -> reCaptcha. The first step to activate this protection is getting the Site and Secret keys, which are available on the service’s website.
    4. Turnstile by Cloudflare is another great anti-spam tool available for GiveWP. It protects WordPress websites by verifying visitors automatically without CAPTCHAs or puzzles. It blocks bots using browser and behavioral signals while keeping the experience seamless for real users. One drawback is that to use Turnstile, you must install an extra plugin – ‘Give – Cloudflare Turnstile’. The full guide is here.
    5. There are also a number of standalone, universal, all-in-one plugins, such as Zero Spam, OOPSpam and hCaptcha for WP, which provide anti-spam protection for GiveWP as well. Here is a link to download one of them.

    I have questions… (FAQ)

    Does CleanTalk protect against donor email leaks?

    In July 2025, a vulnerability in GiveWP led to a leak of the email addresses of Pi-hole donors. Yes, Anti-Spam by CleanTalk helps protect against such issues. In this case, email addresses were exposed in the HTML code, even though they were not visible on public pages. The plugin prevents this by obfuscating email addresses by default.
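    An audit for the kind of exposure described above, addresses that sit in a page's HTML source but never appear in its visible text, as an added example (not CleanTalk's or GiveWP's code). The sample page, its attribute names and all addresses are constructed for illustration.

```python
"""Find e-mail addresses that are in the HTML source but not in the visible text."""
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Elements whose text content is never rendered to the visitor.
NON_RENDERED = {"script", "style", "template", "noscript"}


class EmailAudit(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.visible = set()   # addresses a visitor can read on the page
        self.hidden = {}       # address -> set of places it was found in the source
        self._open = []        # non-rendered elements currently open

    def _record_hidden(self, text, where):
        for addr in EMAIL_RE.findall(text):
            self.hidden.setdefault(addr.lower(), set()).add(where)

    def handle_starttag(self, tag, attrs):
        if tag in NON_RENDERED:
            self._open.append(tag)
        # Attribute values (data-*, hidden inputs, href) are source-only.
        for name, value in attrs:
            if value:
                self._record_hidden(value, f"attribute {tag}[{name}]")

    def handle_endtag(self, tag):
        if self._open and self._open[-1] == tag:
            self._open.pop()

    def handle_data(self, data):
        if self._open:
            self._record_hidden(data, f"<{self._open[-1]}> content")
        else:
            self.visible.update(a.lower() for a in EMAIL_RE.findall(data))

    def handle_comment(self, data):
        self._record_hidden(data, "HTML comment")


def audit_html(html):
    """Return {address: [locations]} for addresses present only in the source.

    An address that is also printed in visible text (a public contact address
    with a mailto: link) is treated as intentionally published and skipped.
    Limitation: elements hidden purely by CSS are still counted as visible.
    """
    parser = EmailAudit()
    parser.feed(html)
    parser.close()
    return {addr: sorted(places) for addr, places in parser.hidden.items()
            if addr not in parser.visible}


# Constructed sample page: one public contact address, four source-only ones.
SAMPLE_PAGE = """
<html><body>
<h1>Donor wall</h1>
<p>Questions? Write to <a href="mailto:info@example.org">info@example.org</a></p>
<ul>
  <li data-donor-email="alice@example.com">Alice</li>
  <li>Bob<input type="hidden" name="donor_email" value="bob@example.net"></li>
</ul>
<!-- debug: last donor carol@example.org -->
<script>var donors = [{"name": "Dan", "email": "dan@example.com"}];</script>
</body></html>
"""

if __name__ == "__main__":
    for addr, places in sorted(audit_html(SAMPLE_PAGE).items()):
        print(f"{addr}: {', '.join(places)}")
```

    Run it against the saved source of your own donation and donor-list pages while logged out; any address it reports is readable by anyone who views the page source.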

    We received hundreds of spam donations immediately after installing the GiveWP plugin. How to fix it?

    If you do not have a dedicated anti-spam tool installed, increasing the minimum donation amount can help stop spam, as bots usually test forms with small payments like $1–$5. Setting a $10+ minimum helps filter out these low-effort automated attacks.

    A donor is trying to submit recurring donations but the transaction isn’t being processed because the donor’s email is considered spam.

    False positives sometimes happen. In this case, open a support ticket or add the donor to the Allow list.

    Final thoughts

    I hope this guide helped resolve all spam issues on your donation form. If not, sign up for an account and our CleanTalk team will be happy to help.

  • HivePress Spam Protection in 2026

    If you use HivePress to power a directory, classifieds, or marketplace website, you will eventually face spam – fake listings, bot registrations, and junk messages.

    This guide explains how to set up HivePress spam protection using:

    • the Anti-Spam plugin by CleanTalk with direct integration for HivePress, and
    • additional tools like Google reCAPTCHA and basic moderation.

    The integration now protects both:

    • the registration form of HivePress (requests to /wp-json/hivepress/v1/users/), and
    • the Add Listing form used to submit new listings.

    HivePress – Business Directory & Classified Ads Plugin

    First, let’s take a quick look at HivePress itself and the types of sites you can build with it.

    HivePress is a free and highly flexible WordPress plugin for building any type of directory or listing website: business directory, job board, classifieds, real estate catalog, rental marketplace, and more.

    Out of the box HivePress provides:

    • listing types, categories and custom fields;
    • powerful search filters and location-based search;
    • user accounts, ratings, reviews, private messages and favorites.

    Because HivePress relies heavily on user-generated content and public forms, it quickly becomes a target for spambots. That’s why it is important to have a reliable HivePress spam protection setup from the beginning.

    As WordPress.org shows, HivePress is currently used on over 10,000 websites and has 213 user reviews with an average rating of 4.9.

    Plugin Homepage at wordpress.org | Website hivepress.io


    Install HivePress to build business directories, classifieds, marketplaces and other listing websites.

    You can set it up in just a few easy steps:

    1. Search for the plugin in WordPress console -> Plugins -> Add plugin -> Search -> Type ‘hivepress’

    2. Install and Activate the plugin.

    3. Add the very first listing in WordPress console -> Listings -> Add New.

    WordPress console -> Listings -> Add New -> add title, description, images and other fields -> Publish.

    4. That’s all! Your first listing is live and HivePress is ready to use on your site.

    Anti-Spam plugin by CleanTalk for WordPress

    The next tool we’re going to use is the Anti-Spam plugin by CleanTalk.
    Here’s a short overview:

    • CleanTalk is a cloud-based spam protection service for websites, founded in 2012.
    • It automatically blocks spam without CAPTCHAs and doesn’t interrupt the user experience.
    • Protects many types of forms: contact forms, payment forms, registrations, comments, surveys and more.
    • Stops both automated bots and human spam submissions.
    • Uses advanced filtering algorithms and a global spam detection network.
    • Detects spam based on IP address, email address and user behavior.
    • Lets you create custom filtering rules for specific cases.
    • Allows blocking or filtering by IP, email and country.
    • Works quietly in the background and is very easy to install and configure.

    According to WordPress.org, Anti-Spam by CleanTalk for WordPress has over 200,000 active installations, with 3,168 reviews and an average rating of 4.7.

    Plugin Homepage at cleantalk.org | Latest release at GitHub.com | Website cleantalk.org

    Install the CleanTalk Anti-Spam plugin

    To install the Anti-Spam plugin, go to your WordPress admin panel -> Plugins -> Add New.

    Then enter «CleanTalk» in the search box and click the Install button for «Spam protection, Anti-Spam, FireWall by CleanTalk».

    After installing the plugin, click the «Activate» button.

    Once that is done, go to the plugin settings and click the «Get Access Key Automatically» button. Then click the «Save Settings» button.

    That’s it! Now you know how to completely protect your HivePress site from spam.

    Check if spam protection works with HivePress

    The best way to test the spam protection is by using a test email:

    stop_email@example.com

    1. Open the page with your form (don’t forget to add the shortcode to the page content) in an Incognito browser tab.
    2. Fill out the Contact form using stop_email@example.com as sender’s email.
    3. Send the form.
    4. You should see a message from the Anti-Spam plugin confirming that a spam submission was blocked.

    Cloud Dashboard

    In addition, in the Cloud Dashboard you can find extra details regarding all submissions processed by CleanTalk, including HivePress registration and Add Listing forms:

    • IP and email of the sender, as well as the sender’s activity history across other websites connected to the CleanTalk cloud.
    • Geolocation of the sender.
    • Date and time of the submission.
    • Page (URL) where the form was submitted (for example, a specific listing submission page).
    • Cloud decision – Approved or Denied.
    • Cloud explanation for the decision (e.g. blacklisted email, bad IP reputation, spam text, etc.).
    • Tools to move the sender to Block or Allow lists so you can fine-tune HivePress spam protection.

    Google reCAPTCHA, hCaptcha, and Cloudflare Turnstile

    Besides CleanTalk and the built-in HivePress tools, you can also use cloud CAPTCHA / anti-bot services together with HivePress to reduce spam and protect registration and Add Listing forms.

    Google reCAPTCHA (native HivePress integration)

    HivePress has a core integration with Google reCAPTCHA v2:

    • First, register your site in the Google reCAPTCHA admin and generate a Site Key and Secret Key.
    • Then go to WordPress console → HivePress → Settings → Integrations → reCAPTCHA and paste these keys.
    • In the same section you can select which HivePress forms to protect (for example, registration, login, listing submission).

    This helps reduce spam submissions and adds an extra security layer to HivePress forms, while CleanTalk continues to filter all submissions in the background.

    hCaptcha

    HivePress does not currently include native hCaptcha support. However, you can use hCaptcha on your site via separate WordPress plugins (for example, “hCaptcha for Forms and More”) that add hCaptcha to standard WordPress forms and some popular plugins.

    Key benefits of hCaptcha compared to reCAPTCHA:

    • Better privacy for visitors. hCaptcha collects less tracking data and is more focused on privacy and GDPR-friendly use.
    • Reduced dependence on Google services. Useful for projects that prefer not to rely on Google infrastructure for branding or compliance reasons.
    • Optional monetization. hCaptcha offers a program where site owners can earn small rewards for solved challenges, something reCAPTCHA does not provide.

    To use hCaptcha you need to:

    • obtain a Site Key and Secret Key in the hCaptcha dashboard,
    • install and configure the corresponding WordPress plugin,
    • and test that hCaptcha is correctly displayed and working on your HivePress registration and Add Listing forms (since there is no direct HivePress integration yet).

    Cloudflare Turnstile

    Cloudflare Turnstile is a modern CAPTCHA alternative that verifies users mostly in the background, without classic image puzzles.

    Turnstile can be connected to WordPress via dedicated plugins that integrate Turnstile with standard WordPress forms and some third-party plugins.

    Main benefits of Cloudflare Turnstile compared to classic reCAPTCHA:

    • Invisible verification. Turnstile usually works silently in the background, so users can submit forms without extra clicks and image challenges.
    • Higher form completion rates. With fewer interruptions, registration and listing submission forms tend to have fewer abandoned attempts.
    • Strong privacy approach. Turnstile is designed to minimize user tracking and does not rely on heavy behavioral profiling, which makes it more privacy-friendly than traditional CAPTCHA solutions.

    As with hCaptcha, you need to:

    • obtain a Site Key and Secret Key in the Cloudflare Turnstile dashboard,
    • configure the chosen WordPress plugin,
    • and verify that Turnstile is actually applied to the pages where HivePress renders registration or Add Listing forms.

    Honeypot, Akismet and third-party Anti-Spam plugins

    Additionally, let’s consider standalone plugins and anti-spam mechanics that also work for HivePress-based websites.

    Honeypot

    Honeypot is one of the simplest anti-spam mechanics against primitive spam bots. It works by adding hidden fields that are only detected and filled by bots. When a bot fills these fields, the submission is blocked automatically, while legitimate users never see any additional challenges.

    Because no CAPTCHA or interaction is required, honeypots:

    • help maintain a smooth user experience,
    • reduce friction on registration and Add Listing forms,
    • and add a lightweight extra layer of protection.
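    The server-side half of the honeypot check described here and in the GiveWP section, as an added example (not the code of GiveWP, HivePress or WP Armour). The decoy field name `website_url`, the form markup and the sample submissions are assumptions constructed for illustration.

```python
"""Honeypot validation for a form handler, run before any other processing."""
from collections import Counter
from dataclasses import dataclass

# Assumed decoy name; it should look like a field a bot wants to fill.
HONEYPOT_FIELD = "website_url"

# What the rendered form contains: the decoy is moved off-screen, kept out of
# the tab order and autofill, and hidden from screen readers, yet it is still
# an ordinary text input to a bot that parses the markup.
FORM_MARKUP = """
<form method="post" action="/submit">
  <input type="email" name="email" required>
  <div style="position:absolute;left:-9999px" aria-hidden="true">
    <label>Leave this field empty
      <input type="text" name="website_url" tabindex="-1" autocomplete="off">
    </label>
  </div>
  <button type="submit">Send</button>
</form>
"""


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def check_honeypot(form):
    """Decide whether a parsed POST body passes the honeypot."""
    if HONEYPOT_FIELD not in form:
        # Browsers always send empty text inputs, so a missing decoy means
        # the request was not built from the rendered form. (If pages are
        # cached, purge the cache when adding the field to avoid rejecting
        # visitors who still hold the old markup.)
        return Verdict(False, "honeypot field missing")
    value = form[HONEYPOT_FIELD]
    if isinstance(value, (list, tuple)):      # parameter sent more than once
        value = "".join(str(v) for v in value)
    if str(value).strip():
        return Verdict(False, "honeypot field filled")
    return Verdict(True, "ok")


def filter_submissions(submissions):
    """Return (accepted forms without the decoy, Counter of rejection reasons)."""
    accepted, rejected = [], Counter()
    for form in submissions:
        verdict = check_honeypot(form)
        if verdict.allowed:
            # Strip the decoy so it never reaches storage or e-mail templates.
            accepted.append({k: v for k, v in form.items() if k != HONEYPOT_FIELD})
        else:
            rejected[verdict.reason] += 1
    return accepted, rejected


# Constructed sample submissions.
SAMPLES = [
    {"email": "donor@example.org", "website_url": ""},                   # human visitor
    {"email": "a@spam.example", "website_url": "http://spam.example"},   # fills every input
    {"email": "b@spam.example"},                                         # scripted POST, visible fields only
    {"email": "c@spam.example", "website_url": ["", "x"]},               # repeated parameter
    {"email": "d@spam.example", "website_url": ""},                      # form-aware bot, leaves decoy empty
]

if __name__ == "__main__":
    accepted, rejected = filter_submissions(SAMPLES)
    print("accepted:", [f["email"] for f in accepted])
    print("rejected:", dict(rejected))
```

    The last sample passes: a bot that leaves hidden inputs empty defeats the honeypot, which is why it only filters primitive bots and is used alongside the other layers in this guide.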

    You can enable honeypot protection via a dedicated WordPress plugin, for example WP Armour – Honeypot Anti Spam.

    Settings are available in the plugin configuration, for example:

    • WordPress console -> Plugins -> Add New -> Search -> type ‘WP Armour’
    • Install and Activate the plugin.
    • WordPress console -> Settings -> WP Armour (or the plugin’s own menu item) -> enable honeypot protection for the forms used with HivePress (registration / Add Listing pages).

    Third-party Anti-Spam plugins

    Akismet

    Akismet Anti-Spam helps WordPress users automatically filter spam submissions by analyzing form data against its global spam detection network. It works in the background to identify suspicious content and prevent unwanted messages from reaching your inbox or database. This reduces manual moderation and helps keep comments and basic contact forms clean.

    For HivePress websites, Akismet can be used together with CleanTalk to:

    • filter blog comments and simple contact forms,
    • reduce low-quality submissions outside of HivePress-specific forms.

    In order to activate protection the user must:

    1. Install and activate the third-party plugin Akismet Anti-Spam.
    2. Get an API key from Akismet and enter it in the plugin settings.
    3. Enable spam checking for the content types you need (comments, contact forms, etc.).

    Typical path:

    • WordPress console -> Plugins -> Add New -> Search -> type ‘Akismet’
    • Install and Activate the plugin.
    • WordPress console -> Settings -> Akismet Anti-Spam -> enter API key and save.

    Other universal Anti-Spam plugins

    WP Armour, OOPSpam, Maspik, and Simple CAPTCHA Alternative are universal anti-spam plugins for WordPress that provide additional spam protection at the site level. They can help filter spam on contact forms, comments and other areas of your site that are not covered directly by HivePress integration.

    All of these solutions can be found in the search results at wordpress.org:

    WordPress console -> Plugins -> Add New -> Search -> type ‘WP Armour’ | ‘OOPSpam’ | ‘Maspik’ | ‘Simple CAPTCHA Alternative’
    Install and Activate the chosen plugin, then configure it according to its documentation.

    These third-party plugins can be used alongside CleanTalk and HivePress as optional extra layers of protection for high-risk or high-traffic projects.

    This guide explains how to protect HivePress forms using the Anti-Spam plugin by CleanTalk together with additional tools such as Google reCAPTCHA, hCaptcha, Cloudflare Turnstile, honeypot mechanisms and third-party anti-spam plugins like Akismet, OOPSpam, WP Armour and Maspik.

    Frequently Asked Questions (FAQ)

    Still getting spam through your HivePress forms?

    If nothing in this guide works, try a few more things:

    1. Block spammers by particular IPs, countries and email masks via Personal lists in your CleanTalk account.
    2. Enable listing moderation in HivePress, so new listings must be approved by an admin before they go live.
    3. Check for plugin conflicts – temporarily disable other anti-spam / security plugins and test HivePress registration and Add Listing forms only with CleanTalk enabled.
    4. Submit a support request to CleanTalk, attaching examples of spam submissions (IPs, emails, message text, page URLs). The support team will do their best to tune spam protection for your specific case.

    reCAPTCHA not saving in HivePress settings or showing errors

    If reCAPTCHA keys are not saved or you see an error in HivePress → Settings → Integrations → reCAPTCHA:

    1. Make sure you are using the correct key type (usually reCAPTCHA v2 for HivePress).
    2. Double-check that the domain in the Google reCAPTCHA admin exactly matches your site.
    3. Remove any extra spaces when pasting the Site Key and Secret Key.
    4. Try temporarily disabling other CAPTCHA / security plugins and saving the settings again.
    5. If the issue persists, you can switch to an alternative solution such as hCaptcha or Cloudflare Turnstile via a separate WordPress plugin, while keeping CleanTalk as your main spam filter.

    HivePress + hCaptcha / Turnstile does not prevent spam

    If you enabled hCaptcha or Cloudflare Turnstile but spam still comes through:

    1. Do not rely on hCaptcha / Turnstile alone – always keep CleanTalk Anti-Spam enabled as the primary filter.
    2. Enable honeypot protection if it is available in your chosen security / form plugins to catch simple bots.
    3. Check that there are no plugin conflicts disabling CleanTalk checks or bypassing them.
    4. Use layered protection: CleanTalk + CAPTCHA (reCAPTCHA / hCaptcha / Turnstile) + HivePress moderation usually works much better than any single method.

    Emails from HivePress forms are going to spam.

    1. Check SMTP configuration and avoid sending mail via the default PHP mail() function.
    2. Install and configure an SMTP plugin, so your site sends messages through an authenticated email account (hosting mail, Gmail, or a transactional service).
    3. Verify that your domain has proper SPF / DKIM / DMARC records to improve sender reputation.
    4. After configuring SMTP, send a few test submissions from HivePress forms and confirm that notifications now arrive in the inbox, not in spam.

    Recommended Anti-Spam Stack for HivePress (2026)

    Finally, no single anti-spam tool can stop every type of spam submission. The most reliable approach for HivePress websites is a layered protection stack, where each tool blocks a different category of bots and spam behavior.

    Starting from the latest plugin update, the Anti-Spam plugin by CleanTalk includes a direct integration with HivePress. It automatically protects the HivePress registration form and the Add Listing form before a new user account or listing is created, without any extra settings inside HivePress. This integration is the core of the recommended anti-spam stack below.

    Recommended setup by site type

    Small business directory / local listings

    • CleanTalk Anti-Spam (with direct HivePress integration)
    • Optional honeypot protection in a security/form plugin
    • Basic HivePress listing moderation

    High-traffic classifieds or service marketplace

    • CleanTalk Anti-Spam (with direct HivePress integration)
    • Google reCAPTCHA or Cloudflare Turnstile on registration and Add Listing forms
    • Listing moderation for new or untrusted users

    Membership / registration-heavy HivePress sites

    • CleanTalk Anti-Spam (with direct HivePress integration)
    • Cloudflare Turnstile or hCaptcha on registration and login
    • Optional honeypot protection for additional bot filtering

    By now, most spam issues in your HivePress registration, login and Add Listing forms should be resolved. If not, sign up for a CleanTalk account or log in to your existing one and contact our support team – we will be happy to help you fine-tune spam protection for your specific case.

  • Why do Contact Form 7 users prefer Anti-Spam by CleanTalk over reCAPTCHA?

    As a WordPress user, let me share my experience of using CAPTCHA-less and CAPTCHA-style anti-spam tools, using Contact Form 7 as the example.

    Is reCAPTCHA good or bad for Contact Form 7?

    Contact Form 7 users may prefer Anti-Spam plugin by CleanTalk over reCAPTCHA for several reasons, as each solution has its own advantages and disadvantages. Here are some potential reasons why some users prefer Anti-spam by CleanTalk:

    1. Simplicity: Anti-spam by CleanTalk offers a simpler and more user-friendly solution compared to reCAPTCHA. It doesn’t require users to solve puzzles or click checkboxes, which can be seen as an added step that may deter some visitors from submitting forms.
    2. Reduced User Friction: reCAPTCHA can sometimes lead to a less than ideal user experience, especially for those who find it challenging to complete the visual or interactive challenges. Anti-spam by CleanTalk doesn’t require any user interaction, so it doesn’t add any friction to the form submission process. More drawbacks of CAPTCHA/reCAPTCHA.
    3. Invisible to Users: Anti-spam by CleanTalk works invisibly in the background, so users are not aware of its presence. In contrast, reCAPTCHA typically requires users to complete a task to prove they are not a bot.
    4. Accessibility: Some users have accessibility concerns with reCAPTCHA, as it relies on visual verification. Anti-spam by CleanTalk does not present accessibility challenges in the same way, making it a more inclusive solution.
    5. Accuracy: Anti-spam by CleanTalk uses a combination of methods, including machine learning and a vast database of known spam sources, to identify and block spam submissions. This approach can be effective in detecting and preventing spam without relying on user interaction.
    6. Reduced False Positives: reCAPTCHA, while effective at blocking bots, may occasionally generate false positives, blocking legitimate users. Anti-spam by CleanTalk aims to minimize false positives, ensuring that genuine inquiries are not inadvertently marked as spam.
    7. Customization: Users have the ability to customize Anti-spam by CleanTalk settings to meet their specific needs and preferences, tailoring the spam protection to their site’s requirements.
    8. Integration: Anti-spam by CleanTalk is designed to seamlessly integrate with Contact Form 7 and other popular form plugins, making it easy for users to implement spam protection without significant configuration.

    It’s important to note that the choice between Anti-spam by CleanTalk and reCAPTCHA may depend on the specific needs and preferences of individual website owners. Some users may prioritize ease of use and a seamless user experience, while others may prioritize the high level of bot detection offered by reCAPTCHA. Ultimately, the choice between these solutions should align with your website’s goals and the user experience you want to provide. Additionally, some users may opt to use both solutions in combination to enhance spam protection further.

    How to install Anti-Spam by CleanTalk?

    To install and configure the “Anti-Spam by CleanTalk” WordPress plugin for your website, follow these steps:

    1. Log in to Your WordPress Dashboard:

    Navigate to your WordPress admin dashboard by entering your site’s URL followed by “/wp-admin” (e.g., “https://yourwebsite.com/wp-admin”).

    2. Access the Plugins Section:

    In the WordPress dashboard, locate and click on the “Plugins” option in the left-hand menu.

    3. Click “Add New”:

    On the Plugins page, click the “Add New” button at the top of the screen. This will take you to the Add Plugins page.

    4. Search for “Anti-Spam by CleanTalk”:

    In the search bar on the Add Plugins page, type “Anti-Spam by CleanTalk” and press Enter. The search results will appear.

    5. Install the Plugin:

    Locate the “Anti-Spam by CleanTalk” plugin in the search results. Click the “Install Now” button next to the plugin’s name.

    6. Activate the Plugin:

    After installation, a new button will appear that says “Activate.” Click this button to activate the Anti-Spam by CleanTalk plugin.

    7. Enter Your Access Key:

    Once the plugin is activated, you’ll need to enter your access key to enable the anti-spam features. You can obtain the access key by signing up for CleanTalk on their website (https://cleantalk.org/) and subscribing to their service. After subscribing, you’ll receive an access key via email.

    a. In the WordPress dashboard, go to “Settings” in the left-hand menu.

    b. Click on “Anti-Spam by CleanTalk” from the submenu.

    c. Enter your access key in the provided field.

    d. Click the “Check Access Key” button to validate your access key.

    8. Configure Settings:

    Once your access key is validated, you can configure the plugin settings according to your preferences. The settings allow you to customize the anti-spam protection for your site, including options for comments, registrations, contact forms, and more.

    9. Save Changes:

    After configuring your settings, don’t forget to click the “Save Changes” button to apply your chosen anti-spam settings.

    10. Verify That It’s Working:

    To ensure that the plugin is effectively blocking spam, submit a Contact Form 7 form using the email stop_email@example.com. You should see a special response from Anti-Spam by CleanTalk that describes the reason for blocking.

    *** Forbidden. Sender blacklisted. ***

    11. Periodic Review:

    Periodically review the plugin’s dashboard to check its performance and verify that it’s actively blocking spam submissions. CleanTalk provides statistics on the number of spam attempts blocked.

    That’s it! You’ve successfully installed and configured the “Anti-Spam by CleanTalk” plugin on your WordPress website. This plugin will help protect your site from unwanted spam submissions and improve the overall security and user experience of your WordPress site.

  • wpForo Forum – Spam Protection

    CleanTalk has added spam protection for the wpForo Forum multi-layout bulletin board using direct form integration. So if you prefer using wpForo, be sure to use the most effective Anti-Spam plugin. Read the guide below and learn 4 steps to protect your wpForo Forms from spam.

    Once the CleanTalk Anti-Spam plugin is installed it starts to protect all of the existing forms on your WordPress website. It may not only be wpForo forms but also many others.

    Download CleanTalk Anti-Spam plugin | Download wpForo Forum 

    How to install CleanTalk Anti-Spam plugin

    To install the Anti-Spam plugin, go to your WordPress admin panel -> Plugins -> Add New.

    Then enter «CleanTalk» in the search box and click the Install button for «Spam protection, Anti-Spam, FireWall by CleanTalk».

    After installing the plugin, click the «Activate» button.

    Once that is done, go to the plugin settings and click the «Get Access Key Automatically» button. Then click the «Save Settings» button.

    That’s it! Now you know how to completely protect your wpForo Forum plugin from spam.

    How to check spam protection for wpForo Forms

    You can test the Anti-Spam protection for your ConvertKit Forms by using the test email s @ cleantalk.org (without spaces). First, open the form in an Incognito browser tab. Fill in all the required form fields and send the form. After submitting the form, you will see a message saying that the submission was blocked.

    If you have any questions, add a comment and we will be happy to help you.

    Update

    The protection works only for website visitors, not for website admins. Be sure to test the form protection using Incognito mode.

    Additional features

    • CleanTalk protects all forms at once: comments, registrations, feedbacks, contacts, reviews.
    • Installation takes about 1-2 minutes.
    • Smart 99% protection against spambots.
    • Always online – 24/7 technical support.
    • Logs, SpamFireWall, personal lists, country filters, stop-words, and many others.

    Discover CleanTalk Anti-Spam plugin features.

  • How to Check wp-content for Malware with Security by CleanTalk?

    WordPress powers a significant portion of the internet, making it an attractive target for cyberattacks. Ensuring the security of your WordPress website is paramount. One essential aspect of WordPress security is regularly checking your wp-content directory for vulnerabilities. In this article, we’ll guide you through the process of safeguarding your wp-content folder using the powerful Security by CleanTalk plugin.


    Why Is Checking wp-content for Malware Crucial?

    Your website’s wp-content directory is a critical part of your WordPress installation. It contains themes, plugins, and uploaded media files, making it an attractive target for hackers. Malicious actors often seek vulnerabilities in this directory to compromise your website’s security.

    Checking wp-content is vital because it allows you to:

    1. Detect Unauthorized Access: Regular checks help you identify any unauthorized changes or suspicious files within your wp-content folder.
    2. Prevent Malware Infections: Detecting malware early can prevent it from spreading throughout your site, damaging your reputation and potentially harming your visitors.
    3. Maintain Website Performance: A compromised wp-content directory can slow down your site and disrupt its functionality. Regular checks help maintain optimal performance.
    4. Protect Sensitive Data: Your wp-content directory may contain sensitive information. Ensuring its security safeguards your data and user information.

    Introducing Security by CleanTalk

    To streamline the process of checking your wp-content directory and enhancing your WordPress security, we recommend installing the “Security by CleanTalk” plugin. This comprehensive security plugin offers a wide range of features to protect your website, including:

    1. Real-time Firewall: Defends your site against malicious traffic and hacking attempts in real-time.
    2. Spam Protection: Blocks spam comments and registrations to keep your site’s content clean.
    3. Malware Scanner: Regularly scans your website for malware, vulnerabilities, and unsafe permissions.
    4. Login Page Security: Protects your login page from brute force attacks.
    5. Two-Factor Authentication (2FA): Adds an extra layer of login security for administrators.
    6. IP and Country Blocking: Allows you to block specific IP addresses or entire countries to prevent malicious access.
    7. Security Audit Trails: Keeps a record of all security-related events on your site for monitoring and analysis.

    How to Install Security by CleanTalk

    Follow these simple steps to install and activate Security by CleanTalk on your WordPress website:

    1. Log in to Your WordPress Admin Dashboard: Navigate to your WordPress dashboard by entering your site’s URL followed by “/wp-admin” (e.g., “https://yourwebsite.com/wp-admin”).
    2. Go to Plugins: In the left sidebar, click on “Plugins.”
    3. Add New Plugin: Click the “Add New” button at the top of the Plugins page.
    4. Search for “Security by CleanTalk”: In the search bar, type “Security by CleanTalk” and press Enter.
    5. Install and Activate: When you see the plugin in the search results, click “Install Now,” and then click “Activate” once it’s installed.
    6. Configure Settings: Visit the “Security by CleanTalk” settings page in your WordPress dashboard to configure the plugin’s settings to your liking. Be sure to set up the malware scanner to check your wp-content directory regularly.
    7. Enjoy Enhanced Security: With Security by CleanTalk in place, your WordPress website is now fortified against threats, and your wp-content directory will be regularly monitored for vulnerabilities.

    Conclusion

    Regularly checking your wp-content directory is an essential part of maintaining a secure WordPress website. To simplify this process and ensure comprehensive protection for your site, we recommend installing the “Security by CleanTalk” plugin. With its wide range of security features, this plugin will help you safeguard your website, keeping it safe from threats and ensuring the integrity of your wp-content directory.

    If you are unsure how to identify, remove, or clean malware using the plugin, you can book a WordPress malware removal with our Security & Pentest team.

    Don’t leave the security of your WordPress site to chance—take proactive steps today by installing Security by CleanTalk and regularly checking your wp-content folder for peace of mind and a secure online presence.

  • User Registration & Membership – Spam Protection Guide in 2026

    User Registration & Membership – Spam Protection Guide in 2026

    CleanTalk has added spam protection for the User Registration & Membership WordPress plugin by WPEverest through direct form integration. If you use this plugin, be sure to enable the highly effective CleanTalk Anti-Spam solution. In this post, we also review all anti-spam options available for User Registration & Membership.

    User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder

    First, let’s look at what this plugin is.

    User Registration & Membership by WPEverest is a powerful WordPress plugin for creating custom user registration forms, login pages, and membership websites without coding. It features a drag-and-drop form builder, user profile management, content restriction, and payment integrations for subscription-based sites. Ideal for communities, online courses, and client portals, the plugin helps website owners manage users and memberships efficiently while improving user experience.

    According to wordpress.org, this plugin is installed on 60,000+ sites. All features of Anti-Spam plugin by CleanTalk for WordPress.

    Installing User Registration & Membership

    Installing the plugin takes a few steps:

    1. Go to WordPress console -> Plugins -> Add plugin, type ‘user’.
    2. Install ‘User Registration & Membership’ by WPEverest and activate the plugin.
    3. Next you will see a setup screen, which can be skipped for now.
    4. That’s all, the plugin is installed!

    In the next steps we work with the page YOUR-SITE.COM/registration/.

    By the way, if you want to place the registration form on another page:

    1. Go to WordPress console -> User Registration & Membership -> Registration form.
    2. Copy a shortcode like [user_registration_form id="8"] from the top-right corner of the screen and place it on any other page you want.

    Anti-Spam plugin by CleanTalk for WordPress

    To begin, a few words about the plugin that we are going to use against spam:

    CleanTalk Anti-Spam plugin for WordPress automatically protects your website from spam comments, registrations, contact forms, and fake orders without using CAPTCHA. It uses cloud-based spam detection and real-time databases to block bots in the background while keeping the experience smooth for legitimate visitors.

    According to wordpress.org, this plugin is installed on 200,000+ websites. To install the plugin please follow this guide.

    The next step is testing the anti-spam protection.

    How to check spam protection for User Registration & Membership

    We are going to test the protection, and the most important point in this process is to do it as a regular visitor, not as an authorized user/administrator in the WordPress console!

    Follow these steps:

    1. Open YOUR-SITE.COM/registration/ in incognito mode in your browser.
    2. Fill in the form using the test email address s@cleantalk.org. This is a service email; using it does not cause your IP to be block-listed in CleanTalk’s cloud.
    3. You will see a response from the cloud like this,

    That’s all! The protection is active and ready to go. If you have any questions, add a comment and we will be happy to help you. In addition, in the Cloud Dashboard you can find extra details about all submissions to the registration form.

    What additional anti-spam tools are available for User Registration & Membership?

    Today there are a few more tools on the market to protect User Registration & Membership against spam bots. The plugin also has some built-in tools. Let’s see what we have:

    1. This plugin has built-in integration with Google reCAPTCHA versions 2 and 3. reCAPTCHA by Google helps protect WordPress registration forms from spam by verifying that users are real people using behavioral analysis or interactive challenges. It blocks automated bot sign-ups and reduces fake registrations while allowing legitimate users to register securely.
      The settings are located here: WordPress console -> User Registration & Membership -> Registration & Login -> Captcha. The Site and Secret keys are available on the website.
    2. The next tool is hCaptcha. hCaptcha is a privacy-focused CAPTCHA solution that protects WordPress registration forms from spam by requiring users to complete human verification challenges, helping block automated bot sign-ups. Unlike reCAPTCHA by Google, hCaptcha places stronger emphasis on user privacy and data control, making it a popular alternative for websites that want effective spam protection with less tracking.
      The settings are located here: WordPress console -> User Registration & Membership -> Registration & Login -> Captcha. The Site Key and Secret key are available on the website.
    3. Next is Turnstile by Cloudflare. It protects WordPress registration forms from spam by automatically verifying visitors using browser and behavioral signals without showing CAPTCHA challenges. Unlike reCAPTCHA, Turnstile is designed to be privacy-friendly and frictionless, reducing spam registrations while keeping the signup process seamless for real users.
      The settings are located under the same path as the tools above: WordPress console -> User Registration & Membership -> Registration & Login -> Captcha. The Site Key and Secret key are available on the website.
    4. There are also a number of universal anti-spam plugins, such as Simple CAPTCHA Alternative by Elliot Sowersby, WP Armour, etc. All of them can be found on wordpress.org.

    As my research shows, there is no plugin or direct integration with Akismet.

    I have questions…

    What if I don’t use User Registration & Membership plugin, but still have spam registrations (users)?

    In this case, Anti-Spam by CleanTalk is the best way to get rid of spam in standard WordPress registration forms.

    Does this guide work for the wpForo plugin?

    No, it does not. Read this guide instead to protect wpForo Forum against spam registrations.

    How about spam protection for s2Member plugin?

    Please use another guide for s2Member spam protection.

    Final thoughts

    I hope this guide helped resolve all spam issues on your registration form. If not, Sign Up for an account and our CleanTalk team will be happy to help.

  • Our Client’s Review: BRNDTIME

    Our Client’s Review: BRNDTIME

    We’re happy to share feedback from one of our valued clients — Christophe Thielens, founder of BRNDTIME.

    At CleanTalk, we truly appreciate hearing how our anti-spam solution helps agencies and businesses keep their websites clean, fast, and user-friendly. Reviews like this motivate our team to continue improving our technology and delivering invisible, reliable protection against spam.

    About BRNDTIME

    BRNDTIME is a digital marketing agency based in Belgium, focused on helping SMEs and independent professionals grow their online presence.
    The agency specializes in building high-performance WordPress websites, SEO, online advertising, branding, content creation, and email marketing — always with a strong emphasis on usability, performance, and measurable results.

    Client feedback

    Christophe shared his experience with CleanTalk both on WordPress.org and on the BRNDTIME website:

    “Very good plugin — works very well for my agency.
    No captchas, no false positives, no slowdowns.
    A solid and trustworthy plugin.”

    BRNDTIME – Digital marketing bureau 01 29 2026 03 19 PM

    Using CleanTalk Anti-Spam, BRNDTIME protects WordPress websites from spam submissions without affecting visitor experience. The absence of CAPTCHAs, combined with accurate filtering and no performance impact, allows the agency to focus on building and marketing websites — not cleaning up spam.

    We’d like to thank Christophe Thielens and the BRNDTIME team for trusting CleanTalk to protect their projects and for sharing their honest feedback with the WordPress community.

    🔗 Client website: https://brndtime.be/

    🔗 WordPress.org review: https://wordpress.org/support/topic/very-good-plugin-works-very-wel-for-my-agencie/

    🔗 BRNDTIME article about CleanTalk:
    https://brndtime.be/2026/01/27/cleantalk-anti-spam-plugins-spamvrije-wordpress-website/

  • How Spam Activity Changes Over Time — and Why It’s Not Related to License Expiration

    How Spam Activity Changes Over Time — and Why It’s Not Related to License Expiration

    From time to time, website owners report a sudden increase in spam activity and try to link it to plugin settings, hosting, or license status.
    However, these assumptions often overlook how dynamic spam behavior truly is.
    To illustrate this, I conducted a small study analyzing spam distribution over time using data from several of our WordPress sites.

    First, I’ll look at data for three of our WordPress sites, which host our themed blogs. The statistics are for the year.

    1. Our blog, CleanTalk Anti-Spam and Security https://blog.cleantalk.org/

    The screenshot shows the statistics for the year.
    As you can see from the graph, the number of spam attacks isn’t linear, but fluctuates from month to month. Only since August has there been any stability, and the number of spam attacks has been more or less consistent.

    All time 10 979 spam blocked 10 21 2025 11 17 AM

    2. Our blog, research.cleantalk.org


    The graph shows an increase in spam attacks at the beginning of the year, followed by a decline to almost zero. However, in May, there is a peak in spam attacks, followed by a sharp decline. Subsequently, there is a slight increase in spam attacks.

    3. Our blog, blog.doboard.com


    The blog was launched recently, and from the very beginning, it was clear that the number of spam attacks was high, but after some time, there was a decrease.

    4. Personal WordPress Test Site


    The following graph shows statistics for my personal WordPress site, which I use for testing.
    The graph shows a steady increase, peaking in May and then declining.

    All time 19 510 spam blocked 10 21 2025 11 19 AM

    What Does This Tell Us?

    Based on this data, I can draw the following conclusions:
    The number of spam attacks does not show any trend, other than a possible seasonal factor.


    The number of spam attacks may not be linear from month to month or even from day to day. At some points, there may be more, at others, fewer. A low-traffic site like my test site can receive a much higher number of spam attacks than a site with more traffic, a larger number of articles, and a higher search engine ranking.

    What Did I Do Next?

    Now let’s talk about how a user can evaluate the difference between the amount of spam a client sees while using an anti-spam service and when the license expires.

    First, as you can see on our new site, the number of spam attacks increases as it gets added to spam lists.

    Second, when a client installs the CleanTalk Anti-Spam plugin, we have the SpamFireWall option. This option blocks spammers before they reach the site.

    CleanTalk Anti Spam Dashboard 10 21 2025 11 20 AM

    As you can see from this table, we currently receive 12-14 spam attacks per day. These requests can be found, for example, in the spam folder on their site. On average, there were 57 spam attacks per week, and SpamFireWall (SFW) blocked another 350.

    Then, I disabled SFW, and the number of spam attacks reaching the website form immediately increased to 120 on average. So, we see that when using SFW, 50% of spam attacks reach the website and forms, and the remaining spam attacks were stopped by SFW and simply didn’t reach the website.

    Therefore, when assessing the amount of spam, we must also take into account the portion of SFW traffic that simply didn’t reach the website forms. You can track statistics for your sites in the Trends section of the CleanTalk Dashboard.

    To summarize

    The number of spam attacks is not constant and can be higher or lower. Also, when using SFW, you only see a portion of the spam reaching the forms on your website. Having or not having a CleanTalk license doesn’t affect the number of spam attacks.

  • Client Review: Climate Change Dispatch

    Client Review: Climate Change Dispatch

    We are happy to share feedback from one of our clients — Thomas, the owner of climatechangedispatch.com

    Great support, even better spam killer

    I was using Akismet for WordPress for years until I found Cleantalk. I got an email from Automattic, which owns Akismet and Jetpack, stating that because I had some ads on my site, I had to pay a ridiculous amount of money. They gave me 30 days. I switched to Cleantalk as it was cheaper, and the difference was amazing.
    Not only did it catch spam, but the personal blacklists are a timesaver. No more hits or misses from imprecise wording in the Discussion settings. And the support is absolutely superb. The few times I’ve needed them, they were prompt and fantastic. The firewall and bot-crawler features are also a timesaver. Did you know that auto-bots crawl your site and slow it down? I’m talking spammy bots looking for email addies. This plugin stops them. And also prevents spam after spam from getting through via rate limiting. Try it out, and I swear you will rarely, if ever, have to get rid of spam manually. It’s that good!

    We thank Thomas for his detailed feedback and trust in CleanTalk.
    It’s always a pleasure to hear that our service helps clients protect their websites and save time.