What is GASP Protection for blog comments and how to enable it?

Note: The option to use GASP Bot Checking for WordPress Comment SPAM has been deprecated. It has been replaced by the AntiBot Detection Engine and completely removed. You can find all the deprecated Comments SPAM options under the "Depreciated Options" settings here:

The original G.A.S.P. plugin for WordPress was a great plugin, but eventually spammer networks adapted to it and it lost its effectiveness.

When this happened, we decided to implement our own version of Comments SPAM protection, using the principle of the GASP plugin as the basis for it.

How to enable GASP protection for blog comments

To enable this, go to the Comments SPAM module => Bot SPAM and click to enable the SPAM Bot Protection option:

Once you enable this option on your site, several things will happen (see the screenshot below)

  1. The most obvious change to your site will be that all blog comment forms will have a check box added to them. This checkbox must be checked by any visitor who wishes to add a comment to the site.
  2. The comment 'Submit' button will have its text replaced with a message indicating that the visitor must wait a certain length of time before posting a comment. Once this time has passed, the button is re-enabled and comments may be posted.
  3. After a certain length of time (again, configurable in the options) the submit button will become disabled and if the visitor still wishes to add a comment, they will need to refresh the page.


This method prevents 100% of automated spambot comments - i.e. comments posted to WordPress sites by spambot machines.

It doesn't prevent spam comments by humans. However, it does deter spam by humans because it forces them to wait before they can post a comment. Since most readers actually read a post before commenting, this "wait" is actually rarely noticed by most visitors.

To learn more about how this actually works, you'll need to read the blog post that discusses the approach. In summary, it uses unique tokens per page visit. A visitor to a page must present the same valid token that was assigned to them on that particular visit before a posted comment is allowed.
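The per-visit token, checkbox, wait and expiry checks described above can be sketched as follows. This is an added illustration of the principle in Python, not Shield's or the GASP plugin's own code; the HMAC-signed token layout, the function names and the 10 and 600 second timings are assumptions.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # per-site signing key (assumed)
COOLDOWN = 10   # seconds before the submit button is enabled (assumed value)
EXPIRY = 600    # seconds until the form must be reloaded (assumed value)

def _sign(post_id, issued, nonce):
    msg = f"{post_id}|{issued}|{nonce}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_token(post_id, now):
    """Rendered into the comment form: one unique token per page visit."""
    issued, nonce = int(now), secrets.token_hex(8)
    return f"{post_id}|{issued}|{nonce}|{_sign(post_id, issued, nonce)}"

def check_comment(post_id, token, checkbox_ticked, now):
    """Return (accepted, reason) for a submitted comment."""
    try:
        tok_post, issued, nonce, sig = token.split("|")
        age = now - int(issued)
    except ValueError:
        return False, "malformed token"
    expected = _sign(tok_post, issued, nonce)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad signature"
    if tok_post != str(post_id):
        return False, "token issued for another page"
    if not checkbox_ticked:
        return False, "checkbox not ticked"
    if age < COOLDOWN:
        return False, "submitted too quickly"
    if age > EXPIRY:
        return False, "token expired, reload the page"
    return True, "ok"

def demo():
    """Constructed submissions to post 42, with the form rendered at t=1000."""
    t0, tok = 1000, issue_token(42, 1000)
    return [
        check_comment(42, "", True, t0 + 30)[1],     # no token at all
        check_comment(42, tok, True, t0 + 1)[1],     # posted instantly
        check_comment(42, tok, False, t0 + 30)[1],   # checkbox left unticked
        check_comment(7, tok, True, t0 + 30)[1],     # token from another page
        check_comment(42, tok, True, t0 + 30)[1],    # reader who waited
        check_comment(42, tok, True, t0 + 5000)[1],  # stale form
    ]
```
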

It's very strict, but doesn't require any CAPTCHA or cause any user inconvenience... and blocks 100% of automated spambot comments.

Note: You can try out our AntiBot Detection Engine. It's the newer, better way to protect forms.

This completely removes the need for CAPTCHAs, and Shield’s own GASP “I’m a human” checkbox. We’re passively testing a visitor’s status (no direct interaction required from the visitor), and we build their Bot Score and allow or deny the request.
This system is best explained in our release blog posts here.

For more information about Shield's Comments SPAM, read the blog article here.