ExpressionEngine Docs

Spam Protection

Comment spamming and other types of spamming have become common problems for systems that permit user-submitted information.

ExpressionEngine has several security features aimed at preventing spamming. There is no “silver bullet”, as spammers adapt their tactics to new deterrents, but the combination of security features in ExpressionEngine will provide a high degree of safety, particularly against the automated spamming methods.

Block lists

The ExpressionEngine Block/Allow Module is an integral part of ExpressionEngine’s spam prevention capability. This Module allows you to specify URLs, IP addresses, and user agents that you want to block or specifically allow from your site.

The module checks all content that is submitted to your site and allows or denies it, according to the rules you have set.


A CAPTCHA is a computer-generated test that humans can pass but computer programs cannot. Since a great deal of spam is generated by automated scripts or “bots”, a CAPTCHA can be effective at preventing their use.

When the CAPTCHA is enabled, an image containing a random word appears next to the comment and member registration forms. In order to submit the form, the word must be typed into a form field.

ExpressionEngine can use CAPTCHAs for comment submission and member registration.

Comment Time Interval

This setting defines the amount of time that must lapse between comment postings. A malicious user will have to wait until the time has lapsed before being able to post again.

The setting is located at: Developer --> Channels in the channel’s Settings tab

Rank Denial

The primary goal of spammers is to have their sites ranked highly in Search Engines in order to generating more traffic for themselves. They achieve this by posting comments at your site which contain links to their own site. The more links to their site scattered in channels across the internet, the higher Search Engines will rank them.

The Rank Denial feature denies a spammer this “ranking” benefit by altering all links submitted by users so that they point to an intermediary “redirect page” at your site first, before being sent to the target destination.

The setting is located at: Settings --> Security & Privacy

Deny Duplicate Data

The “Deny Duplicate Data” feature prevents a comment from being accepted if an identical one already exists in your database. A malicious person can’t submit the same information more than once.

The setting is located at: Settings --> Security & Privacy

Site Membership

Although this isn’t technically a security feature, requiring your users to be members of your site provides additional safety against spamming since you have better control over the people posting on your site.