Retired Documentation: You are using the documentation for version 1.7.3 which was retired in 2013.

Spam Protection

Comment spamming and other types of spamming have become common problems for systems that permit user-submitted information. If you are not familiar with comment spamming, it is when someone repeatedly submits malicious comments into your system. This can be done by someone manually, or if the person is more sophisticated, it can be done using scripts designed to insert hundreds, or even thousands of comments automatically. The purpose of spam is to increase traffic at the spammer's web site. By leaving comments linking to their site, they increase their position in Search Engine listings.

ExpressionEngine has several security features aimed at preventing spamming. There is no "silver bullet", as spammers adapt their tactics to new deterrents, but the combination of security features in ExpressionEngine will provide a high degree of safety, particularly against the automated spamming methods.


The ExpressionEngine Blacklist/Whitelist Module is an integral part of EE's spam prevention capability. This Module allows you to specify URLs, IP addresses, and user agents that you want to deny (blacklist) or specifically allow (whitelist) from your site.

The blacklist checks all content that is submitted to your site. ExpressionEngine will compare the submitted content against your blacklist/whitelist and then behave accordingly.


A CAPTCHA is a computer-generated test that humans can pass but computer programs cannot. Since a great deal of spam is generated by automated scripts or "bots", a CAPTCHA can be effective at preventing their use.

When the CAPTCHA is enabled, an image containing a random word appears next to the comment and member registration forms. In order to submit the form, the word must be typed into a form field.

ExpressionEngine can use CAPTCHAs for comment submission and member registration.

Comment Time Interval

This setting defines the amount of time that must elapse between comment postings. A malicious user will have to wait until the time has elapsed before being able to post again.

The setting is located at: Admin > Weblog Administration > Weblog Management > Edit Preferences > Comment Posting Preferences > Comment Re-submission Time Interval

Rank Denial

The primary goal of spammers is to have their sites ranked highly in Search Engines in order to generate more traffic for themselves. They achieve this by posting comments at your site which contain links to their own site. The more links to their site scattered in weblogs across the internet, the higher Search Engines will rank them.

The Rank Denial feature denies a spammer this "ranking" benefit by altering all links submitted by users so that they point to an intermediary "redirect page" at your site first, before being sent to the target destination.

The setting is located at: Admin > System Preferences > Security and Session Preferences > Apply Rank Denial to User-submitted Links?
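The link rewriting that Rank Denial describes can be sketched as follows. This is an added illustration, not ExpressionEngine's own code; SITE_HOST and the REDIRECT_PAGE path are assumptions, and the redirect page itself is not shown.

```python
import re
from html import escape, unescape
from urllib.parse import quote, urlsplit

SITE_HOST = "example.com"          # assumption: the host name of your own site
REDIRECT_PAGE = "/redirect?url="   # hypothetical path of the intermediary page

# Matches the href of an <a> tag whose value is quoted, which is what a
# comment formatter normally emits; unquoted attributes are not handled.
_HREF = re.compile(r'(<a\b[^>]*?\bhref\s*=\s*)(["\'])(.*?)\2', re.I | re.S)

def apply_rank_denial(html):
    """Point every external http(s) link at the local redirect page."""
    def rewrite(match):
        prefix, q, raw = match.groups()
        target = unescape(raw).strip()
        try:
            parts = urlsplit(target)
            host = (parts.hostname or "").lower()
        except ValueError:
            return match.group(0)      # malformed URL: leave it for the sanitizer
        # Relative links, links to this site and non-http schemes are not rewritten.
        if parts.scheme.lower() not in ("http", "https") or host == SITE_HOST:
            return match.group(0)
        # Percent-encode the whole target so it travels as one query value.
        wrapped = REDIRECT_PAGE + quote(target, safe="")
        return f"{prefix}{q}{escape(wrapped, quote=True)}{q}"
    return _HREF.sub(rewrite, html)
```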

Secure Form Mode

Secure Form Mode prevents automated scripts (the most common way spam is generated) from repeatedly submitting comments or other form data. A submission is only allowed when a user manually loads a page and submits the form from your site. And once the form data is received, the user has to manually reload the page before they can submit again.

The setting is located at: Admin > System Preferences > Security and Session Preferences > Process all forms in secure mode

Deny Duplicate Data

The "Deny Duplicate Data" feature prevents a comment from being accepted if an identical one already exists in your database. A malicious person can't submit the same information more than once.

The setting is located at: Admin > System Preferences > Security and Session Preferences > Deny Duplicate Data

Trackback Pings Per Hour

This setting defines the number of Trackback pings you will accept in one hour. Trackback spamming can be a concern as well. By limiting your site to receiving a finite number of trackbacks per hour, this limits the number of malicious trackbacks you can receive.

The setting is located at: Admin > Weblog Administration > Weblog Management > Edit Preferences > Trackback Preferences > Trackback Pings Per Hour
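The three throttling settings described above (Comment Time Interval, Deny Duplicate Data and Trackback Pings Per Hour) can be pictured as one gate in front of the database. This is an added illustration, not ExpressionEngine's own code; keying the interval on a poster identifier, hashing the exact comment body, and counting pings over a sliding hour are assumptions.

```python
import hashlib
import time
from collections import deque

class SubmissionGate:
    def __init__(self, comment_interval=30, pings_per_hour=10, clock=time.time):
        self.comment_interval = comment_interval  # seconds between comments
        self.pings_per_hour = pings_per_hour
        self.clock = clock
        self._last_comment = {}   # poster key (e.g. IP) -> time of last accepted comment
        self._seen = set()        # SHA-256 digests of accepted comment bodies
        self._pings = deque()     # arrival times of accepted trackback pings

    def check_comment(self, poster, body):
        now = self.clock()
        last = self._last_comment.get(poster)
        if last is not None and now - last < self.comment_interval:
            return "rejected: interval"
        # "Identical" is taken literally: byte-for-byte equal bodies collide.
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        if digest in self._seen:
            return "rejected: duplicate"
        self._last_comment[poster] = now
        self._seen.add(digest)
        return "accepted"

    def check_trackback(self):
        now = self.clock()
        # Forget pings older than one hour, then count what is left.
        while self._pings and now - self._pings[0] >= 3600:
            self._pings.popleft()
        if len(self._pings) >= self.pings_per_hour:
            return "rejected: hourly limit"
        self._pings.append(now)
        return "accepted"
```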

Trackback URL Randomizer

The Trackback URL to a given entry is randomized with every page load. And when your site accepts a trackback, that particular URL is no longer accepted. This feature deters automated trackback spam since your trackback page must be loaded before a trackback can be sent.

The setting is located at: Admin > Weblog Administration > Weblog Management > Edit Preferences > Trackback Preferences > Randomize Trackback URL
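Secure Form Mode and the Trackback URL Randomizer both rest on the same idea: a value handed out on page load that is accepted exactly once. The sketch below is an added illustration, not ExpressionEngine's own code; the class name, the purpose strings, the expiry time and the URL layout are assumptions.

```python
import secrets
import time

class OneTimeTokens:
    """Server-side store of single-use tokens, one issued per page load."""

    def __init__(self, ttl_seconds=7200, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._live = {}   # token -> (purpose, expiry time)

    def issue(self, purpose):
        """Call while rendering the page; embed the result in the form or URL."""
        self._purge()
        token = secrets.token_urlsafe(24)
        self._live[token] = (purpose, self.clock() + self.ttl)
        return token

    def consume(self, token, purpose):
        """Accept a submission once; the token is deleted even if validation fails."""
        entry = self._live.pop(token, None)
        if entry is None:
            return False          # unknown, forged or already used
        issued_for, expiry = entry
        return issued_for == purpose and self.clock() <= expiry

    def _purge(self):
        now = self.clock()
        for token in [t for t, (_, exp) in self._live.items() if exp < now]:
            del self._live[token]

def trackback_url(tokens, entry_id):
    """A different trackback URL for the same entry on every page load."""
    return f"/trackback/{entry_id}/{tokens.issue(f'trackback:{entry_id}')}"
```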

Site Membership

Although this isn't technically a security feature, requiring your users to be members of your site provides additional safety against spamming since you have better control over the people posting on your site.
