
What Cookies are Set with WordPress Comments?

Category: WordPress

When someone visits your WordPress comments section, they become a commenter. A commenter gets 3 distinct cookies set on their local machine so that they don't have to re-enter their name, email and URL with each WordPress comment. The 3 cookies are:

  • comment_author_{HASH}
  • comment_author_email_{HASH}
  • comment_author_url_{HASH}

By default, WordPress comments cookies should last for slightly under one year from when they were set, or until the commenter clears them off their local machine.

How are WordPress Comments Cookies Used for Anti-Spam Protection?

The general flow for WordPress comments cookies and spam protection is:

  1. Person, or bot, arrives on post URL
  2. Cookie is dropped
  3. Comment is submitted

A savvy anti-spam plugin (which can be quite simple, really) can check that a browser is humanoid, rather than spam AI, by dropping the cookie and checking whether it was saved on the local machine [scenario 1].

In instances where the AI is more than just the simplest of scripts, cookies will be saved and returned upon request, defeating any checks for existence. The basic cookie test is just not enough to defeat most spambots.

In scenario 2, the time a cookie is dropped is compared to the time a comment is submitted. The server takes the difference between the two times and compares it to the best case of a speedy human. In other words, if a name, email, URL and comment text are all submitted faster than a speedy human could possibly manage, it's obviously a spambot just dumping text as fast as it can.

The only way a spambot can defeat the time measures of scenario 2 is to add a delay between arriving on the page and submitting the form fields. While there are some that can overcome this, it's very, very few.
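The two checks described above can be sketched as follows. This is an added example, not code from WordPress or from the Cookies for Comments plugin; the function names, the cookie format, the secret and the 5-second and 1-hour limits are all assumptions. The timestamp is signed with an HMAC so that a client cannot simply send back an older time.

```php
<?php
// Added illustration; not code from WordPress or the Cookies for Comments plugin.
// Assumed values: the secret, the 5-second minimum and the 1-hour maximum.
const DEMO_MIN_SECONDS = 5;     // assumed "speedy human" floor
const DEMO_MAX_AGE     = 3600;  // assumed lifetime of a page-view token

// Called when the post page is served: cookie value is "<timestamp>.<hmac>".
function issue_token(string $secret, int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, $secret);
}

// Called when the comment form is submitted. Returns a verdict string.
function check_token(?string $cookie, string $secret, int $now): string
{
    if ($cookie === null || $cookie === '') {
        return 'reject: no cookie returned';        // scenario 1
    }
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'reject: malformed cookie';
    }
    [$ts, $mac] = $parts;
    // Constant-time comparison; a client-edited timestamp fails here.
    if (!hash_equals(hash_hmac('sha256', $ts, $secret), $mac)) {
        return 'reject: bad signature';
    }
    $elapsed = $now - (int) $ts;
    if ($elapsed < DEMO_MIN_SECONDS) {
        return 'reject: submitted too fast';        // scenario 2
    }
    if ($elapsed > DEMO_MAX_AGE) {
        return 'reject: token expired';
    }
    return 'accept';
}

// Constructed sample run.
$secret = 'constructed-demo-secret';
$t0     = 1700000000;                               // page view time (constructed)
$cookie = issue_token($secret, $t0);
$edited = ($t0 - 60) . '.' . explode('.', $cookie)[1]; // timestamp changed, old MAC

echo check_token(null, $secret, $t0 + 1), PHP_EOL;     // no cookie at all
echo check_token($cookie, $secret, $t0 + 1), PHP_EOL;  // submitted after 1 second
echo check_token($edited, $secret, $t0 + 1), PHP_EOL;  // tampered timestamp
echo check_token($cookie, $secret, $t0 + 42), PHP_EOL; // normal human pace
```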

So how do you implement commenter cookie checking to stop spambots?

Install the Cookies for Comments plugin, following our How to Install Plugins procedure.

Be sure to clear all caches (browser, WP plugins and hosting) before testing. As a human, you should be able to comment as normal, without feeling any odd pains or inconveniences, while spambots cannot.

