It seems my crappy little unadvertised blog here has finally garnered enough attention from bots to start getting hit with spam. My first step toward world domination has been taken.
Akismet is the go-to WordPress spam protection if for no other reason than it's been included with it for a long time. However, it requires you to sign up for an account, and even in its free tier you don't have any say in or clue as to how it's doing what it's doing.
It's a black box: your site asks it if a given comment is spam and it comes back with a yes or no. Given the trend of the past few years, it's likely powered by or fed data from AI these days, a monolith of math and matrices, and that makes its operation even more of an impenetrable mystery.
Adding to the ick is the recent history of its original author and owner Matt Mullenweg. Avoiding commercial dealings with him is reason enough to look to the open-source community for a solution.
Enter Comment Blocklist for WordPress. It's a (very long) list of naughty words and suspicious non-words meant to be added to the "Disallowed Comment Keys" section of your site's discussion settings.
Since 2011, I have painstakingly identified, compiled, and optimized over 60,000 phrases, patterns, and keywords commonly used by spammers and comment bots in usernames, email addresses, link text, and URIs. As with all compilations, this blocklist is a work in progress and there will always be room for improvement and optimization.
Copy-paste the contents of its blacklist.txt into that box and hit the "Save Changes" settings to instantly protect your site from a lot of nonsense. No accounts, API keys, black boxes whose inner workings are unknowable, or Matts needed.
With 2,464 commits to the project as of writing this sentence, most of which are to update the list, you might be wondering how it's meant to be kept updated. You can of course visit that file on a regular cadence to copy-paste its data anew. Do so every few days, once a week, or even just monthly, and you'll likely be fine.
However, for the lazy among us, there's a number of plugins that will periodically update your on-site disallowed list with that blacklist.txt's content. I glanced at a couple and landed on Comment Blacklist Manager as the one I'd use here due to extra features that sound nice even if I never need them.
With a plugin like that in place, you're good to go. It's a free and set-it-and-forget-it way to protect your blog ⸺ or even business websites. No monthly or yearly payments and no license keys to juggle. Just an open-source plugin using open-source data to create a sieve around your site through which most spam won't pass.
It's the kind of thing the internet should've been about: the free exchange of information rather than the capitalistic hellhole it became in which hatred is promoted because it's good for business and everything is strangled of its value and enshittified over time.