Akismet Has a Privacy Problem. Here’s the GDPR-Friendly Fix.

When you install WordPress, it comes with Akismet already sitting in your plugins list. Most people activate it without thinking twice: it is the default, it is by Automattic, so it must be fine.

Here is the thing: every comment submitted on your blog, including the commenter’s name, email address, IP, browser details, and the comment content itself, gets sent to Automattic’s servers for spam analysis. Not processed locally, but sent out to a third party.

For some people that is an acceptable trade-off. For me it is not, especially when there is a free alternative that does the exact same job entirely on your own server without sending anything anywhere.


The Problem with Default WordPress Comments

Akismet is not a local spam filter. It is a cloud service. Every comment submitted on your site gets sent to Automattic’s servers, analysed there, and a verdict comes back. That means commenter names, email addresses, IP addresses, browser info, and comment content all leave your server on every submission.

Whether that bothers you depends on your perspective. If you are running a blog in the EU it creates a GDPR paper trail you have to manage. But even outside the EU, handing your readers’ data to a third party on every comment is worth at least a conscious decision rather than a default you never questioned.


Step 1. Replace Akismet with Antispam Bee

Antispam Bee is a free plugin maintained by a German team. It does its spam analysis entirely on your own server. No data leaves your infrastructure, no US transfer, no API key required.

  1. Plugins → Add New → search “Antispam Bee” → install and activate
  2. Delete Akismet

Antispam Bee checks comments against several local signals: spam patterns, suspicious IPs, time-on-page (bots submit forms almost instantly), and whether the commenter’s IP has been previously flagged. It blocks the vast majority of spam before it ever reaches your moderation queue.

Recommended settings after installation:

Antispam filter (left column)

  • Trust approved commenters: leave on. Once you manually approve someone once, Antispam Bee stops flagging their future comments as spam. Pairs well with WordPress’s “Comment author must have a previously approved comment” setting.
  • Trust commenters with a Gravatar: leave off. It sends a request to Gravatar to verify the avatar, which is another external data transfer. Not worth it.
  • Consider the comment time: leave off. Checks whether a comment was submitted suspiciously fast, but it does not work reliably with page caching.
  • BBCode links are spam: leave on. Legitimate commenters almost never use BBCode.
  • Use regular expressions: leave on.
  • Look in the local spam database: leave on.
  • Block or allow comments from specific countries: your call. Useful if you notice spam clustering from specific regions, but for a general English-language blog leave it off.

Advanced (middle column)

  • Mark as spam, do not delete: leave on. Caught spam goes to the spam folder rather than being deleted immediately, so you can spot-check for false positives.
  • Spam notification by email: turn off. You already receive an email for every comment that enters the moderation queue. Adding spam notifications on top creates noise.
  • Delete existing spam after X days: set this to 30. Keeps the database clean without any manual effort.
  • Do not check trackbacks/pingbacks: turn on. Step 2 below disables trackbacks and pingbacks in Discussion settings, so there is nothing to check here.

Step 2. Discussion Settings

Go to Settings → Discussion. Here is what to change from the defaults.

Disable these:

  • “Attempt to notify any blogs linked to from the post” sends pingback requests to every external site you link to. Mostly noise, occasionally a spam vector.
  • “Allow link notifications from other blogs (pingbacks and trackbacks)” is essentially dead and used almost exclusively for spam in 2026. Off.

Enable these:

  • “Comment must be manually approved” means every comment goes to the moderation queue first, regardless of Antispam Bee’s verdict. Nothing goes live without you seeing it. Essential for a new blog.
  • “Comment author must have a previously approved comment” means once you approve someone once, their future comments skip the queue. Builds up a trusted commenter list automatically over time.
  • “Show comments cookies opt-in checkbox” adds a checkbox to the comment form asking if the commenter wants their name and email saved in their browser for next time. Required for GDPR compliance.

Should You Automatically Close Comments on Old Posts?

WordPress lets you automatically close comments on posts older than a set number of days. It is worth thinking about rather than blindly enabling.

The case for closing: without it, spam bots target old posts constantly. Even with manual approval, every spam submission gets processed by your server, stored in the database as pending, and triggers an email notification. Over time your moderation queue fills with noise on content nobody is actively reading.

The case for leaving it open: older posts can still attract genuine readers. A well-ranking article from two years ago might get a comment today from someone who found it through search. Closing comments cuts off that conversation permanently.

If you want the community aspect of your blog to stay alive long-term, leave comments open and let Antispam Bee and manual approval handle the noise. If you find the queue filling up on old posts after a few months, revisit the setting then. 180 days is a reasonable starting point.


Step 3. Gravatar

With comments enabled, WordPress sends an MD5 hash of each commenter’s email address to Gravatar (Automattic, US) to fetch a profile picture. This is a third-party data transfer worth being aware of.

Two options:

Option A. Disable avatars entirely. Settings → Discussion → uncheck “Show Avatars”. Clean, simple, no external request.

Option B. Keep avatars, document it. Leave it enabled and make sure your privacy policy mentions it. The privacy policy template in the companion post already includes this.


The Resulting Workflow

With this setup, a comment goes through the following path before anyone sees it:

  1. Commenter submits the form
  2. Antispam Bee runs local checks. Obvious spam is blocked immediately, never stored.
  3. Legitimate-looking comments land in the moderation queue
  4. You get an email, review it, approve or trash
  5. Approved commenter’s future comments skip the queue automatically

The queue stays small. You see everything before it goes live. No data leaves your server for spam analysis.
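As an added example that is not part of the original post and not Antispam Bee's or WordPress's own code, here is a small Python model of the path just described: the local signals from Step 1 (flagged IPs in the local spam database, BBCode links, spam patterns, time on page), the 180-day close from the previous section, the moderation settings from Step 2, the 30-day spam retention, and the effect of approving a commenter once. The option names, thresholds, regular expressions, documentation-range IP addresses and sample comments are all constructed assumptions; the real plugin's checks are more elaborate.

```python
"""
Added example, not code from Antispam Bee or WordPress: a runnable model of the
comment path configured in this post. Signal names, thresholds, the regular
expressions and every sample comment below are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# "BBCode links are spam", approximated here by a single regex (assumption)
BBCODE_LINK = re.compile(r"\[url(?:=[^\]]*)?\]", re.IGNORECASE)


@dataclass
class Settings:
    # Discussion settings (Step 2) and "close comments on old posts"
    comment_moderation: bool = True             # "Comment must be manually approved"
    comment_previously_approved: bool = True    # approved authors skip the queue
    close_comments_days_old: Optional[int] = 180  # None = never close
    # Antispam Bee options (Step 1)
    trust_approved_commenters: bool = True
    consider_comment_time: bool = False         # off: unreliable behind page caching
    min_seconds_on_page: int = 5                # only consulted when the option is on
    bbcode_links_are_spam: bool = True
    spam_retention_days: int = 30               # "Delete existing spam after X days"


@dataclass
class Comment:
    author_email: str
    ip: str
    body: str
    post_age_days: int
    seconds_on_page: int


@dataclass
class SiteState:
    approved_emails: set = field(default_factory=set)
    flagged_ips: set = field(default_factory=set)     # the local spam database
    spam_patterns: list = field(default_factory=lambda: [r"(?i)\b(online casino|free crypto)\b"])
    spam_folder: list = field(default_factory=list)   # (day caught, comment), kept for spot-checks


def normalise(email: str) -> str:
    return email.strip().lower()


def route_comment(c: Comment, s: Settings, state: SiteState, today: int) -> str:
    """Return where the comment ends up: 'closed', 'spam', 'pending' or 'approved'."""
    if s.close_comments_days_old is not None and c.post_age_days > s.close_comments_days_old:
        return "closed"                       # WordPress never stores it
    email = normalise(c.author_email)
    known_good = email in state.approved_emails
    # Antispam Bee local checks, skipped for trusted (previously approved) authors
    if not (s.trust_approved_commenters and known_good):
        spam = (
            c.ip in state.flagged_ips
            or (s.bbcode_links_are_spam and BBCODE_LINK.search(c.body) is not None)
            or any(re.search(p, c.body) for p in state.spam_patterns)
            or (s.consider_comment_time and c.seconds_on_page < s.min_seconds_on_page)
        )
        if spam:
            # "Mark as spam, do not delete": keep it for review and remember the IP (assumption)
            state.spam_folder.append((today, c))
            state.flagged_ips.add(c.ip)
            return "spam"
    # WordPress moderation settings decide between queue and publish
    if s.comment_previously_approved and known_good:
        return "approved"
    return "pending" if s.comment_moderation else "approved"


def approve(state: SiteState, email: str) -> None:
    """Manual approval from the moderation queue; later comments by this author skip it."""
    state.approved_emails.add(normalise(email))


def purge_spam(state: SiteState, s: Settings, today: int) -> int:
    """Delete spam older than the retention window; returns how many entries were removed."""
    keep = [(d, c) for d, c in state.spam_folder if today - d < s.spam_retention_days]
    removed = len(state.spam_folder) - len(keep)
    state.spam_folder = keep
    return removed


def run_demo() -> list:
    """Constructed sample traffic run through the pipeline; returns the routing decisions."""
    s, state = Settings(), SiteState()
    bot_ip, reader_ip = "203.0.113.9", "198.51.100.7"   # documentation ranges, not real hosts
    comments = [
        Comment("bot@example.invalid", bot_ip, "Great post [url=http://x.invalid]click[/url]", 10, 1),
        Comment("bot2@example.invalid", bot_ip, "Nice article, thanks", 10, 1),   # IP now flagged
        Comment("Reader@example.invalid", reader_ip, "Helpful, thanks!", 10, 2),  # fast, but time check is off
        Comment("late@example.invalid", reader_ip, "Still relevant", 400, 30),    # post older than 180 days
    ]
    results = [route_comment(c, s, state, today=0) for c in comments]
    approve(state, "reader@example.invalid")        # you approve the genuine reader once
    results.append(route_comment(
        Comment("reader@example.invalid", reader_ip, "Follow-up question", 12, 40), s, state, today=5))
    return results


if __name__ == "__main__":
    print(run_demo())   # ['spam', 'spam', 'pending', 'closed', 'approved']
```

Run it directly to see the five routing decisions. The second bot comment is caught only because the first one put its IP in the local spam database, the genuine reader's first comment waits in the queue, and the follow-up skips the queue entirely once that reader has been approved. Flip consider_comment_time on and the third, quickly submitted comment turns into spam, which is the false-positive risk the post mentions behind page caching.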


Related: Impressum & Privacy Policy for Your WordPress Blog in Austria
