
Beyond Akismet: Spam Protection for 2026

By SumGuy 13 min read

So You Got The Akismet Email

You set up a little WordPress blog. You wrote a few posts, slapped a “Buy Me a Coffee” button in the sidebar, and activated Akismet on the free Personal plan because everyone does. Six months later you get the notification: your site is “commercial” and you need to upgrade.

Here’s the thing — Akismet’s catch rate is genuinely excellent. They see spam patterns from millions of WordPress installs in real time, and that fire-hose of signal means their classifier catches things nobody else does. If you run a high-traffic news site, it’s arguably worth the commercial pricing without much debate.

The problem is the line between “personal” and “commercial” is drawn with a razor. A single affiliate link — doesn’t matter how modest. An AdSense banner. A tip jar. An Amazon Associates widget. Any of those flip you into the commercial tier. Open-source projects don’t automatically get an exception unless the site itself is purely non-commercial, not just the project. A GPL plugin hosted on a site that also sells merch? Nope.

So the search for alternatives has become a recurring conversation in every WordPress Slack, Discord, and forum thread since roughly 2023. And in 2026, there are finally enough good options that “just use Akismet” stopped being the only reasonable answer. Let’s talk about them.


Three Categories of Spam Defense

Before diving into the list, it helps to know what problem each tool actually solves. There are three buckets, and most real-world setups combine two of them:

Hosted spam-filter APIs look at the content of a comment or form submission, classify it, and return a verdict — ham, spam, or uncertain. This is the Akismet model. They work after the user has already submitted something, which means you can show meaningful error messages, but it also means you’re shipping data to a third party for analysis.

CAPTCHA and challenge widgets sit in front of the form and gate the submission before it reaches your server. The visitor solves something (or more often, their browser does it invisibly), and only clean submissions get through. No content analysis, no third-party read of your comment text — just a gate at the door.

DIY techniques — honeypots, time traps, IP rules, regex filters — run entirely on your stack with no third-party calls. Free, private, and surprisingly effective on low-traffic sites. Bots are lazy and repetitive; basic traps catch more than you’d expect.

Most setups that work well use two layers: a challenge widget as a cheap front-line filter, and a content API or rule-based filter behind it. The widget drops 80% of automated submissions before they ever reach your spam classifier, which keeps your API call count low and your false-positive rate manageable.


Hosted Spam-Filter APIs

Akismet

The incumbent, and it deserves its reputation for catch rate. The training data is enormous — every WordPress install that runs Akismet feeds pattern data back, so novel spam campaigns get flagged within hours of appearing at scale. The WordPress plugin is a one-click install, and the dashboard actually shows you what it caught and why.

The cost isn’t just money — it’s the licensing nuance. If your site has any commercial activity (affiliate links, ads, tip jars, sponsored posts), you’re on the paid tier. The Plus plan is around $10/month per site at time of writing; the Pro tier targets agencies and multi-site setups. For a content operation where false negatives cost real money, that’s reasonable. For a hobby blog with a Ko-fi link, it’s a tax for not reading the ToS carefully enough.

CleanTalk

No meaningful free tier, but the paid pricing is aggressive — single-digit dollars per site per year, and that hasn’t changed much in a while. It works on WordPress, Joomla, Drupal, MODX, OpenCart, and via direct API, so if you run a heterogeneous stack, one account covers everything. The licensing isn’t weird — commercial use is fine. Catch rate is solid, not Akismet-tier, but genuinely useful.

The privacy tradeoff is the standard hosted-API one: CleanTalk is reading your comment content to classify it, and you’re trusting their data handling. For most sites this is a non-issue; for EU-focused blogs with GDPR-conscious readers, it’s worth noting.

OOPSpam

The “I’d rather not feed my comment section to Automattic” pick. Privacy-focused REST API, no-credit-card signup, and it works anywhere — WordPress plugin, Ghost integration, raw HTTP calls from a serverless form handler on a static site. The free tier is essentially a trial — 40 spam checks total to kick the tires, then paid plans start at $23/mo for 25,000 checks. Not “free forever” the way some folks assume; budget for it if you’re going past the demo. The WordPress plugin is straightforward; the API is clean enough that wiring it up to a custom contact form takes maybe 20 minutes.

The tradeoff is the training data is thinner than Akismet’s. On novel spam patterns — the kind of LLM-generated spam that looks almost human — OOPSpam catches less. It excels at the bulk automated stuff and gets genuinely better as you report misses back.


CAPTCHA / Challenge Widgets

Cloudflare Turnstile

Honestly, this is the answer for most contact forms in 2026. Free, no Google tracking, no “click all the fire hydrants” UX nightmare — most users see nothing, or a single checkbox that resolves in under a second. The challenge runs in the visitor’s browser without shipping their data to Google, and it works on any site, not just Cloudflare-proxied ones (though if you’re already on Cloudflare, the setup is even simpler).

Drop-in replacement for reCAPTCHA v2 in most form plugins. If you run a static site with a Netlify/Vercel form handler or a custom serverless function, Turnstile is the first thing I’d reach for. You validate the token server-side with a simple POST to Cloudflare’s siteverify endpoint.
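
The server-side siteverify step described above, as an added example that is not code from the original post or from Cloudflare. The `expected` hostname/action pinning, the 5-second timeout and the injectable `fetchImpl` are assumptions of this sketch; it rejects the submission whenever the check cannot be completed.

```javascript
// Added example (not from the original post): fail-closed Turnstile verification.
const SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";

// Pure decision step: map Cloudflare's JSON reply to accept/reject.
// `expected` (hostname, action) is an assumption about what this site pins.
function evaluateSiteverify(reply, expected = {}) {
  if (!reply || reply.success !== true) {
    const codes = (reply && reply["error-codes"]) || ["no-reply"];
    return { ok: false, reason: codes.join(",") || "rejected" };
  }
  // A token solved on another site or widget must not be accepted here.
  if (expected.hostname && reply.hostname !== expected.hostname) {
    return { ok: false, reason: "hostname-mismatch" };
  }
  if (expected.action && reply.action !== expected.action) {
    return { ok: false, reason: "action-mismatch" };
  }
  return { ok: true, reason: "verified" };
}

// token: value of the cf-turnstile-response form field.
// fetchImpl is injectable so the logic can be exercised offline.
async function verifyTurnstile(token, remoteIp, opts) {
  const { secret, expected, fetchImpl = fetch, timeoutMs = 5000 } = opts;
  if (typeof token !== "string" || token.length === 0 || token.length > 2048) {
    return { ok: false, reason: "missing-or-oversized-token" };
  }
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set("remoteip", remoteIp);
  try {
    const res = await fetchImpl(SITEVERIFY_URL, {
      method: "POST",
      body,
      signal: AbortSignal.timeout(timeoutMs),
    });
    if (!res.ok) return { ok: false, reason: `http-${res.status}` };
    return evaluateSiteverify(await res.json(), expected);
  } catch (err) {
    // Network error or timeout: reject rather than wave the submission through.
    return { ok: false, reason: "siteverify-unreachable" };
  }
}
```

Keep the secret key on the server only; the widget's site key is the public half.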

hCaptcha

Privacy-friendlier reCAPTCHA alternative, and their pitch is that they share revenue with publishers for solved challenges — which sounds nice, though in practice the amounts are small. The free tier is fine for low-traffic sites. The puzzles are still puzzles (you will click images), which adds friction compared to Turnstile. Worth considering if Turnstile is somehow problematic for your use case, or if you want to hedge against Cloudflare dependency.

Google reCAPTCHA v2 / v3

Mentioning it because it’s everywhere; not recommending it. reCAPTCHA v2 (“I’m not a robot” plus image grids) trains Google’s vision models for free using your visitors as unpaid labor. reCAPTCHA v3 is worse — it runs invisibly and assigns a score, which sounds great until you realize it quietly fails Tor users, VPN users, privacy extension users, and anyone Google’s model is suspicious of. If your audience skews toward privacy-conscious people — home lab readers, sysadmins, anyone running uBlock Origin — you will see false positives, and those visitors will silently fail to submit your form and you’ll never know.

In 2026 there are better options with no meaningful setup overhead difference. Use Turnstile or hCaptcha instead.

Friendly Captcha

EU-based, GDPR-native, and uses proof-of-work instead of image puzzles — the user’s browser does a small cryptographic computation, they click nothing, and you get a token to verify. This is a paid product, but the free tier is generous enough for small sites, and the compliance story is considerably cleaner than any US-based alternative. Strong pick if your audience is primarily in the EU, you’re subject to GDPR in any meaningful way, and you’d prefer not to have a legal conversation about Cloudflare’s data handling.

mCaptcha

FOSS, self-hosted, proof-of-work. This is the home-lab pick: you run the mCaptcha server on your own infrastructure, no third party ever sees your form submissions or your visitors’ challenge responses. The verification logic is solid, the setup is Docker-friendly, and the admin UI is usable.

The honest caveat: setup overhead is real. This isn’t a “I need spam protection working in 30 minutes” option — it’s the “I have a homelab, I like owning my stack, and I have an afternoon” option. If that’s you, it’s excellent. If you just want a contact form to stop getting spam, start with Turnstile.


DIY Techniques (Free, No Third Party)

Honeypot Fields

The simplest thing that works. Add an <input> field to your form, hide it with CSS (not display: none — use absolute positioning offscreen, or a visually-hidden class), give it a tempting name like website or email2. Real users never see it and never fill it in. Bots that scrape form HTML and fill every field get caught.

contact-form-honeypot.html

```html
<!-- Hidden from real users via CSS, irresistible to bots -->
<input
  type="text"
  name="website"
  tabindex="-1"
  autocomplete="off"
  class="visually-hidden"
/>
```

Pair this with a time trap — record the form load time, reject submissions that arrive in under 3 seconds (no human reads and fills a form that fast), and rate-limit per IP. On a low-traffic personal site, this three-part combination stops the overwhelming majority of comment spam at zero cost and zero third-party dependency.
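
One way to run the three checks on the server, as an added example that is not code from the original post. The honeypot field name `website` comes from the snippet above; the `form_token` field, the demo secret, the one-hour token lifetime and the 5-per-10-minutes limit are assumptions. The load time is HMAC-signed so a bot cannot simply send an older timestamp.

```javascript
// Added example, not from the original post. Field name "website" matches the
// honeypot above; form_token, SECRET and the limits below are assumptions.
const crypto = require("node:crypto");

const SECRET = "constructed-demo-secret"; // assumption: read from env in production
const MIN_FILL_MS = 3000;                 // the 3-second floor from the text
const MAX_AGE_MS = 60 * 60 * 1000;        // assumption: form tokens expire after 1 hour
const RATE_LIMIT = 5;                     // assumption: 5 accepted posts per IP...
const RATE_WINDOW_MS = 10 * 60 * 1000;    // ...per 10 minutes

const sign = (ts) =>
  crypto.createHmac("sha256", SECRET).update(String(ts)).digest("hex");

// Put this in a hidden field when the form is served: "<load time>.<hmac>".
// Signing stops a bot from simply backdating the load time.
function issueFormToken(now = Date.now()) {
  return `${now}.${sign(now)}`;
}

// Returns the signed load time in ms, or null if the token is malformed or forged.
function tokenTimestamp(token) {
  const parts = String(token || "").split(".");
  if (parts.length !== 2) return null;
  const [ts, mac] = parts;
  if (!/^\d{1,15}$/.test(ts) || !/^[0-9a-f]{64}$/.test(mac)) return null;
  const good = crypto.timingSafeEqual(
    Buffer.from(mac, "hex"), Buffer.from(sign(ts), "hex"));
  return good ? Number(ts) : null;
}

const hits = new Map(); // ip -> accepted timestamps (in-memory, single process)

// Returns "accept" or the name of the check that rejected the submission.
function checkSubmission(fields, ip, now = Date.now()) {
  if (String(fields.website || "").trim() !== "") return "honeypot";
  const ts = tokenTimestamp(fields.form_token);
  if (ts === null) return "bad-token";
  if (now - ts < MIN_FILL_MS) return "too-fast";
  if (now - ts > MAX_AGE_MS) return "expired";
  const recent = (hits.get(ip) || []).filter((t) => now - t < RATE_WINDOW_MS);
  if (recent.length >= RATE_LIMIT) return "rate-limited";
  hits.set(ip, [...recent, now]);
  return "accept";
}
```

Logging the returned reason per rejection shows which trap is doing the work and whether real visitors are tripping the 3-second floor.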

Antispam Bee (WordPress)

GPL-licensed, no third-party calls, configurable rule set: BBCode detection, country-of-origin filtering, comment language matching, regex patterns, spam IP databases. It’s quietly excellent for hobby WordPress blogs — the kind of site where you’re not running enterprise volume but you’re tired of fishing legitimate comments out of a spam queue.

This is the free Akismet replacement you should try first. Genuinely. Install it, spend 10 minutes on the settings, leave it running. Most small site operators report catch rates they’re happy with, and the GPL license means you can use it however you want.

WP Armor / Titan Anti-spam & Security

WordPress plugins that bundle honeypots, time traps, and rule-based filters into a single install, and extend beyond comments to login pages, registration forms, and contact forms. Less focused than Antispam Bee, but the broader attack surface coverage is useful if you’re running a public-registration WordPress site and not just a blog.

Neither is as elegant as writing your own honeypot logic, but if you want “install and mostly forget,” they get the job done.


Comparison Table

| Tool | Cost | Self-hostable | Privacy | Works on | User friction | Best for |
| --- | --- | --- | --- | --- | --- | --- |
| Akismet | Free/personal; paid commercial | | Low | WordPress + API | None | High-traffic, non-commercial sites |
| CleanTalk | ~$8/yr/site | | Medium | WP, Joomla, Drupal, API | None | Commercial WP on a budget |
| OOPSpam | 40-check trial, then $23+/mo | | Medium-high | WP, Ghost, API | None | Static sites, privacy-conscious |
| Turnstile | Free | | High | Any (JS widget) | Near-zero | Contact forms, any stack |
| hCaptcha | Free/paid tiers | | Medium | Any (JS widget) | Low-medium | Turnstile alternative, EU-OK |
| reCAPTCHA v2/v3 | Free | | Very low | Any | Medium (v2) / Hidden (v3) | Avoid |
| Friendly Captcha | Free/paid tiers | | Very high | Any (JS widget) | Near-zero | EU audience, GDPR compliance |
| mCaptcha | Free (self-host) | | Very high | Any (API) | Near-zero | Homelab, full ownership |
| Honeypot + time trap | Free | | Very high | Any stack | None | Low-traffic DIY setups |
| Antispam Bee | Free (GPL) | | Very high | WordPress only | None | Hobby WP blogs, GPL-required |
| WP Armor / Titan | Free/paid | | High | WordPress only | None | WP multi-surface protection |

How to Actually Pick One


The Honest Truth About Spam in 2026

Spam volume is up again, and the new wave is nastier to filter than the old stuff. LLM-generated comment spam — the kind that reads like a real person engaged with the topic, references specific points from your post, and only includes the link in the author URL field — gets past classifiers that were trained on keyword-stuffed garbage. Even Akismet’s catch rate on this category is lower than their headline numbers suggest.

No single layer catches everything. The realistic approach in 2026 is layered: a challenge widget at the form (Turnstile, Friendly Captcha, or a honeypot depending on your stack and audience) plus a content classifier or rule-based filter behind it (Antispam Bee, OOPSpam, or Akismet if your licensing genuinely fits). The widget drops the bulk automated submissions before they ever hit your classifier, which keeps your API costs low and reduces false positives on the filter side.

Akismet isn’t dead. For a site where the licensing actually fits and the budget is there, the data advantage is real. But it stopped being the obvious default answer somewhere around 2024, when Turnstile matured and the alternatives got good enough to be genuinely competitive.

Pick the layer that matches your stack. Combine two. Revisit it in a year — the LLM spam problem is not going to get easier.

