Spam Protection

Comment spamming and other types of spamming have become common problems for systems that permit user-submitted information. If you are not familiar with comment spamming, it is when someone repeatedly submits malicious comments into your system. This can be done manually, or, if the person is more sophisticated, with scripts designed to insert hundreds or even thousands of comments automatically.

ExpressionEngine has several security features aimed at preventing spamming. There is no "silver bullet", as spammers adapt their tactics to new deterrents, but the combination of security features in ExpressionEngine should provide a high degree of safety, particularly against the automated spamming methods.

Secure Form Mode

When this feature is enabled, all forms will contain a hidden field with a random 32-character alphanumeric hash. When any form is submitted, the security table is queried to see if the hash exists (and has not expired). If so, the form data is processed normally; otherwise the submission is rejected.

Secure Form Mode prevents automated scripts from repeatedly sending raw POST requests with comment or other form data. A submission is only allowed when a user loads a page and submits the form from your site, not when POST data is transmitted through some other channel. Once a submission has been received, its hash is used up, so the user has to reload the page (and receive a new hash) before they can submit again.

The setting is located at: Admin > Security and Session Preferences > Process all forms in secure mode
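The mechanism described above, as an added illustration in Python (not ExpressionEngine's own PHP code): a token table that issues a random 32-character hash for each rendered form, stores it with an expiry, and accepts a POST only if the hash is present, unexpired, and has not already been used. The field name `form_token`, the lookup table being an in-memory dictionary, and the `handle_post` function are assumptions for the example; in a real installation the table would live in the database.

```python
import secrets
import time
from typing import Dict, List, Optional


class SecureFormTokens:
    """Issue one-time form tokens and validate them on submission.

    Tokens are 32 hexadecimal characters (so alphanumeric) and expire after
    `ttl_seconds`. A token is removed from the table on first use, so a
    replayed POST carrying the same token is rejected.
    """

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.ttl = ttl_seconds
        self._table: Dict[str, float] = {}  # token -> expiry timestamp

    def issue(self, now: Optional[float] = None) -> str:
        """Create a token for a page render and record when it expires."""
        now = time.time() if now is None else now
        token = secrets.token_hex(16)  # 16 random bytes -> 32 hex characters
        self._table[token] = now + self.ttl
        return token

    def hidden_field(self, now: Optional[float] = None) -> str:
        """The hidden input a rendered form would carry (field name assumed)."""
        return f'<input type="hidden" name="form_token" value="{self.issue(now)}">'

    def validate(self, token: Optional[str], now: Optional[float] = None) -> bool:
        """True only if the token exists, is unexpired, and has not been used."""
        now = time.time() if now is None else now
        self._purge_expired(now)
        if not token:
            return False
        expiry = self._table.pop(token, None)  # single use: consume it
        return expiry is not None and expiry > now

    def _purge_expired(self, now: float) -> None:
        for stale in [t for t, exp in self._table.items() if exp <= now]:
            del self._table[stale]


def handle_post(tokens: SecureFormTokens, form_data: Dict[str, str],
                now: Optional[float] = None) -> str:
    """Process a POST body (dict) only if it carries a valid form token."""
    if not tokens.validate(form_data.get("form_token"), now):
        return "rejected: missing, expired or already-used form token"
    return f"accepted comment from {form_data.get('name', 'anonymous')}"


def demo() -> List[str]:
    """Walk through the cases Secure Form Mode is meant to handle."""
    tokens = SecureFormTokens(ttl_seconds=600)
    t0 = 1_000_000.0  # constructed clock value
    tok = tokens.issue(now=t0)
    results = []
    # 1. Raw POST with no token (the page was never loaded): rejected.
    results.append(handle_post(tokens, {"name": "bot", "comment": "spam"}, now=t0))
    # 2. Genuine submission from the rendered form: accepted.
    results.append(handle_post(tokens, {"form_token": tok, "name": "alice",
                                        "comment": "hi"}, now=t0 + 5))
    # 3. The same POST sent again: token already consumed, rejected.
    results.append(handle_post(tokens, {"form_token": tok, "name": "alice",
                                        "comment": "hi"}, now=t0 + 6))
    # 4. A token submitted after its expiry: rejected.
    stale = tokens.issue(now=t0)
    results.append(handle_post(tokens, {"form_token": stale, "name": "bob"},
                               now=t0 + 601))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The token proves that the form was loaded from your site before it was submitted; it does not by itself prove that a human filled it in, which is why the page pairs this mode with CAPTCHAs, duplicate detection and rate limits.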

CAPTCHAs

A CAPTCHA is a computer-generated test designed so that humans can pass it but automated programs cannot. It's most commonly used to prevent automated bots from spamming comments or from signing up for web services. Yahoo, for example, uses a CAPTCHA when you sign up for an account.

ExpressionEngine can optionally use CAPTCHAs for comment submission and member registration. This adds another level of protection from automated spamming attacks.

Deny Duplicate Data

The "Deny Duplicate Data" feature is similar to Secure Form Mode, but matches the submitted data itself instead of relying on the existence of a unique hash. It will reject any form submission if identical data already exists in the database, so a malicious person can't submit the same information twice.

The setting is located at: Admin > Security Settings > Deny Duplicate Data

Comment Time Interval

This setting defines the amount of time that must elapse between comment postings. A malicious user will have to wait until that time has elapsed before being able to post again.

The setting is located at: Admin > Weblog Management > Edit Preferences > Comment Time Interval

Trackback Pings Per Hour

Trackback spamming can be a concern as well. This setting defines the maximum number of Trackback pings your site will accept in one hour; capping the total caps the number of malicious trackbacks you can receive in that time.

The setting is located at: Admin > Weblog Management > Edit Preferences > Trackback Pings Per Hour
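The three checks above (Deny Duplicate Data, Comment Time Interval and Trackback Pings Per Hour), as one added example in Python rather than ExpressionEngine's own code: a submission guard that fingerprints each comment's fields to detect identical data, enforces a minimum interval per commenter, and counts trackback pings in a sliding one-hour window. The `SubmissionGuard` class, its in-memory storage, the SHA-256 fingerprint and the author key (name plus IP address) are assumptions for the illustration; the default limits are constructed sample values, not ExpressionEngine's defaults.

```python
import hashlib
from collections import deque
from typing import Deque, Dict, List, Set, Tuple


class SubmissionGuard:
    """Reject duplicate comments, too-frequent comments and excess trackbacks."""

    def __init__(self, comment_interval: int = 30, trackback_per_hour: int = 20) -> None:
        self.comment_interval = comment_interval      # seconds between comments
        self.trackback_per_hour = trackback_per_hour  # pings accepted per hour
        self._seen: Set[str] = set()                  # fingerprints of accepted comments
        self._last_comment: Dict[str, float] = {}     # author key -> last accepted time
        self._trackbacks: Deque[float] = deque()      # accepted ping timestamps (last hour)

    @staticmethod
    def fingerprint(fields: Dict[str, str]) -> str:
        """Canonical hash of all submitted fields; field order does not matter."""
        canonical = "\n".join(f"{k}={fields[k]}" for k in sorted(fields))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def check_comment(self, author_key: str, fields: Dict[str, str],
                      now: float) -> Tuple[bool, str]:
        # Deny Duplicate Data: identical submission already stored.
        fp = self.fingerprint(fields)
        if fp in self._seen:
            return False, "duplicate data"
        # Comment Time Interval: same author posting again too soon.
        last = self._last_comment.get(author_key)
        if last is not None and now - last < self.comment_interval:
            wait = self.comment_interval - (now - last)
            return False, f"too soon; wait {wait:g}s"
        self._seen.add(fp)
        self._last_comment[author_key] = now
        return True, "accepted"

    def check_trackback(self, now: float) -> Tuple[bool, str]:
        # Trackback Pings Per Hour: drop pings older than an hour, then count.
        while self._trackbacks and now - self._trackbacks[0] >= 3600:
            self._trackbacks.popleft()
        if len(self._trackbacks) >= self.trackback_per_hour:
            return False, "hourly trackback limit reached"
        self._trackbacks.append(now)
        return True, "accepted"


def demo() -> List[Tuple[bool, str]]:
    """Constructed submissions exercising each rule."""
    guard = SubmissionGuard(comment_interval=30, trackback_per_hour=2)
    comment = {"name": "alice", "email": "alice@example.com", "comment": "Nice post!"}
    alice = "alice@203.0.113.5"      # constructed author key: name + client IP
    other = "mallory@198.51.100.7"
    out = []
    out.append(guard.check_comment(alice, comment, now=0.0))                     # accepted
    out.append(guard.check_comment(alice, {**comment, "comment": "Another"}, now=10.0))  # too soon
    out.append(guard.check_comment(other, dict(comment), now=10.0))             # duplicate data
    out.append(guard.check_comment(alice, {**comment, "comment": "Another"}, now=31.0))  # accepted
    out.append(guard.check_trackback(now=0.0))      # accepted (1 of 2)
    out.append(guard.check_trackback(now=1.0))      # accepted (2 of 2)
    out.append(guard.check_trackback(now=2.0))      # limit reached
    out.append(guard.check_trackback(now=3601.0))   # window has rolled over: accepted
    return out


if __name__ == "__main__":
    for ok, reason in demo():
        print("ACCEPT" if ok else "REJECT", reason)
```

The duplicate check runs before the interval check so that a resubmitted copy of an existing comment is reported as a duplicate regardless of who sends it; the interval is keyed per commenter rather than globally so that one slow spammer cannot lock out everyone else.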

Site Membership

Although this isn't technically a security feature, requiring your users to be members of your site provides additional safety against spamming, since you have better control over who is able to post on your site.