threatover Patrik Grobshäuser

// COMMENT SPAM · WORDPRESS · CLEARED

WordPress spam comment cleanup.

When spam ends up on posts where commenting is disabled, the spammer isn’t using your comment form — they’re writing to the database directly. I clean it, find how they got in, and harden the comment system. Flat $279.

§ 01 — MECHANISM

If Akismet didn’t see it, Akismet can’t stop it.

Normal spam goes through the comment form, where Akismet and similar plugins can score it. Injected spam skips the form entirely — it’s either written into wp_comments via a vulnerable plugin or appended to post content via stolen credentials.

Both cases need cleanup at the database level. I remove the spam without touching legitimate comments, find the route the attacker used, and harden it so Akismet’s job becomes possible again.

// SQL — find comments that bypassed moderation
-- comment_approved is a string column: '1', '0', 'spam' or 'trash'
SELECT comment_ID, comment_author, comment_date
  FROM wp_comments
 WHERE comment_approved = '1'
   AND comment_author_url LIKE '%http%'
 ORDER BY comment_date DESC LIMIT 50;

-- A burst of auto-approved comments with outbound URLs,
-- during hours your site is normally quiet — investigate.
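
The query above covers auto-approved comments with links. As an added example (not part of the original page), the read-only query below looks for the other case this page describes: approved comments attached to posts whose comment form is closed, grouped by hour so bursts stand out. It assumes the default wp_ table prefix and MySQL/MariaDB; the column aliases are illustrative.

```sql
-- Added example, not from the original page. Assumes the default wp_
-- table prefix and MySQL/MariaDB. Read-only: it changes nothing.
-- Approved comments on posts whose comment form is closed, grouped by
-- post and hour so that bursts surface at the top.
SELECT p.ID                                              AS post_id,
       p.post_title,
       DATE_FORMAT(c.comment_date_gmt, '%Y-%m-%d %H:00') AS hour_gmt,
       COUNT(*)                                          AS comments_in_hour,
       -- comments carrying a link in the author URL or in the body
       SUM(c.comment_author_url LIKE 'http%'
           OR c.comment_content LIKE '%http%')           AS with_links,
       -- many comments from few IPs in one hour is a burst signal
       COUNT(DISTINCT c.comment_author_IP)               AS distinct_ips,
       -- user_id = 0 means the comment is not tied to a logged-in user
       SUM(c.user_id = 0)                                AS anonymous
  FROM wp_comments AS c
  JOIN wp_posts    AS p ON p.ID = c.comment_post_ID
 WHERE c.comment_approved = '1'
   -- pingbacks and trackbacks are reviewed separately
   AND c.comment_type NOT IN ('pingback', 'trackback')
   AND p.comment_status = 'closed'
 GROUP BY p.ID, p.post_title, hour_gmt
 ORDER BY comments_in_hour DESC, hour_gmt DESC
 LIMIT 50;
```

Comments that predate the form being closed also match, because wp_posts does not record when comment_status changed, so compare hour_gmt with the date you closed commenting on that post.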

§ 02 — WHAT WE REMOVE

Every comment, every post, every link.

  • [ TRIAGE ]

    Database scanned for comments that don’t match your moderation rules — auto-approved with links, posted in bursts, attached to closed-comment posts.

  • [ COMMENTS ]

    Injected comments removed in bulk. Legitimate comments preserved. Pingbacks reviewed.

  • [ POSTS ]

    Post content scanned for spam links injected directly into the body. Removed, originals kept.

  • [ DATABASE ]

    wp_commentmeta, wp_postmeta, and related tables audited for hidden persistence.

  • [ HARDENING ]

    Comment endpoints rate-limited. Akismet and Recent Comments plugins audited. Plugin vulnerabilities patched.

  • [ REPORT ]

    Plain-English forensic write-up, count of comments removed, what to do before re-opening comments.

§ PRICE

Flat $279. One-time. Per site.

[ RESCUE ]

$279

FLAT · ONE-TIME · PER SITE

Manual cleanup, entry-vector identification, written forensic report.


[ SHIELD ]

$29 / mo

PER SITE · CANCEL ANY TIME

Continuous monitoring, hardening, one cleanup per year included.


Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.


Start an engagement.

Send the scope, stack, and timeline. You get a written proposal with a fixed quote.
