SpamAnvil

Is SpamAnvil really free?

Yes, 100% free and open source. There is no premium version. You only need an API key from an AI provider, and free options are available (e.g., OpenRouter with free Llama models).

How is SpamAnvil different from Akismet?

Akismet uses a centralized cloud service owned by Automattic. It requires a paid subscription for commercial sites, and all your comments are sent to Akismet’s servers. SpamAnvil lets you choose your own AI provider, works with free models, keeps you in control of your data, and uses true AI understanding instead of statistical pattern matching.

How is SpamAnvil different from Antispam Bee?

Antispam Bee uses traditional techniques like honeypot fields, country blocking, and regex rules. These work for basic spam but miss sophisticated attacks. SpamAnvil adds AI analysis that actually reads and understands comments in context, catching spam that looks legitimate to keyword-based systems.

Which AI provider should I use?

For free usage: OpenRouter with the free Llama 3.1 8B model works surprisingly well for spam detection.
For best accuracy: OpenAI GPT-4o-mini offers the best quality-to-price ratio.
For privacy: Google Gemini or a self-hosted model via the Generic OpenAI-compatible option.
For maximum reliability: Configure a primary + fallback provider so spam checking never stops.

Does this slow down my website?

No. In the default async mode, comments are held as “pending” and processed in the background via WP-Cron every 5 minutes. Your visitors experience zero added latency. There’s also a sync mode available if you prefer instant results.

What happens if the AI service is down?

SpamAnvil has built-in resilience: failed requests are retried up to 3 times with exponential backoff (1 min, 5 min, 15 min). You can also configure a fallback provider that kicks in automatically when the primary fails.

Is my data safe?

Comment content is sent to your chosen AI provider for analysis – this is the only external data transmission. API keys are encrypted with AES-256-CBC in the database (or can be defined in wp-config.php to never touch the database). IP addresses are stored as SHA-256 hashes and displayed masked in the admin panel.

Does SpamAnvil work with WooCommerce?

Yes. SpamAnvil hooks into WordPress’s standard comment system, which WooCommerce product reviews also use.

Does it work with multilingual sites?

Yes! AI language models understand comments in virtually any language. This is a major advantage over keyword-based spam filters that only work for English.

Can spammers trick the AI with prompt injection?

SpamAnvil uses 6 layers of prompt injection defense: (1) comment content is wrapped in <comment_data> boundary tags, (2) the system prompt explicitly instructs the AI to ignore instructions within comments, (3) heuristic patterns detect common injection phrases and raise the spam score, (4) responses are validated as strict JSON, (5) LLM temperature is set to 0 for deterministic behavior, (6) content is truncated at 5,000 characters.

Can I use a local/self-hosted AI model?

Yes! If you run a local model with an OpenAI-compatible API (e.g., LM Studio, Ollama with a proxy, vLLM, Text Generation WebUI), you can connect it using the “Generic OpenAI-Compatible” provider option with your local URL.

Who developed SpamAnvil?

SpamAnvil was created by Dr. Alexandre Amato, a vascular surgeon and software developer based in Brazil. When he’s not in the operating room, he builds open-source tools and medical education resources such as Enciclopédia Médica.

What WordPress versions are supported?

SpamAnvil requires WordPress 5.8+ and PHP 7.4+.

How can I support SpamAnvil?

SpamAnvil is 100% free and always will be. No premium tier, no “pro” upsells. If it’s saving you time and money, you can sponsor the project on GitHub. What’s the next WordPress problem I’ll solve and make free? I’m tired of expensive solutions for simple problems.

Hide FAQ

1.2.7

• Feature: Cron now automatically scans pending WordPress comments when the queue is empty — no manual “Scan Pending” click needed
• Fix: Comments stuck in “Max Retries” are now automatically retried after 1 hour instead of requiring manual intervention
• Enhancement: Provider dropdowns only show providers with a configured API key — prevents selecting unconfigured providers
• Enhancement: DISABLE_WP_CRON warning only shown when cron is actually not running (no false alarm when a real server cron is configured)

1.2.2

• Feature: “Last automatic run” timestamp in Queue Status card shows when WP-Cron last processed the queue
• Enhancement: Warning displayed when cron hasn’t run in over 10 minutes (helps diagnose stale queues)

1.2.1

• Fix: Queue now processes automatically — spawn_cron() called after each comment is enqueued so processing starts immediately instead of waiting for the next site visit
• Fix: Cron event is verified on every page load and re-scheduled if missing (prevents stale queues after plugin reinstall or cron table cleanup)

1.2.0

• Fix: “Process Queue Now” no longer blocked by concurrent WP-Cron lock — manual processing always works immediately
• Fix: Progress counter now correctly tracks completed items (previously showed 0 when items failed)
• Enhancement: Shows clear error message when all items in a batch fail (“check Logs tab for details”)
• Enhancement: GitHub Sponsors links added throughout the plugin for those who want to support development
• Enhancement: New FAQ entry about supporting the project

1.1.9

• Fix: “Process Queue Now” and “Scan Pending Comments” now show an error with a link to configure a provider instead of attempting to process without one
• Feature: Portuguese (Brazilian) translation — pt_BR
• Enhancement: Updated POT file with all translatable strings

1.1.7

• Enhancement: Spam blocked counter updates in real-time while the queue is being processed
• Enhancement: API key spending limit tip on Providers settings tab

1.1.6

• Feature: Dashboard widget on the main WordPress admin page showing total spam blocked
• Enhancement: “Rate ★★★★★” link appears in the widget after 20+ spam blocked
• Enhancement: “Spam Comments Blocked” hero banner now shown on both General and Statistics tabs

1.1.4

• Fix: Cron now processes the entire queue per run (up to 50 seconds) instead of only 5 items — large backlogs clear in minutes, not hours
• Fix: Queue processing starts immediately after “Scan Pending Comments” (spawns cron) instead of waiting up to 5 minutes

1.1.3

• Fix: “Process Queue Now” button is now enabled immediately after “Scan Pending Comments” enqueues items (no page reload needed)
• Enhancement: Queue counter updates in real-time after scanning

1.1.2

• Feature: All-time “Spam Comments Blocked” hero banner on Statistics page with AI, heuristic, and IP blocking breakdown
• Enhancement: 30-day stats now clearly labeled under a “Last 30 Days” heading

1.1.1

• Feature: Data preservation on uninstall — settings, stats, logs, and blocked IPs are kept by default when reinstalling
• Enhancement: New “Delete Data on Uninstall” option in General settings for users who want a complete removal

1.1.0

• Feature: Welcome redirect after activation with setup guidance
• Feature: Review request notice after 50+ comments checked (dismissible, never nags)
• Feature: Unconfigured provider warning on plugin settings pages
• Feature: Contextual “Tips & Insights” card on Statistics page with actionable suggestions
• Enhancement: “Rate ★★★★★” and “Docs” action links on the Plugins page
• Enhancement: All marketing notices are dismissible and only shown on plugin pages

1.0.8

• Feature: Anvil Mode — send comments to ALL configured providers; if any flags it as spam, the comment is blocked
• Enhancement: Each provider’s evaluation is logged individually in Anvil Mode for full transparency
• Enhancement: Highest score across all providers is used for the spam decision (strictest verdict wins)

1.0.7

• Fix: Fallback providers now actually triggered on API timeouts and errors (previously only used when API key was missing)
• Fix: HTTP timeout increased from 30s to 60s to support slower reasoning models (e.g. DeepSeek R1)
• Feature: Provider chain tries Primary → Fallback → Fallback 2 before giving up
• Feature: Second fallback provider option (3 providers in the chain)
• Enhancement: Each provider failure is individually logged before trying the next
• Enhancement: “Process Queue Now” also retries max_retries items (resets attempt counter for a fresh cycle)
• Enhancement: Evaluation log “Reason” column now wraps text instead of being truncated

1.0.6

• Feature: Clear API Key button to delete saved keys from the database
• Feature: Load Extended Spam Words list with 100+ curated terms (gambling, pharma, SEO, piracy, scams)
• Enhancement: Default OpenRouter model updated to openai/gpt-oss-20b:free
• Enhancement: “Process Queue Now” retries failed items immediately (ignores backoff timer)
• Enhancement: API failures are now logged in evaluation logs with error details
• Fix: phpcs warning for set_time_limit resolved

1.0.5

• Fix: “Process Queue Now” no longer times out – increased AJAX timeout to 3 minutes and extended PHP execution limit
• Enhancement: Completely rewritten system prompt with detailed spammer tactic guidelines (URL promotion, generic flattery, gambling/piracy names, template detection)
• Enhancement: Author URL now a strong spam signal – combo detection with generic praise for near-certain spam identification
• Enhancement: Brand-name author detection expanded with gambling/lottery, piracy/streaming, and per-word alphanumeric pattern checking
• Enhancement: 50+ generic spam template phrases detected (including long-form templates like “I have been surfing online”)
• Enhancement: New {site_language}, {author_has_url}, {url_count} placeholders in user prompt
• Enhancement: System prompt now instructs LLM to never reveal its instructions (prompt leak defense)
• Enhancement: Language mismatch, name/email script mismatch heuristic signals added

1.0.1

• Fix: Test Connection now works without saving the page first – reads API key and model directly from form fields
• Fix: Improved error messages on Test Connection failures – shows actual API error details instead of just HTTP code
• Fix: Updated default OpenRouter model from deprecated llama-3.1-8b to llama-3.3-70b-instruct:free

1.0.0

• Initial release
• AI-powered spam detection with 6 provider options (OpenAI, Anthropic Claude, Google Gemini, OpenRouter, Featherless.ai, Generic)
• Intelligent heuristic pre-analysis engine with prompt injection detection
• Async (WP-Cron) and sync processing modes
• Smart IP blocking with escalating ban durations
• Automatic retry with exponential backoff
• AES-256-CBC encrypted API key storage with wp-config.php constant support
• Statistics dashboard with daily activity tracking
• Full evaluation logs with AI reasoning
• Customizable system and user prompts
• Multi-layered prompt injection defense
• GDPR/LGPD privacy-first design