Akismet is pre-installed on every WordPress site but most people never configure it beyond entering an API key. There are a handful of settings that make a real difference to how well it works – and a few things about how it handles data that are worth understanding before you enable it on a site with EU visitors.
How Akismet Actually Works
When a comment, contact form submission, or registration is submitted, Akismet sends the content to Automattic’s servers along with the submitter’s IP address, email, name, and user agent. Automattic’s machine learning system compares it against hundreds of millions of previously seen spam submissions and returns a verdict: spam or ham (not spam). This happens in milliseconds and your site acts on the verdict immediately.
The key implication: Akismet is a cloud service. Data leaves your server on every submission. For most sites this is fine – for healthcare, legal, or any site with strict data handling requirements, this is worth noting explicitly in your privacy policy.
Getting an API Key
Go to akismet.com and create a WordPress.com account. The personal plan is free for non-commercial sites. For business sites, Akismet requires a paid plan – the personal/free plan’s terms of service exclude commercial use. “Commercial” means the site sells something, runs ads, or promotes a business. Most WordPress sites qualify as commercial.
Once you have a key, go to Settings -> Akismet Anti-Spam in your WordPress admin and enter it. Akismet validates the key immediately and shows you the plan details.
The Settings That Actually Matter
Open Settings -> Discussion alongside the Akismet settings page. Two Akismet-specific settings are worth adjusting:
- Show the number of approved comments beside each commenter’s name – leave this off unless you run a high-traffic community site. It adds a database query per comment row.
- Silently discard the worst and most pervasive spam – this is the important one. When enabled, Akismet permanently deletes spam it is highly confident about rather than putting it in the pending queue. Enable this on established sites. On new sites, leave it off initially so you can review what Akismet catches.
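The request behind the verdict described under How Akismet Actually Works, and the response hint that the “silently discard” setting acts on, as an added Python sketch that is not code from Akismet or from this article. It assumes the endpoint, field names and headers of Akismet’s public comment-check REST API; the function names, placeholder key and sample submission are constructed for illustration.

```python
from urllib.parse import urlencode, parse_qs

ENDPOINT = "https://rest.akismet.com/1.1/comment-check"  # Akismet's public REST API
# Submitter data the article lists as leaving the server on every check.
SUBMITTER_FIELDS = ("user_ip", "user_agent", "comment_author",
                    "comment_author_email", "comment_content")


def build_comment_check(api_key, site_url, submission):
    """Return the form-encoded POST body for one submission."""
    if not submission.get("user_ip"):
        raise ValueError("user_ip is required alongside api_key and blog")
    fields = {"api_key": api_key, "blog": site_url, "comment_type": "comment"}
    for key in SUBMITTER_FIELDS:
        if submission.get(key):  # send only what the form actually collected
            fields[key] = submission[key]
    return urlencode(fields)


def fields_leaving_server(body):
    """List the submitter fields present in an outgoing request body."""
    sent = parse_qs(body)
    return [k for k in SUBMITTER_FIELDS if k in sent]


def interpret_response(body, headers, discard_enabled):
    """Map the API reply to the action the site takes."""
    headers = {k.lower(): v for k, v in headers.items()}
    verdict = body.strip()
    if verdict == "false":
        return "ham"
    if verdict == "true":
        # The service flags its highest-confidence spam with this header;
        # the site deletes outright only when the discard setting is on.
        if headers.get("x-akismet-pro-tip") == "discard" and discard_enabled:
            return "discard"
        return "spam-queue"
    # Anything else (for example "invalid") is an error, not a verdict.
    return "error: " + headers.get("x-akismet-debug-help", "unknown")


# Constructed sample submission (documentation IP range, example.com address).
SAMPLE = {"user_ip": "203.0.113.7", "user_agent": "Mozilla/5.0",
          "comment_author": "Jane", "comment_author_email": "jane@example.com",
          "comment_content": "Nice post!"}

if __name__ == "__main__":
    req = build_comment_check("PLACEHOLDER_KEY", "https://example.com", SAMPLE)
    print("POST", ENDPOINT, fields_leaving_server(req))
    print(interpret_response("true", {"X-akismet-pro-tip": "discard"}, True))
```

The list returned by `fields_leaving_server` is the set of data items a privacy policy disclosure needs to cover for each form wired to Akismet.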
Checking What Akismet is Catching
Go to Comments -> Spam in WordPress admin. You’ll see everything Akismet has flagged. Scan through periodically – every few weeks on busy sites, monthly on quieter ones. Look for legitimate comments mistakenly flagged (false positives). When you find one, click “Not Spam” – this trains Akismet’s model for your specific site.
The spam queue auto-clears after 15 days by default. You can change this by adding to wp-config.php:
define('AKISMET_DELETE_AFTER', 7); // days before auto-deletion
GDPR Considerations
Akismet’s privacy policy states it processes data on Automattic’s servers in the US. Under GDPR, this requires disclosure. Add a note to your privacy policy stating that comments and form submissions are checked against Akismet’s spam database, and link to Akismet’s privacy policy at akismet.com/privacy/.
Akismet also sets a cookie on commenters who check “save my name, email, and website” – this cookie stores their comment author data. If you want to avoid this cookie, you can disable the native WordPress comment author cookie entirely, though this removes a convenience for repeat commenters.
Akismet With Contact Form Plugins
Akismet works natively with WordPress comments. For contact forms, integration varies:
- Contact Form 7 – install the separate “Akismet” module in CF7 settings to enable spam checking on forms
- WPForms – Akismet integration is built into WPForms Pro; free version does not include it
- Gravity Forms – has native Akismet integration in form settings
- Fluent Forms – has built-in Akismet integration
Without form-level integration, Akismet only checks WordPress native comments – contact form spam gets through regardless of Akismet.