As a WordPress expert with years of hands-on experience securing sites from bots, I've seen how allowing HTML tags in comments invites spam. By default, WordPress permits tags like <em> and <strong>. Spam bots exploit this, flooding your site with junk. Disabling HTML in comments strips functionality from these tags, making your site far less appealing to automated attackers.
This method only neutralizes active HTML—users can still type tags such as <em> or <strong>, but they won't render as italic or bold text. Most bots don't bother with this workaround, as it's inefficient for them.
To implement, open your theme's functions.php file and add this proven code:
function plc_comment_post($incoming_comment) {
// Convert all comment content to display literally.
// ENT_COMPAT is passed explicitly: since PHP 8.1 the default includes ENT_QUOTES,
// which would turn ' into &#039; before the str_replace below ever sees it.
$incoming_comment['comment_content'] = htmlspecialchars($incoming_comment['comment_content'], ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8');
// Exception for single quotes, as WordPress flags &#039; as spam
$incoming_comment['comment_content'] = str_replace("'", '&apos;', $incoming_comment['comment_content']);
return $incoming_comment;
}
function plc_comment_display($comment_to_display) {
// Restore single quotes
$comment_to_display = str_replace('&apos;', "'", $comment_to_display);
return $comment_to_display;
}
add_filter('preprocess_comment', 'plc_comment_post');
add_filter('comment_text', 'plc_comment_display');

Prefer a no-code solution? Download and activate Peter's Verbatim Comment Plugin from the original author—it's reliable and avoids manual edits.
Editing core files like wp-includes/kses.php works but is not recommended, as updates will overwrite changes. See the WP Codex for details.
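To see what the two filters do to a realistic submission without touching a live site, here is an added example (not code from the original post or from Peter's plugin). It reuses the two callbacks, passes ENT_COMPAT explicitly because PHP 8.1 changed the htmlspecialchars() default to ENT_QUOTES, and runs them on a constructed spam-style comment; the script name and the example.invalid domain are placeholders.

```php
<?php
// Added example, not code from the original post or from Peter's plugin.
// Runs the two filter callbacks outside WordPress on a constructed
// spam-style comment to show what gets stored and what gets rendered.
// Run with: php comment_filter_demo.php

function plc_comment_post(array $incoming_comment): array {
    // ENT_COMPAT is passed explicitly: since PHP 8.1 the default includes
    // ENT_QUOTES, which would turn ' into &#039; before str_replace() runs.
    $incoming_comment['comment_content'] = htmlspecialchars(
        $incoming_comment['comment_content'], ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8'
    );
    $incoming_comment['comment_content'] = str_replace(
        "'", '&apos;', $incoming_comment['comment_content']
    );
    return $incoming_comment;
}

function plc_comment_display(string $comment_to_display): string {
    return str_replace('&apos;', "'", $comment_to_display);
}

function check(bool $ok, string $what): void {
    if (!$ok) {
        fwrite(STDERR, "FAILED: $what\n");
        exit(1);
    }
}

// Constructed sample input: a link plus bold text, as a spam bot would submit.
$submitted = ['comment_content' =>
    "Nice post! Here's <a href=\"http://example.invalid/\">my site</a> <strong>BUY NOW</strong>"];

$stored   = plc_comment_post($submitted);                    // preprocess_comment stage
$rendered = plc_comment_display($stored['comment_content']); // comment_text stage

// No live tag survives storage, so nothing can render as a link or markup.
check(strpos($stored['comment_content'], '<') === false, 'stored content has no raw <');
// The apostrophe is stored as &apos; (not &#039;) and comes back as a plain quote.
check(strpos($stored['comment_content'], '&apos;') !== false, 'apostrophe stored as &apos;');
check(strpos($rendered, "Here's") !== false, 'apostrophe restored on display');
// The link markup reaches the browser as visible text, not as a hyperlink.
check(strpos($rendered, '&lt;a href=&quot;http://example.invalid/&quot;&gt;') !== false,
      'link markup is escaped');

echo "stored:   {$stored['comment_content']}\n";
echo "rendered: {$rendered}\n";
```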