LiveChat
Support
Blog
Affiliates
WordPress enables comments, pingbacks, and trackbacks by default. If you don't use comments, or if you're getting hammered by spam, disabling them reduces spam, improves security, and saves server resources. This guide covers how to turn them off globally, on existing posts, and at the server level.
Disable Everything in 3 Steps
- ✓ Settings > Discussion > uncheck all boxes under "Default post settings"
- ✓ Bulk edit existing posts to disable comments (see Section 2)
- ✓ Block xmlrpc.php to stop pingback spam (see Section 3)
01. Disable Comments on New Posts
- Go to Settings > Discussion in WordPress admin
- Uncheck these boxes:
- "Attempt to notify any blogs linked to from the post"
- "Allow link notifications from other blogs (pingbacks and trackbacks)"
- "Allow people to submit comments on new posts"
- Click Save Changes
This only affects new posts going forward. Existing posts retain their individual comment settings.
02. Disable Comments on Existing Posts
- Go to Posts > All Posts
- Select all posts - check the top checkbox to select all on the page. If you have many posts, change "Screen Options" to show more per page
- Choose "Edit" from the Bulk Actions dropdown and click Apply
- Set Comments to "Do not allow"
- Set Pings to "Do not allow"
- Click Update
Repeat for Pages (Pages > All Pages) if needed. For sites with hundreds of posts, a plugin like "Disable Comments" by developer developer can turn off comments globally with one click.
03. Disable Pingbacks and Trackbacks
Pingbacks and trackbacks are a WordPress feature that notifies other blogs when you link to them (and vice versa). In practice, they're almost exclusively used for spam. Disabling them in Settings > Discussion (Section 1) stops WordPress from processing new ones, but spammers can still send pingback requests to xmlrpc.php.
Block xmlrpc.php (Recommended)
If you don't use the WordPress mobile app, Jetpack, or any service that requires XML-RPC, you can block it entirely in .htaccess:
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>This stops all pingback spam at the server level before WordPress even processes it, saving CPU and database load. See our .htaccess guide for more.
If you use the WordPress mobile app or Jetpack, blocking xmlrpc.php will break them. In that case, leave xmlrpc.php accessible and just disable pingbacks in Settings > Discussion. See our Jetpack guide for more on this.
04. Dealing With Comment Spam
If you want to keep comments enabled but reduce spam:
- Akismet - comes pre-installed with WordPress, catches the majority of spam comments automatically
- Require manual approval - Settings > Discussion > "Comment must be manually approved"
- Close comments on old posts - Settings > Discussion > "Automatically close comments on posts older than X days"
- Require registration - Settings > Discussion > "Users must be registered and logged in to comment"
For WordPress security beyond comments, see our WordPress Security Guide.
Comment Spam Overwhelming Your Site?
If spam comments are causing resource limit errors or filling your database, open a ticket. We can help clean up the database and block the spam sources.
Open a Support TicketQuick Recap
- Settings > Discussion - uncheck all three default post settings
- Bulk edit existing posts - set Comments and Pings to "Do not allow"
- Block xmlrpc.php - in .htaccess to stop pingback spam at the server level
- Keep Akismet active - if you leave comments enabled
- Close comments on old posts - to reduce the spam surface area
Last updated March 2026 · Browse all WordPress articles
