Spam is a layered problem
No single trick stops comment spam. Bots evolve, spammers hire humans, and any one filter eventually leaks. So the goal is not a perfect wall but a stack of cheap checks, each catching a different slice, so that very little reaches your thread and the rest lands in a queue instead of on the page. Gabden takes that layered approach, and it does it without making your readers prove they are human with a puzzle.
The layers
Invisible bot checks
The first layer targets automated posting. Hidden form fields (honeypots) catch bots that fill in every input they find, since a real reader never sees or touches those fields. Timing and behavior checks flag submissions that arrive faster than a person could type. None of this is visible to a genuine reader, so there is nothing to solve and nothing to fail by accident.
Rate limits
The second layer targets volume. A single source trying to post many comments in a short window gets throttled. This blunts the scripted floods that make up a large share of comment spam, and it does it before those comments ever reach a human for review.
Blocked-word filter
The third layer targets content. You maintain a blocked-word list, and comments that match are held or rejected. This is where you handle the specific junk your niche attracts: certain product names, link patterns, or phrases that only ever show up in spam on your site. It is a blunt tool used precisely, because you control the list.
The pending queue
The fourth layer is containment. Anything suspicious that gets past the earlier checks goes to a spam and pending queue rather than straight to the page. You review it on your schedule, approve the false positives, and delete the rest. The important property is that a borderline comment is never live and visible while it waits. Readers see a clean thread; you see the queue.
Moderation modes
The fifth layer is your policy, expressed as a setting. Gabden has four moderation modes:
- Pre-moderate everything, so nothing appears until you approve it. Safest, most work.
- Auto-approve, so comments appear immediately and you clean up after. Least work, most exposure.
- Auto-approve returning verified people, so known good commenters flow through while new and unverified ones wait. This is the setting most blogs settle on, because it rewards regulars and screens strangers.
- Moderate only anonymous users, so signed-in readers post freely and anonymous ones get reviewed, which is where most abuse comes from.
Why no CAPTCHA
CAPTCHAs push the work onto your readers and still lose to modern bots. They add friction exactly at the moment a person decided to contribute, which is the worst time to slow someone down. The layers above do the filtering behind the scenes instead, so a real reader clicks post and it just works. We wrote more about that reasoning in our piece on stopping spam without CAPTCHA.
Identity as a spam signal
How a reader chooses to identify is itself a filter. Anonymous posting is the most open and the most abused, so you can moderate only that group. Guest posting asks for a name and email, which adds a little accountability. Signing in with Google or GitHub raises the bar further. Because Gabden supports all of these, you can tune how much trust each level of identity earns, rather than treating every commenter the same.
What you are left with
Stacked together, these layers mean most spam is dropped silently, borderline cases wait in a queue, and your readers never see a puzzle. You spend your moderation time on genuine judgment calls instead of clearing out obvious junk. If you want to set this up, the modes and the blocked-word list are in the docs, and you can create a site to try the defaults.




Join the discussion