This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.

Bad Behavior


Welcome to a whole new way of keeping your blog, forum, guestbook, wiki or
content management system free of link spam. Bad Behavior is a PHP-based
solution for blocking link spam and the robots which deliver it.

Thousands of sites large and small, like SourceForge, GNOME, the U.S.
Department of Education, and many more, trust Bad Behavior to help reduce
incoming link spam and malicious activity.

Bad Behavior complements other link spam solutions by acting as a gatekeeper,
preventing spammers from ever delivering their junk, and in many cases, from
ever reading your site in the first place. This keeps your site’s load down,
makes your site logs cleaner, and can help prevent denial of service
conditions caused by spammers.

Bad Behavior also transcends other link spam solutions by working in a
completely different, unique way. Instead of merely looking at the content of
potential spam, Bad Behavior analyzes the delivery method as well as the
software the spammer is using. In this way, Bad Behavior can stop spam attacks
even when nobody has ever seen the particular spam before.

Bad Behavior is designed to work alongside existing spam prevention services
to increase their effectiveness and efficiency. Whenever possible, you should
run it in combination with a more traditional spam prevention service.

Bad Behavior works on, or can be adapted to, virtually any PHP-based Web
software package. Bad Behavior is available natively for WordPress, MediaWiki,
Drupal, ExpressionEngine, and LifeType, and people have successfully made it
work with Movable Type, phpBB, and many other packages.

Installing and configuring Bad Behavior on most platforms is simple and takes
only a few minutes. In most cases, no configuration at all is needed. Simply
turn it on and stop worrying about spam!

The core of Bad Behavior is free software released under the GNU Lesser General
Public License, version 3, or at your option, any later version.

Release Notes

Bad Behavior 2.2 Known Issues

  • Bad Behavior 2.2 requires MySQL 5.0 or later and PHP 5.2 or later.

  • CloudFlare users must enable the Reverse Proxy option in Bad Behavior’s
    settings. See the documentation for further details.

  • Bad Behavior is unable to protect internally cached pages on MediaWiki.
    Only form submissions will be protected.

  • When upgrading from version 2.0.19 or prior on MediaWiki and WordPress,
    you must remove the old version of Bad Behavior from your system manually
    before manually installing the new version. Other platforms are not
    affected by this issue.

  • Bad Behavior on WordPress requires version 3.1 or later. Users of older
    versions should upgrade WordPress prior to installing Bad Behavior.

  • On WordPress when using WP-Super Cache, Bad Behavior must be enabled in
    WP-Super Cache’s configuration in order to protect PHP Cached or Legacy
    Cached pages. Bad Behavior cannot protect mod_rewrite cached (Super Cached)

  • When using Bad Behavior in conjunction with Spam Karma 2, you may see PHP
    warnings when Spam Karma 2 displays its internally generated CAPTCHA. This
    is a design problem in Spam Karma 2. Contact the author of Spam Karma 2 for
    a fix.


  • Most of the time, only spammers see this. In the rare event a human winds up here, a way out is provided. This may involve removing malicious software from the user's computer, changing firewall settings or other simple fixes which will immediately grant access again.

  • Bad Behavior's built-in log viewer (WordPress) shows why requests were blocked and allows you to click on any IP address, user-agent string or block reason to filter results.


Warning: If you are upgrading from a 2.0.x release of Bad Behavior, it is
recommended that you delete the old version from your system before
installing the 2.2.x release, or obsolete files may be left lying around.

Warning: If you are upgrading from a 1.x.x version of Bad Behavior,
you must remove it from your system entirely, and delete all of its
database tables, before installing Bad Behavior 2.2.x or 2.0.x. If you are
upgrading from version 2.0.18 or prior, you must delete all of its files
before upgrading, but do not need to delete the database tables.

Bad Behavior has been designed to install on each host software package in
the manner most appropriate to that platform. It’s usually sufficient to
follow the generic instructions for installing any plugin or extension
for your host software.

On MediaWiki, it is necessary to add a second line to LocalSettings.php
when installing the extension. Your LocalSettings.php should include
the following:

    include_once( 'includes/DatabaseFunctions.php' );
    include( './extensions/Bad-Behavior/bad-behavior-mediawiki.php' );

For complete documentation and installation instructions, please visit


July 20, 2022
Running WP 6.0 now. Error raised today: An error of type E_ERROR was caused in line 34 of the file /home/*/blog/wp-content/plugins/bad-behavior/bad-behavior/ Error message: Uncaught TypeError: dechex(): Argument #1 ($num) must be of type int, string given in /home/*/blog/wp-content/plugins/bad-behavior/bad-behavior/ Looks like it chokes on IPv6 addresses. As a consequence, I am now disabling and deinstalling the abandoned plugin.
December 4, 2019
I've given this plugin various opportunities throughout my decade of using WordPress, and while it does work to filter out spam comments for the most part, so do a lot of other plugins. If it wanted to stand out, it needs to not cause problems with my websites themselves. Unfortunately, it's come to my attention that it's not working friendly with PHP version 7.2 which is what my hosting service is recommending me to use at this time. If a plugin is not keeping up to date with basic PHP versioning and giving my site loading problems, I'd be better off with other solutions.
September 12, 2019
Although sometimes it can be tricky if you get a false positive, those are pretty rare (haven't seen one in a couple years). Works well to keep bad actors off your site.
November 7, 2016
I was using Bad Behavior and suddenly my iThemes Sync plugin locked me out of 7 websites. Bad news. After much troubleshooting, I had to log in to all sites individually to whitelist the IPs. Don't know why this happened overnight and to all the websites, but if such behavior continues I will have to uninstall Bad Behavior.
September 3, 2016
This has been a "Must have" on every site I build. It cooperates with every plugin that I have used for years and simply works. No fuss at all no conflicts and so easy to set up.