Spam Comments Cleaner Security & Risk Analysis
wordpress.org/plugins/spam-comments-cleanerDelete all the SPAM comments of your WordPress site in a regular time interval. To start the scheduled script this plugin using wp_cron hook.
Is Spam Comments Cleaner Safe to Use in 2026?
Generally Safe
Score 85/100Spam Comments Cleaner has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The "spam-comments-cleaner" v1.3 plugin exhibits a mixed security posture. On the positive side, its attack surface appears minimal, with no apparent AJAX handlers, REST API routes, or shortcodes exposed without proper authentication or permission checks. The absence of known CVEs and a clean vulnerability history also suggest a history of relatively secure development. However, significant concerns arise from the static analysis of its code. A substantial portion of its SQL queries are not utilizing prepared statements, which is a critical vulnerability that can lead to SQL injection attacks. Furthermore, none of the output operations are properly escaped, leaving the plugin susceptible to cross-site scripting (XSS) vulnerabilities.
While the plugin has a good track record regarding historical vulnerabilities and a small attack surface, the current static analysis reveals fundamental security flaws in data handling. The lack of prepared statements for SQL queries and the absence of output escaping are serious oversights that introduce considerable risk. The presence of a nonce check and a capability check is positive, but these do not mitigate the risks associated with unsanitized SQL and output. The overall conclusion is that while the plugin has a seemingly clean past, its current implementation contains critical vulnerabilities that require immediate attention.
Key Concerns
- SQL queries not using prepared statements
- Output not properly escaped
Spam Comments Cleaner Security Vulnerabilities
Spam Comments Cleaner Code Analysis
SQL Query Safety
Output Escaping
Spam Comments Cleaner Attack Surface
WordPress Hooks 3
Scheduled Events 1
Maintenance & Trust
Spam Comments Cleaner Maintenance & Trust
Maintenance Signals
Community Trust
Spam Comments Cleaner Alternatives
![Disable Comments – Remove Comments & Stop Spam [Multi-Site Support]](https://ps.w.org/disable-comments/assets/icon-128x128.png){kind=icon}
Disable Comments – Remove Comments & Stop Spam [Multi-Site Support]
disable-comments
Allows administrators to globally disable comments on their site. Comments can be disabled according to post type. Multisite friendly.
WP Comment Cleaner – Delete All Comments, Disable Comments, Bulk Delete & Remove Comments
delete-all-comments-of-website
Delete comments, disable comments, and remove comments in one click. Bulk delete spam and all comments to optimize your WordPress database easily.
Delete Pending Comments
delete-pending-comments
A quick way to delete all pending and spam comments. Useful for victims of spammer attacks.
Social comments by WpDevArt
comments-from-facebook
This plugin will help you display Facebook Comments on your website. You can use it on your pages/posts.
Disable Comments & Delete All Comments
comments-plus
Disable comments globally on all posts or certain post types. Delete all comments at once, by post type or comment status. Manage links in comments.
Spam Comments Cleaner Developer Profile
3 plugins · 3K total installs
How We Detect Spam Comments Cleaner
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
/wp-content/plugins/spam-comments-cleaner/spam-comments-cleaner.cssspam-comments-cleaner/spam-comments-cleaner.css?ver=HTML / DOM Fingerprints
scc-form-buttonsleft-form-section<!-- ... -->id="delete_spam_now_button"id="delete_spam_hourly_button"id="delete_spam_daily_button"id="delete_spam_twice_button"id="delete_spam_weekly"id="delete_spam_twiceweekly"+12 more