Avoid Spam from Bots and AI Agents

Article by Jeroen De Dauw. Updated on October 3, 2025

Avoid Spam from Bots and AI Agents

Spam has always been a concern on public wikis. Countering automated spam is becoming more challenging as modern spambots use AI to defeat captions. Find out how to adjust your spam-prevention strategy to keep your MediaWiki spam-free in 2025 and beyond.

Set up Captchas

If you have an open-registration wiki, you need a way to stop spambots from creating user accounts on your wiki. The simplest approach, which we have recommended for a long time, is to use the QuestyCaptcha extension.

If you host your wiki yourself, you'll first have to install and configure this extension, which is easy. Once the extension is installed and enabled, edit LocalSettings.php and add configuration like the below: 

$wgCaptchaQuestions = [
    'What is six times seven' => [ '42', 'forty two', 'fortytwo' ],
    'What is the third character in "awesome"' => [ 'e' ],
];

If your wiki is hosted by Professional Wiki, the extension is already installed, and you can add the captcha questions via the Admin Panel:

Configuration UI for captcha questions

Bot-proof Captcha Questions

Many of the questions people have historically used can now easily be solved by AI-powered bots. The above example questions fall into this category.

When adding a question, consider if a LLM like ChatGPT can easily solve it without having additional context. If yes, then it is a bad question.

Thus, do not ask general knowledge questions like "What is the capital of Germany". Also avoid questions that only need reasoning, such as math questions or doing something else with information you provide in the question.

Instead, ask about your wiki. Example: "What is the 5-digit locomotive number shown in the featured article image on our homepage?". The spambot would need to navigate to your homepage, find and interpret the image. While this is within the capabilities of AI reasoning models, it is sufficient to stop today's spambot attempts. It also works without involving an image.

Stick to a single hard-to-crack question and rotate it if it gets broken. If you have multiple questions, you add more ways for the spambots to get into your wiki, and it'll be difficult to tell which question needs replacing if any spambots do end up getting through.

Prohibit Bot-like Usernames

Adding captchas should be enough. However, if you already got spammed, and observe a pattern in the names of the user accounts the bots created, you could disallow said pattern. For instance, if all bot created accounts contain hyphens in their names, like Window-Replacement-Service, you could disallow the hyphen character in new user accounts.

Configuration via LocalSettings.php: 

$wgInvalidUsernameCharacters = '@:>=-'; // Added '-' to the default to thwart spambots

For wikis hosted by Professional Wiki, configure this via the Signup tab of the Admin Panel:

MediaWiki Admin Panel showing the Signup tab with options to disallow username characters and to define captcha questions

To Go Even Further Beyond

Use extensions like SpamBlacklist and TitleBlacklist, serve your wiki via Cloudflare, set up Web Application Firewall rules, and add Anubis. These are some of the tricks we employ to keep the wikis of our customers safe at Professional Wiki. Want the spam on your wiki to stop? Consider letting us deal with the problem by using our MediaWiki migration services.

Cartoon illustration of the MediaWiki logo fighting a spambot

Participate