Best Akismet Alternatives for Non-WordPress Sites
Akismet was built for WordPress. If you're using Next.js, React, or any modern stack, here are the spam detection APIs that actually make sense.
Best Akismet Alternatives for Non-WordPress Sites
Akismet has been the default spam filter for WordPress since 2005. It works. It’s reliable. But if you’re building with Next.js, React, Astro, Remix, or any other modern JavaScript framework, Akismet feels like trying to fit a square peg into a round hole.
The problem isn’t that Akismet is bad. The problem is that it was designed for a different era. WordPress comment spam. URL-encoded form submissions. PHP-first architecture.
Modern web apps deserve modern spam detection. Let’s look at what’s out there.
Why Akismet Doesn’t Fit Modern Stacks
Before we talk alternatives, let’s be clear about why Akismet struggles outside WordPress.
URL-Encoded API, Not JSON
Akismet’s API expects application/x-www-form-urlencoded requests. You have to URL-encode every parameter and construct query strings manually. In 2024. When every other API accepts JSON.
Here’s what an Akismet request looks like:
// Akismet request - feels like 2005
const body = new URLSearchParams({
blog: 'https://yoursite.com',
user_ip: '203.0.113.42',
comment_author: 'John Smith',
comment_author_email: 'john@example.com',
comment_content: 'Message text here',
});
const response = await fetch('https://YOUR_API_KEY.rest.akismet.com/1.1/comment-check', {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: body.toString(),
});
const result = await response.text(); // Returns "true" or "false" as plain textCompare that to a modern JSON API:
// Modern API - just JSON
const response = await fetch('https://api.formshield.com/v1/check', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Authorization': 'Bearer YOUR_API_KEY'
},
body: JSON.stringify({
email: 'john@example.com',
name: 'John Smith',
content: 'Message text here',
ip: '203.0.113.42'
}),
});
const result = await response.json();
// { verdict: "ham", score: 2, signals: { ... } }The difference is night and day. JSON is what every JavaScript developer expects. Type safety works. Responses include structured data instead of plain text strings.
No TypeScript SDK
Akismet doesn’t have an official TypeScript SDK. The community packages exist, but they’re wrappers around that URL-encoded API. You’re still dealing with string responses and manual type coercion.
Modern developers want npm install @company/sdk and proper TypeScript types. They want autocompletion and compile-time error checking.
Comment-Centric Design
Akismet was built for blog comments. The API parameters reflect this: comment_author, comment_content, comment_type. When you’re protecting a contact form, signup flow, or checkout page, you’re constantly mapping your domain language to WordPress terminology.
It works. But it’s awkward.
Binary Spam/Ham Response
Akismet returns true (spam) or false (not spam). That’s it. No confidence score. No breakdown of why something was flagged. No signals to help you understand the decision.
Modern spam detection gives you a score (0-10) and detailed signals (IP reputation, email validation results, content analysis). This lets you:
- Set custom thresholds per form
- Route suspicious submissions for review
- Debug false positives without guessing
The Modern Alternatives
Here’s what actually works for non-WordPress sites.
OOPSpam
OOPSpam is probably the most direct Akismet replacement. It’s a JSON API that checks content, IP addresses, and email addresses for spam signals.
What’s good:
- Proper JSON API with detailed responses
- Spam score instead of binary yes/no
- Disposable email detection built-in
- GDPR compliant with no logging by default
- Country and language blocking options
What’s not:
- Pricing gets expensive at scale ($40/month for 100K checks)
- No official TypeScript SDK
- Response time can vary
Example request:
const response = await fetch('https://api.oopspam.com/v1/spamdetection', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'X-Api-Key': 'YOUR_API_KEY'
},
body: JSON.stringify({
senderIP: '203.0.113.42',
email: 'user@example.com',
content: 'Your message here'
})
});
const result = await response.json();
// { Score: 3, Details: { isIPBlocked: false, isEmailBlocked: false, ... } }OOPSpam is solid if you want a drop-in Akismet replacement with better API design. The score-based approach is a significant improvement over binary responses.
CleanTalk
CleanTalk is the budget option. At $12/year (not a typo), it’s absurdly cheap. They support WordPress, Joomla, Drupal, and have a general API.
What’s good:
- Price is unbeatable
- Works across multiple platforms
- Checks IP, email, and content
- Anti-spam database built from millions of sites
What’s not:
- High false positive rate reported by users
- Can be aggressive with blocking
- Support is inconsistent
- API documentation is minimal
If you’re on a tight budget and can tolerate some false positives, CleanTalk works. But be prepared to manually whitelist legitimate submissions that get caught in the crossfire. For business-critical forms (leads, sales inquiries), this tradeoff probably isn’t worth it.
Arcjet
Arcjet takes a different approach. Instead of just spam detection, it’s a full security toolkit: rate limiting, bot detection, email validation, and WAF protection. It’s built specifically for Next.js and modern JavaScript frameworks.
What’s good:
- Native Next.js integration with middleware
- Combines multiple security primitives
- Email validation includes disposable detection
- Bot detection beyond just spam
- Typed SDK with excellent DX
What’s not:
- Does a lot more than spam detection (maybe too much)
- Pricing isn’t public - you have to sign up
- Relatively new, smaller community
Example with Next.js:
import arcjet, { detectBot, validateEmail } from '@arcjet/next';
const aj = arcjet({
key: process.env.ARCJET_KEY!,
rules: [
detectBot({
mode: 'LIVE',
allow: [], // Block all bots
}),
validateEmail({
mode: 'LIVE',
block: ['DISPOSABLE', 'INVALID'],
}),
],
});
export async function POST(req: Request) {
const decision = await aj.protect(req);
if (decision.isDenied()) {
return Response.json({ error: 'Blocked' }, { status: 403 });
}
// Process legitimate request
}Arcjet is interesting if you want an all-in-one security solution. But if you just need spam detection, it might be overkill.
ALTCHA
ALTCHA combines a CAPTCHA alternative with a spam filter API. The spam filter uses NLP and ML to analyze text content.
What’s good:
- Machine learning based content analysis
- Detects spam, profanity, and harmful content
- Privacy-focused (no tracking)
- Proof-of-work CAPTCHA option included
What’s not:
- Smaller company, less battle-tested
- Limited documentation
- No IP reputation checking
ALTCHA is worth considering if content analysis is your primary concern and you want to avoid the big players.
FormShield
FormShield is what we built after getting frustrated with exactly these problems. It’s a single API that combines everything: IP intelligence, email validation, AI content analysis, and behavioral signals.
What’s good:
- JSON API with TypeScript SDK (
@formshield/next) - Score-based (0-10) with configurable thresholds
- Detailed signal breakdown showing why something was flagged
- AI content analysis (fast ML path, advanced AI for uncertain cases)
- Built for modern stacks (Next.js, Remix, Astro)
- Transparent pricing with a free tier
Example integration:
import { FormShield } from '@formshield/next';
const formshield = new FormShield({
apiKey: process.env.FORMSHIELD_API_KEY
});
export async function POST(req: Request) {
const body = await req.json();
const result = await formshield.check({
email: body.email,
name: body.name,
content: body.message,
ip: req.headers.get('x-forwarded-for'),
formId: 'contact-form',
metadata: {
formLoadedAt: body.formLoadedAt,
honeypotField: body.website, // honeypot value
}
});
if (result.verdict === 'spam') {
// Return fake success to not reveal detection
return Response.json({ success: true });
}
// result.signals shows exactly why something was flagged
// { ip: { isVpn: false, threatScore: 0.1 },
// email: { isDisposable: false, mxValid: true },
// content: { spamScore: 0.2 } }
// Process legitimate submission
return Response.json({ success: true });
}We built FormShield because we needed something that worked like Akismet conceptually (easy to integrate, reliable spam detection) but designed for how we actually build software today.
API Comparison
Let’s compare the technical details:
| Feature | Akismet | OOPSpam | CleanTalk | Arcjet | FormShield |
|---|---|---|---|---|---|
| API Format | URL-encoded | JSON | JSON | SDK | JSON + SDK |
| TypeScript SDK | No | No | No | Yes | Yes |
| Response Type | Text | JSON | JSON | Object | JSON |
| Spam Score | No | Yes (0-6) | Yes | N/A | Yes (0-10) |
| Signal Breakdown | No | Basic | Basic | Yes | Detailed |
| IP Intelligence | Basic | Yes | Yes | Yes | Yes |
| Email Validation | No | Yes | Yes | Yes | Yes |
| AI Content Analysis | No | No | No | No | Yes |
| Behavioral Signals | No | No | No | Limited | Yes |
Pricing Comparison
| Service | Free Tier | Starter | Growth |
|---|---|---|---|
| Akismet | Personal use only | $9.95/mo | $49.95/mo |
| OOPSpam | None | $20/mo (20K) | $40/mo (100K) |
| CleanTalk | 7-day trial | $12/year | $24/year |
| Arcjet | Yes | Contact sales | Contact sales |
| FormShield | 1,000 req/mo | $5/mo (30K) | $60/mo (100K) |
Akismet’s pricing is actually reasonable for personal blogs. But notice the jump to $49.95/mo for their Business tier, which only includes 5,000 spam checks. At scale, it gets expensive fast.
CleanTalk is the budget winner if you can handle the false positives. FormShield hits the middle ground with transparent pricing and a generous paid tier structure.
What About Building Your Own?
You might be thinking: why not just build spam detection yourself?
You can. We have a guide to DIY spam protection in Next.js covering honeypot fields, timing analysis, and server-side validation. These techniques work and cost nothing.
But there’s a reason spam detection services exist:
- IP reputation databases require constant maintenance. New VPNs, datacenters, and proxies appear daily.
- Disposable email lists change constantly. New throwaway email services launch every week.
- Content patterns evolve. Spammers adapt when detection improves.
- ML models need training data and infrastructure.
Building a honeypot takes 5 minutes. Building production-grade spam detection that catches 99% of spam while minimizing false positives takes months.
Most teams are better served using a specialized API and focusing their engineering time elsewhere.
Migration from Akismet
If you’re currently using Akismet and want to switch, here’s the mapping:
| Akismet Parameter | FormShield Equivalent |
|---|---|
comment_author | name |
comment_author_email | email |
comment_content | content |
user_ip | ip |
blog | (not needed) |
comment_type | formId |
The migration is straightforward. Replace your Akismet API calls with FormShield (or your chosen alternative), map the parameters, and update how you handle responses.
The biggest change is handling the richer response format. Instead of checking result === 'true', you’re now working with:
if (result.verdict === 'spam') {
// Blocked
} else if (result.verdict === 'review') {
// Flag for manual review
} else {
// Allow through
}This three-way classification (spam/review/ham) gives you more control over edge cases.
Common Mistakes When Switching
A few things to watch out for when migrating away from Akismet:
Don’t forget silent failures. Akismet (and most spam services) return success even when blocking spam. This prevents spammers from learning your detection rules. Make sure your new integration does the same. Never return a 403 or error message that reveals “you were detected as spam.”
Test with real spam. Before going live, find some actual spam submissions from your logs. Run them through your new API and verify they get flagged. It’s easy to get excited about a new integration that passes all your legitimate test cases but fails on actual spam patterns.
Monitor false positives closely. The first week after switching, review your spam queue manually. Every service has different thresholds and edge cases. You might find legitimate submissions getting flagged that Akismet let through (or vice versa).
Keep Akismet running in parallel initially. Some teams run both systems for a week or two, comparing results. This catches discrepancies before they become customer complaints.
Which Should You Choose?
Here’s my quick take:
- On a budget? CleanTalk at $12/year is hard to beat, but expect false positives.
- Want drop-in Akismet replacement? OOPSpam is the closest equivalent with better API design.
- Building with Next.js and want security broadly? Arcjet bundles spam detection with rate limiting and bot protection.
- Want the best developer experience and detailed signals? FormShield gives you a TypeScript SDK, score-based detection, and AI content analysis.
The Akismet era isn’t over for WordPress sites. It still works fine there. But for modern JavaScript applications, you deserve a modern API. Pick one of these alternatives and move on.
Ready to upgrade from Akismet? Try FormShield free with 1,000 requests/month - no credit card required.