Comment moderation is a feature in WordPress that allows you to prevent comments from appearing on your site without your express approval. Moderation can be very useful in addressing Comment Spam, but it has more general applications as well. If you would like to learn more about comment spam, see Fighting Comment Spam.
How Moderation Works
WordPress runs a number of tests on each new comment before posting it to your blog. If a comment fails one of these tests, it is not displayed immediately on the site but is placed in a queue for moderation, the process of manual approval or deletion by the blog's administrator.
If you would like every comment to be held for moderation, check the An administrator must approve the comment option, listed under Before a comment appears.
If you would like to send suspicious comments to the moderation queue, while letting innocent comments through, you will need to specify a set of rules for determining which comments are suspicious. These rules are specified in on the Settings → Discussion > Comment Moderation.
The first option is to hold comments for moderation if they contain an unusually large number of hyperlinks. Most normal comments contain at most one or two links while spam comments often have a large number. Look at your own comments and set this to a value that makes sense for your audience. (Note: In version 1.5.2, and possibly others, if you do not put a number in the comment moderation links box, in other words, if this box is completely blank, all anonymous comments (and possibly others) are sent to the Manage Comments SubPanel for moderation, even if the Discussion Options Subpanel has no restrictions set.)
The second option is to specify a set of moderation keys which, if present in any part of the comment, will cause it to be held for moderation. These keys are specified one per line in the large text area, which is blank by default. Moderation keys can include Spam Words, swear words, IP addresses, and Regular Expressions.
When you add a new moderation key, it's a good idea to test its validity by checking previous comments. Simply use the link entitled Check past comments against moderation list, which is located underneath the text box containing moderation keys. This asks WordPress to check previous comments and tell you which ones would be flagged for moderation under your new set of keys.
The box marked Comment blacklist works in exactly the same way as the comment moderation box, except that comments that match these words will be deleted immediately and without notification. So be careful! Genuine comments could be deleted without you ever knowing they were there.
Why Not Blacklisting?
Several weblog programs take a "blacklisting" approach to addressing comment spam. So if you tried to leave a comment that had a word or domain that was on the blacklist, then your comment would be refused.
Why didn't WordPress use this method? In formulating a way to combat the problems that people were having with comments, we made a promise at the beginning, Do no harm.
Weblogs are about communication, and anything that impedes that communication is harmful to the medium. Instead of rejecting a comment that matches a term in the moderation keys (our variation on the blacklist) we simply hold it for review. That way if it was a legitimate comment mistakenly caught by the filters, the weblog author can still see it and respond to the comment.
Of course this means that there may be a lot of comments that you don't want on your site caught in the moderation queue, and in this case we've tried to make it as easy as possible to manage large numbers of comments quickly. See the articles on Fighting Comment Spam for more information and resources.