Captcha, reCapthca and the like have serious usability issues. And basically anything that requires a user to fill an extra field (other than the comment) each time the user posts a comment, is considered bad usability.
(NOTE: I hope you do realize that users need only enter their name and email address once when it comments on a website, unless he clears the cache.)
So, plugins like Better WordPress reCAPTCHA, WP-reCAPTCHA, Spam Free WordPress, etc. although are extremely good at what they do, are out of the question considering the aforementioned concerns.
Plugins like Bad Behavior, WP-Hashcash Extended (successor of WP-Hashcash), .htaccess rules for preventing recognized spamming techniques and bots, etc. aren’t without false positives.
As I see it, it all boils down to Akismet, Impostercide, and Cookies for Comments anti-spam plugin combo.
(AntiSpamBee, Defensio, and TypePad AntiSpam, among others, are aimed to be Akismet alternatives. While many don’t like Akismet because it’s from a company that believes in open source, but isn’t free, many of us still acknowledge that it’s next to none.)
What else should I do? (rather, should I be doing something else that’s more effective?)
Has anyone tried ZigTrap? How does it compare to others? (Too many false positives is a moderation/spam queue overhead.)
PS: I am sure that there’s no “best for all” solution. But it will help if you can share what works best for you.
TLDR: How do I prevent spam on WordPress comments without requiring manual approval or user login/registration?
Okay, I’ve (probably) done just enough reading since asking this question, and apparently this combo of anti-spam plugins, works to a very appreciable extent in mitigating spam:
Akismet + Cookies for Comments + Impostercide
Knowledgeable people agree:
Alex aka Viper007Bond uses Akismet and Cookies for Comments on his own blog, alongside having Trackbacks disabled. (Source)
The need for the use of “Impostercide” plugin should be obvious, unless the email you administer your blog with is unknown to the world, or you just don’t care even if the spammers post comments on your blog using your Name and Email (and hell if you use Gravatar).
And yes, this setup may not fit everyone. Especially those blogs that want to enforce a stricter set of rules and techniques.