WTF? (WordPress confusion)

Um… I'm pretty sure I have WordPress set up to only allow comments from registered, logged in users. If this is true, howinthehell are spam comments getting posted??

I have Akismet enabled, so they don't actually get to my blog, but still – I don't get it.

5 Comments on “WTF? (WordPress confusion)”

  1. It’s just one of those facts of life. So long as they don’t get to my blog, I don’t care. I can’t remember exactly how it was they do it, but they use one of the core files of WP (or any database/php driven site) to plant them on posts. Annoying but unavoidable.

    1. Do you have a pointer to where you’ve seen how they do it? I will fix it.
      It is quite avoidable if you know what you’re doing. Apparently the developers of WordPress don’t, or don’t care enough.

      1. I’m pretty sure they were hitting wp-comments-post.php and wp-trackback.php somehow with bots. I deleted my trackback.php, since I don’t use it, and when I was using the last version, I had hacked around in the code and renamed the comments-post.php to something else, which stopped it for a while. I have pretty much always gotten mucho spam daily since I have been using WP, but at least there are some plugins you can use so it doesn’t get on the site. You still sort of have to deal with it though, and as far as I can tell, those spam comments are still sitting in the database.
        In fact, at one point, I was seeing comment spam on posts as I made them, implying the bots were dropping spam into the database with future potential post numbers attached.

        1. Which means those scripts are as buggy as hell. Dammit, I don’t think I have the time to do a full audit.
          Sounds like they don’t validate their parameters on an HTTP POST. That needs to be fixed.
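
The last comment's point about validating the parameters of an HTTP POST, as an added example that is not part of the original thread and is not WordPress code: a server-side check that a comment or trackback request has to pass before anything is written to the database. `Post`, `POSTS`, `validate_comment_post` and the form field names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data standing in for the blog's posts table.
@dataclass
class Post:
    status: str            # "publish", "draft" or "future"
    publish_at: datetime
    comments_open: bool = True

NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
POSTS = {
    41: Post("publish", datetime(2024, 1, 1, tzinfo=timezone.utc)),
    42: Post("future", datetime(2024, 2, 1, tzinfo=timezone.utc)),
    43: Post("publish", datetime(2024, 1, 5, tzinfo=timezone.utc), comments_open=False),
}
REQUIRE_LOGIN = True  # mirrors a "registered, logged-in users only" setting


def validate_comment_post(form, session_user, now=NOW, posts=POSTS,
                          require_login=REQUIRE_LOGIN):
    """Return (accepted, reason) for a comment or trackback POST.

    Every check runs server-side on each request, whatever page or
    script the request claims to come from.
    """
    raw_id = str(form.get("post_id", ""))
    # Accept only a plain positive ASCII integer: no signs, spaces or suffixes.
    if not (raw_id.isascii() and raw_id.isdigit()) or int(raw_id) == 0:
        return False, "invalid post id"
    post = posts.get(int(raw_id))
    if post is None:
        return False, "no such post"
    # Ids of drafts or scheduled posts must not accept comments early.
    if post.status != "publish" or post.publish_at > now:
        return False, "post not published"
    if not post.comments_open:
        return False, "comments closed"
    # The login rule is enforced here, not by hiding the comment form.
    if require_login and session_user is None:
        return False, "login required"
    body = form.get("comment", "")
    if not isinstance(body, str) or not body.strip():
        return False, "empty comment"
    return True, "ok"
```

Rejected requests are dropped before storage, so they never reach the database or a spam queue.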
