I have already discussed the matter of comments two years ago, when I first opened this blog on another domain, so I’m not going to repeat myself further.
For the purpose of this post suffices to know that they’ve been off from the beginning and that I haven’t changed the settings ever since. Beginning last month though I started getting spam messages in the comment moderation queue, even though I don’t have a place to submit comment anywhere.
Comments All | Pending (23) | Approved | Spam (0) | Trash (0)
Ten of those are just trackbacks, but the others are mostly post saying ‘hi’ or ‘check my site’ and such, typical spam comments. The only explanation is that a server somewhere is using the WordPress API:
It seems like it only requires the
$post_ID -> easily obtainable with a scraping bot and the
$site -> site domain and your API Token
($YOUR_API_TOKEN), guess it’s the application token and not a token to log to your site.
As example they provide this:
> PHP >$options = array ( 'http' => array ( 'ignore_errors' => true, 'method' => 'POST', 'header' => array ( 0 => 'authorization: Bearer YOUR_API_TOKEN', 1 => 'Content-Type: application/x-www-form-urlencoded', ), 'content' => http_build_query( array ( 'content' => 'Your reply is very interesting. This is a reply.', ) ), ), ); >$context = stream_context_create( $options ); $response = file_get_contents( 'https://public-api.wordpress.com/rest/v1/sites/30434183/posts/1222/replies/new/', false, $context ); $response = json_decode( $response ); >?>
Edit: The last spam comment in the moderation queue is from “2015/01/31 at 5:57 am” and I haven’t changed anything.
Update 02-01-2015: It got better, there hasn’t been a single new spam comment awaiting moderation for months now, on both site. I guess they got the message that comments are off. Good.
Reminder: If you wanna comment, send me a tweet.
I moved to octopress so I don’t have comments at all anymore, not even though an hidden page / webservice.
Update 2018-02-07: I have comments back on, with limits.