Comment spam despite “Users must be logged in”

  • In “General Options,” with “Users must be registered and logged in to comment” selected, I’m seeing spam on a daily basis that is not from the few registered users on the blog. Indeed, “Anyone can register” is not checked.

    Now, the comment form does not show on blog posts except for the several users who I have administratively registered. So obviously the spammers are not using the form at all. But merely not showing the form isn’t enough to enforce the requirement that users be logged in to comment. Is there some good reason that the backend code for handling comments doesn’t simply reject any submission from someone who is neither registered nor logged in? Why aren’t credentials being enforced?

    I get to moderate these spam attempts. So the public isn’t seeing them. But it’s wasting my time. What’s the purpose of this hole being left in the code?

Viewing 5 replies - 1 through 5 (of 5 total)
  • I’m seeing the same problem. I just upgraded my blog from 2.2 to 2.6 and I have this option (Users must be registered and logged in to comment) turned on. But I’m still getting spam showing up for moderation. I also have the following security measures in place:

    • modified the .htaccess in my blog directory to block all IP addresses for wp-comments-post.php and wp-commentsrss2.php except for IP addresses in my domain.
    • added a .htaccess file to do the same thing for everything in wp-admin/
    • reCAPTCHA plugin installed and working

    The other weird thing is that the spam that is getting through to show up in my moderation list has external IP addresses, so either they are somehow masquerading their IP address or there is some other PHP file that they are using to post these comments.

    Anyone have an idea of what’s going on?

    Moderator Samuel Wood (Otto) (@otto42) Admin

    Those are not comments. They are trackbacks. That’s what most “comment spam” really is.

    Turn off “pings” on the articles. Or install anti-spam plugins like Akismet.
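To check which entry point the items in the moderation queue arrive through, the web server's access log can be tallied per submission channel. The script below is an added example, not part of the thread or of WordPress; it assumes the Apache/nginx "combined" log format, the sample lines are constructed, and the `/trackback/` permalink form and `xmlrpc.php` are WordPress entry points the thread does not name.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# WordPress entry points that can put an item in the moderation queue.
CHANNELS = [
    (re.compile(r'/wp-comments-post\.php$'), "comment form"),
    (re.compile(r'/wp-trackback\.php$|/trackback/?$'), "trackback"),
    (re.compile(r'/xmlrpc\.php$'), "xml-rpc (incl. pingbacks)"),
]

def classify(path):
    """Map a request path (query string ignored) to a submission channel."""
    path = path.split("?", 1)[0]
    for pattern, channel in CHANNELS:
        if pattern.search(path):
            return channel
    return None

def tally_posts(lines):
    """Count POSTs the server accepted (2xx/3xx) per channel and client IP."""
    tally = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["status"][0] not in "23":
            continue
        channel = classify(m["path"])
        if channel:
            tally[channel][m["ip"]] += 1
    return tally

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '192.0.2.10 - - [12/Aug/2008:09:00:01 +0000] "POST /blog/wp-comments-post.php HTTP/1.1" 302 0 "-" "-"',
    '203.0.113.7 - - [12/Aug/2008:09:05:13 +0000] "POST /blog/wp-comments-post.php HTTP/1.0" 403 210 "-" "-"',
    '203.0.113.7 - - [12/Aug/2008:09:05:14 +0000] "POST /blog/wp-trackback.php?p=12 HTTP/1.0" 200 78 "-" "-"',
    '203.0.113.7 - - [12/Aug/2008:09:05:20 +0000] "POST /blog/2008/07/hello/trackback/ HTTP/1.0" 200 78 "-" "-"',
    '198.51.100.23 - - [12/Aug/2008:09:07:41 +0000] "POST /blog/wp-trackback.php?p=3 HTTP/1.1" 200 78 "-" "-"',
    '198.51.100.23 - - [12/Aug/2008:09:08:02 +0000] "GET /blog/2008/07/hello/ HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for channel, ips in tally_posts(SAMPLE).items():
        print(channel, dict(ips))
```

On the sample, the only accepted comment-form POST comes from the allowed address, while the external addresses appear under the trackback channel.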

    Thank you so much!! I’ll give those a try. Would IP blocking wp-trackback.php also work? I have pings turned off by default but I don’t author any of the posts on the blog in question and so can’t guarantee that the author of the blog might turn pings back on for a particular post.

    Moderator Samuel Wood (Otto) (@otto42) Admin

    Sure, but that’s sorta like cutting off your nose to get rid of the smell in the room. 😉

    There’s better and saner ways to deal with spam than disabling all sorts of useful functionality:

    LOL 🙂 Yeah, well my sense of smell isn’t that great to begin with so I’m not sure I would miss it (except my glasses would fall off my face I guess). Plus I’ve always tried to follow the KISS principle and disable stuff that I (or I should say my author) doesn’t use 🙂

    But maybe I’m being too paranoid – I’ll go check out that link and the Akismet plugin.

    Thank you for all of the very useful info!
