I'm using the latest WP, v3.0.1 for my blog. In my "Discussion" settings, the following settings are definitely enabled:
- Comment author must fill out name and e-mail
- Users must be registered and logged in to comment
- Comment author must have a previously approved comment
I'm also using the WP-reCAPTCHA and reCAPTCHA Form plugins, which are both fully up to date.
Today, two users who are not and have never been registered on my site have managed to post comments that were immediately surfaced on the front end.
This opens up two questions:
1) If I have the "Users must be registered and logged in to comment" option set, how are two unregistered users able to post comments?
2) Even if they were registered users, given I've got "Comment author must have a previously approved comment" enabled, how were they able to bypass the approval process?
Is this a new unknown security hole, or am I missing something?