I'm using cformIIs as a form builder and redirecting the action to a script that parses data to a wp_insert_post object.
The goal is to have visitors post to a very specific section of the blog and insert some of that data into a separate, custom DB without granting editor status to users.
Well, it got hacked by a spam bot :(
It seems the spambot is using my script for injection, bypassing the $POST variables and going straight to wp_insert_post. I've used some regex snippets to kill the insert, changed the post status to pending. This had some effects, filtering the content and links from the bot, but it is still able to perform the injection.
I'd really appreciate any help on this, since my coding skills are quite basic.
Thanks for reading.
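The setup described above (a public form whose action points at a standalone script that calls wp_insert_post) can be sketched with server-side checks that run before the insert. This is an added example, not part of the original post and not the poster's script. Assumptions: the script sits in the WordPress root, the form can emit a nonce via `wp_nonce_field( 'guest_post_submit', 'guest_post_nonce' )` and an empty hidden input named `website_url`, and the field names and category ID 42 are hypothetical.

```php
<?php
// Added example: hypothetical hardened handler for a guest-post form.
// Field names, the nonce action and category ID 42 are assumptions.
require_once __DIR__ . '/wp-load.php'; // assumes this file is in the WordPress root

function guest_post_reject( $why ) {
    // Stop with a 403 before anything reaches wp_insert_post().
    wp_die( esc_html( $why ), 'Submission rejected', array( 'response' => 403 ) );
}

// 1. The handler is only ever reached by a form POST.
if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
    guest_post_reject( 'Invalid request method.' );
}

// 2. The request must carry a nonce that the form page issued.
$nonce = sanitize_text_field( wp_unslash( $_POST['guest_post_nonce'] ?? '' ) );
if ( ! wp_verify_nonce( $nonce, 'guest_post_submit' ) ) {
    guest_post_reject( 'Missing or expired form token.' );
}

// 3. Honeypot: the hidden field stays empty when a person submits the form.
if ( ! empty( $_POST['website_url'] ) ) {
    guest_post_reject( 'Submission flagged as automated.' );
}

// 4. Sanitize every value taken from the request; both helpers strip HTML tags.
$title   = sanitize_text_field( wp_unslash( $_POST['post_title'] ?? '' ) );
$content = sanitize_textarea_field( wp_unslash( $_POST['post_content'] ?? '' ) );
if ( '' === $title || '' === $content ) {
    guest_post_reject( 'Title and content are required.' );
}

// 5. Status and category are fixed here, never read from the request.
$post_id = wp_insert_post(
    array(
        'post_title'    => $title,
        'post_content'  => $content,
        'post_status'   => 'pending',   // held for moderation
        'post_category' => array( 42 ), // hypothetical category ID
    ),
    true // return a WP_Error instead of 0 on failure
);
if ( is_wp_error( $post_id ) ) {
    guest_post_reject( 'Could not save the submission.' );
}

wp_safe_redirect( home_url( '/' ) );
exit;
```

For logged-out visitors the nonce is the same for every anonymous request within its lifetime, so it only proves the form page was fetched recently; the honeypot and the pending status remain the controls that keep automated submissions from being published.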