Considering the XXS problem in 4.2, this option makes even more sense. If your blog / site does not support comments, it would be nice to have none of that code available for attackers to pick at.
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
Considering the XXS problem in 4.2, this option makes even more sense.
That really was a one off, and a patch was developed in really quick order. 😉
What you are describing is an edge case. That doesn’t mean some people want that option but it’s not likely to go into the core WordPress. Especially when that’s something that can easily be achieved using a plugin.
https://wordpress.org/plugins/disable-comments/
That one came up in a quick search and appears to even be multisite friendly.
Jan, nice but it doesn’t do the whole thing. It addresses only in disabling comments within the theme and such, but appears to still allow comment spammers to connect to your installation and dump their spam at you – or at bare minimum, start up an instance of wordpress that requires both bandwidth and system resources to deal with – because in order to decide if comments are enabled or disabled, it first must starting up an instance, connect to the database, read the site information, read the setup information, and the process the comment request from there.
The disable comments appears to be good for removing the comment stuff from the pages. Spammers don’t give a crap about what is on your page, they spam directly. Which means they still post directly… and even when they are wrong or comments are closed, they still waste system resources. So having comments not working, not answering, not processings (and perhaps the code not even having to be there at all) would be a big step towards making those sorts of site less of a target.
For what it’s worth, a true CMS for business sites would likely not want to have user accounts, comments, or any other method by which people could access the site, except for very controlled feedback scripts that do not touch or deal with the wordpress core in any manner. A good hunk of security can be achieved by not having legacy services on a site that doesn’t use them.
(@another-guy)
9 years ago
As wordpress moves towards being as much about building interesting sites as it is about straight blogging and discussions, it might be a really good idea to have a “disable comments entirely” option for sites.
This would be a step beyond “comments disabled for this post”, and perhaps could include a new API call similar to wp_comments_enabled () which could return “enabled, disabled, notinuse” so that theme designers could check before displaying anything to do with comments for a given post or page. If comments are “notinuse” then none of the comment code would need to be displayed or checked, and there would be no issues of comments (and comment spam).
It could also be used to handle pingbacks and attempts to add comments to blogs (especially spammers) who would get the door shut in their faces directly “this site does not accept comments”. That would allow sites that are more display oriented to avoid the hassles of handling spam comments and the server load that comes to having spammers fill your pending comments with stuff you will never have on your site.