unregistered users can comment anyway

  • Resolved topsoftbe


    I have the options set: “anyone can register” and “users must be registered and logged in to comment”, but I regularly receive bogus comments and they come from users that are surely NOT registered and thus cannot be logged in either.
    I have version 2.1. If I try it myself, I am unable to comment, so there must be some kind of vulnerability in this version.
    If you want to try it out:
    Is there a way I can find out how they could enter my blog?

Viewing 7 replies - 1 through 7 (of 7 total)
  • Under “E-mail me whenever:” option check both

    * Anyone posts a comment
    * A comment is held for moderation

    and “Before a comment appears:” check both

    * An administrator must always approve the comment
    * Comment author must fill out name and e-mail

    if you want comments to be moderated before they appear.

    That’s not the problem, all these options are checked. The comment was held back for approval, so that is ok. But the options say clearly: Users must be registered and logged in to comment, so there are 2 possibilities: the wording is completely wrong, or there is a security hole.
    Before you can comment, you should have to register (which was not the case, there is just one user: me) and because nobody logged in, nobody should have been able to comment.

    What you’re seeing is trackback spam.
    I assume Akismet is activated. Install Bad Behavior with it and this stuff will go away.

    Do you mean that I have to install a plugin to get rid of spam that should not have come in in the first place?

    Come on guys, read my topic: I have configured wp 2.1 in such a way that no one should be able to post a comment when he/she is not registered as a user, and even more: when he/she IS registered, he/she must be logged in to be able to post a comment. That is what the options say. That is clear. And it does not work. That is clear also.

    So please tell me how it can happen that I find a comment, waiting for approval, on my blog, when there is no user, apart from me. It simply should be impossible for anybody to post a comment with the configuration I have now.

    Furthermore, when I connect to my blog and do not log in, all works as expected: I can NOT post a comment. So that is good. What is bad, is that someone has found a way to comment in some way. I want to find out how this is possible.

    Definition of Trackback:

    Turn ’em off if you don’t want ’em. It’s a global option under Options -> Discussions (“Allow link notifications from other Weblogs (pingbacks and trackbacks.)”)

    (the rant wasn’t bad, but I kinda tuned out after the first paragraph)

    OK, I have turned this option OFF.
    I have not been using WP for very long, so it is possible that I have made a mistake here and there in the configuration.
    But please clarify this for me: under Options/general you have that option that says that only -logged in- -users- can post a comment. Then you have the option under Options/Discussion that says -Anyone posts a comment- .
    Which one has precedence? I could understand that on a post by post basis you could eventually allow comments, but these 2 options seem contradictory.
    This is not very clear, sorry.
    The first option should, in my opinion, deactivate all kinds of comments (pingbacks, trackbacks, not-logged-in-users, the lot).
    This seems not to be the case.
    Can you agree? Or am I completely wrong?

    Options -> General is asking whether they have to be “logged in” to comment.
    Options -> Discussion is asking whether you want any comment at all.
    Trackbacks are wanted by most of us for various reasons. We don’t want the spam, though, so spam plugins!
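
One way to answer the original question of how the held comment got in, as an added example that is not part of the thread: count POST requests in the web server access log by the WordPress entry point that can create a comment. The Apache combined log format is an assumption and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache combined format), not from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Feb/2007:10:01:02 +0000] "POST /wp-trackback.php?p=12 HTTP/1.0" 200 78 "-" "-"
203.0.113.5 - - [12/Feb/2007:10:01:09 +0000] "POST /2007/02/hello-world/trackback/ HTTP/1.0" 200 78 "-" "-"
198.51.100.7 - - [12/Feb/2007:10:05:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 190 "-" "ExampleBlog/1.0"
192.0.2.44 - - [12/Feb/2007:10:07:13 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://blog.example/?p=12" "Mozilla/5.0"
192.0.2.44 - - [12/Feb/2007:10:07:14 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# client IP, method, path and status from one combined-format line
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def entry_point(path):
    """Map a request path to the WordPress channel that can create a comment."""
    path = path.split("?", 1)[0]
    if path.endswith("/wp-comments-post.php"):
        return "comment form"        # the channel the login requirement covers
    if path.endswith("/wp-trackback.php") or path.rstrip("/").endswith("/trackback"):
        return "trackback"           # no user account involved
    if path.endswith("/xmlrpc.php"):
        return "xmlrpc (pingback)"   # pingbacks arrive here, as do other XML-RPC calls
    return None

def classify(log_text):
    """Return (POST count per channel, set of client IPs per channel)."""
    counts, sources = Counter(), {}
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m or m.group(2) != "POST":
            continue
        channel = entry_point(m.group(3))
        if channel:
            counts[channel] += 1
            sources.setdefault(channel, set()).add(m.group(1))
    return counts, sources

if __name__ == "__main__":
    counts, sources = classify(SAMPLE_LOG)
    for channel, n in counts.most_common():
        print(f"{channel:18} {n} POST(s) from {sorted(sources[channel])}")
```

If the POSTs around the time of the held comment hit the trackback or XML-RPC paths rather than the comment form, the comment arrived as a trackback or pingback, which is the channel the “Allow link notifications” option controls.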
