I tried that, but no CAPTCHA image shows up at all. So I got rid of that. A coder friend of mine reckons there is a flaw in the comments system. Basically it goes like this :
User create insecure blog. People spam once with a bot of some kind.
User secures blog, but the comments form system allows continual spam because of form authentication AFTER comment is placed. This means that someone could exploit the blog in this exceptional circumstance.
I am probably going to start from scratch, copy my backup DB, and secure the site BEFORE it goes live.
(Not that I had many *real* comments anyway 🙂 )
