Well, apparently I have been attacked by someone who has put comments into the system with a post id referencing a post that doesn’t exist yet. As soon as the post appears, the comment also appears. Clever.<\/p>\n
So far I’ve done several things to stop this:<\/p>\n
1) enabled built in keyword auto-moderation–if the post contains any of the keywords, the post goes into a moderation queue where I have to approve it before it appears.<\/p>\n
2) Altered my .htaccess file so that only requests that have been referrred from my site can validly post. This should prevent anyone from directly calling into the wp-comments-post.php file and bypassing the filter in 1.<\/p>\n
If your browser doesn’t pass on referrer headers, you won’t be able to post. (This one is pulled out a discussion on spam at the WordPress support site<\/a>).<\/p>\n 3) Added some code to wp-comments-post.php that prevents you from adding comments to a post that doesn’t exist yet. (This code pulled from a site dedicated to comment spam and WordPress<\/a>).<\/p>\n 4) Hopped into mysql and ran a few “delete from wp_comments where …” commands to remove all the preloaded comments. I hope I won’t have to do this again with the other bits in place.<\/p>\n","protected":false},"excerpt":{"rendered":" Well, apparently I have been attacked by someone who has put comments into the system with a post id referencing a post that doesn’t exist yet. As soon as the post appears, the comment also appears. Clever. So far I’ve done several things to stop this: 1) enabled built in keyword auto-moderation–if the post contains any of the keywords, the… Read more →<\/a><\/p>\n","protected":false},"author":13,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[1],"tags":[],"class_list":["post-20","post","type-post","status-publish","format-standard","hentry","category-general","xfolkentry"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p5UQvw-k","_links":{"self":[{"href":"http:\/\/www.chrismclaren.com\/blog\/wp-json\/wp\/v2\/posts\/20","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.chrismclaren.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.chrismclaren.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.chrismclaren.com\/blog\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"http:\/\/www.chrismclaren.com\/blog\/wp-json\/wp\/v2\/comments?post=20"}],"version-history":[{"count":0,"href":"http:\/\/www.chrismclaren.com\/blog\/wp-json\/wp\/v2\/posts\/20\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.chrismclaren.com\/blog\/wp-json\/wp\/v2\/media?parent=20"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.chrismclaren.com\/blog\/wp-json\/wp\/v2\/categories?post=20"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.chrismclaren.com\/blog\/wp-json\/wp\/v2\/tags?post=20"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}