How is a spam bot or anyone able to post a comment on WordPress when comments are handled with WP Discourse? There’s no place to even enter data to be accepted as a comment? Much less for it to land in my dashboard.
I really don’t know and I’m totally happy when corrected… but WP Discourse doesn’t override the commenting system, it “just” shows topics of Discourse as comments.
The original commenting system is still there, and if you let bots use it via SSH, direct URLs, whatever path, it will happen. It’s a similar situation to when we hide something using CSS. It doesn’t remove anything but from the screen. Of course WP Discourse is not that simple, but the principle is same-ish.
Or I am totally lost and quite soon we will hear how things are really.
Fun fact: if a poor admin can use WP-CLI, this will close commenting on every post (and takes a loooooong time):
wp post list --format=ids | xargs wp post update --comment_status=closed
And quite soon a lot of emails will come that say something like “Reason for failure: A 429 response code was returned from Discourse.” Too fast, too soon, and you have to wait a few seconds — the API was in a bad mood, I reckon.
But wait, there is more, as they say on shopping TV. Every post of WordPress that could close commenting and was connected to Discourse got a boost and flooded /latest.
So — WP-CLI is a wonderful tool, but in this situation… not so much.
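A throttled variant of the bulk close described above, as an added example that is not part of the original posts: it only touches posts whose native comment form is still open and pauses between updates. It assumes WP-CLI is on the PATH, that `wp post list` passes `--comment_status` through to WP_Query as a filter, and that a pause of a few seconds (the function names and the default of 5 are choices made here) is enough to stay under the Discourse API rate limit; it does not stop connected topics from being bumped.

```shell
#!/bin/sh
# Added example, not code from the thread or from WP Discourse.
# Assumes WP-CLI (`wp`) is installed and run from the WordPress root.

# Print the IDs of posts whose native comment form is still open.
# Assumption: --comment_status is passed to WP_Query as a filter.
open_comment_ids() {
    wp post list --comment_status=open --format=ids
}

# Close native comments one post at a time, pausing DELAY seconds
# between updates so sync calls to Discourse are spaced out.
# Usage: close_open_comments [DELAY_SECONDS]
# Set DRY_RUN=1 to list what would be changed without updating.
# Prints a summary line: "closed=<n> failed=<m>".
close_open_comments() {
    delay="${1:-5}"
    closed=0
    failed=0
    for id in $(open_comment_ids); do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "would close comments on post $id" >&2
            continue
        fi
        if wp post update "$id" --comment_status=closed >/dev/null 2>&1; then
            closed=$((closed + 1))
        else
            # Keep going; failed IDs are reported for a later retry.
            echo "update failed for post $id" >&2
            failed=$((failed + 1))
        fi
        sleep "$delay"
    done
    echo "closed=$closed failed=$failed"
}

# Example invocation (commented out so sourcing this file changes nothing):
# DRY_RUN=1 close_open_comments
# close_open_comments 5
```

Run it with `DRY_RUN=1` first to see how many posts still accept native comments before changing anything.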
From my understanding, you still have to enable comments on the specific post you want comments on. Like this…
If I deselect that, and save the WP post, then the “Comment” metadata in WordPress goes away. Think of the comment count, which doubles as a link that drops you down the page to the Discourse link to the forum. Most people rely on that Comment metadata link at the top of the page to know they can comment, without going to the bottom of the page.
I see, reading carefully, the first screenshot I shared essentially says posts using WP-Discourse still have the WP comments template. I thought it was replaced. So then, I’ll test out turning on this second setting. That would prevent spam and anyone not logged in from using the hidden WP comment template, while still allowing everything else we want.