When using the WP Discourse plugin, the endpoint /wp-comments-post.php is still active and can be used to post WordPress comments via POST by mostly bot traffic to spam comments.
Did I miss a setting in the plugin to disable this?
EDIT: For the time being I’ve done the following to stop these requests.
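<?php
// Reject any request that executes wp-comments-post.php with a 403.
function disable_wp_comments_post() {
    // SCRIPT_NAME is the executed script only; PHP_SELF also carries any
    // trailing path info, which would change what basename() returns.
    if (basename($_SERVER['SCRIPT_NAME']) === 'wp-comments-post.php') {
        status_header(403);
        die();
    }
}
// 'init' fires while wp-comments-post.php loads WordPress, before the comment is handled.
add_action('init', 'disable_wp_comments_post');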
Hey @jordantrizz, could I just confirm you have Discourse comments enabled (i.e. “Enable Discourse Comments” in the “Commenting” section of the WP Discourse admin is checked)?
Hey @jordantrizz thanks for your patience. I wanted to review this again in light of changes made last year.
After reviewing this again, this is in fact a desired aspect of the WP Discourse system, to allow for flexibility in how folks manage native WordPress and WP Discourse comments (e.g. some people use both at once).
To administer WordPress comments, including the use of /wp-comments-post.php, please use the native WordPress settings in Settings > Discussion e.g. “Allow people to submit comments on new posts”.
Thanks, and perhaps this should be documented somewhere, because I was under the assumption that if you shut down the WordPress comments, the Discourse widget will not be displayed.
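To check from the web server's access log whether POSTs to /wp-comments-post.php are actually being refused (with the 403 from the first post's snippet, for instance), the following added example, which is not code from the thread or from WP Discourse, tallies those requests by status and lists the client IPs whose requests were not answered 403. It assumes a common/combined-format access log; the sample lines and function names are constructed for illustration.

```python
import re
from collections import Counter

# Common/combined log format: ip - - [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Matches the endpoint at any install path, with or without trailing path info.
ENDPOINT_RE = re.compile(r'/wp-comments-post\.php(/|$)')

def is_comment_post(method, target):
    """True for a POST whose path (query string removed) is the comment endpoint."""
    path = target.split("?", 1)[0]
    return method == "POST" and ENDPOINT_RE.search(path) is not None

def summarize(lines):
    """Return (count per status, count per IP of requests not answered 403)."""
    by_status, not_blocked = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, status = m.groups()
        if not is_comment_post(method, target):
            continue
        by_status[status] += 1
        if status != "403":
            not_blocked[ip] += 1
    return by_status, not_blocked

def _line(ip, request, status):
    """Build one constructed log line (hypothetical helper for the sample)."""
    return f'{ip} - - [10/Mar/2024:10:00:00 +0000] "{request} HTTP/1.1" {status} 0 "-" "-"'

# Constructed sample input using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    _line("203.0.113.7", "POST /wp-comments-post.php", 403),
    _line("203.0.113.7", "POST /wp-comments-post.php", 403),
    _line("198.51.100.23", "POST /wp-comments-post.php", 302),
    _line("198.51.100.23", "POST /blog/wp-comments-post.php?x=1", 302),
    _line("192.0.2.10", "GET /wp-comments-post.php", 405),
    _line("192.0.2.10", "POST /wp-login.php", 200),
    "not an access log line",
]

if __name__ == "__main__":
    statuses, leaks = summarize(SAMPLE_LOG)
    print("POSTs to wp-comments-post.php by status:", dict(statuses))
    print("Clients not answered with 403:", dict(leaks))
```

Any IP listed in the second result reached the comment handler, so either the block is not loaded for that request or comments are still open under Settings > Discussion.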