Bots posting comments on pages

In order to add a new comment you really only need a couple of fields and a POST method.

In a typical comment form, requests are submitted to http://www.example.com/wp-comments-post.php which parses the $_POST data and sends it off to wp_handle_comment_submission.

A POST method varies from a GET request in that params are usually sent in a non-visual way. With GET you might see www.example.com?foo=bar but in a POST method the params are sent in addition to the url request so you visually only see www.example.com.

Another thing to note is that the page/post ID can usually be seen as a class in the page’s body section. <body class="page page-id-1234" so in order to submit a comment to a page you would really only need that ID coupled with the wp-comments-post.php url.

Here is an example using POSTMAN to construct the request for PHP:

<?php

$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://www.vistex.com/wp-comments-post.php",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => "-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"email-notes\"\r\n\r\nemail-notes-here\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"comment_post_ID\"\r\n\r\n134\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"author\"\r\n\r\n4\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"email\"\r\n\r\[email protected]\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"url\"\r\n\r\nhttp://wordpress.stackexchange.com/questions/221084/bots-posting-comments-on-pages\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"comment\"\r\n\r\nspam_from_stackexchange_brandozzzzzzz - http://wordpress.stackexchange.com/users/64789/brandozz - http://wordpress.stackexchange.com/questions/221084/bots-posting-comments-on-pages\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"comment_parent\"\r\n\r\n134\r\n-----011000010111000001101001\r\nContent-Disposition: form-data; name=\"_wp_unfiltered_html_comment\"\r\n\r\n_wp_unfiltered_html_comment\r\n-----011000010111000001101001--",
  CURLOPT_HTTPHEADER => array(
    "cache-control: no-cache",
    "content-type: multipart/form-data; boundary=---011000010111000001101001",
    "postman-token: c34ed3e0-fcc4-2b4b-75bf-d864135cddde"
  ),
));

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
}

And the same request in jQuery:

var form = new FormData();
form.append("email-notes", "email-notes-here");
form.append("comment_post_ID", "134");
form.append("author", "4");
form.append("email", "[email protected]");
form.append("url", "http://wordpress.stackexchange.com/questions/221084/bots-posting-comments-on-pages");
form.append("comment", "spam_from_stackexchange_brandozzzzzzz - http://wordpress.stackexchange.com/users/64789/brandozz - http://wordpress.stackexchange.com/questions/221084/bots-posting-comments-on-pages");
form.append("comment_parent", "134");
form.append("_wp_unfiltered_html_comment", "_wp_unfiltered_html_comment");

var settings = {
  "async": true,
  "crossDomain": true,
  "url": "https://www.vistex.com/wp-comments-post.php",
  "method": "POST",
  "headers": {
    "cache-control": "no-cache",
    "postman-token": "a66dc74a-685e-719c-75be-9c81ab69bf5e"
  },
  "processData": false,
  "contentType": false,
  "mimeType": "multipart/form-data",
  "data": form
}

$.ajax(settings).done(function (response) {
  console.log(response);
});

As you can see, all the data is removed from the URL and sent with the data fields. You can also see that a WP front-end isn’t required to send the comment request and that any language can submit a comment from anywhere. Awesome right? 🙁

That being said, when I tried this method on the page you described I got a response back:

<html>...

<p>Sorry, comments are closed for this item.</p>

...</html>

That’s because the simple check to see if the page accepts comments in the first place:

if ( ! comments_open( $comment_post_ID ) ) {

Then throws and error if they aren’t open:

return new WP_Error( 'comment_closed', __( 'Sorry, comments are closed for this item.' ), 403 );

So, in your case, there may be another way or there could be something else running that triggers a new comment:

$commentdata = compact(
    'comment_post_ID',
    'comment_author',
    'comment_author_email',
    'comment_author_url',
    'comment_content',
    'comment_type',
    'comment_parent',
    'user_ID'
);

$comment_id = wp_new_comment( wp_slash( $commentdata ) );

Related Posts:

  1. Why do I get comment spam even with Akismet and Captcha?
  2. Removing the “Website” Field from Comments and Replies?
  3. How to deal with small scale comment spam on small commercial sites? [closed]
  4. What’s the easiest way to close comments on media/attachments?
  5. How to remove comment spam in WordPress
  6. How is comment spam received without a comments form?
  7. Allow anonymous comments, but prevent spam [closed]
  8. Is there any advantage to emptying comment spam?
  9. Why do I get email notifications about comments that WordPress has already determined are spam?
  10. Number of External Links in Comments – Moderation Option
  11. Comments screen in backend, how to disable Quick Edit | Edit | History | Spam | for non admins
  12. Strategies for coping with hyperagressive spambots?
  13. How can I automatically delete comments that contain chinese / russian signs?
  14. Comments view limited to 20 results – any way to increase to 50 or 100?
  15. Report spam button
  16. How to make a secure blog that is completely private?
  17. Auto delete comment if Contains
  18. All users/comments suspected as bot? [closed]
  19. Spammers attacking my WordPress Site – Removing URL field from core? [closed]
  20. How to block comments and pings?
  21. Batch approve comments
  22. reCaptcha doesnt appear in comment (manual or plugin)
  23. Make every comment go to the spam folder
  24. Anonymous spam comments when only registered users can comment
  25. Comment moderation
  26. Auto-deleting comments that trigger the blacklist
  27. approve,spam,trash etc. options are not coming on comments in admin panel
  28. comments are going to spam
  29. How to hide and disable URL and email fields from comments?
  30. Add option to disable comments on a per posts basis?
  31. What should I do to make generated avatars different for anonymous comments?
  32. Check If comment author is registered
  33. Success message in comment form
  34. How to allow the reply link to remain on the comment form after I have reached my 10 nested comment limit?
  35. Is there a hook for comment author link?
  36. How can I edit the email sent when a new comment is received?
  37. Change the HTML output of comments
  38. How to Block Access to Standard Login Flow and Comment Flow
  39. Upload images with comment
  40. Prevent Contributor to show comment list
  41. where to modify get_comment_author_link()?
  42. Does Akismet plugin expose any hooks, functions, class that can work with custom code?
  43. How to enable comments options?
  44. WordPress comment count to include attachment comments
  45. Displaying comments with a walker: how to distinguish between parent and child comments
  46. Count parent comments & replies separately?
  47. How to modify comments form using comment_form()?
  48. Capability for allowing user to post own comments without moderation
  49. Comment form problem with comment_author_url and HTML5 input placeholders
  50. How would I count the number of times a comment meta field’s value is in a post’s entire comments?
  51. stackexchange-like submit comment window
  52. How to query comments only for the current post?
  53. WordPress Comments are automatically publishing
  54. save_post action hook for comments
  55. How to handle upvotes and downvotes of disqus comments after importing disqus comments to wordpress?
  56. Only admin can see comments on post or page
  57. Show comments of a user post only when they are login
  58. How to get and use the the number of days since the last comment?
  59. How do I add class to an admin comment?
  60. Best way to tell if a comment is from a user?
  61. Adding SQL source code to comments
  62. How to control size of comments popup window?
  63. How to make comments private for commentor and post author
  64. Name of comment field differs on different sites
  65. WordPress Spam Comment Filter
  66. Which hook do I use to edit pending comment count on wordpress dashboard?
  67. comment button shows only logged in users wordpress
  68. get only one last comment from each post
  69. Applying same style to all the comments on the page
  70. Customise Comment form
  71. stumped on add_action hook to delete_comment – any ideas?
  72. Avoiding calls to theme-compat
  73. Allow tags between shortcode in comments
  74. How to load new posts from wordpress db into wordpress homepage without refreshing the site?
  75. Delete/Spam Comment Button
  76. Who approved a comment, to show up in dashboard
  77. comment just attachment .. reply just text … can I do that?
  78. I have an odd field with a purple background, mentioning HTML-codes to use while leaving comments
  79. No comment Section but still got a Comment
  80. How to prevent users/authors from seing IP/email of new commentators?
  81. Why are my threaded comments not quite working? [closed]
  82. $post->comment_status always returns ‘closed’
  83. Order comments in admin by custom date
  84. edit comments in front end
  85. How to replace anonymous comment form with a registration form on wordpress?
  86. How to get the 5 most recent comments and each comment 5 most recent replies (children)
  87. Redirect first time comments
  88. Posting XML in comment section
  89. comment files and s
  90. Comments – Ensure the correct field is highlighted for nested replies
  91. How to hold all comments for moderation, including author’s comments on own post
  92. Recent comments per tagged post?
  93. Subscribe to a post’s comments without posting a comment yourself
  94. WordPress error when sending comment
  95. WordPress Page Template: Comment Filtering with Querystring
  96. Why default comment fields don’t show up?
  97. How to enable truly anonymous posting in bbPress forums? [closed]
  98. comment awaiting moderation
  99. How do you fetch the authors email or IP from /comments? (REST API)
  100. How can I filter the user avatar displayed in comments? – get_avatar_url filter works everywhere but not in comments
Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)