The Insecure Way
You need to change your form so that it includes the ID of the comment you want to delete, e.g.:
<form method="post">
<input type="hidden" name="comment_id" value="<?php echo get_comment_ID(); ?>" />
<input type="submit" name="btn-delete" value="try-delete"/>
</form>
Without this, you have no idea which comment the user wanted to delete.
Then, you need to move the code that deletes the comment to a hook in functions.php
e.g.:
add_action( 'init', 'i_am_not_safe_to_use' );
function i_am_not_safe_to_use() {
if ( is_admin() ) {
return;
}
// only run if we're deleting a comment
if ( empty( $_POST['btn-delete'] ) || empty( $_POST['comment_id'] ) ) {
return;
}
// TODO, security checks
// delete the comment
$comment_id = intval( $_POST['comment_id'] );
wp_delete_comment( $comment_id, true );
}
This will work however it is insecure! Now anybody can delete any comment they want by submitting the form!!!
Security
The code needs to also do the following:
- check that the user has the necessary capability required to delete that comment
- add a nonce to the form
- check the nonce in the hook
At a minimum, you need this check:
if ( current_user_can( 'moderate_comments' ) || current_user_can( 'edit_comment', $comment_id ) ) {
// then the user has permission to delete the comment
} else {
wp_die( 'sneaky hackers! You are not allowed to delete this comment' );
}
The REST API
If you send an authenticated DELETE
request to the comments REST API at yoursite.com/wp-json/wp/v2/comments/<COMMENT ID GOES HERE>
then refresh the page, your comment will be gone.