[wp-hackers] XML-RPC anonymous comments wordpress.com

Dion Hulse (dd32) wordpress at dd32.id.au
Sat Feb 6 05:26:26 UTC 2010

Looking at the WordPress code will answer your questions.


As you can see there, Theres a logic branch there that says:

Accept the comment if either
  a. You're logged in
  b. The owner of the blog has specifically enabled anonymous commenting  

for b, The user would need to place some code like this, in their themes  
functions.php or a plugin:

function _theme_allow_xmlrpc_anon_comments() {
     return true;

I dont see this changing in WordPress anytime soon, Trackbacks are  
automated, Comments should not be.
Allowing anonymous comments via XMLRPC would allow for bypassing UI-based  
spam checkers to start with off the top of my head.

Dion Hulse / dd32

On Sat, 06 Feb 2010 16:08:36 +1100, Senica Gonzalez <senica at gmail.com>  

> Hey there,
> I posted the following on the wordpress.com forums and tbol3 sent me  
> over to
> you guys for help.
> The pretty version of this question is located here:
> http://en.forums.wordpress.com/topic/xml-rpc-anonymous-comments-wordpresscom?replies=3
> I have done tons of research today, but apparently I'm just not getting  
> the
> right answer. Today is my first day using XML-RPC. Piece of cake.
> I was able to do a Trackback, a PingBack, and various XML-RPC calls with
> different APIs to my blog. The one thing that I cannot seem to be able  
> to do
> is add an anonymous comment to my blog remotely.
> I have seen where other people have asked this question, and Jonathan has
> said that it was covered in the XML-RPC API. Basically, mentioning that  
> if
> you leave the username and password blank, it will work.....It doesn't.  
> At
> least not in my case. I always get:
> faultCode 403 faultString Bad login/pass combination.
> Here is the request I'm sending:
> $request = ' <?xml version="1.0" encoding="utf-8"?> <methodCall>
> <methodName>wp.newComment</methodName> <params> <param>
> <value><int>11838212</int></value>
> <value><string>{username}</string></value>
> <value><string>{password}</string></value> <value><int>20</int></value>
> <value> <struct> <member> <name>comment_parent</name>
> <value><int></int></value> </member> <member> <name>content</name>
> <value><string>Test1</string></value> </member> <member>  
> <name>author</name>
> <value><string>Ogglabas</string></value> </member> <member>
> <name>author_url</name> <value><string></string></value> </member>  
> <member>
> <name>author_email</name>  
> <value><string>senica at gmail.com</string></value>
> </member> </struct> </value> </param> </params> </methodCall>
>  If I have a username and password in there...it works perfect. The only
> problem is, it shows "me" as the poster, whereas I want to allow people  
> to
> post comments to my blog from my other website as well and have "their"  
> name
> show up as the poster.
> As already mentioned, if I take the username and password out....no dice.
>  Also, I wanted to mention before someone posts on here....Apparently,  
> there
> is a way to enable_anonymous_xml_rpc...or something to that affect, if I  
> was
> running Word Press on my own server.
> This is not the case, and not an option for me.
> And if someone says that it is a security issue....well, seems like
> trackbacks wouldn't be allowed either. At least with this, you can make  
> the
> user put in their email address and a name.
> This is an important feature to have if it is not already enabled.
> Thanks for the help ahead of time!

More information about the wp-hackers mailing list