[wp-hackers] XML-RPC anonymous comments wordpress.com

Senica Gonzalez senica at gmail.com
Sat Feb 6 05:44:24 UTC 2010


Yeah, this was a wordpress.com issue.

Does anyone know who/where I would argue my case at?

As far as trackbacks go...they don't have to be automated.  They can be
negotiated manually as well, causing spam on blogs (as I found out today).
To say that spammers won't use trackbacks for spamming just because they
are "supposed" to be automated...well, sort of like saying thieves won't
break into windows.

I like standards, I really do.  But to deny comments because a policy says
that's how it is supposed to be and allow trackbacks which provide the same
functionality that a spammer needs....just kind of silly.

On Fri, Feb 5, 2010 at 9:29 PM, Dion Hulse (dd32) <wordpress at dd32.id.au> wrote:

> I completely missed that this was a WordPress.com question specifically..
>
> I'd go back to the .com support thread you've got, and argue your case
> there.
>
> Anonymous commenting via XMLRPC will be disabled on wordpress.com hosting,
> simple as that.
>
> If you host your own blog, you can enable the functionality yourself.
>
>
> On Sat, 06 Feb 2010 16:26:26 +1100, Dion Hulse (dd32) <wordpress at dd32.id.au> wrote:
>
>> Looking at the WordPress code will answer your questions.
>>
>> http://core.trac.wordpress.org/browser/trunk/xmlrpc.php#L1235
>>
>> As you can see there, there's a logic branch there that says:
>>
>> Accept the comment if either
>>  a. You're logged in
>> or
>>  b. The owner of the blog has specifically enabled anonymous commenting
>> via XMLRPC
>>
>> For b, the user would need to place some code like this in their theme's
>> functions.php or a plugin:
>>
>> add_filter('xmlrpc_allow_anonymous_comments', '_theme_allow_xmlrpc_anon_comments');
>> function _theme_allow_xmlrpc_anon_comments() {
>>     return true;
>> }
>>
>> I don't see this changing in WordPress anytime soon. Trackbacks are
>> automated, comments should not be.
>> Allowing anonymous comments via XMLRPC would allow for bypassing UI-based
>> spam checkers, to start with, off the top of my head.
>>
>> Cheers
>> Dion Hulse / dd32
>>
>> On Sat, 06 Feb 2010 16:08:36 +1100, Senica Gonzalez <senica at gmail.com> wrote:
>>
>>> Hey there,
>>>
>>> I posted the following on the wordpress.com forums and tbol3 sent me over to
>>> you guys for help.
>>>
>>> The pretty version of this question is located here:
>>>
>>> http://en.forums.wordpress.com/topic/xml-rpc-anonymous-comments-wordpresscom?replies=3
>>>
>>> I have done tons of research today, but apparently I'm just not getting the
>>> right answer. Today is my first day using XML-RPC. Piece of cake.
>>>
>>> I was able to do a Trackback, a PingBack, and various XML-RPC calls with
>>> different APIs to my blog. The one thing that I cannot seem to be able to do
>>> is add an anonymous comment to my blog remotely.
>>>
>>> I have seen where other people have asked this question, and Jonathan has
>>> said that it was covered in the XML-RPC API. Basically, mentioning that if
>>> you leave the username and password blank, it will work.....It doesn't. At
>>> least not in my case. I always get:
>>>
>>> faultCode 403 faultString Bad login/pass combination.
>>>
>>> Here is the request I'm sending:
>>>
>>> $request = ' <?xml version="1.0" encoding="utf-8"?>
>>> <methodCall>
>>> <methodName>wp.newComment</methodName>
>>> <params> <param>
>>> <value><int>11838212</int></value>
>>> <value><string>{username}</string></value>
>>> <value><string>{password}</string></value>
>>> <value><int>20</int></value>
>>> <value> <struct>
>>> <member> <name>comment_parent</name> <value><int></int></value> </member>
>>> <member> <name>content</name> <value><string>Test1</string></value> </member>
>>> <member> <name>author</name> <value><string>Ogglabas</string></value> </member>
>>> <member> <name>author_url</name> <value><string></string></value> </member>
>>> <member> <name>author_email</name> <value><string>senica at gmail.com</string></value> </member>
>>> </struct> </value>
>>> </param> </params>
>>> </methodCall>
>>>
>>> If I have a username and password in there...it works perfect. The only
>>> problem is, it shows "me" as the poster, whereas I want to allow people to
>>> post comments to my blog from my other website as well and have "their" name
>>> show up as the poster.
>>>
>>> As already mentioned, if I take the username and password out....no dice.
>>>
>>>
>>> Also, I wanted to mention before someone posts on here....Apparently, there
>>> is a way to enable_anonymous_xml_rpc...or something to that effect, if I was
>>> running WordPress on my own server.
>>>
>>> This is not the case, and not an option for me.
>>>
>>> And if someone says that it is a security issue....well, seems like
>>> trackbacks wouldn't be allowed either. At least with this, you can make the
>>> user put in their email address and a name.
>>>
>>> This is an important feature to have if it is not already enabled.
>>>
>>>
>>>
>>> Thanks for the help ahead of time!
>>>
>>
>
> --
> Dion Hulse / dd32
>
> Contact:
>  e: contact at dd32.id.au
>  msn: msn at d32.id.au
>  skype: theonly_dd32
>  Web: http://dd32.id.au/
>
>
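
For the self-hosted case discussed in the quoted reply, an added example (not code from the thread or from WordPress core): it opts in through the same `xmlrpc_allow_anonymous_comments` filter and holds every anonymous XML-RPC comment for moderation, since such comments never pass through the comment form. The `example_*` function names are hypothetical.

```php
<?php
// Added example for a self-hosted blog; place in a plugin or the theme's
// functions.php. The example_* function names are hypothetical.

// Opt in to anonymous comments over XML-RPC (the filter quoted in the thread).
add_filter( 'xmlrpc_allow_anonymous_comments', 'example_allow_xmlrpc_anon_comments' );
function example_allow_xmlrpc_anon_comments() {
    return true;
}

// Hold anonymous XML-RPC comments for moderation instead of publishing them.
// 'pre_comment_approved' receives the approval status WordPress has decided
// on so far: 1 (approved), 0 (pending) or 'spam'.
add_filter( 'pre_comment_approved', 'example_hold_anon_xmlrpc_comments' );
function example_hold_anon_xmlrpc_comments( $approved ) {
    // xmlrpc.php defines XMLRPC_REQUEST for every XML-RPC call.
    $via_xmlrpc = defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST;

    // Leave form-submitted comments and authenticated XML-RPC comments alone.
    if ( ! $via_xmlrpc || is_user_logged_in() ) {
        return $approved;
    }

    // Downgrade only an "approved" verdict; keep 'spam' or any other status
    // that an earlier check already assigned.
    if ( 1 === $approved || '1' === $approved ) {
        return 0;
    }
    return $approved;
}
```

Spam plugins that hook `preprocess_comment` or `pre_comment_approved` still see these comments; checks built into the comment form itself do not.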

