I got caught with this trick once, so I decided to share it with other webmasters who don’t know this already.
In WordPress, the default comment settings (Settings->Discussion) are as follows:
So the requirements for a comment to appear are:
- Comment author must fill out name and e-mail.
- Comment author must have a previously approved comment.
This is all good until someone leaves a genuinely nice comment on your site, you approve it, and he then turns into a spammer. Because you already approved one of his comments, he can now post spam comments with links everywhere without your permission.
This is how this trick works:
- Someone comes to your site and leaves an honest, nice comment on a post.
- You do the only reasonable thing, which is to approve that comment.
- Now that the person has an approved comment, he meets both criteria for a comment to appear without the webmaster having to approve it!
- He comes back and posts spam comments with links left, right and center on your site!
To protect yourself from this, tick “An administrator must always approve the comment” in Settings->Discussion. Every comment then waits in the moderation queue regardless of the author’s history; the trade-off is that you moderate everything by hand.
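To make the trick concrete, here is an added Python model of the moderation rules described above. It is not WordPress code and is simplified: the setting names mirror the Settings->Discussion checkboxes, the link threshold is the separate “Hold a comment in the queue if it contains N or more links” option on the same page, and the commenter names, e-mail address and comment text are constructed sample data. It replays the scenario (nice comment held, admin approves it, spam comment from the same name and e-mail sails through) and then shows the same scenario with the manual-approval setting ticked.

```python
"""Model of the WordPress comment-moderation rules described in the post.

Constructed for illustration; this is not WordPress's own code. Setting
names mirror the Settings->Discussion checkboxes.
"""
import re
from dataclasses import dataclass

# Counts bare URLs and HTML anchors in the comment body (constructed pattern).
URL_RE = re.compile(r"https?://\S+|<a\s[^>]*href", re.IGNORECASE)


@dataclass
class Comment:
    author: str
    email: str
    content: str


@dataclass
class DiscussionSettings:
    require_name_email: bool = True    # "Comment author must fill out name and e-mail"
    previously_approved: bool = True   # "Comment author must have a previously approved comment"
    manual_moderation: bool = False    # "An administrator must always approve the comment"
    max_links: int = 2                 # "Hold a comment ... if it contains N or more links"; 0 disables


class ModerationQueue:
    def __init__(self, settings: DiscussionSettings):
        self.settings = settings
        self.approved: list[Comment] = []   # visible on the site
        self.held: list[Comment] = []       # waiting for the admin

    def _has_prior_approval(self, c: Comment) -> bool:
        # The check is keyed on the name and e-mail the commenter typed,
        # which nobody verifies, so a returning commenter just reuses them.
        return any(a.author == c.author and a.email == c.email for a in self.approved)

    def decide(self, c: Comment) -> str:
        s = self.settings
        if s.manual_moderation:                     # the fix: always hold
            return "hold"
        if s.max_links and len(URL_RE.findall(c.content)) >= s.max_links:
            return "hold"                           # only catches link-heavy comments
        if s.require_name_email and not (c.author.strip() and c.email.strip()):
            return "hold"
        if s.previously_approved and not self._has_prior_approval(c):
            return "hold"
        return "approve"

    def submit(self, c: Comment) -> str:
        verdict = self.decide(c)
        (self.approved if verdict == "approve" else self.held).append(c)
        return verdict

    def admin_approve(self, c: Comment) -> None:
        self.held.remove(c)
        self.approved.append(c)


def replay(settings: DiscussionSettings, spam_email: str = "pat@example.com") -> tuple[str, str]:
    """Run the post's scenario; return the verdict for the nice and the spam comment."""
    q = ModerationQueue(settings)
    nice = Comment("Pat", "pat@example.com", "Great write-up, thanks!")      # constructed
    spam = Comment("Pat", spam_email, "Cheap stuff at http://spam.example/deal")  # constructed
    first = q.submit(nice)
    if first == "hold":
        q.admin_approve(nice)   # the webmaster does the only reasonable thing
    second = q.submit(spam)
    return first, second


if __name__ == "__main__":
    print("defaults:        ", replay(DiscussionSettings()))
    print("manual approval: ", replay(DiscussionSettings(manual_moderation=True)))
    print("different e-mail:", replay(DiscussionSettings(), spam_email="other@example.com"))
```

Under the defaults the spam comment is auto-approved because it carries only one link (below the two-link threshold) and its author and e-mail match an already approved comment; with `manual_moderation=True` both comments are held. The third run shows that the bypass depends entirely on reusing the same typed name and e-mail.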