[wp-xmlrpc] Posting comments through XMLRPC

Alex Forrow alex at fav.or.it
Mon Jul 21 08:20:27 GMT 2008


Hi,

We have written a plugin which integrates into our software to allow
WordPress to receive comments through XMLRPC. The interface we have created
is standard but to avoid spam, unless the user can authenticate, the plugin
will only accept comments received for our site. Assuming we could find a
more general method for avoiding spam, we would like to propose that this
plugin is made generic and integrated into the WordPress codebase.

If a user can authenticate to WordPress (either in the database of the
WordPress installation, or against a WordPress.com account for hosted blogs),
this can be used to prove the user's identity. Can't see any problems here.

The more tricky situation is where anonymous comments need to be posted. I
see no reason why not to mandate the sending of name and email with the
comment and follow standard comment filtering rules, but ideally we would
have another level of security. One suggestion is to provide a trackback
service, so a trackback url is posted with the comment, which WordPress can
connect back on using some kind of unique identifier, and verify the service
did actually send the comment.

Another, slightly more complicated idea could be based around the principles
of DomainKeys, a technology for email-spam avoidance
(http://en.wikipedia.org/wiki/DomainKeys). The comment sender could sign the
comment using a public/private key pair, the public key being posted in a
DNS TXT record of the domain of the sender. This enables the receiving
XMLRPC to verify that the comment is actually from the domain the sender
says they are in. Unfortunately this doesn't actually solve the spam
problem, it only allows receivers to verify the sender of the comment. This,
however, could be the basis of another solution which requires sender
verification (e.g. a managed blacklist/whitelist).

The plugin in its current form is available at
http://croc.favsys.net/alex/wp_favorit.zip if anyone would like to take a
look.

We're very keen to hear suggestions and comments from those that may have
some thoughts.

Kind regards,

Alex Forrow
Systems Administrator, Favorit Limited
Blog: http://blog.fav.or.it/
Telephone: 0845 643 0673
Address: favorit Ltd, Building L033, London Road, Reading, RG1 5AQ
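
The DomainKeys-style sender check proposed in the message above, as an added example that is not part of the original post or the plugin. It assumes Ed25519 in place of the RSA keys DomainKeys used; the `_commentkey` record name, the `k=ed25519; p=...` TXT layout, the comment field names and the in-memory map standing in for DNS are all hypothetical.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for DNS: maps a TXT record name to its value.
// A real receiver would query DNS (e.g. dns.promises.resolveTxt) instead.
const fakeDnsTxt = new Map();

// Hypothetical record name layout, modelled on DomainKeys selectors.
const recordName = (selector, domain) => `${selector}._commentkey.${domain}`;

// Serialise every signed field unambiguously: a JSON array in fixed order.
function canonicalize(c) {
  return Buffer.from(JSON.stringify(
    [c.domain, c.selector, c.postId, c.author, c.email, c.content, c.sentAt]));
}

// Sender side: sign the comment with the sending domain's private key.
function signComment(comment, privateKey) {
  const signature = crypto.sign(null, canonicalize(comment), privateKey).toString('base64');
  return { ...comment, signature };
}

// Receiver side: fetch the claimed domain's key and verify before accepting.
function verifyComment(comment, nowMs, maxAgeMs = 5 * 60 * 1000) {
  const txt = fakeDnsTxt.get(recordName(comment.selector, comment.domain));
  if (!txt) return { ok: false, reason: 'no key published for domain' };
  const m = /^k=ed25519; p=([A-Za-z0-9+/=]+)$/.exec(txt);
  if (!m) return { ok: false, reason: 'malformed key record' };
  // Reject stale messages so a captured signed comment cannot be replayed later.
  if (Math.abs(nowMs - comment.sentAt) > maxAgeMs) return { ok: false, reason: 'stale timestamp' };
  let valid = false;
  try {
    const publicKey = crypto.createPublicKey({ key: Buffer.from(m[1], 'base64'), format: 'der', type: 'spki' });
    valid = crypto.verify(null, canonicalize(comment), publicKey, Buffer.from(comment.signature || '', 'base64'));
  } catch { valid = false; }
  return valid ? { ok: true, domain: comment.domain } : { ok: false, reason: 'bad signature' };
}

// Constructed sample: the sender domain publishes its key, then signs one comment.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
fakeDnsTxt.set(recordName('c2008', 'sender.example'),
  'k=ed25519; p=' + publicKey.export({ format: 'der', type: 'spki' }).toString('base64'));
const NOW = 1216628427000; // constructed clock value
const signed = signComment({ domain: 'sender.example', selector: 'c2008', postId: 42,
  author: 'Alice', email: 'alice@sender.example', content: 'Nice post', sentAt: NOW }, privateKey);
console.log(verifyComment(signed, NOW));
```

A passing check only establishes which domain sent the comment; the returned `domain` is the value a managed blacklist/whitelist would key on.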




