[wp-xmlrpc] Posting comments through XMLRPC

Joseph Scott joseph at randomnetworks.com
Thu Jul 24 03:38:03 GMT 2008


On Jul 21, 2008, at 2:20 AM, Alex Forrow wrote:

> We have written a plugin which integrates into our software to allow
> WordPress to receive comments through XMLRPC. The interface we have created
> is standard but to avoid spam, unless the user can authenticate, the plugin
> will only accept comments received for our site. Assuming we could find a
> more general method for avoiding spam, we would like to propose that this
> plugin is made generic and integrated into the WordPress codebase.
>
> If a user can authenticate to WordPress (either in the database of the
> WordPress installation, or against a WordPress.com account for hosted blogs),
> this can be used to prove the user's identity. Can't see any problems here.

Comments that come with a valid username and password we could consider trusted.


> The more tricky situation is where anonymous comments need to be posted. I
> see no reason why not to mandate the sending of name and email with the
> comment and follow standard comment filtering rules, but ideally we would
> have another level of security. One suggestion is to provide a trackback
> service, so a trackback url is posted with the comment, which WordPress can
> connect back on using some kind of unique identifier, and verify the service
> did actually send the comment.

I suppose technically there's no difference between submitting a form and
providing an API, but it would be nice not to provide one more way for
spammers to submit junk.


> Another, slightly more complicated idea could be based around the principles
> of DomainKeys, a technology for email-spam avoidance
> (http://en.wikipedia.org/wiki/DomainKeys). The comment sender could sign the
> comment using a public/private key pair, the public key being posted in a
> DNS TXT record of the domain of the sender. This enables the receiving
> XMLRPC to verify that the comment is actually from the domain the sender
> says they are in. Unfortunately this doesn't actually solve the spam
> problem, it only allows receivers to verify the sender of the comment. This,
> however, could be the basis of another solution which requires sender
> verification (e.g. a managed blacklist/whitelist).
>
> The plugin in its current form is available at
> http://croc.favsys.net/alex/wp_favorit.zip if anyone would like to take a
> look.

I don't think it's worth having two separate methods for this, may as well
just have one. Then if the username and password aren't provided we treat it
as an unauthenticated comment.

--
Joseph Scott
joseph at randomnetworks.com
http://joseph.randomnetworks.com/
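The DomainKeys-style proposal from the thread (sender signs the comment, public key published in a DNS TXT record, receiving side verifies) combined with the single-method fallback Joseph describes, written out as an added example; this is not code from the thread or from Alex's plugin. The `_wpcomment.<domain>` TXT name, the `k=ed25519; p=` record format, the in-memory map standing in for DNS and the `checkLogin` callback are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Trust levels the receiving blog assigns to a comment that arrived over XML-RPC.
const (
	Trusted         = "trusted"         // valid WordPress username and password
	VerifiedDomain  = "verified-domain" // signature checks against the sender's DNS TXT key
	Unauthenticated = "unauthenticated" // neither: ordinary comment filtering applies
)
const txtPrefix = "k=ed25519; p=" // hypothetical record format, modelled on DomainKeys
type Comment struct{ Domain, Name, Email, Content string }
// canonical is the byte string that is signed; the fixed field order is what lets both sides agree on it.
func canonical(c Comment) []byte {
	return []byte(strings.Join([]string{c.Domain, c.Name, c.Email, c.Content}, "\n"))
}
// TXTRecord is the sender's public key as published in DNS; Sign is what the sending service does before the XML-RPC call.
func TXTRecord(pub ed25519.PublicKey) string { return txtPrefix + base64.StdEncoding.EncodeToString(pub) }
func Sign(c Comment, priv ed25519.PrivateKey) []byte  { return ed25519.Sign(priv, canonical(c)) }
// Classify decides how far to trust a comment. lookup stands in for a DNS TXT query of _wpcomment.<domain>; checkLogin validates credentials against the blog.
func Classify(c Comment, user, pass string, sig []byte,
	lookup func(name string) (string, bool), checkLogin func(u, p string) bool) string {
	if user != "" && checkLogin(user, pass) {
		return Trusted
	}
	rec, ok := lookup("_wpcomment." + c.Domain)
	if !ok || !strings.HasPrefix(rec, txtPrefix) {
		return Unauthenticated // no published key: fall back to normal moderation
	}
	pub, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(rec, txtPrefix))
	if err != nil || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(pub), canonical(c), sig) {
		return Unauthenticated // bad key or bad signature: demote, never promote
	}
	return VerifiedDomain // proves only the sending domain, not that the content is not spam
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dns := map[string]string{"_wpcomment.example.org": TXTRecord(pub)} // constructed stand-in for DNS
	lookup := func(n string) (string, bool) { r, ok := dns[n]; return r, ok }
	c := Comment{"example.org", "Alex", "alex@example.org", "Nice post"}
	sig := Sign(c, priv)
	fmt.Println(Classify(c, "", "", sig, lookup, func(string, string) bool { return false })) // verified-domain
	c.Content = "changed after signing"
	fmt.Println(Classify(c, "", "", sig, lookup, func(string, string) bool { return false })) // unauthenticated
}
```

A domain-verified comment is still only a verified sender: the allow/deny list the thread mentions is what would turn that into a spam decision.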
