I received an email the other day from my web hosting provider saying that someone had left a comment on my site. This had me confused because I had deleted the comment section from the template I’m using. I logged in to see what the comment was, and it was a shortURL link. Because I am new to and unfamiliar with web design in general, I decided to do a little research. A couple of things I found out in my initial digging:
A: Comments can be submitted via the back end of a website
B: What exactly a shortURL is and how to test whether a link is safe (this will be a separate blog post; you can find it here).
Back-end Comments

It seems that these comments generally come from spammers/bots that are able to post comments directly via the wp-comments-post.php file. If you try to access the comments on my site directly (https://ryansantos.org/wp-comments.php), you just reach a page-not-found error.

Since we have already established that we cannot post a comment on the front end, and that bots do this on the back end, how is it done?
Spammers use scripts that let bots perform these actions automatically. The bots use the terminal with the cURL (client URL) command, a command line tool that developers use to transfer data to and from a server (developer.ibm.com).
With cURL, bots can send HTTP POST requests straight to that file, which lets them bypass the front-end comment section on my site.
However, for this to work, bots need a valid postID. They get it by scraping a site’s source code, and we can do the same manually through F12 in the browser’s developer tools.

Now that we have a valid postID, we can write a command that will let us post a comment even though there is no comment section on the page. For the POC, I’m going to use the spammer’s name and email.
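Seen from the server side, a bot posting this way leaves a recognisable trace in the web server access log: a POST to wp-comments-post.php whose Referer header is empty or points at another site, often with a curl user agent. The script below is an added example (not part of this post, and not WordPress code) that scans Apache combined-format log lines for exactly that pattern; the log lines and IP addresses are constructed, and the site URL is the one from this post.

```shell
#!/bin/sh
# Constructed sample access log lines in Apache "combined" format (not real traffic).
# Fields: client ip, identd, user, [timestamp], "request", status, bytes, "referer", "user-agent"
SAMPLE_LOG='203.0.113.10 - - [10/Mar/2024:12:00:01 +0000] "GET /2024/03/hello-world/ HTTP/1.1" 200 5120 "https://ryansantos.org/" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2024:12:00:09 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://ryansantos.org/2024/03/hello-world/" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:01:15 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "curl/8.4.0"
198.51.100.8 - - [10/Mar/2024:12:01:16 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://spam.example/" "Mozilla/5.0"'

# flag_direct_comment_posts SITE_URL
# Reads log lines on stdin and prints "ip referer=... ua=..." for every POST to
# wp-comments-post.php whose Referer does not start with SITE_URL. A browser
# submitting a real comment form always sends the post's own URL as Referer;
# a bot calling the endpoint directly with cURL typically sends none ("-").
# Referer is client-controlled, so this is a detection heuristic, not proof.
flag_direct_comment_posts() {
  site="$1"
  awk -v site="$site" '
    {
      # Split on double quotes: q[2] is the request line, q[4] the referer, q[6] the user agent
      split($0, q, "\"")
      if (q[2] ~ /^POST \/wp-comments-post\.php( |$)/ && index(q[4], site) != 1)
        print $1, "referer=" q[4], "ua=" q[6]
    }'
}

# count_direct_comment_posts SITE_URL: number of flagged requests on stdin
count_direct_comment_posts() {
  flag_direct_comment_posts "$1" | wc -l | tr -d ' '
}

# Run against the constructed sample; the two bot lines are flagged, the browser one is not.
printf '%s\n' "$SAMPLE_LOG" | flag_direct_comment_posts "https://ryansantos.org/"
```

The same Referer test is what the common Apache rewrite rule that denies POSTs to wp-comments-post.php relies on; the more direct fix is to close comments on the posts themselves, because WordPress then rejects the POST even when the form is gone from the template.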

