WordPress can be a sewer of pain if not secured properly. I decided to give it a shot anyway and threw together a corporate website on WordPress. After configuring the theme, I posted and noticed that the comments were turned on.
I turned them off, and then made another post and verified that the new post had the comments off.
Before I knew what happened, I had over 4,200 spam comments on the first post.
At first I thought I was hacked and I was diligent in securing the box. I couldn’t find anything that even remotely suggested that I had been hacked. I did however see that the spammers were hammering away at wp-comments-post.php.
Even though I disabled comments globally, commenting was still enabled on the single post, and the spammers’ scripts found that comments were enabled there; the rest is history.
The only sure-fire way to disable comments is to delete or rename wp-comments-post.php.
That leaves the 4000+ comments hawking porn sites, get-rich-quick schemes and viagra. How in the hell was I going to clean that up? You can only delete maybe 50 or so comments from the dashboard. No way.
Most online help was all about deleting comments that were not yet approved or marked as spam. I wanted to delete them ALL.
Here is the magic command:
mysql> DELETE FROM wp_comments;
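The one-liner above does the job, but a bare DELETE leaves behind rows in wp_commentmeta that point at comments which no longer exist, and the per-post comment counter that WordPress caches in wp_posts stays at the old value, so the dashboard keeps showing thousands of comments. The following is an added example, not part of the original post, of the fuller cleanup I would run instead. It assumes the default "wp_" table prefix and MySQL/MariaDB; the USER, DBNAME and backup filename are placeholders.

```sql
-- Added example (not from the original post): wipe the spam and tidy up afterwards.
-- Assumes the default "wp_" table prefix and MySQL/MariaDB.

-- 1. Back up the affected tables first, from the shell rather than the mysql prompt:
--    mysqldump -u USER -p DBNAME wp_comments wp_commentmeta > comments-backup.sql

-- 2. Look before deleting: how many comments are in each moderation state.
--    WordPress stores '1' (approved), '0' (pending), 'spam' and 'trash' here.
SELECT comment_approved, COUNT(*) AS n
FROM wp_comments
GROUP BY comment_approved;

-- 3. Delete everything, exactly as the post does.
DELETE FROM wp_comments;

-- 3b. Alternative if there are real comments worth keeping: drop only the
--     pending, spam and trashed ones and leave approved comments alone.
-- DELETE FROM wp_comments WHERE comment_approved IN ('0', 'spam', 'trash');

-- 4. Remove metadata rows (Akismet history and the like) whose comment is gone.
DELETE m
FROM wp_commentmeta AS m
LEFT JOIN wp_comments AS c ON c.comment_ID = m.comment_id
WHERE c.comment_ID IS NULL;

-- 5. Resync the cached counter on each post so the dashboard agrees with reality.
--    Only approved comments are counted, matching what WordPress itself does.
UPDATE wp_posts AS p
SET p.comment_count = (
  SELECT COUNT(*)
  FROM wp_comments AS c
  WHERE c.comment_post_ID = p.ID
    AND c.comment_approved = '1'
);

-- 6. Close commenting on every existing post and page, since the global setting
--    only governs posts created after it is changed and the old post stayed open.
UPDATE wp_posts
SET comment_status = 'closed'
WHERE post_type IN ('post', 'page');

-- 7. Confirm the result: expect zero rows and zero orphaned meta rows.
SELECT (SELECT COUNT(*) FROM wp_comments) AS comments_left,
       (SELECT COUNT(*) FROM wp_commentmeta) AS meta_left;
```

Step 6 is what addresses the root cause described above: the global "discussion" setting only changes the default for new posts, so the first post kept comment_status = 'open' until it was changed per post or, as here, in bulk. Renaming wp-comments-post.php still belongs in the plan, since a closed comment_status is only checked by that script.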