REST API: Turn off unauthed comment write by default
|Reported by:||helen||Owned by:||rmccue|
|Component:||REST API||Keywords:||has-patch has-unit-tests|
Posting anonymous comments is a long-time feature of WordPress, but also one that is much maligned when it comes to spam and the tightly related issue of pingback DDoS-ing. Per my understanding, writing to the comments endpoint does not allow for anything except the default comment type and is subject to the existing flood protections for comment posting, but I think we should turn off unauthed write by default for the following reasons:
- It does not currently present any significant benefit to have it on by default (open to arguments here, of course); however, given the nature of the internet, one can reasonably assume that spam bots will almost immediately adapt to this new availability.
- Assuming that this becomes even a perceived attack vector, hosts will then block access, much like they often do for XML-RPC, rendering it uselessly on by default and an even more frustrating fix for users.
- Spam and DDoS-ing attacks are some of the biggest perception problems we have as a project when it comes to core; it would be foolish to ship something that blithely repeats those same things because "that's how it currently works". We would been seen as idiots who don't care, and rightfully so IMO. This is of particular concern if the REST API is meant to be positioned to appeal to developers who have otherwise avoided WordPress.
No personal opinion on the filter and/or admin UI route. It is probably going to be kind of weird that you have one UI option to require users to be logged in to comment that doesn't apply to the REST API, as it's off by default. But in any case, this is the sort of thing that right now would be enabled by themes and plugins - we can always revisit in the future should third party experiences that involve unauthed commenting proliferate.
Original GitHub discussion: https://github.com/WP-API/WP-API/pull/693