This is really driving me nuts, and I just don’t understand what’s going on here. I’ve obviously got some sort of attacks and spammers and maybe a combination of both going on?
As it stands now, I have the option enabled that users must be registered and signed in to comment, but even though I don’t have any registered users with the site at this point (other than myself) I’m still getting 200 – 300 spam comments a day that hit my inbox, but are waiting for moderation.
What’s interesting is that they don’t show up in WP comments/spam at all. Right this moment I’m looking at roughly 50 recent emails where it’s saying I have a new comment that needs to be approved, but my email client is catching them as spam. Again, though, they don’t show up in WP at all.
Outside of this, I’ve recently installed the BruteProtect plugin, and it’s showing that in the past few weeks it’s blocked 3,350 attacks.
Yet another thing going on was that my site was recently getting brought down by what seemed to be DoS attacks. I worked with my host to figure out that xmlrpc.php was getting slammed, so they helped me get that blocked using .htaccess and/or updating mod_security rules, and that seems to have stopped the xmlrpc.php from getting slammed, but I’m still seeing Brute Force attacks and I’m still seeing lots of comment spam to my inbox.
I’m also seeing general contact emails to my inbox spam, which is interesting, because I used to have a contact page with a form on it on my site, but I removed it a while back. I’m still getting emails to my spam, though, that are formatted like this contact form would have sent it.
I just don’t understand how all of this is going on and would greatly appreciate any feedback I can get on the matter.