Well, apparently I have been attacked by someone who has put comments into the system with a post id referencing a post that doesn’t exist yet. As soon as the post appears, the comment also appears. Clever.
So far I’ve done several things to stop this:
1) enabled built-in keyword auto-moderation–if the post contains any of the keywords, the post goes into a moderation queue where I have to approve it before it appears.
2) Altered my .htaccess file so that only requests that have been referred from my site can validly post. This should prevent anyone from directly calling into the wp-comments-post.php file and bypassing the filter in 1.
If your browser doesn’t pass on referrer headers, you won’t be able to post. (This one is pulled out of a discussion on spam at the WordPress support site).
3) Added some code to wp-comments-post.php that prevents you from adding comments to a post that doesn’t exist yet. (This code pulled from a site dedicated to comment spam and WordPress).
4) Hopped into mysql and ran a few “delete from wp_comments where …” commands to remove all the preloaded comments. I hope I won’t have to do this again with the other bits in place.
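
The check from step 3 and a review query for the cleanup in step 4, as an added example that is not the code the author used and not WordPress core code. It assumes the standard WordPress table and column names (`wp_posts.ID`, `wp_posts.post_status`, `wp_comments.comment_post_ID`), uses an in-memory SQLite database (PHP's `pdo_sqlite`) with constructed rows in place of the real MySQL database, and its function names are hypothetical; treating unpublished posts as invalid comment targets is also an assumption.

```php
<?php
// Added example, not WordPress core code. An in-memory SQLite database stands in
// for the WordPress MySQL database; table and column names follow the WordPress schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_status TEXT)");
$db->exec("CREATE TABLE wp_comments (comment_ID INTEGER PRIMARY KEY,
           comment_post_ID INTEGER, comment_author TEXT)");
// Constructed sample data: posts 1 and 2 exist; comment 11 points at post 57, which does not.
$db->exec("INSERT INTO wp_posts VALUES (1, 'publish'), (2, 'draft')");
$db->exec("INSERT INTO wp_comments VALUES (10, 1, 'reader'), (11, 57, 'preloaded')");

// Step 3 (hypothetical helper): accept a comment only if its target post
// exists and is published.
function comment_target_is_valid(PDO $db, $rawPostId): bool
{
    // Reject anything that is not a plain positive integer ("57abc", "", arrays).
    if (!is_string($rawPostId) || !ctype_digit($rawPostId) || (int)$rawPostId < 1) {
        return false;
    }
    $stmt = $db->prepare("SELECT 1 FROM wp_posts WHERE ID = ? AND post_status = 'publish'");
    $stmt->execute([(int)$rawPostId]);
    return $stmt->fetchColumn() !== false;
}

// Step 4 (hypothetical helper): list comments whose post row is missing,
// so they can be reviewed before anything is deleted.
function orphaned_comments(PDO $db): array
{
    $sql = "SELECT c.comment_ID, c.comment_post_ID, c.comment_author
            FROM wp_comments c LEFT JOIN wp_posts p ON p.ID = c.comment_post_ID
            WHERE p.ID IS NULL ORDER BY c.comment_ID";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Submitted post ids as they would arrive in the request (constructed values).
foreach (['1', '2', '57', '57abc', ''] as $id) {
    $verdict = comment_target_is_valid($db, $id) ? 'accept' : 'reject';
    printf("%-8s %s\n", var_export($id, true), $verdict);
}
print_r(orphaned_comments($db));
```

Only post id `'1'` is accepted; the orphan listing returns comment 11, the row attached to the nonexistent post 57.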