php - Submitting comments to Wordpress without SSL /OAuth


I want to let android/iPhone users submit comments anonymously (without registering to the blog) to a self-hosted Wordpress blog.

Is there a simple, secure way to do that?

What I researched so far:

JSON API Plugin -> Works well, but no security.

WP-API -> Doesn't have Submit Comment method implemented + no security.




Well you can just use nonces to avoid XSS attacks, other then that you will obviously need your users to be logged in. Here is a simple way to do that.

EDIT: If you just need to be able to post the comment with their name and email address. Use it as below, but make sure you enable "Respond controller" from the api settings[email protected]&content=comment

2nd Edit: For securing the comments you can use nonces, if its not a built in functionality into the plugin you will have to add this functionality inside the submit_comment controller. But it would be a bit hard to generate the nonces from your android application though. A simple solution would be to wrap the existing code in a condition. Something like a base64 encoded time token.

  $token = base64_decode($_GET['token']);
  $current_time = time();
  $difference = round(abs($current_time - $token) / 60,2);//difference in minutes
  if($difference < 5){
      // Run the code thats already in submit_comment controller.

Then in the REST api you can send something like[email protected]&content=comment&token=BASE64_ENCODED_TIMESTAMP

People are also looking for solutions to the problem: php - Cakephp Validate uniqueness of name field w.r.t other field of same table


Didn't find the answer?

Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.

Ask a Question

Write quick answer

Do you know the answer to this question? Write a quick response to it. With your help, we will make our community stronger.

Similar questions

Find the answer in similar questions on our website.