It seems I underestimated the spammers. I also misunderstood the comment posting system in Wordpress: I thought that updating the comment_status field to ‘registered_only’ meant that only registered users could leave comments. That’s not what happens. Values of ‘closed’ and ‘open’ appear to work as I understood, so I’m not sure what the other value was meant to do. The result was spammers could directly access wp-comments-posts.php and freely post their advertisements for online poker sites and viagra.

This evening a modified the Wordpress code to enable the ‘registered_only’ setting in the comment_status field to work as I thought it should. It doesn’t appear to break anything, but I haven’t extensively tested yet. The patches to wp-comments.php and wp-comments-posts.php are on the Pleiades patch pages.