CSRF – yet another security issue you should worry about NOW.

Read this.

CSRF (Wikipedia), cross-site request forgery, is one of the newer and least publicized attacks on the web. It boils down to a user browsing to a web site, loading a web page, and unknowingly submitting requests to other web servers, usually with malicious intent. The example linked above demonstrates a hack in which a specially crafted URL is formed that actually changes the settings on a common DSL router used in Mexico (relying on the fact that the username/password combination is well known and unlikely to have been changed).

If you allow user input in a web application or on a web site (even as part of a forum or blog comments), you could be unwittingly providing attackers a convenient place to inject these well-formed but malicious URLs and have them hosted on your site. Unfortunately, they’re very difficult to track down.

I moderate all comments on my web site so that no unwanted links become published.

But if you write software, consider every avenue of data entry. Trust NO INPUT. Don’t trust the data that is in your database; assume that it has been compromised. Assume nothing.
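To make that concrete, here is an added example (my own, not code from this post) of the server-side check that defeats a forged request: a per-session token that only the real site's form carries, verified on every state-changing POST. The session store, the /settings endpoint and the https://example.com origin are assumed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed for illustration: our own origin, used for an optional Origin header check.
SITE_ORIGIN = "https://example.com"


@dataclass
class Session:
    """Server-side session; the CSRF token is minted here, never supplied by the client."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def render_settings_form(session: Session) -> str:
    """The real site embeds the session token as a hidden field. A page on another
    site cannot read it, so a forged cross-site request arrives without it even
    though the browser still attaches the victim's session cookie."""
    return (
        '<form method="post" action="/settings">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input type="password" name="admin_password"></form>'
    )


def handle_settings_post(session: Session, form: dict, headers: dict) -> tuple:
    """Apply the state change only if the request proves it came from our own form."""
    submitted = form.get("csrf_token", "")
    # Constant-time compare; a missing token is rejected before anything changes.
    if not submitted or not hmac.compare_digest(
        submitted.encode(), session.csrf_token.encode()
    ):
        return 403, "rejected: missing or invalid CSRF token"
    # Defense in depth: browsers add Origin to cross-site POSTs; if present it must be ours.
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, f"rejected: cross-site Origin {origin}"
    return 200, f"settings updated for {session.user}"


if __name__ == "__main__":
    s = Session(user="admin")
    # Constructed sample: a legitimate submission of the form the site served.
    print(handle_settings_post(s, {"csrf_token": s.csrf_token, "admin_password": "new"},
                               {"Origin": SITE_ORIGIN}))
    # Constructed sample: a forged cross-site request carrying the cookie but no token.
    print(handle_settings_post(s, {"admin_password": "attacker-chosen"},
                               {"Origin": "https://evil.example"}))
```

The token must be tied to the session and compared in constant time; the Origin check alone is not sufficient because older clients and some proxies omit the header.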

How to Add Page Level Comments to a WordPress Theme

If you need to add comments to your Pages when using WordPress, just add the following code to your Page Template:

<?php $postcount++; ?>

<?php // Load the comments template only when comments are enabled for this Page
if ( 'open' == $post->comment_status ) { comments_template(); } ?>

<?php endwhile; ?>

I’m using the “LightBreaker” theme so I only need to edit one file.

Then on the page editor, I can control the comments by changing the advanced setting for “Allow Comments”.