New comments showing up in non-live site being built with Local

What issue or error are you experiencing?

I’m building a website using Local. It is not live, is being “hosted” on my computer (i.e., it is only locally available as far as I can tell), has not been loaded into WP for a site with a URL, and its URL ends in .local. Despite this, I am seeing comments show up in the admin page. How worried should I be?

The only other info I can add is that I have the domain and a host, and I didn’t realize that the site was live with my host (with a basic WP theme up and running) until last week, at which point I set it into Maintenance Mode in cPanel.

Is it possible that somehow someone commented on the live site and Local pulled the comments? I’ll add that the dates on those suspicious comments are themselves odd and suspicious: I only grabbed this domain in late 2025. I recognize that you can’t comment on Local since it’s a product from a different company. I’m a novice at this and just trying to figure out what is actually possible and what isn’t.

Additionally I noticed a number of security options that hadn’t been enabled in cPanel (link below). Is it possible that somehow those host-level security options impacted my site even though it’s being developed on a local computer?

Some other info: while I’m building my website, I’m either on my local, password-protected network or on a public network. When I’m on a public network I use a VPN but I have not had macOS’s firewall turned on.


What steps can be taken to replicate the issue? Feel free to include screenshots, videos, etc

Here is a CleanShot Cloud link to the comments: CleanShot 2026-05-19 at 16.57.57 · CleanShot Cloud

Here is a link to a screenshot of the security options that had not been enabled: CleanShot 2026-05-19 at 17.39.48 · CleanShot Cloud


System Details

  • Local Version: 10.1.0_6912

  • Operating System (OS) and OS version: macOS 15.7.3


Local Logs

Attach your Local Logs here (Help Doc - Retrieving Local’s Log):

local-lightning-verbose.log (816.8 KB)


Security Reminder
Local does a pretty good job of scrubbing private info from the logs and the errors it produces, however there’s always the possibility that something private can come through. Because these are public forums, always review the screenshots you are sharing to make sure there isn’t private info like passwords being displayed.

Your Local site should be safe, but it’s a great idea to protect your device anytime you’re in public using a VPN and Firewall.

From your screenshot, it does look like your settings were for your .com domain - and yes, if the spam/comments happened there and then you imported the site into Local, those would transfer. You should be able to delete them manually but if you have a ton of them you can use a plugin like this: Bulk Delete – WordPress plugin | WordPress.org

For best practices, you should completely remove any comment sections that aren’t needed. For additional protections, you could look into plugins such as these:

Hi @Nick-B , I appreciate your guidance! My apologies, I believe I’ve created some confusion: the first screenshot of the comments comes directly from my WP installation in Local. The second screenshot, though, is from my host (and I have not taken any steps to link or sync the WP installation on my host’s server with the installation on my computer).

Additionally, I’ve checked the comments in the WP installation with my host and there is only one (and it’s legit): CleanShot 2026-05-27 at 12.22.42 · CleanShot Cloud

With that in mind I’m still curious how comments could show up on a site being built within WP on Local. Regardless of the answer, I appreciate your suggestion to install an anti-spam plugin - I will do that!

Nassim

Hi @MeeM33!

If you were using Local/Live Links on an unsecured network, it’s possible the site could be exposed to the type of spam comments you were seeing.

Anytime you’re in public, especially using public Wi-Fi, a good practice would be to ensure the firewall is active and you’re utilizing a VPN.