That was a surprise. The blog has comments disabled, there’s no way in the UI to create a comment; I presume the attackers were leveraging an API bug. So in addition to confirming the Commenting was disabled, I also restricted the (disabled) commenting to registered users (which would be me). That seems to have fixed the problem.
 Mirrors/archives  my pinboard shares. Current setup is a bit different than 2012:
- Pinboard shares to ADN via Pourover and RSS.
- Pinboard shares to Twitter and WordPress via IFTTT
 I used the Delete All Comments plugin to clear out the 15K — it transiently tied down my database but it worked.
If you have unchecked Allow people to post comments on the article on the Options > Discussion panel, then you have only disabled comments on future posts.
This is the kind of thing that gives open source a bad name -- and it doesn't say much for the tech journalists who praise the WordPress organization either. Looks like a great way to do a DOS attack on a WordPress site -- fill up database storage with spomments.
Happily my workaround works perfectly.