- renumber releases due to typo
- Check the IP address whenever email is checked.
- Checks the user name. Cache failed attempts with option to clear cache. Cleans up after itself when uninstalled.
- fixed a bug where the admin user was cached in error.
- Improved caching to help stop false rejections.
- Included signup form, that I forgot to add before. Cached data is automatically expired after 24 hours.
- fixed the cache cleanup (again). Changed the name in the titles and menus of the plugin to reflect that it does more than stop registrations.
- Added link to report spam to StopForumSpam.com database.
- Improved the access to StopForumSpam.com database. Fixed white space at end of plugin.
- Stored the StopForumSpam API Key. Fixed a possible security hole on the settings page.
- Changed Evidence field to spam URL or content
- Changes suggested by Paul at StopForumSpam. Fix bug in zero history data. There has been much interest in the plugin so there has been lots of feedback. I am sorry for all the updates, but they are all good stuff.
- Options added. 1) Reject if Accept header not found. Spammers use some kind of lazy approach that does not send the HTTP_ACCEPT header. All real browsers have this header. 2) Check on BL Blacklist. If for some reason the IP and email pass on the StopForumSpam db you can have a second check on Project Honeypot. 3) Added a white list in case there are IPs or emails that have problems. 4) Stopped checking for Usernames because of too many false positives. 5) Made checking for emails optional. Most spammers use bogus or random emails anyway. 6) Ability to recheck comments against the HoneyPot db from the comments admin form.
- Added RoboScout.com spam check to IP address. Added limits to checking to allow known spammers who are not recent spammers or do not have many spam reported. Added a complete list of passed and rejected login attempts. Fixed a bug introduced in 1.15. Fixed check on accept headers that prevented it from working.
- Fixed another bad bug. Added a warning if the host does not allow URL fopens. Reduced memory requirements. Cache less information.
This has some functions partially complete, but I had to release as is to fix the bugs that appear on new install. It's my own fault, because last time I did not test from a clean WP install.
- Made the plugin WPMU aware. Streamlined some of the code. Limited the cached spam sizes to reduce memory overhead. Changed the way that the plugin decides when to check an IP and email. This will help it when working with other plugins. It also checks in multiple places in case the is_email() function is not called. It allows admins to change the minimum requirements for spam, forgiving spammers who have few incidents or have not spammed for a period of time.
- Fixed the way the cache is sorted. Added DNSBL support for spamhaus, dsbl, sorbs, spamcop, ordb, and njabl. These are email spam databases and they get only a small portion of the comment spam, but some is better than none. Added a list of common disposable email sites so that users who use disposable sites can be blocked. The list is only popular sites and is not exhaustive. Real commentators probably won't use the disposable sites, but some bloggers may be nervous about blocking them, so it is optional. Divided the options into a stats and a parameters wp_option array. Something in spam, probably a foreign language character, has been breaking the options causing the blog to "forget" when the stored array is broken. Now, when the stats array breaks, the configuration items will still be available. Rewrote the MU options, although it is not tested on subdomain installations.
- Fixed several networked blog issues. Added a dummy email address so that pingbacks can be reported. Added Multisite Maintenance. Fixed a few minor bugs. Testing use of X-Forwarded-For HTTP IP address when the blog is behind a proxy. I cannot test this because I don't have access to a site behind a proxy. Please report if the X-forwarded-for header handling is broken.
- Restructured the Plugin completely, changing many of the ways it works. Changed the points and places where spam is checked. Spam is now being checked for much earlier. Added an Access denied screen. Optionally block Ubiquity Servers. Use AJAX to report Spam so that there is no need to open a new window.
- Changed access to SFS db to stop false positives
- Added automatic addition of admins to IP white list. Added ability to specify where plugin actions work. Added WP API key update for those who don't use Akismet. Added checks for long names and emails. Added HTTP_REFERER checks. Added a check so users can see if they have access to the StopForumSpam database. Added a long list of known Spam Hosting company IP addresses.
- Changed way arrays are searched. It was possible that IP addresses were not found in lists. Added a "Red Herring" bogus comments form that stops a huge amount of spam. Repaired delete option.
- Fixed typo. Although I tested for a week in 5 different sites, this bug didn't come up.
- Fixed issue with some web servers that did not set server variables such as SCRIPT_URI and REQUEST_URI. These were troubling to those with hosting software that ignored these variables. Fixed an issue on saving of parameters. Added a hook to 404 errors so that missed hits on wp-login can be considered malicious. Removed default doubleclick link that was causing problems.
- fixed several bugs in Options page. Reformatted Options page to make it easier to view.
- fixed options page bug with the Check SFS checkbox.
- Fixed blacklist options issue.
- White listed PayPal IPs to stop interference with PayPal callbacks (not optional).
- added ability to reject by TLD in email (users can stop .ru or .cn if they want).
- made options and history options non-autoload to preserve memory usage.
- changed the way the network checkbox works. Users must be able to manage the network to set the feature and see the network options when set. When the network box is checked the only way to admin the network is through the network admin dashboard.
- compensates for a bug in Apple Safari that does not send HTTP_REFERER from the iPhone and iPad. Disables the HTTP_REFERER check if the user agent appears to be from an iPhone or iPad.
- corrected link to options from admin panel (again). I hope I have it right at last.
- Removed functions that caused issues with BuddyPress
- Reorganized and simplified the plugin. It is more streamlined now. It checks for spam only on form submission (POST) as soon as WP is initialized. It no longer does any checks in the register and login functions so it should be more compatible with other plugins. It only does checks when a form is submitted so it should have less impact on WordPress resources.
- Removed email validation hooks.
- Added a spam event type summary to the history page.
- changed the order of spam checks. Cache check first, then most likely or simple checks, database access last.
- fixed a bug in cache checking.
- added an activation check to see if the current user is reported as a spammer. Plugin will not install unless the user passes all spam tests.
- added a button to the options screen to test if current user appears to be a spammer.
- fixed bug in log file cleanup.
- fixed autoload options issue. Change to autoload=false only happens once.
- added ability to add reason and IP to deny message.
- Removed the "loop_start" hook and replaced it with a before comment form hook. This will mean that some themes will not use the red herring forms if they do not comply with WP standards.
- Made changes to help with bbPress. Use the bbPress fix spam plugin to force this plugin to load before bbPress.
- Fixed bug in the 404 processor.
- Added separate sizes for the email and ip caches.
- Added option for sleep time. That is the time the plugin waits after denying a spammer. Default 10 seconds.
- Added option for session timing seconds - default 4.
- Added option for the Good ip cache size - default 2.
- Checking for HTTP-X-FORWARDED-FOR in all cases. Aggressively looks for forwarding headers to resolve real IP.
- Checks for any POST field with EMAIL, USER or LOGIN in field name. This accommodates plugins that use non-standard comment and login/register field names.
- Show password used in spammer login attempts - helps identify dictionary attacks.
- Does not log attacks by DUKANG2004. This idiot was filling up my logs with failed attempts. If total spam appears larger than the logs would indicate, then blame him. This must be a default value in some badly written root kit.
- Option to disable IP checking - this cripples the plugin, but allows it to continue checking for many types of spam. Not recommended.
- added option to check credentials on logins before the plugin does its check. This opens WordPress to dictionary attacks so it should be unchecked as soon as possible.
- added ability to remove individual IP or email addresses from the cache.
- added warning to options page if user name is admin.
- removed main hook to prevent recursion after executing once.
- added routine to log passes. Commented in production. Use to check why some spam still gets through.
- Added checks for accept headers LANGUAGE and ENCODING to monitor if these are good for checking spam.
- Fixed bugs in the stats summary and summary clear.
- Plugin writes to a permanent log file all actions (such as update) and denied spammers. Size can be set in options and viewed and cleared on the history page.
- Fixed Ubiquity Server check.
- Removed activation hook to check IP. Now, after activation, it checks to see if your IP address is valid the first time the options page is visited. The plugin reloads the IP address into the white list on every activation.
- Fixed bad bugs in Project Honeypot and DNSBL lookup. Removed slow DNSBL databases.
- Created a test page where users can check to see if an IP address results in spam detection. It does a few of the database lookups and checks headers. URL: http://www.blogseye.com/checkspam/
- Every upgrade or re-activation forces IP into the white list.
- fixed bug in network version deleting log file.
- Changed the default actions log file behavior to not write a log. Must be selected.
- Moved location of actions log to plugin home directory.
- Removed checks on wp-cron.php. There is too much chance of a user being blacklisted by accident.
- Added the ability to use Akismet to check non-login or non-registration events. Akismet is better for comments because it marks comments as spam. This option allows you to prevent comments by blocking them with Stop Spammers, but you lose the spam queue (unless the akismet plugin fires first).
- Added option to disable checks on plugin forms. This looks for the plugins folder in the URL. This could potentially prevent blocking of eCommerce functions that use a custom php file to process orders. It may help those with ecommerce solutions, but most plugins work by hooking init or other events rather than posting directly to a custom PHP file.
- changed names of written files to have a "dot" in the beginning to hide them and prevent apache from serving them. Also added a chmod to the log file to add an extra layer of security since the file contains login ID information.
- Fixed issue with options not saving.
- Added an option to disable the plugin when executing forms in the wp_content/plugins folder to prevent interfering with some ecommerce systems.
- Changed formatting of Red Herring forms to try to prevent threading failure on bbpress and some themes. This may reduce the effectiveness of red herring forms, but will prevent threading from breaking.
- fixed issue with non-admins logging in. No longer throws an error.
- Removed "buy the book" nag messages in widget and settings.
- Fixed a bug in determining the ip address of pages forwarded by a proxy server.
- Modified IP code to work correctly with Opera Turbo.
- added a check for dictionary attacks against admin.
- broke out common code to a separate include file.
- fixed a bug on the settings page.
- rewrote the MU detection and loading code.
- added a white list request form to the deny message. White list request will be shown on the statistics page and the "Right Now" section of the main admin page.
- added a check for email "email@example.com" that allows users to check if the spam detection is working without black listing themselves. Try to leave a message using "firstname.lastname@example.org" and you'll be able to see what spammers see.
- rewrote list lookups so that the wild card '*' can be used. Now 238.3.* ip address can be white listed or black listed. The wild card only works for the end of emails and ips. '*.dn' will not work.
- fixed TLD block list. Many reports that it did not work. I rewrote and tested on different installations.
- I changed the name of the plugin to Stop Spammers. We'll see if it breaks WordPress. I think this is the most dangerous thing I've tried.
- changed how logging works. Now, by default there is no log at all.
- Added poison links.
- Added email notifications on white list requests.
- Removed bbpress loading code because of conflicts. Not all checks will work on bbpress. Plugin might not stop bbpress registrations.
- Moved good cache tests to just before db lookups to prevent false negatives.
- Changed session so as not to restart the timer on subsequent checks. This prevents some redirections from appearing to be spam robots.
- Added new header checks for finding real IP. It now works with more proxy servers.
- Reorganized the way the plugin loads (again) to reduce overhead. Lazy loading works better now.
- Fixed bugs in email domain checks.
- Relaxed checks for http_referer so as not to fire when switching from https to http and back.
- Changed the way Red Herring forms are checked, has its own action now.
- Added IP lookup for CloudFlare.com.
- Ran code through a formatting program. Pretty code will not last long, though, since my IDE is notepad.
- Added a function that can be called by other plugins who wish to check for spam.
- " if (function_exists('stop_spam_check')) stop_spam_check(); "
- Added liker.profile checks - if request has liker.profile and poison is checked then the spammer goes to bad ip cache.
- Might work with Gravity Forms. I made changes, but Gravity Forms is a pay plugin so I don't have access to test it.
- Fixed typo on spammer history page. Deleted links. Will add back in next version.
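
Several entries above deal with resolving the visitor's real IP from X-Forwarded-For when the blog sits behind a proxy. The sketch below is an added example, not the plugin's own code: it shows one way to read that header only when the connection comes from a known proxy, so that IP white list and cache lookups are keyed on an address the proxy reported rather than on arbitrary request data. The function name and the `$trustedProxies` list are hypothetical, and the sample requests are constructed.

```php
<?php
// Added example: hypothetical helper, not code from the Stop Spammers plugin.
// $trustedProxies is an assumed, operator-maintained list of proxy addresses.
function example_resolve_client_ip(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';

    // Forwarding headers are request data. Honor them only when the
    // connection itself comes from a proxy the operator trusts.
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer;
    }

    // X-Forwarded-For is a comma-separated chain, and each proxy appends the
    // address it received the request from. Walk from the right and return
    // the first hop that is not a trusted proxy.
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($chain) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // empty or malformed entry: stop reading the header
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed sample requests (documentation address ranges).
$proxies = ['198.51.100.7'];
$viaProxy = [
    'REMOTE_ADDR'          => '198.51.100.7',
    'HTTP_X_FORWARDED_FOR' => '192.0.2.99, 203.0.113.25',
];
$direct = [
    'REMOTE_ADDR'          => '203.0.113.50',
    'HTTP_X_FORWARDED_FOR' => '192.0.2.99',
];

echo example_resolve_client_ip($viaProxy, $proxies), "\n";
echo example_resolve_client_ip($direct, $proxies), "\n";
```

The first request resolves to the address appended by the trusted proxy; the second ignores the header because the peer is not in the proxy list. Addresses are compared as strings here, so IPv6 entries in the proxy list need to be written in the same textual form the server reports.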