WordPress.org

Ready to get started?Download WordPress

Forums

Please eliminate wp-comments.php! (41 posts)

  1. President McCheese
    Member
    Posted 3 years ago #

    Hello,

    If you want to eliminate the comment spam problem you need to eliminate the static wp-comments.php file and generate a unique version of this file for each visitor.

    It's a simple solution to fix the comment system's Achilles Tendon.

    I wish you would please implement this idea at once to stop the comment spam!

  2. How would that help? A spammer would be a visitor as well, wouldn't it?

    The same logic you'd use to detect if a visitor was a spam-bot OR a real human would suffer the same problems it does if the file exists or not.

  3. President McCheese
    Member
    Posted 3 years ago #

    A spammer which is a human perhaps. Most comment spam is not generated by humans. Bots target wp-comments.php specifically by name. Any security done client-side is pointless when this file exists. Randomize the file name with each visitor and you eliminate the ability to find a specific file on the server.

    I've done it. It eliminated 100% of my spam.

  4. President McCheese
    Member
    Posted 3 years ago #

    However, the comment form's action attribute always reveals the location of the processing script. This is where I use JavaScript and cookies to remedy that issue. I store the location of the comment processing script in a cookie and use javascript to retrieve it. The location is then never revealed in the source code.

  5. President McCheese
    Member
    Posted 3 years ago #

    Actually, the processing script doesn't even have to exist until the form is submitted. This allows you to perform security client-side. Otherwise a bot can simply bypass the form by directly accessing the processing script on the server. You know, all they have to do is @file("http://remotesite.hmm/wp-comments.php") to see if it exists. How secure is that? A spammer can hit it all day long until they find the right crack because the file name is always so easily accessible. That accessibility is a definite weakness.

  6. President McCheese
    Member
    Posted 3 years ago #

    When the button is pressed a new file is generated named [security-hash].[visitor-ip].[timestamp].php. That file is then used for the form action. Once the form is successfully submitted, the file can be deleted.

    In the processing script, use the filename to compare to the visitor's ip.
    If the ip does not match the filename, you know it's a bad visit.
    Use the timestamp to expire the script.

    The file then cannot be re-used by bots. = Happy Admin

  7. President McCheese
    Member
    Posted 3 years ago #

    Achilles’ heel too. >:\

  8. President McCheese
    Member
    Posted 3 years ago #

    I really intended to say wp-comments-post.php , but I think you know what I meant.

  9. Bots target wp-comments.php specifically by name.

    Well sure but it'd be easier to just protect that with .htaccess. If someone comes to that file directly (that is NOT referred by your domain), then they're a spammer.

    I use this to stop splogs. Maybe it could be used for that instead:

    RewriteCond %{REQUEST_METHOD} POST
     RewriteCond %{REQUEST_URI} .wp-signup.php*
     RewriteCond %{HTTP_REFERER} !.*domain.com.* [OR]
     RewriteCond %{HTTP_USER_AGENT} ^$
     RewriteRule (.*) http://lmgtfy.com/?q=spammer [R=301,L]

    From http://www.darcynorman.net/2009/05/20/stopping-spamblog-registration-in-wordpress-multiuser/

    By the way. Next time consider EDITING your post rather than posting over and over so soon :)

  10. President McCheese
    Member
    Posted 3 years ago #

    Whatever. I'm not going to hash it out about efficient ways to do it. Referrer can be spoofed. Point is, something can be done to fix it.

  11. ClaytonJames
    Member
    Posted 3 years ago #

    Whatever. I'm not going to hash it out about efficient ways to do it. Referrer can be spoofed. Point is, something can be done to fix it.

    Sounds like you're the guy... write it up and submit it.

  12. What Clayton said :) If you can code it, please do and submit it to trac.wordpress.org! We'd appreciate it!

  13. President McCheese
    Member
    Posted 3 years ago #

    Sounds like you're the guy... write it up and submit it.

    I only know a little bit about everything. ;)

    Seriously though, I'll work on it.

  14. Yeah, but you said:

    I've done it. It eliminated 100% of my spam.

    So .. y'know, share details on trac. Can't promise they'll pick it up, but y'know, giving back is a wonderful thing. It will save the jungles and bunnies. ;)

  15. President McCheese
    Member
    Posted 3 years ago #

    Honestly, once I changed my website I no longer need any CAPTCHA or similar devices. I'm not saying a human can't manually submit a spam message, but automation is very difficult if not impossible. Banning an individual is much easier than banning a bot which works from multiple IP addresses.

  16. rawalex
    Member
    Posted 3 years ago #

  17. President McCheese
    Member
    Posted 3 years ago #

    @rawalex - I read your ideas, but they really don't get to the core of the problem, which is the ability to automate comment submissions.
    Although your ideas would reduce the amount of spam your website visitors have to look at, they don't stop the spam from being submitted in first place. If you stop the automation you stop 99% of the spam.

    When I have more time I'll clean my comments system up and package it for redistribution. Or if anyone else wants to try my comments system as it is now, let me know. It really just needs a code clean-up. I just don't have time to do it right now because I am on a huge project.

  18. President McCheese
    Member
    Posted 3 years ago #

    You can find my comments system here - https://github.com/jasonlau/Spamless-WordPress-Comments.

  19. rawalex
    Member
    Posted 3 years ago #

    Actually, it would get rid of much of the automated spam, because they almost all use the URL field in their posts to get a link. By automatically declining comments submitted with anything in that field (because you aren't accepting it from your comment form) it would get rid of pretty much all of the direct comment spam (the ones that call wp-comments.php )

    You can also add filters for a href and ahref and other variations as well, which gets rid of a bunch of the stupid ones, and decline anything with more than 2 links in it. That is a big part of your spam issue right there.

    I agree with you, being able to rename the the wp-comments.php to something else would be a good way to stop it as well.

  20. It wouldn't work on BuddyPress sites, or many social networking WP installs, mind you. By default, if I'm logged in on a BP site, my URL becomes a link to my user profile. And clearly turning off the check for logged in users would serve no purpose, since any open-registration site would still have that problem. Also, looking at three sites (a very non-scientific check, I know), regular, legit posters often use their URLs.

    It's a good idea, but it doesn't take into account the myriad ways people use WP, and would cause more harm.

  21. rawalex
    Member
    Posted 3 years ago #

    "It's a good idea, but it doesn't take into account the myriad ways people use WP, and would cause more harm."

    It would only cause harm if it was "disable and never use", which is not the idea. I suggest it as a check mark box in the configuration, defaulting to "disable urls" for the simplest of wordpress installs. Obviously, a site that uses buddy press or other methods could click the box and turn it back on.

    For those who want to deal with those issues, they can still do it. But it would stop a great number of wordpress installs (especially less active ones) from becoming spamhaus sites, which many of them are.

  22. copperblade
    Member
    Posted 3 years ago #

    Sorry, I disagree--if that becomes standard wordpress then it will be automated. It takes nothing for a bot to know how to go to one page before it goes to the next page, just like a human. It got rid of your spam because you're the only one doing it.

  23. President McCheese
    Member
    Posted 3 years ago #

    It takes nothing for a bot to know how to go to one page before it goes to the next page, just like a human.

    Untrue. The bot has to find the file first. If it's name is static, you know, something like wp-comments-post.php, then it's open season for spambots. If it's name is randomized, or if the file doesn't even exist, it can't be found, except only by chance. Having a static file to process comments is a MISTAKE, a weakness, and a security hole. It doesn't take a genius to figure that out. I don't expect WP to begin a "spam fighting" campaign. However, it IS a hole in WP which allows spammers to successfully attack WP websites. How is it not the responsibility of the WP developers to address that lack of security in their own system? Other security holes are fixed. Why not this one? How is this one any different? Spam IS a security problem. WP enables spammers by design; a design that could be fixed. Why would WP even make a comments system if it's not going to be made secure? If it's not going to be secure, then don't include it in the core. If it's included in the core, then plan on people expecting you to fix the security holes without arguing about it. 3rd-party developers shouldn't be expected to patch WP's holes. I've heard it before ... "There's a plugin for that" ... a plugin that patches a core security hole? Why does there even need to be one of those in the first place? Because WP is not secured by the developers. Because the developers rely on 3rd parties to fix a security hole? Apparently so. If I made a program which somehow enabled people (or bots) to successfully attack it, I would damn sure fix it.

    Almost 50% of my search engine traffic is from people who are desperate to stop spam comments on their WP websites. Funny they should have to come to my website to fix a core WP problem.

  24. What copperblade means, I believe, is that any METHOD that can be coded, can be coded around, and that is not incorrect.

    If you end up making the wp-comments.php file named wp-comments-<random>.php, there has to be SOME way of translating that back to the app. If there's a way, it has the potential to be exploited. Randominzing the name only works for as long as it's an uncommon method of prevention. Once it's common, the people who write bots will account for it as best they can.

    Alas :/

  25. President McCheese
    Member
    Posted 3 years ago #

    But ... but .... but ... you're wrong. C'mon guys, think outside of the box.

    Go ahead and ignore the problem. That's a great solution.

    Almost 50% of my search engine traffic is from people who are desperate to stop spam comments on their WP websites. Funny they should have to come to my website to fix a core WP problem.

    Thanks for the Google Adsense traffic though!!!

  26. President McCheese
    Member
    Posted 3 years ago #

    I suppose the beauty of open-source is, if you don't like how someone else did it, you can always do it correctly yourself.

    Good luck with your spam guys. ;)

  27. We're not wrong, and I never said it was a bad idea (or shouldn't be done). Hell, I was asking you, repeatedly, to please consider SHARING your code on trac.WordPress.com so the devs can look at seriously including it. You keep saying you have this great method, and then when we ask you to share it, you don't. That's not helping anyone.

    But if you think I'm wrong that anything you can code can be coded around, then you're a bit ignorant about how code works. The best way would be to use md5/hash to pull it off. That's, thus far, unHACKED by normal means. But anything can be broken. Thats the beauty of code :)

  28. copperblade
    Member
    Posted 3 years ago #

    If it's name is randomized, or if the file doesn't even exist, it can't be found, except only by chance.

    Then how does a user find it? Take greasemonkey for example--you can just write a script to pretend to be a user anyway. And if you send it to a user's email, well we know that bots already know how to activate themselves.

    Having a static file to process comments is a MISTAKE, a weakness, and a security hole.

    Well maybe. Maybe not. It might be easier to lock down wp-comments.php if it's more isolated. I think that any user that needs to access the comment function needs to have a form that allows them to submit to. (We're still talking about asymmetric web-design, right?) So I think it might be much the same thing.

    I agree with you 100% that spam is a security problem. (But I think you should submit it as a feature request anyway.)

    Ipstenu explained it better than I did. If it's simply a matter of redirection, it's arguably easier to get around than something like a captcha. Captchas (used to) work because it required an extra computer (your brain) which was very fast and good at pattern matching, therefore leveraging something a human can do easily that a machine cannot do easily. As far as I can tell on various software, even captchas aren't working well anymore and if they've actually figured out how to do the pattern matching as well as humans, then I don't know what to do next.

    If it's working for you, then great. But I think this is a case that obscurity is part of your formula--I think part of the reason it's working for you is that no one wants to write the code just to crack your sites (yet?). I think the moment you include it into WP, it'll do little to prevent the spam for everyone, and just make you like the rest of us ;)

    Oh by the way, thanks for sharing it. I'm not trying to knock down your idea. For the people who find your code, I'm sure it will help. My opinion aside, if you file a bug to WP on it, then maybe your idea or something similar can get included: http://core.trac.wordpress.org/

  29. @Jason Lau: Renaming the file is a classic example of the whole "Club vs. Lojack" discussion:

    http://diveintomark.org/archives/2002/10/29/club_vs_lojack_solutions

    Basically, while this might work for you as one of the few people to do it as soon as everyone renames the file the spammers will adapt.

    You have to provide a link to the file from the comment form in order for people to be able to submit comments so it is trivial for a comment spammer's script to find the file before auto-spamming.

    Most scripts already work this way so as to work around a number of other club solutions such as hidden form fields etc.

  30. President McCheese
    Member
    Posted 3 years ago #

    @Peter
    Renaming the file is only part of the process.
    The file isn't simply provided a new name.
    The file is generated from template with a completely randomized name.
    Part of the name is served to a cookie which is unique to the user.
    The other part of the name is only known to WP.
    The form should be coded with no form tag. Wrap the form upon submission and retrieve the file name key from the cookie to insert in the action attribute.

    Basically, here's how it works -

    • User submits form
    • A few submission checks and balances.
    • Processing script is generated on server in a secret location which is created when WP is installed
    • Set the file name key in a cookie
    • Then, $(obj).wrap('<form action="'+$.cookie('action')+'" method="POST"></form>');
    • Submit()
    • Be sure current processing script belongs to current user.
    • Accept or deny submission.
    • Delete processing script.

    That's it. The processing file can no longer be reused or targeted by spammers. That in itself eliminates most spam.

    Where is the file name to be found? No file name even exists in the source, on the server, or even in the cookie for that matter. Only WP knows the real name of the processing script.

    The form requires cookies and js. That's 2 strikes against bots right there. There is no processing script to attack directly ... there's strike 3.
    So, I'm not talking about simply renaming a file. Create a unique processing script for each individual which should only exist for the duration of the submission. This idea works. Use it if you like, ignore if you want, but it does work.

    Really one of the biggest problems with wp-comments-post.php is that it can be reaccessed and reused as many times as a bot needs. Not just one bot, but the entire world's bots can come and visit your copy of wp-comments-post.php because they all know where to find it by name.

    I can create a random file on my server and I challenge anyone to find it. I will even set part of the file name in a cookie on your machine.

Topic Closed

This topic has been closed to new replies.

About this Topic