WordPress.org

Forums

Please eliminate wp-comments.php! (41 posts)

  1. President McCheese
    Member
    Posted 3 years ago

    These are amateurish, low-tech bots that attack WP comments. Nothing special. No "stuxnet for WordPress". This is kid's play for any real hacker.

    If you can eliminate spam-bots' direct access to your processing script, if even by simple means, then you put the ball back in your playing field. You will then gain control of the form submission. Until then, forget it, you're at the mercy of the bot.

  2. President McCheese
    Member
    Posted 3 years ago

    Another thing is you should verify the sender's real email address or there's no point in even asking for it.

    Really commenting should be a 2 part process even for subscribers.
    1) Verify real email address
    2) Comment

    Never allow comments through without validating the sender's real email address.

    I know, it makes it more difficult to comment, but isn't that the point? When it's easy to comment it's easy to spam. Spammers don't like validating email addresses. It's one more thing that gives you more control over the submission, which is the key.

  3. There's a plugin for that: http://wordpress.org/extend/plugins/comment-email-verify/

    And what the 'point' is of combating spam is actually pretty variable depending on what the 'point' of YOUR site is. Flexibility is key here. What's on-point for you may be off-point for someone else. Also, keeping WordPress small (so it's easy to install, configure etc) is important.

  4. President McCheese
    Member
    Posted 3 years ago

    3rd-party developers shouldn't be expected to patch WP's holes. I've heard it before ... "There's a plugin for that" ...

    Thanks for kind of making my "point".

    What's on-point for you may be off-point for someone else.

    Options options options. Options anyone? WP comes preloaded with options and lots of 'em. Why not add some that are helpful in reducing spam?

  5. @Jason Lau: Short term wins like your code here do not belong in core.

    The spammers can move faster than our release cycle - that is why it is better to rely on plugins to provide comprehensive protection against comment spam.

    These days the best starting solution is Akismet; on top of that you might want to try other things like your code, but none of it deserves baking into core at this point.

  6. President McCheese
    Member
    Posted 3 years ago

    Short term wins like your code here do not belong in core.

    Ah ha! So it IS a win!
    Anyone want to buy a great WP addon? I heard from someone you might need one to help fight your spam. ;) j/k

  7. Ah ha! So it IS a win!

    For a limited time only, for a limited number of sites.

    In the long term it's pretty pointless

  8. President McCheese
    Member
    Posted 3 years ago

    For a limited time only

    Then I'll wait before I reduce the price.

    it's pretty pointless

    Pointless is doing nothing, Peter. Sorry. No offense intended.

    I understand your dilemma. Balancing ease of use with lack of security is difficult at best. It's not your fault HTML is the way it is. It just is the way it is and you have to deal with it best that you can.

    Thanks for your replies everyone. It's been helpful.

  9. I don't think anyone said it was a bad idea. Incomplete, ineffective in the long run, fraught with the same problems we already have, sure. But bad? No.

    And THIS point is one I vehemently disagree with:

    3rd-party developers shouldn't be expected to patch WP's holes. I've heard it before ... "There's a plugin for that" ...

    The words 'patch' and 'holes' are incorrect usage, IMO. You're not 'patching' WordPress with this 'fix', nor is it a hole. It's a design choice. And third-party developers should totally take advantage of these choices and come up with fantastic methods to customize, tweak, change, alter and otherwise have a hoot with them :) That's kind of why WordPress works. It allows you to do what you want your way, me to do it my way, and Westi-san to do it his way.

    By pointless, I think Westi means that it's just going to put us back exactly where we are today, in a couple years. So why spend all this time and effort with that, when you could do something else. Pointless is a bit harsh, but a valid cautionary usage.

  10. President McCheese
    Member
    Posted 3 years ago

    I'm really teasing you with some of what I've said.

    However, for the "for what it's worth" department, anyone reading this should follow my steps in my prior post and you won't have any more automated comment spam. Construct your forms with my jQuery plugin, jquery.abetterform.js (converts HTML objects to form elements). Look it up in jQuery plugins. It's free.

    The same rules can apply to contact forms, etc ...

    Thanks everyone, and Good luck!

  11. rawalex
    Member
    Posted 3 years ago

    Ineffective in the long run is throwing up your hands and saying there is nothing to be done.

    What Jason proposes is a system that, while it can be defeated, would actually require some effort on the part of spammers to get around. It would eliminate the drive-by spam, and it would make WordPress a less tasty target for every script kiddy on the planet.

    I have a couple of blogs that rank very well in Google and get tens of thousands of hits. The punishment for ranking well is sometimes thousands of spam comments a week. Akismet fails on about 30% of them. When you have stats like:

    "Akismet has protected your site from 27,921 spam comments already", and 30% got through, you know you have a lot of work to do just to keep spam off your site.

    Spam is a big issue, likely more important than moving columns around in the admin. Why doesn't it get the attention it deserves?

This topic has been closed to new replies.