WordPress.org


Impostercide
[resolved] better to have or not to have? (2 posts)

  1. Clifford Paulick
    Member
    Posted 2 years ago #

    I tested the plugin and it works (non-WPMU).

    I'm not sure if it's WP default behavior or because I have 'cookies for comments' plugin activated, but without Impostercide, the spoof comment went to Spam. With it activated, it went to your notification message.

    Unless my blog is set to auto-approve comments, I'm leaning toward thinking it's better to deactivate this plugin because a really clever hacker-type person could figure out which username and/or email address(es) are registered on the blog. Then all they have to figure out is a password.
    I'm not saying it's easy to do that, but I think I'd rather let it go to Spam and not "give them a hint".
    Even if I did auto-approve comments, apparently it would still end up in Spam and not be approved.

    I think the plugin should have a backend configuration that allows the notification message to be edited. Then I would have a bit friendlier message (never using the word Imposter) and wouldn't be as specific about the reason for the error. And, ideally, it would all happen on the same page, but that's not necessary.

    Just sharing some thoughts. Appreciate your work on the plugin.

    http://wordpress.org/extend/plugins/impostercide/

  2. Ipstenu (Mika Epstein)
    Half-Elf Support Rogue & Mod
    Plugin Author

    Posted 2 years ago #

    I'll have to see if I can reproduce the spamming. It's not cookies for comments, though. I tested (really fast) on my single site and my 'fake me' post went through.

    > Unless my blog is set to auto-approve comments, I'm leaning toward thinking it's better to deactivate this plugin because a really clever hacker-type person could figure out which username and/or email address(es) are registered on the blog. Then all they have to figure out is a password.

    Non-issue (security-wise). I can find out your login ID pretty easily on WordPress (if you leave a comment on your own site, it's really easy). And most people's emails are similarly simple to deduce. That's PUBLIC info, though, that you should expect people to know. If 'all' they have to do is figure out your password, get a better password. I don't believe that security through obscurity helps, though, and I'd rather just stop people from pretending to be ME on my own site. I mean, someone posts as "Ipstenu" with my email, then they show up as 'me.' Can't control other sites, but I can protect myself :)

    > I think the plugin should have a backend configuration that allows the notification message to be edited. Then I would have a bit friendlier message (never using the word Imposter) and wouldn't be as specific about the reason for the error.

    That's an interesting suggestion :) I'll look into it. It's not hard to do, mind you :)

Topic Closed

This topic has been closed to new replies.
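
The configurable, less specific notification suggested in this thread could look like the following. This is an added example, not Impostercide's code and not part of either post; the function name `example_block_impersonation()` and the option name `example_impersonation_message` are hypothetical, and it assumes a standard single-site WordPress install.

```php
<?php
/*
 * Added example (not Impostercide's code). Hypothetical names:
 * example_block_impersonation(), option 'example_impersonation_message'.
 */
function example_block_impersonation( $commentdata ) {
    // Logged-in users may comment under their own identity.
    if ( is_user_logged_in() ) {
        return $commentdata;
    }

    $author = isset( $commentdata['comment_author'] ) ? trim( $commentdata['comment_author'] ) : '';
    $email  = isset( $commentdata['comment_author_email'] ) ? trim( $commentdata['comment_author_email'] ) : '';

    // Does a logged-out visitor claim a registered username or email address?
    $claims_registered_identity =
        ( '' !== $author && username_exists( $author ) ) ||
        ( '' !== $email && email_exists( $email ) );

    if ( ! $claims_registered_identity ) {
        return $commentdata;
    }

    // The site owner can override the text through the (hypothetical) option.
    // The default does not say which field matched or why.
    $message = get_option(
        'example_impersonation_message',
        'Your comment could not be submitted. Please log in, or change your details and try again.'
    );

    // Caveat: a rejection is still distinguishable from a normal submission,
    // so the wording softens the hint but does not remove it.
    wp_die(
        esc_html( $message ),
        'Comment not submitted',
        array( 'response' => 403, 'back_link' => true )
    );
}
add_filter( 'preprocess_comment', 'example_block_impersonation' );
```

Because the block itself remains observable, the defence against the password-guessing concern raised in the first post is still strong passwords and login rate limiting, as the plugin author's reply argues.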
