Support » Plugin: Stop Spammers » Spammers May Have Won

  • I just heard that the good people at believe that the method I use of determining the IP address of a user is not reliable. I have no other way of determining IP addresses. A great many wordpress installations will set _SERVER[“REMOTE_ADDR”] to localhost, their internal network ip, a VPN ip, a Proxy Server IP, their hosting company’s IP or CloudFlare’s ip. I cannot trust the IP addresses, and cannot test them against Stop Forum Spam’s database.

    I white-list the ip addresses of several common services that do call backs to websites. If these ip addresses can be spoofed there is no way to reliably stop spam by IP address.

    I am removing all IP checks from the plugin and I will rely on the other methods that I’ve come up with for detecting robots. None were as effective as SFS, but they are better than nothing.

    I will optionally be doing a compare to the IP address reported by the web server and the ip address reported my the meta data from the request and if they are different I will assume that the user cannot be trusted and will deny them access. This makes the plugin useless to people on proxies when this option is enabled. Many people legitimately rely on proxies to use the internet.

    This information makes IP whitelists, blacklists, and services like StopForumSpam nearly useless as a way of blocking spam without blocking many legitimate users.

    It could be that the spammers have won.


Viewing 3 replies - 1 through 3 (of 3 total)
  • If it were me, I would just go back to the way it was. And just provide protection for traditional setups. Non-traditional setups and using services like CloudFlare are already using methods to try and stop spam.

    You can’t make it work for everyone all of the time. Just make it work for traditional setups and place a warning that if you use a non-traditional setup the plugin may not work for you.

    A new version is coming out very soon,

    I had to tighten up the security, and remove the check for Proxy servers. Those using proxies will be blocked.

    In order to prevent lockouts I added a “Second Chance CAPTCHA”, but I hate captchas and I think that this is going to annoy everyone. Why not just use a captcha to begin with?


    I use cloudflare and their “free” security is minimal. Out of the thousands of spambots a day on my sites it appears that they stop only a few.


Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Spammers May Have Won’ is closed to new replies.