rcain
Forum Replies Created
-
update: i’ve just opened up the source code & taken a scan over it: nothing suspicious that i can see – no ‘base64’ stuff, no suspicious ‘http”s, no visible trojans or exploits. also, authors details are provided if you want to contact him directly.
i haven’t scanned the images, etc. someone probably should, (i’m hoping wordpress.org have their own inline-upload anti-viral scanners in place on the these plugin repositories – but that is just a hope and would be nice to have confirmed somehow.)
@socialgrower: could it be that your security warning msg from GA was just coincidence, or perhaps related to some other activity happening at that time?
interested to know.
afraid not.
i notice many of the plugins not updated since 2012 no longer seem to work on wp 3.4/5.
btw: take a look at this nearby posting on this same plugin and support forum – http://wordpress.org/support/topic/plugin-web-ninja-google-analytics-warning-do-not-install-security-issue
– most alarming!– i’m going to open up the code and take a look. will post any findings back here.
i wonder if someone from wordpress.org could investigate this further
and if true, please REMOVE this plugin from the repository.eratta: oops: ‘custom categories’ refered to above should reaad ‘custom taxonomies’ and ‘terms’, obviously.
Forum: Plugins
In reply to: [Stop Spammers Classic] Not working to block email domainsGreat news Keith! Nicely done. 🙂
One more idea/requirement I’ve just discoverd:
– Ability to remove individual email’s and/or ip’s from the backlist (cache).
Discoverd that I had one or two false positives in the backlist – either legitimate users who just happend to be using email domains I had previously banned, else had been unfortunate enough to have their (dynamic) IP’s added to a public blacklist through no fault of their own.
At present, I the only way I can see of allowing them access to my site again is either a) to clear the entire blacklist cache and/or b) add them to the whitelist (which gets checked first, iirc).
Unless there is another way of achieving this I am unaware of?
Thanks again for all your brilliant work! 🙂
(btw: on one of our clients sites your plugin has so far pevented 45,247 spammers since 2012/07/04 and counting!.Fantastic! And now no registrations clogging up the db either. I would be very happy to make a donation towards this plugin – I’m sure many other people would also (eg: the buddydev site is currently rammed full of spammer registrations, so are most other BP sites i have come across in the wild – they could sure use your plugin!)).
Rob
Forum: Plugins
In reply to: [Stop Spammers Classic] Not working to block email domainsGreat stuff. Thanks.
re: ‘timeout’ I actually meant to say ‘sleep’ parameter – as you say.
re: ‘extra fields’ maybe some confusion – i didnt mean to suggest adding extra fields, but instead, a filter ie: in function kpg_load_all_check, around line 50-70 rearrange slightly to read eg: ::... $is_a_supported_field = ( array_key_exists('akismet_comment_nonce',$_POST) || array_key_exists('bbp_anonymous_email',$_POST) || ... etc ); $is_a_supported_field = apply_filters('ssr_supported_field', $is_a_supported_field, $_POST); if (!$is_a_supported_field) { $_SESSION['kpg_stop_spammers_time']=time(); return; } ...– plus, similar constructs to set $em and $author variables just after that.
this way, if someone writes a plugin to say ‘upload_my_cv’ – then they can easily add full SSP support for any extra forms they use via a simple invocation of:
add_filter('ssr_supported_field', 'my_new_ssr_support_func', 1, 2); function my_new_ssr_support_func($val, $post_arr) { return( $val || array_key_exists('my_new_post_field_name',$post_arr)); }( + similar filter calls for: ‘ssr_set_em’ and ‘ssr_set_author’ )
– and same can be achieved by theme writers by adding same to functions.php
(in fact dont even need to pass $_POST to the filters since its available globally anyway).
i think this will ultimatelyy reduce downstream maintenance effort associated with your plugin.
make sense?
re: checks on email addresses (vis a vis just ip’s) – please do KEEP the email checks as well – though separate options field would be helpful – since we do get some persistent ones – and in fact people rotate/change ip addresses via proxies just as much as they rotate email addresses – in my experience anyway.
re: overhead of big ip list – yep, agreed. but, so long as its only scanned upon forms POST, rare, relatively speaking, so a small price to pay i think (the remote akismet, SFS, honypot checks, etc are much slower by comparison).
Look forward to the next release.
All very best
Rob
Forum: Plugins
In reply to: [Stop Spammers Classic] Not working to block email domainsHi Keith,
No worries, pleased to help.
It would be good to have it confirmed whether this also fixes the original problem of jmorrow and photoman856 above also.
Re: ‘Dictionary Attacks’ – I know what you mean – our BP sites (also WP, in fact our servers generally) are constantly under attack, have been for a long time. (the numbers can get so high in fact that they consttitute as DOS attack in their own right, slowing performance).
Its one of the reasons why I think your plugin is so CRITICAL.
I installed Fail2Ban on our servers a few years ago to help combat SSH, FTP and Mail attacks and it does reduce those numbers greatly – though not altogether. Have been wondering about trying to extend it’s config to cover WP/BP attacks also – since it is pretty efficient.
I am assuming your attackers are mostly using bots/rootkit probes and rotating proxy IP’s?
I am loath to suggest adding an (anti-robot) capture field on ALL WP/BP forms, but it might have to be the next move.
I have also found it necessary to ban all hotmail, gmail, aol, yahoo email addresses also – (as well as the usual .ru and .cn, etc) since these are INVARIABLY (in fact almost exclusively) used by hackers. Luckily our main sites are for professional users only who should have their own legitimate company email domains (we make manual exceptions for VIP’s who insist on using gmail). I realise such a blanket ban is not suitable for other sites aimed at general public.
We have also made it MANDATORY for registrants to fill in additional extended profile fields INCLUDING a special one asking for ‘Reasons why you would like to become a member of this site?’ – which we inspect manually and ONLY if its well written do the users get activated by admin. (Though this doesnt catch all since many SEO blackhat operators employ real humans in Philipines, elsewhere, to mass-register – but it does help at the cost of extra admin)
(Long term i think we need better legal enforcement internationally and stiff sentences for script kiddies/hackers – but i dont see that happenning anytime soon – unless you are the US DOD or Mossad).
Couple of suggestions to improve your plugin perhaps:
1) the ‘time-out’ parameter(s) – could you make these settable via admin options?
2) additional filters or actions to make it possible to add EXTRA fields for validation – this would help future plugin developers utilise your plugin functionality without having to mod the code its self.
3) space for bigger list of blacklisted IP addresses supported – separated from email addresses – including support for wildcards/ip adress ranges – (i have noticed that bot proxies often eventually start to rotate their lists, (within limited time frames), so gives you a fighting chance so long as you keep on top of it).Anyway, sorry about slight thread-drift – maybe we need a new thread for this subject.
All best
Rob
Forum: Plugins
In reply to: [Stop Spammers Classic] Not working to block email domainsFIXED!
after tracing through plugin + buddypress signup the problem was actually quite simple – plugin was NOT recognising the form fields used by my (buddypress) signup form.
Solution is:
file: stop-spammer-registrations.php
function: kpg_load_all_checks
lines: around 56 – add following lines:!array_key_exists('signup_email',$_POST) && !array_key_exists('signup_username',$_POST) &&lines: around 99 – add following lines:
} else if (array_key_exists('signup_username',$_POST)) { $author=$_POST['signup_username'];complete new file (based on V4.1 beta – though would be similar fix for earlier versions), is here:
– see my mod marks ‘mod jrc 171112’
(not sure is the ‘signup_username’ is really required but i added it for completeness/consistency anyway.
All now seems to work fine – proper checks are performed on all new buddypress registrations AND anyone failing those checks does NOT get registerd. HURRAH!
Thanks for a great plugin Keith. Happy days! 🙂
Rob
Forum: Plugins
In reply to: [Stop Spammers Classic] Not working to block email domains‘stream of conciousness programming’ – dont think i wamnt to go there – bad enough when i find myself ‘dreaming code’. simple clases/objects for me any day. small is beautiful.
just tested your latest 4.1 beta downloaded from http://www.blogseye.com/beta-test-plugins/ – repeated test above – same problem i’m afraid: (although rejects it now due to cached badip as expected (so that bit works ok)). but user still gets registerd.
will trace through & see what i can determine.
Rob
Forum: Plugins
In reply to: [Stop Spammers Classic] Not working to block email domainsThanks for the explanation Keith – your code makes much more sense to me now. I’ll give the new 4.1 beta a go and let you know how it fares.
All best
Rob
Forum: Plugins
In reply to: [Stop Spammers Classic] Not working to block email domainsThanks for swift reply Keith,
Will try the 4.1 beta – though suspect it will still not PREVENT Buddpress/Wordpress registrations themselves.
Have been digging through latest Buddypresss code and think I have found the hooks you might need to get that working:
Take a look at:
file: plugins/buddypress/bp-members/bp-members-screens.php
function: bp_core_screen_signup2/3 ways to acheieve it I think – either:
1) completely remove and replace add_action( ‘bp_screens’, ‘bp_core_screen_signup’ ) with your own registration func based on it
OR
2) add_action( ‘bp_signup_validate’, ‘your_func’ ) – this is called in the above func JUST before user regisratation details are saved, etc
OR
3) bp_core_validate_user_signup() func (in bp-members-functions.php) called from above func near top – also has hooks/filters which could be used – eg: apply_filters( ‘bp_core_validate_user_signup’, $result ).Of these options 2 would be my fave. Just need to return your own (spammer) error message in $bp->signup->errors and bp/wp will do rest.
This way, the method of spammer (registration) rejection becomes much more logivcal and inline with existing wp/bp user validation process.
Seems from your code you might need to put some sort of simple switch in/around end of your kpg_sfs_checkfunc – to make sure it plays nice (returns) with wp/bp hook rather than simply dying/redirecting – ubt thats about it i think.
Was literally about to attempt a patch to your plugin myself, but I think you might be able to achieve it much faster/more reliably.
Any chance of sometthing like this? Is it sensible suggestion do you think?
All best
Rob
Forum: Plugins
In reply to: [Stop Spammers Classic] Not working to block email domainsHi Keith
Am using V 4.0 (latest) of your plugin with WP 3.4.2 (latest) + BP 1.6.1 (latest).
Tested (via a proxifier), having added hotmail.com to ‘blacklisted email domains’ in plugin setup.
Can confirm:
– ‘403 Forbidden’ returned from BP registration page upon submit – OK
– NO confirmation email received at my hotmail.com acct – OK
– thus (forbidden) user cannot login – OKBUT – user id is STILL registerd on wp backend (admin, users).
Q: is there any way to get your plugin to PREVENT the actual registration itself – we get shed loads of spammers registering and they clutter up the system making it hard to manage. As currently written, your otherwise excellent plugin doesnt really help.
Any thoughts?
Best regards
Rob
Hi shel.80,
No, sorry didn’t experience such a problem myself. Am assuming you are trying first with just the original (and most recent) Pro version, WITHOUT my mods to start. (nb: my mod will ONLY work with the Pro version, not the std version).
If you are getting ‘white screen of death’, this suggests you may have a missing/badly named/corrupt file, or function.
All I can suggest is that you debug line by line until you isolate the exact line responsible (something invoked in or after the add_widget method). hint: I often end up commenting out/stubbing great lumps of code until things ‘dont break’ anymore, then reintroduce line-by-line until it breaks again, rinse and repeat. Else turn up the error reporting on php.
Sorry I can’t be more help. If you still have probs, suggest contacting the author Aurimas, who is very helpful indeed.
Best of luck.
Forum: Fixing WordPress
In reply to: wp 3.4.1 media library sub-page image view page not foundJust been in contact with the guys at wpml.org – turns out it was indeed a bug in wpml plugin. they very kindly provided me a (pre-release) of the fixed version V2.6.0 – within 8 hours – great response 🙂
Just tested it – bug fixed. Thanks guys.
Hope this helps someone out there.
(Sorry to have posted this in wrong place – should really be under wpml plugin support – not core wp – see also http://wpml.org/forums/topic/media-library-sub-page-image-view-says-page-not-found/ ).
closed.Hi,
I had precisely the same problem.
Evidentially a bug (one of many I have found) in this latest release. Developers – please take note.
My solution – as you – admin, gallery, options, effects – change FROM ‘shutter’ TO ‘lightbox’. Seems to work ok.