Spam Prevention

[WordPress Hack: AuthImage?]

Using escape codes to prevent spam


Notice: You can accomplish quite the same with [a certain wordpress plugin], which does quite a bit more. Yeah, it doesn't use the escaping paranoia, but I think that this extra trick won't be needed for a long time. Besides, it is easier to install :-)

The idea comes from an article (I can't remember its name or link) which stated that spambots crawling for e-mail addresses didn't catch e-mails that were escape-encoded (using HTML entities and the ASCII value of each character).

Here, what we are doing is inserting a hidden field in the comment post form with its name and value escape-encoded. Spambots don't parse the HTML code of blogs to extract form information. That is also the reason why just renaming wp-comments-post.php also prevents spam in WordPress. Escape-encoding the data in the page here works only as an extra, paranoid precaution.

Please customize the hidden field name and value. The Python code below should do the trick.
def html_escape2(data):
    # Encode every character as a decimal HTML entity (&#NNN;),
    # e.g. "hi" -> "&#104;&#105;". Works on both Python 2 and 3.
    return ''.join('&#%d;' % ord(c) for c in data)
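As an added example (not code from the original page), here is a Python 3 version that goes a little beyond the helper above: it renders the hidden input line exactly as the wp-comments.php patch inserts it, checks with html.unescape that an entity-aware parser (a browser) recovers the original name and value while a plain substring search does not, and mirrors the server-side check from wp-comments-post.php with a constant-time comparison. The field name and value are the page's own placeholders, assumed here as constants.

```python
import hmac
import html

# Placeholders taken from the page; change both before deploying and keep
# wp-comments.php and wp-comments-post.php in sync.
FIELD_NAME = "hidden_field"
FIELD_VALUE = "hidden_pass"


def html_escape2(data):
    """Encode every character as a decimal numeric entity (&#NNN;)."""
    return "".join("&#%d;" % ord(c) for c in data)


def hidden_input(name=FIELD_NAME, value=FIELD_VALUE):
    """Render the <input> line that the wp-comments.php hunk adds."""
    return ('<input type="hidden" name="%s" value="%s" />'
            % (html_escape2(name), html_escape2(value)))


def browser_sees(tag):
    """What an entity-aware client submits: the decoded (name, value).
    Assumes the attribute order produced by hidden_input()."""
    name = tag.split('name="', 1)[1].split('"', 1)[0]
    value = tag.split('value="', 1)[1].split('"', 1)[0]
    return html.unescape(name), html.unescape(value)


def plain_search_sees(tag, needle=FIELD_NAME):
    """A substring search with no entity decoding: the page's model of how
    a bot reads the form. Returns True only if the raw name is visible."""
    return needle in tag


def accept_comment(post):
    """Server-side gate from the wp-comments-post.php hunk, with a
    constant-time comparison instead of PHP's loose != operator."""
    submitted = post.get(FIELD_NAME)
    if submitted is None:
        return False
    return hmac.compare_digest(submitted.encode("utf-8"),
                               FIELD_VALUE.encode("utf-8"))


if __name__ == "__main__":
    tag = hidden_input()
    print(tag)
    print(browser_sees(tag))          # ('hidden_field', 'hidden_pass')
    print(plain_search_sees(tag))     # False
    print(accept_comment(dict([browser_sees(tag)])))  # True
```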

The following patch will add the magic to your WordPress installation.
diff -ruaN -x *.gif -x *.jpg -x import* /home/tmacam/local/wordpress-current/wp-comments-post.php blog/wp-comments-post.php
--- /home/tmacam/local/wordpress-current/wp-comments-post.php Wed Oct 6 12:55:34 2004
+++ blog/wp-comments-post.php Thu Nov 25 04:16:13 2004
@@ -60,6 +60,10 @@
}





+if ( !isset($_POST['hidden_field']) ||
+ $_POST['hidden_field'] != 'hidden_pass' ){
+ die( "<h2>Or you are using a really buggy browser or you probably are a spammer. I won't take any chance, so I won't accept your comment.</h2>" );
+}
// If we've made it this far, let's post.



if(check_comment($author, $email, $url, $comment, $user_ip)) {

@@ -101,4 +105,4 @@
header("Location: $location");

}


diff -ruaN -x *.gif -x *.jpg -x import* /home/tmacam/local/wordpress-current/wp-comments.php blog/wp-comments.php
--- /home/tmacam/local/wordpress-current/wp-comments.php Tue May 18 21:39:44 2004
+++ blog/wp-comments.php Thu Nov 25 03:53:05 2004
@@ -51,6 +51,8 @@
<p><?php _e("Line and paragraph breaks automatic, e-mail address never displayed, <acronym title=\"Hypertext Markup Language\">HTML</acronym> allowed:"); ?> <code><?php echo allowed_tags(); ?></code></p>

<form action="<?php echo get_settings('siteurl'); ?>/wp-comments-post.php" method="post" id="commentform">
+ <?php // < input type="hidden" name="hidden_field" value="hidden_pass" /> ?>
+ <input type="hidden" name="&#104;&#105;&#100;&#100;&#101;&#110;&#95;&#102;&#105;&#101;&#108;&#100;" value="&#104;&#105;&#100;&#100;&#101;&#110;&#95;&#112;&#97;&#115;&#115;" />
<p>
<input type="text" name="author" id="author" class="textarea" value="<?php echo $comment_author; ?>" size="28" tabindex="1" />
<label for="author"><?php _e("Name"); ?></label> <?php if ($req) _e('(required)'); ?>
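Review bot: the entity-encoded name and value on the added `<input>` line are hard-coded, so anyone customizing hidden_field/hidden_pass (as the text asks) must re-run the Python helper and edit both files by hand; generate the two attributes at render time in PHP from the same constant that wp-comments-post.php checks. The commented-out plaintext line above it only duplicates what the encoded line says and can be removed.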

Blog Farms

http://climbtothestars.org/archives/2004/09/02/scripts-for-a-wordpress-weblog-farm/
http://weblog.burningbird.net/archives/2004/05/19/survival-guide-to-lamp-unlimited-weblogs/