[wp-hackers] Best way to 'enhance' wp-comments-post.php

Justin Watt justincwatt at gmail.com
Thu May 25 19:06:49 GMT 2006


I'm curious if anyone has tried this simple JavaScript strategy:

I'm pretty sure that spammers either blindly hit wp-comments-post.php,
or they grep through an obvious post page and look for the comment
form's action attribute and blindly post to what they find (which
somewhat defeats renaming it). What I don't think they do is fire up a
whole browser instance to parse the page and submit the form. Which
means things like javascript won't get executed. So I've added the
following innocuous line to my comment form:

<script type='text/javascript'>
document.write("<input type='hidden' name='random_number' value='" +
Math.round((Math.random() * 99) + 1) + "' >");
</script>

And then I add this to WP comments post:

if (!isset($_POST['random_number']))
	die( __('Error: please type a comment.') );

Results: virtually zero automated spam. Just the occasional vandal.
It'd actually be kind of cool to periodically cycle out the name of
the field.

It sounds like with "preprocess_comment" I could wrap this up into a
simple plugin instead of modifying wp-comments-post.php.

Justin
http://justinsomnia.org/
On 5/25/06, Eric A. Meyer <eric at meyerweb.com> wrote:
> Hey all,
>
>     In order to block a flood of direct-submission comment spam--
> stuff that was just hitting the WP post scripts directly, never
> touching a post or its comment form-- I hacked some measures into
> wp-comments-post.php.  These took the basic form of checking to see
> if the submission came from a post comment form, and if not, skipping
> over everything in wp-comments-post.php from the comment "//if the
> user is logged in" to the $location redirect.  By preserving the
> redirect, I figured I could fool any scripts that hit the scripts
> directly but also checked to see if they got the post page back as a
> result.
>     I'd like to abstract this process out to a plugin, so I don't have
> to re-hack wp-comments-post.php every time I upgrade.  So what I'm
> wondering is, what hook should I hang on to start this check?  I
> thought about copying one of the hooks Akismet uses, but I didn't
> really know why it was using the ones it was using, so that seemed
> like a fragile solution at best.  I also don't really have to start
> where I did with my hack-- it just seemed like a good place.
>     Also, should the plugin itself do the redirect part instead of
> trying to somehow jump to the appropriate point in
> wp-comments-post.php?  That seems simplest, but I wasn't sure if
> there was a better way.
>     Thanks for any help with this.
>
> --
> Eric A. Meyer  (eric at meyerweb.com)
> Principal, Complex Spiral Consulting   http://complexspiral.com/
> "CSS: The Definitive Guide," "CSS2.0 Programmer's Reference,"
> "Eric Meyer on CSS," and more    http://meyerweb.com/eric/books/
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
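The approach described above, written as the plugin both messages ask for, is added here as an example and is not Justin's or Eric's code. It assumes the WordPress `comment_form` action (fired inside the comment form) and the `preprocess_comment` filter, plus the core helpers `wp_hash()`, `esc_js()`, `wp_die()` and `is_user_logged_in()`; the `jsct_` function names and the daily-rotating field name are assumptions of this example, not something from the thread. The rotation implements the "cycle out the name of the field" idea from the reply: the name is derived from the site's salts and the UTC date, and yesterday's name is still accepted so a form loaded just before midnight is not rejected.

```php
<?php
/*
Plugin Name: JS Comment Token (added example)
Description: Writes a hidden field into the comment form with JavaScript and
rejects comment submissions that lack it, via preprocess_comment, so
wp-comments-post.php itself is never edited.
*/

// Hypothetical helper: field name for today (offset 0) or a previous day.
// wp_hash() keys the value with the site's salts, so the name cannot be
// derived from the date alone; the 'f_' prefix keeps it a valid form name.
function jsct_field_name( $day_offset = 0 ) {
    $day = gmdate( 'Y-m-d', time() - $day_offset * 86400 );
    return 'f_' . substr( wp_hash( 'jsct-field-' . $day ), 0, 12 );
}

// Prints the same document.write() line as the original snippet, with the
// rotating field name substituted in. Only presence is checked server-side;
// the random value is kept so the markup matches a normal form field.
function jsct_print_field() {
    $js = "document.write(\"<input type='hidden' name='%s' value='\""
        . " + Math.round((Math.random() * 99) + 1) + \"' >\");";
    printf(
        "<script type='text/javascript'>\n%s\n</script>\n",
        sprintf( $js, esc_js( jsct_field_name() ) )
    );
}
add_action( 'comment_form', 'jsct_print_field' );

// Runs before the comment is inserted. Logged-in users are exempt, matching
// the "if the user is logged in" branch in wp-comments-post.php that the
// original hack skipped over; everyone else must carry today's or
// yesterday's field with a small integer value.
function jsct_check_comment( $commentdata ) {
    if ( is_user_logged_in() ) {
        return $commentdata;
    }
    $accepted = array( jsct_field_name( 0 ), jsct_field_name( 1 ) );
    foreach ( $accepted as $name ) {
        if ( isset( $_POST[ $name ] )
             && preg_match( '/^\d{1,3}$/', (string) $_POST[ $name ] ) ) {
            return $commentdata;
        }
    }
    // Same user-facing message as the original check, with a 403 status so
    // the rejection is distinguishable from a successful post in server logs.
    wp_die( __( 'Error: please type a comment.' ), '', array( 'response' => 403 ) );
}
add_filter( 'preprocess_comment', 'jsct_check_comment' );
```

Two caveats worth keeping in mind when deploying something like this. First, it rejects every visitor who has JavaScript disabled, so a `<noscript>` hint or an alternative contact path is needed for them. Second, it only raises the bar for submitters that post without executing the page's scripts; the field name is visible in the rendered page source, so a tool that evaluates the script (or parses the `document.write` string) passes the check, which is why the thread reports "virtually zero automated spam" rather than none.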
