[wp-hackers] Best way to 'enhance' wp-comments-post.php
Eric A. Meyer
eric at meyerweb.com
Thu May 25 20:40:22 GMT 2006
At 2:13 PM -0400 5/25/06, Austin Matzko wrote:
>How about the filter 'preprocess_comment', called at the start of
>wp_new_comment? That gets it right away.
At 12:19 AM +0530 5/26/06, Rabin Vincent wrote:
>You could hook into "init". This will get you in fairly close to where
>you are with the direct edits. There you could check if the request
>is for wp-comments-post.php, and if so do your stuff.
I considered 'preprocess_comment' since that's what Akismet uses,
but wasn't sure if it was the best choice. Anyone have a compelling
explanation of which would be better, 'preprocess_comment' or 'init'?
Or if there's something even better?
At 2:38 PM -0400 5/25/06, David Chait wrote:
>Having written my own solution (CG-AntiSpam), I can give you one word of
>advice: were I a spammer, I wouldn't necessarily ever check for response
>codes, redirects, etc.
Yeah, I figure that's usually the case. But there may be those
who, with zombienets and such, invest the effort in doing their own
error detection, so they have a more efficient set of zombies. I
mean, if I were a spammer, that's what I'D do. No sense wasting
perfectly good zombies! But maybe I think a little differently than
spammers. (God, I hope so.) So I want to be as low-profile as
possible for those who are being a little smarter than average.
At 12:06 PM -0700 5/25/06, Justin Watt wrote:
That's basically what I'm doing, except my approach doesn't use
WP API key (with a string fallback for those who don't have such a
key). It's slightly less robust than the JS approach, but only for
those spammers who aren't using JS-enabled engines to drive their
spam. One of the other posters mentioned botnets that use IE, which
would use JS. It's also more accessible to those who might be
legitimately commenting with JS-disabled clients. (Yes, they exist,
and yes, I consider such things.)
I realize this means that a spammer who actually uses the comment
form on a post will get past this line of defense, but that's okay: I
have other lines of defense. This one is just meant to deflect all
the direct-submission attackers, which may well be 90% of the spam I
was getting. That's a rectal statistic, I admit, but one that feels
instinctually correct. It may be proven very wrong over the next few
weeks, of course. So far, so good, though!
Eric A. Meyer (eric at meyerweb.com)
Principal, Complex Spiral Consulting http://complexspiral.com/
"CSS: The Definitive Guide," "CSS2.0 Programmer's Reference,"
"Eric Meyer on CSS," and more http://meyerweb.com/eric/books/
More information about the wp-hackers