[wp-hackers] Best way to 'enhance' wp-comments-post.php

David Chait davebytes at comcast.net
Thu May 25 18:38:58 GMT 2006

Having written my own solution (CG-AntiSpam), I can give you one word of 
advice: were I a spammer, I wouldn't necessarily ever check for response 
codes, redirects, etc.  That'd just slow the system down, as I'd have to log 
the ones that didn't make it through, what code did it get, etc.  Script 
kiddies just want to spam away and forget it.

Heck, in the early days, I even did the 'tar pit' thing which waited before 
sending a response... of course, that meant I opened myself up to a DOS type 
thing by being slammed with spam and keeping all the connections open for 
extended seconds... bad. ;)

So, my current AntiSpam just detects, sends a quick response code (it's a 
modular system, so depending on which detection mechanism 'hits first', it 
sets the response code to post), and then immediately exits.

If you'd like a look at my latest code and how I approached the problem, 
drop me an email offline and I can zip it up for you.


----- Original Message ----- 
From: "Eric A. Meyer" <eric at meyerweb.com>
To: <wp-hackers at lists.automattic.com>
Sent: Thursday, May 25, 2006 2:06 PM
Subject: [wp-hackers] Best way to 'enhance' wp-comments-post.php

| Hey all,
|    In order to block a flood of direct-submission comment spam-- 
| stuff that was just hitting the WP post scripts directly, never
| touching a post or its comment form-- I hacked some measures into
| wp-comments-post.php.  These took the basic form of checking to see
| if the submission came from a post comment form, and if not, skipping
| over everything in wp-comments-post.php from the comment "//if the
| user is logged in" to the $location redirect.  By preserving the
| redirect, I figured I could fool any scripts that hit the scripts
| directly but also checked to see if they got the post page back as a
| result.
|    I'd like to abstract this process out to a plugin, so I don't have
| to re-hack wp-comments-post.php every time I upgrade.  So what I'm
| wondering is, what hook should I hang on to start this check?  I
| thought about copying one of the hooks Akismet uses, but I didn't
| really know why it was using the ones it was using, so that seemed
| like a fragile solution at best.  I also don't really have to start
| where I did with my hack-- it just seemed like a good place.
|    Also, should the plugin itself do the redirect part instead of
| trying to somehow jump to the appropriate point in
| wp-comments-post.php?  That seems simplest, but I wasn't sure if
| there was a better way.
|    Thanks for any help with this.
| -- 
| Eric A. Meyer  (eric at meyerweb.com)
| Principal, Complex Spiral Consulting   http://complexspiral.com/
| "CSS: The Definitive Guide," "CSS2.0 Programmer's Reference,"
| "Eric Meyer on CSS," and more    http://meyerweb.com/eric/books/
| _______________________________________________
| wp-hackers mailing list
| wp-hackers at lists.automattic.com
| http://lists.automattic.com/mailman/listinfo/wp-hackers 
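
An illustration added to this archive page, not code from either poster or from CG-AntiSpam: a WordPress plugin that performs the form-origin check asked about above and follows the detect, set a response code, exit flow described in the reply. The cgate_* names, the hidden-field token scheme and the 403 status are assumptions made for the example; the pre_comment_on_post hook exists in current WordPress and may not be present in the 2006 release under discussion.

```php
<?php
/*
Plugin Name: Form-Origin Comment Gate (illustrative example)
*/

// Hypothetical helper: a per-post, per-day token derived from the site's secret salts.
function cgate_token( $post_id, $day_offset = 0 ) {
    $day = gmdate( 'Y-m-d', time() - $day_offset * DAY_IN_SECONDS );
    return wp_hash( 'cgate|' . (int) $post_id . '|' . $day );
}

// Emit the token inside the real comment form, so only clients that loaded it hold one.
add_action( 'comment_form', function ( $post_id ) {
    printf( '<input type="hidden" name="cgate" value="%s" />',
        esc_attr( cgate_token( $post_id ) ) );
} );

// Detectors run in order; each returns an HTTP status on a hit, or 0 to pass.
function cgate_detectors() {
    return array(
        'missing_token' => function ( $post_id ) {
            return ( isset( $_POST['cgate'] ) && is_string( $_POST['cgate'] ) ) ? 0 : 403;
        },
        'bad_token' => function ( $post_id ) {
            $sent = $_POST['cgate'];
            // Accept today's or yesterday's token so a form opened near midnight still works.
            $ok = hash_equals( cgate_token( $post_id ), $sent )
               || hash_equals( cgate_token( $post_id, 1 ), $sent );
            return $ok ? 0 : 403;
        },
    );
}

// Fires before WordPress processes the submitted comment.
add_action( 'pre_comment_on_post', function ( $post_id ) {
    foreach ( cgate_detectors() as $name => $detect ) {
        $status = $detect( $post_id );
        if ( $status ) {
            // First hit decides the status; answer at once and stop.
            // No sleep() tar pit and no database write, so a flood holds no connections open.
            status_header( $status );
            exit;
        }
    }
} );
```

Further detectors can be appended to the array in cgate_detectors(); their order decides which one "hits first" and therefore which status is sent.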
