[wp-hackers] More anti-spam ideas
Mark Jaquith
mark.wordpress at txfx.net
Sun Sep 26 07:31:30 UTC 2004
>
>
>Now what if there was a unique hash for each comment to check that the
>posting was coming from wp-comments.php?
>
>In the attached patch, I create a hash by using the list of activated
>plugins joined with the file hash of index.php. This should be
>sufficiently unique across blogs that a spammer couldn't get the hash
>from outside.
>
A hash based on the file hash of index.php and the list of activated
plugins wouldn't change all that often. If you never edit your
index.php or change your plugins, this could stay constant and once a
spammer learns it, he can just hard code it into his spam script for
your site.

This solution came up in #wordpress and it might be better to just
combine the admin password's hash with the day of the year (really, you
could choose any number of things for your "static" part of the hash,
just so long as you have something in there that changes once in a while.)

While a spammer could still read the hidden value, it'd at least
increase the amount of work on their part.

The only problem you'd have is if someone loads your page at 11:59pm and
submits a comment at 12:01am, but you could build some leniency into the
system (say, let yesterday's hash work for 30 minutes past when the new
one is created).
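
The daily-rotating token with a 30-minute grace window described in the message above, as an added example that is not part of the original post and is not WordPress code. It swaps the plain "static part plus day" hash for an HMAC keyed with a per-site secret over the UTC date; the function names, the secret and the timestamps are constructed for illustration.

```php
<?php
// Added example, not WordPress code. All function names are hypothetical.

const GRACE_SECONDS = 1800; // 30 minutes of leniency after the day rolls over

// Token for the UTC day containing $timestamp: HMAC over year + day-of-year.
// $secret stands in for the "static" part (the message suggests the admin
// password hash; any per-site secret value works the same way).
function comment_token($secret, $timestamp)
{
    return hash_hmac('sha256', gmdate('Y-z', $timestamp), $secret);
}

// True if $submitted matches today's token, or yesterday's token while the
// current time is still within GRACE_SECONDS of UTC midnight.
function comment_token_valid($secret, $submitted, $now)
{
    if (!is_string($submitted)) {
        return false;
    }
    // hash_equals compares in constant time (known value first).
    if (hash_equals(comment_token($secret, $now), $submitted)) {
        return true;
    }
    // Unix time has no leap seconds, so this is seconds into the UTC day.
    $since_midnight = $now % 86400;
    if ($since_midnight < GRACE_SECONDS) {
        return hash_equals(comment_token($secret, $now - 86400), $submitted);
    }
    return false;
}

// Constructed demonstration values.
$secret = 'constructed-site-secret';
$loaded = gmmktime(23, 59, 0, 9, 26, 2004);  // page rendered at 23:59 UTC
$token  = comment_token($secret, $loaded);   // would go in a hidden form field

$cases = array(
    'same day, 30 seconds later' => $loaded + 30,
    'submitted 00:01 next day'   => $loaded + 120,
    'submitted 00:31 next day'   => $loaded + 32 * 60,
);
foreach ($cases as $label => $when) {
    $ok = comment_token_valid($secret, $token, $when);
    printf("%-28s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

As the message notes, the token is still readable from the rendered form, so this only bounds how long a scraped value stays usable.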