[wp-hackers] Best way to 'enhance' wp-comments-post.php
David Chait
davebytes at comcast.net
Thu May 25 19:12:51 GMT 2006
At least one of the comment anti-spam things does exactly that. It was one
of the non-captcha plugins, if I recall correctly.
Unfortunately, trackbacks don't require a form input. ;)
-d
----- Original Message -----
From: "Justin Watt" <justincwatt at gmail.com>
To: <wp-hackers at lists.automattic.com>
Sent: Thursday, May 25, 2006 3:06 PM
Subject: Re: [wp-hackers] Best way to 'enhance' wp-comments-post.php
I'm curious if anyone has tried this simple javascript strategy:
I'm pretty sure that spammers either blindly hit wp-comments-post.php,
or they grep through an obvious post page and look for the comment
form's action attribute and blindly post to what they find (which
somewhat defeats renaming it). What I don't think they do is fire up a
whole browser instance to parse the page and submit the form. Which
means things like javascript won't get executed. So I've added the
following innocuous line to my comment form:
<script type='text/javascript'>
document.write("<input type='hidden' name='random_number' value='" +
Math.round((Math.random() * 99) + 1) + "' >");
</script>
And then I add this to WP comments post:
if (!isset($_POST['random_number']))
die( __('Error: please type a comment.') );
Results: virtually zero automated spam. Just the occasional vandal.
It'd actually be kind of cool to periodically cycle out the name of
the field.
It sounds like with "preprocess_comment" I could wrap this up into a
simple plugin instead of modifying wp-comments-post.php
Justin
http://justinsomnia.org/
On 5/25/06, Eric A. Meyer <eric at meyerweb.com> wrote:
> Hey all,
>
> In order to block a flood of direct-submission comment spam--
> stuff that was just hitting the WP post scripts directly, never
> touching a post or its comment form-- I hacked some measures into
> wp-comments-post.php. These took the basic form of checking to see
> if the submission came from a post comment form, and if not, skipping
> over everything in wp-comments-post.php from the comment "//if the
> user is logged in" to the $location redirect. By preserving the
> redirect, I figured I could fool any scripts that hit the scripts
> directly but also checked to see if they got the post page back as a
> result.
> I'd like to abstract this process out to a plugin, so I don't have
> to re-hack wp-comments-post.php every time I upgrade. So what I'm
> wondering is, what hook should I hang on to start this check? I
> thought about copying one of the hooks Akismet uses, but I didn't
> really know why it was using the ones it was using, so that seemed
> like a fragile solution at best. I also don't really have to start
> where I did with my hack-- it just seemed like a good place.
> Also, should the plugin itself do the redirect part instead of
> trying to somehow jump to the appropriate point in
> wp-comments-post.php? That seems simplest, but I wasn't sure if
> there was a better way.
> Thanks for any help with this.
>
> --
> Eric A. Meyer (eric at meyerweb.com)
> Principal, Complex Spiral Consulting http://complexspiral.com/
> "CSS: The Definitive Guide," "CSS2.0 Programmer's Reference,"
> "Eric Meyer on CSS," and more http://meyerweb.com/eric/books/
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
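The check from Justin's message, moved onto the preprocess_comment hook he mentions, as an added example that is not code from the thread or from any plugin named in it. It also rotates the field name, as he suggests, and lets trackbacks and pingbacks through, since (as David notes) they never submit the form. The jsf_* names, the 'f_' prefix and the one-hour window are assumptions made for illustration.

```php
<?php
/*
Plugin Name: JS Hidden Field Check (added example, hypothetical names)
*/

define('JSF_WINDOW', 3600); // assumption: the field name rotates hourly

// Field name for a given time window. Derived from the site's secret via
// wp_hash(), so it changes every window without storing any state.
function jsf_field_name($window) {
    return 'f_' . substr(wp_hash('jsf|' . $window), 0, 12);
}

function jsf_current_window() {
    return (int) floor(time() / JSF_WINDOW);
}

// Write the hidden input from JavaScript only, as in the message above.
// The name is 'f_' plus hex digits, so it needs no escaping.
function jsf_print_field() {
    $name = jsf_field_name(jsf_current_window());
    echo "<script type='text/javascript'>"
       . "document.write(\"<input type='hidden' name='{$name}' value='1' />\");"
       . "</script>\n";
}
add_action('comment_form', 'jsf_print_field');

// Runs on every new comment before it is saved.
function jsf_check_field($commentdata) {
    // Trackbacks and pingbacks do not come from the comment form, so the
    // field can never be present; this check cannot cover them.
    $type = isset($commentdata['comment_type']) ? $commentdata['comment_type'] : '';
    if ($type === 'trackback' || $type === 'pingback') {
        return $commentdata;
    }
    // Accept the previous window too, so a page loaded just before a
    // rotation can still submit.
    $now = jsf_current_window();
    foreach (array($now, $now - 1) as $window) {
        if (isset($_POST[jsf_field_name($window)])) {
            return $commentdata;
        }
    }
    wp_die(__('Error: please type a comment.'));
}
add_filter('preprocess_comment', 'jsf_check_field');
```

A visitor with JavaScript disabled, or a cached page older than two windows, fails this check the same way a direct POST does.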