Is it possible to bypass SecureImage?

Any chimp can, with a bit research, craft their OWN page that performs HTTP POSTS to your pages — including your comment pages. Is it WP specific? heck no. Anyone with a form on the web might have similar issues.

Akismet is a good start, but you might want to add Bad Behavior as well: https://www.homelandstupidity.us/software/bad-behavior/ It looks a little deeper and sooner at the http requests coming at your blog.

And I’m not sure what SecureImage is, but from the context I’m guessing it is a Capcha type plugin? Just remember that you’re losing all of your visually impaired potential commenters with that one. For some folks, accessability isn’t a big deal… but for others it matters a lot.

Ebonmuse,

the solution to that problem is rather simple. Ive posted it already, over here: https://www.ads-software.com/support/topic/70606?replies=4

Have a look there. ??

Good stuff, whooami!

HandySolo: Yes, SecureImage is a captcha plugin (see https://dev.wp-plugins.org/wiki/SecureImage). I allow readers to my site to register, which requires only a valid e-mail address, and bypass the captcha entirely from that point on, so I’m not concerned that visually impaired readers are being excluded. I’ll check out Bad Behavior as well, thanks.

whooami: That seems like a good temporary solution, but what happens if someone’s browser doesn’t send referrer strings, or sends them improperly? They won’t be able to comment at all then. Also, this solution could be trivially bypassed by a spambot, simply by setting it up to send referrer strings corresponding to the domain of the site being spammed.

I’m glad I know how the spammers are doing this now, but I’m surprised that SecureImage can be bypassed so easily just by directly invoking wp-comments-post. What’s the point of a captcha that doesn’t hook into that file? It seems to me like the only thing that would do is inconvenience legitimate users. I’m going to give rewriting that file a try so it interfaces more directly with the captcha.

Actually, I just posted a response to whooami’s advice.. ??

Well, I’ve disabled SecureImage for the time being, since it’s really not stopping any spammers as is. I have another solution that doesn’t rely on referrer strings: I’ve renamed wp-comments-post.php to something else, and modified my theme files accordingly. This will help, I think, since automated attacks against standard WordPress blogs will now fail; the spammers would have to parse the code on my site to figure out where to aim their bots.

I dont think I presented it as anything other than the answer to the topic title in the other thread within that other thread. As such, david’s reply ought to have been put here, imo, but no matter.

It is ONE way to block a good deal of spammers — I have never advocated as the only thing a person should do. Obviously, if a script is smart enough to use your domain as the referer it would fail.

And obviously it would fail on a blank referer — guess what, not too many ppl block referers.. and its NOT alot to ask, in my purely philosophical opinion, to except that those leaving comments on MY blog do send a referer.

Thats the breaks in other words.

You mention using a captcha, You essentially block unsighted people. Thats the breaks.

Renaming that file is a great thing to do, btw. Its another one of my most common reccomendations.