Relocate wp-comment post and other features

  • Here is a suggestion for those doing development, something very powerful and incredibly useful in the fight against comment spammers, ping bots, and other annoyances:

    my suggestion is creating a new folder called wp-interactive and putting things like the wo-comments, wp-trackback, and any other similar code into this folder. The reason and logic is pretty simple:

    htaccess is a common way to control access to a folder and the code within it. From simple restrictions such as denying an IP or range of IPs to using GeoIP software to limit country access, you could quite dramatically limit the amount of comment spam and such coming from certain places. So as an example, one might choose to allow users from places like Russia, Ukraine (two separate countries!), or China to read your blog, but you might block them from posting comments, sending ping backs, or accessing any other things that could create spam or problems on your site.

    You could even conceivably move wp-login to this location, which would again allow for more security in this situation, and make it easier to stop the endless door knocking of people trying to access wordpress blogs.

    In a more fancy version, it might even be worth having an admin page that would allow you to block IP ranges or even go to the extreme of automatically blocking IPs which send spam comments from having access to the comments processing.

    It’s time to take action on these important security issues.

Viewing 16 replies (of 16 total)
  • Thread Starter rawalex

    (@rawalex)

    ” while some may not accept it Automattic is not WordPress”

    Yes, but the official anti-spam tool is Automattic, and is given automatic installation status where nothing else gets it. Anyone operating anything remotely commercial on wordpress is required to pay to get this service. WordPress as it stands is written with Akismet in mind, and not easy of installing any other solutions to counter spam. Everything else has to be something that works AROUND Akismet. So like it or not, you cannot talk about one without the other. Don’t think so? Try suggesting that Akismet shouldn’t be a default install or should be replaced. It quickly turns into a wagon circling event!

    It’s taken 10 years for there even to be a really meaningful discussion on allowing comments to be turned off completely.

    ” WordPress users can and do avail themselves of those plugins.”

    Can you point to some examples? I have seen a few that outrightly replace functions or try to put false doors up, but otherwise, nothing that would allow htaccess, geo_ip, and third party tools (like RBL or other spam services) to be integrated.

    Perhaps I can put this in another way that might make sense to you.

    Let’s say I use wordpress for a company website. The (fictional) company is “South Florida Floor Repairs”. They only server Florida, and nothing more. All of the site owners, operators, webmasters… all in Florida. Would it not be a true benefit for them to be able to say “restrict comments and logins only to people from Florida”? Do you not think that this would get rid of pretty much all of the drive by spam, and at the same time would eliminate almost all of the brute force attackers?

    Let’s say I operate a website that is only in polish. Wouldn’t it be nice to be able to filter by IP, browser, and request language so they only people who could access comments would be in my target area?

    Let’s say I admin a large site with only 2 administators, one in the company office and myself. We both have fixed IPs. Wouldn’t it be nice to be able to say (in a simple manner) restrict logins on these two IPs only? Or for that matter, allowing for a variation of a “door knock” which would shut out everyone from even accessing the login script unless they first do X or Y or Z?

    There are many, many, many security options server side that are very powerful, but most work best on a directory level.

    As wordpress moves more and more towards being a CMS rather than just a blog, and as commercial use grows, you will find that there will be more calls for improving security. In fact, I would say that improving security and cutting down webspam should be a higher priority than redesigning admin page layouts or similar.

    Can you give us some details of steps wordpress have taken since, oh, 3.5 to address webspam?

    [ Don’t bump. ]

Viewing 16 replies (of 16 total)
  • The topic ‘Relocate wp-comment post and other features’ is closed to new replies.