rawalex

“It’s a good idea, but it doesn’t take into account the myriad ways people use WP, and would cause more harm.”

It would only cause harm if it was “disable and never use”, which is not the idea. I suggest it as a check mark box in the configuration, defaulting to “disable urls” for the simplest of wordpress installs. Obviously, a site that uses buddy press or other methods could click the box and turn it back on.

For those who want to deal with those issues, they can still do it. But it would stop a great number of wordpress installs (especially less active ones) from becoming spamhaus sites, which many of them are.

In answer to your question, you can read a little bit here:

https://googleblog.blogspot.com/2011/01/google-search-and-search-engine-spam.html

While it doesn’t mention wordpress specifically, the “low quality sites” are often the sites that spam wordpress comments. One of the ways to spot these sites is to discount wordpress sites overall, and wordpress comments in particular.

Actually, it would get rid of much of the automated spam, because they almost all use the URL field in their posts to get a link. By automatically declining comments submitted with anything in that field (because you aren’t accepting it from your comment form) it would get rid of pretty much all of the direct comment spam (the ones that call wp-comments.php )

You can also add filters for a href and ahref and other variations as well, which gets rid of a bunch of the stupid ones, and decline anything with more than 2 links in it. That is a big part of your spam issue right there.

I agree with you, being able to rename the the wp-comments.php to something else would be a good way to stop it as well.

The Google issue is rumblings, including some comments made indirectly by a privare source inside the complex. Their new algo (recent this week) has changed the way much of the comment and link spam is looked at. Things are shifting. While they don’t mention product names specifically, they do look at widely used products and try to address weakenesses in the products that can lead to pollution of the Google SERPs.

Comment spamming is efficient enough (even with no follow tags) that people continue to do it, and the volume appears to be increasing. Google is very aware of the issue, I have been told. I am sorry that I can’t say more than that.

Please see https://www.ads-software.com/support/topic/comment-spam-improvements-needed?replies=3 for my ideas on the subject.

IPstenu, I think you miss part of my points.

The comments should default to “never appoved” as part of the default install package. It doesn’t mean you can’t click on it and disable it for your blog, but rather that this setting would make it harder for spammers to take advantage of blogs that are no maintained or are installed by people who don’t understand the implications of an open comment system. Right now, the defaults make the system too open, which is terrible.

Step 1 and 2 together. It should be an easy option in the discussion settings to say “no URL field on comment form”, and also not to accept comments with anything in the URL field (which is normally sent by bots directly accessing WP comment posting routines). That way not only would you be removing it (by choice) for those people using your comment form, but it would also take care of the vast majority of comment spammers, who are using that very field as their spam methods of choice.

It isn’t about making it the only choice, but rather making it a key part of anti-comment spam techniques on wordpress. At this point, Google appear to be very close to treating any wordpress install as spam or lower grade content, which would significantly lower the value of wordpress as a blog or CMS. Comment spam is the issue that will very likely take wordpress down. Addressing it is key.

Figaro, the problem is that when wordpress does both a security update AND a feature update at the same time (which is common when going from, say, 2.7.x to 2.8.0), then the people on 2.7.x are left with no choice. They can run a buggy and unsupported piece of software, or they can upgrade to features they don’t need.

I don’t suggest that wordpress staff go back and patch every version since the start of time. But there are milestone versions along the way, such as the revised admin, or the auto update, which are milestones which some (many) users don’t seem to want to pass. There are plenty of people running unpatched wordpress installs just to avoid features they don’t want.

So if you go back to each of these major points, and patch those versions appropriately, it can help to secure much of the products out there.

Quite simply, a security patch and a feature patch should NEVER be released together. If your existing version has a security issue, it should be patched. Then the upgrade version (next version number) released from there.

You guys miss the point.

Every version of wordpress (2.x) has major feature upgrades. Almost every time, those “features” and the coding that went around them are the cause of major headaches.

So let’s say 2.8.x is where we are at right now. I liked 2.7.x, except for a security issue. So rather than force me up to 2.8.x (trading one set of security issues for others yet unknown), why not issue a patch also for 2.7 users so there is a 2.7.x+1 that is ONLY a security patch?

For many people, a secure and stable version a couple of steps BELOW the current “wow-whee look at all them features” is more than good enough to do what we do. Having to eat the often unwanted upgrades just to get secure seems like a bit of an issue.

there should be a 2.7. branch that is secured and locked, with any security issues repaied only as that version, without the 2.8 or future upgrades.

The elevator should let you get off at each floor securely.

Steve, I really think that the only way that wordpress really moved forward is for the developers to freeze out at 2.8, and start to work on 3.0 with an entirely new core that is built from the ground up for speed, efficiency, and most importantly to service the readers of blogs, not adding shiny tool for admins to play with.

I don’t see that happening, and I agree that wordpress might dead end at some point.

WordPress has been all about shiny new features and admin layouts, and little about fixing the underlying issues of the software. WordPress is a great program if you have < 100 posts. As soon as you try to scale, you run across all sorts of problems, redundant queries,pages being built dynamically even though there are no changes on them for months at a time, etc.

Again, wordpress works great to a certain extent, but it just doesn’t work past a point (and I have found that point on more then one occassion)

I found one trac on this… check out this query, as an example:

SELECT SQL_CALC_FOUND_ROWS wp_posts.* FROM wp_posts WHERE 1=1 AND wp_posts.post_type = ‘post’ AND (wp_posts.post_status = ‘publish’ OR wp_posts.post_status = ‘private’) ORDER BY wp_posts.post_date DESC LIMIT 0, 6

SQL_CALC_FOUND_ROWS is a horrible query, no matter what limit you put on it, it has to consider all records in the DB.

Read it all here: https://trac.www.ads-software.com/ticket/7415

The problem is that this has been floating since July. WordPress has had two complete revision to the admin panel in this time, but underlying code keeps getting bumped and milestoned off to the future. This was 2.7 now 2.8 and likely going to end up as 3.0 soon enough.

Testing it all out isn’t hard. Load up a sample WP install with 10,000 posts spread over a period of time. Log all the mysql queries execution time. Click around, visit archive, do searches, etc. The slow queries will show up very quickly indeed.

I will check to see what I can find in the bug tracker.

The answer “others have a problem too” isn’t really a good answer, especially when things can be fixed and made better. ??

This thread qualifies as one of the funniest things I have read in a while. I cannot imagine for the life of me developers not getting the concept. We have all sorts of options in the control panel that most of us never use, and yet something as important as an option that fills your post files with junk posts (aka old revisions) is something that doesn’t need an option setting?

Otto, everything is personal preference. That is why there are options switches, plug ins, and other ways to personalize your blog experience.

Here is a great example: the privacy settings. Why does that not only have an option but a whole seperate section in the admin? What is the justification process for creating a whole new screen for a single option? How hard would it be to rename that “additional options” and add a simple “disable post revisions” on there? I would say that the privacy thing would be better served in the config file, no?

I think the users have spoken clearly here. It’s just a question of it the developers can hear them.

Handy, adding a line is “nice”, but if it is that easy, then it should be a configuration option, not something you have to hack into each version. Remember, that sort of hack disappears on the next upgrade unless you go put it back in.

I got off the elevator at 2.5.1, I think it was just in time.

handy, I think the answer would be the same as the more tag, they discussed it sometime in the past and it isn’t up for discussion in the future, no matter how many people would actually use it.