Forum Replies Created

Viewing 9 replies - 1 through 9 (of 9 total)
  • resist’s samples are very similar to ones that I’ve been getting (or were until I did “update wp-posts set ping_status='closed'”)

    I was receiving them from all over – USA, Netherlands, China – wonder if it’s a virus that’s sending them.

    keep the technique to yourself. if you release it for mass use, spammers will kill it.

    Sad, but true. I like to give back to the community, but if it’s the villains that get it…

    and coding in perl won’t make your blogging app more secure. movable type is written in perl. spammers have been owning mt for years.

    Granted – and ditto even if I wrote it in C. A language is only as secure as the programming technique. My reluctance to use PHP is mainly based on the number of security-related upgrades to PHP itself.

    Getting back to your “keep it to yourself” – if every user with PHP knowledge were to add a little “uniqueness” to their WP implementation, maybe it would make things just a little bit more tricky for our eternal foe.

    I am writing a “minimalist” blogging software in Perl (I have grave reservations about the security of PHP – all the more after reading the above!) and am looking to use an “occulting” technique in the fight against comment/trackback spam. Your WordPress is like my client’s WordPress is like my WordPress – once you know the base of the URI scheme, you can start POSTing comments/trackbacks anywhere WordPress is found. This goes for most internal anti-spam techniques: once they get popular, someone will code their user agent to get around it.

    My technique will involve trackback/comment URIs that change on every page view. It’s a bit database intensive for a server running oodles of ‘blogs, but would have minimal impact on smaller-scale operations, where you only have a small handful of sites per server.

    I’ll advise my technique somewhere on the WordPress forum, in case anyone wants to try implementing it in WordPress. Think I’ll leave the Perl to PHP translation to someone else this time though!

    And yes, I did read the Sticky and know about Akismet, but I like to keep my solutions in-house. Control freak? Possibly.
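    The per-page-view comment URI scheme described in the reply above, sketched as an added example in PHP. This is not smiffy’s Perl code and not WordPress code; it assumes a hypothetical /comment/<nonce>/<expiry>/<mac> route, and an in-memory array stands in for the database table the reply says the technique leans on.

```php
<?php
// Hypothetical per-page-view comment endpoint tokens (constructed example, not WordPress core).
// Each render of a post mints a single-use token bound to that post; the comment form POSTs to
// the minted URI. The token is consumed on first use, so a harvested URI cannot be replayed.

const TOKEN_TTL = 3600; // seconds a minted comment URI stays valid after the page view

// Stand-in for the database table the original post says this technique is heavy on.
$tokenStore = [];

function mint_comment_uri(array &$store, int $postId, string $secret): string {
    $nonce   = bin2hex(random_bytes(16));
    $expires = time() + TOKEN_TTL;
    // HMAC over nonce, post id and expiry: a guessed or edited URI fails the MAC check
    // before the database is consulted, which keeps the lookup cost off the spam traffic.
    $mac = hash_hmac('sha256', "$nonce|$postId|$expires", $secret);
    $store[$nonce] = ['post' => $postId, 'expires' => $expires, 'used' => false];
    return "/comment/$nonce/$expires/$mac";
}

function accept_comment_post(array &$store, string $uri, int $postId, string $secret): bool {
    if (!preg_match('#^/comment/([0-9a-f]{32})/(\d+)/([0-9a-f]{64})$#', $uri, $m)) {
        return false;                                   // not a minted URI at all
    }
    [, $nonce, $expires, $mac] = $m;
    $expected = hash_hmac('sha256', "$nonce|$postId|$expires", $secret);
    if (!hash_equals($expected, $mac))      return false; // forged or guessed URI
    if ((int) $expires < time())            return false; // stale page view
    if (!isset($store[$nonce]))             return false; // unknown nonce
    if ($store[$nonce]['used'])             return false; // replay of a consumed token
    if ($store[$nonce]['post'] !== $postId) return false; // token minted for another post
    $store[$nonce]['used'] = true;                        // single use: consume it
    return true;
}

// Constructed demo: a legitimate page view, then a replay, then a forged URI.
$secret = 'constructed-demo-secret-change-me';
$uri    = mint_comment_uri($tokenStore, 42, $secret);
var_dump(accept_comment_post($tokenStore, $uri, 42, $secret)); // first POST from the page view
var_dump(accept_comment_post($tokenStore, $uri, 42, $secret)); // same URI POSTed again
$forged = '/comment/' . str_repeat('0', 32) . '/9999999999/' . str_repeat('0', 64);
var_dump(accept_comment_post($tokenStore, $forged, 42, $secret)); // URI built without the secret
```

    Expired and consumed rows can be purged in a periodic cleanup query, which is where the database cost the reply mentions would fall on a server hosting many blogs.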

    I think that there may be a genuine exploit here, even if the original post title sounds like a general whinge rather than a bug report.

    I can confirm that, over the last two days, I (WP 2.0.2) have had a deluge of comment spam that has continued despite requiring commenters to be logged in. Since I set this, I have been checking and no new users have appeared.

    My suspicion is that someone is POSTing direct and, by some means, the form processing isn’t actually doing any user validation, or this is being bypassed.

    I have my own anti-spam techniques (which I need to port from Perl) that I will be applying to fix the problem, but thought that I should flag a potential vulnerability to the WP developers.

    I might even try writing a little Perl user agent to see if it can crack my own supposedly “locked down” ‘blog; will report back to forum if I can find an obvious vulnerability.

    Thread Starter smiffy (@smiffy)

    Resolved – this was actually an HTML problem with the upload form.

    Forum: Plugins
    In reply to: Total Words Counter???

    I don’t know how it was done on that page, but you may like to have a look at the PHP reference for str_word_count().

    What browser are you using? It looks fine in Firefox. I guess that means that you may have a problem with the CSS stylesheet.

    Try putting this around your image element:
    <div style="margin:10px;"> .... your image .... </div>

    Thread Starter smiffy (@smiffy)

    Yep – that’s fine; .jpg is allowed. If I copy and paste the filename into the file selector in WordPress, it works fine.

    I thought that I’d left off the file extension, but that’s just the width of my post getting truncated.

    What are the bare minimum fields that the upload can work with?

    Thread Starter smiffy (@smiffy)

    Thanks – saves me having to think up the code.

    I still think it would be handy to have as a standard feature in quicktags; the requirement for ‘rel’ is less common, but the way that links are used in web log posts, I’d say just about every one needs a title.

    Cheers

    M
