Aside from the occasional massive spam run, there’s been a fairly regular trickle of spam targeted at the comments on this blog. Dr. Dave’s excellent Spam Karma plugin takes care of nearly all of these using a combination of content filters, blacklists, form checks, signs of proxy use, and more.
On Tuesday I added IO Error’s Bad Behavior. This plugin looks at actual HTTP requests, identifies known spambots and looks for signs of cloaked bots—those that claim to be a browser like MSIE or Mozilla, but don’t act like it—and prevents them from even getting in the door. The advantage here is that you can save processing time and bandwidth on all kinds of bogus requests, not just comment spam, but address harvesting bots, referrer spam, and so on.
Maybe it’s coincidence, but Spam Karma hasn’t seen a single spam attempt since I installed Bad Behavior.
Of course, blocking bots won’t catch the occasional person who posts comment spam the old-fashioned way: by surfing to the page and filling in the form. And eventually bots will do a better job of imitating real visitors, just as phishing attacks have moved from crude, badly-spelled notes to sophisticated forgeries with real logos and disguised links. Spam Karma will still be needed for those.
But the combination looks very promising!
Please, when developing your plugins, be sure to always use the full opening tag for PHP:
<?php code goes here ?>
On some servers—maybe even your own—you can shorten this to just the opening <?. The following line in php.ini will disable this “feature,” and many web server administrators do so to simplify things like generating XML with PHP:
short_open_tag = Off
When this option is set, PHP will ignore <? and assume it’s simply part of the template… along with all the code following it. If you’re lucky, it means a bunch of PHP code gets sent to the web browser. If you’re not lucky, it results in invalid syntax, and PHP grinds to a halt, spitting out a blank page and a PHP Parse Error.
So please make sure you always use the full opening tag so that your plugin will be compatible with everyone’s system. If you run your own server, set that option in php.ini so that if you miss one, you can catch it before you post it.
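A pre-release check for the problem described above, as an added example that is not part of the original post: it walks a plugin file the way PHP does with short_open_tag = Off and reports every bare <? that would be left as template text and sent to the browser. The function name and the sample file are constructed for illustration; <?= is left alone on the assumption that the target is PHP 5.4 or later, where it is always recognised.

```python
import re

# Constructed sample plugin file: some blocks use the full tag,
# others use the short tag the post warns about.
SAMPLE = """<?php /* Plugin Name: Demo */ ?>
<ul>
<? foreach ($posts as $p) { ?>
  <li><?php echo $p->title; ?></li>
<? } ?>
</ul>
"""

# Tags PHP still recognises with short_open_tag = Off
# (assumption: PHP 5.4+, where "<?=" is always available).
FULL_OPEN = re.compile(r"<\?php(?=\s|$)|<\?=", re.IGNORECASE)
# A bare "<?" that is not "<?php", "<?=" or an XML declaration.
SHORT_OPEN = re.compile(r"<\?(?!php\b|=|xml\b)", re.IGNORECASE)


def find_short_tags(source):
    """Return (line_number, line_text) for each short tag left as template text.

    Text outside <?php ... ?> is literal output, so a bare "<?" found there
    is never executed and its code leaks to the client.
    Simplification: "?>" inside a PHP string literal is treated as a close tag.
    """
    findings = []
    lines = source.splitlines()
    pos = 0
    while pos < len(source):
        opener = FULL_OPEN.search(source, pos)
        end_template = opener.start() if opener else len(source)
        # Template region: scan for short tags that PHP would ignore.
        for m in SHORT_OPEN.finditer(source, pos, end_template):
            line_no = source.count("\n", 0, m.start()) + 1
            findings.append((line_no, lines[line_no - 1].strip()))
        if not opener:
            break
        # Code region: skip to the matching close tag (or end of file).
        close = source.find("?>", opener.end())
        pos = len(source) if close == -1 else close + 2
    return findings


if __name__ == "__main__":
    for line_no, text in find_short_tags(SAMPLE):
        print(f"line {line_no}: short open tag: {text}")
```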
I decided to try out a few WordPress plugins. Here’s the status:
- WayPath for WordPress: List related posts on other blogs. Nice, but cluttered and slows things down. If we keep this, we’ll need to get caching to work. Active, seeking comments.
- Spell Check: Only for posts so far. Unfortunately, it doesn’t seem to actually work. Disabled.
- Link Relationships: Adds next/previous post elements for search engines and browsers that support them. Painless to install, simple and elegant. Active.
- Staticize Reloaded: Cache each page so that the server doesn’t have to regenerate it every single time. Very nice, but unfortunately isn’t compatible with HTTP compression right now. Disabled.
- Live Preview: Add an instant preview to comments. A bit of tweaking to install, though I managed to modify it to play nicer with WP’s plugin API, but very cool! Active.
- Random Posts: Add a list of random posts to the sidebar. Simple and possibly interesting. Active.
- SameCat: List posts in the same category as the current one. Combined with the Related Entries plugin, this provides a good set of links to similar posts. Active.
Other ideas I’m looking at (some of which I’ve seen plugins for):
- Comment threading (Katie suggested this, but the last time I looked for plugins the only one I found required serious database changes)
- Email notifications
- Category and author icons
- True-a-Day sidebar
So, any opinions on the new features? Any suggestions for others? In particular, any thoughts on the WayPath feature? I’m not sure whether it’s worth keeping around or not.