WordPress Quickie: Ban Malicious Visitors
Over the past few weeks I have been receiving spam comments from one spammer in Abu Dhabi. The comments were not picked up by Akismet, nor did Akismet learn to recognize them as spam after I flagged them as such. Yesterday I started receiving tons (a few every minute) of the same spam with the guy leaving links to his splog. At first I disabled comments on the current post but then he started spamming huge comments all over the place. Unfortunately WordPress does not currently possess the ability to ban a commenter based on his IP address.
I had attempted to perform a deny with htaccess rules but my foo was lacking and I kept getting Internal Server 500 errors. (Update: The WordPress Codex expands upon denying access via htaccess.) So I settled on a quick yet effective PHP tactic as follows:
If loaded into a primary WordPress file such as wp-config.php, the spammer won’t even be able to access the site. In place of the site, the spammer receives a lovely message. You can get as creative as you like with the message. For this to work, you must replace 0.0.0.0 with the IP address of the spammer which WordPress provides with every comment. Below is the sample WordPress config file with the ban code in place.
<?php
// Replace 0.0.0.0 with the spammer's IP address (WordPress shows it with every comment).
if($_SERVER['REMOTE_ADDR'] == '0.0.0.0') { echo 'Spam is not appreciated!'; exit; }
// ** MySQL settings ** //
define('DB_NAME', 'wordpress'); // The name of the database
define('DB_USER', 'username'); // Your MySQL username
define('DB_PASSWORD', 'password'); // ...and password
define('DB_HOST', 'localhost'); // 99% chance you won't need to change this value
// You can have multiple installations in one database if you give each a unique prefix
$table_prefix = 'wp_'; // Only numbers, letters, and underscores please!
// Change this to localize WordPress. A corresponding MO file for the
// chosen language must be installed to wp-includes/languages.
// For example, install de.mo to wp-includes/languages and set WPLANG to 'de'
// to enable German language support.
define('WPLANG', '');
/* That's all, stop editing! Happy blogging. */
define('ABSPATH', dirname(__FILE__).'/');
require_once(ABSPATH.'wp-settings.php');
?>
If you have multiple IPs to ban just follow the same format except with the code below:
This method of banning visitors obviously only works with static IPs. There’s nothing stopping the spammer/irate kid from coming back in a few days after his dynamic IP has changed. I have yet to find any effective WordPress plugins that can do simple user banning, so if you know of anything please let me know as I bet it’s something on many people’s minds. If nothing exists, I might just have to start writing a WP-Ban plugin, heh. Update: This plugin looks promising.
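The check above, carried a bit further as an added example (this is not code from the original post): a ban list for the top of wp-config.php that accepts both exact addresses and CIDR ranges (IPv4 and IPv6), and answers with an HTTP 403 rather than a normal 200 page so the denial shows up as such in the server logs. The list entries, the function names and the "no reverse proxy in front of the site" setup are all assumptions made for the example.

```php
<?php
// Added example (not code from the original post): an IP ban check for the
// top of wp-config.php. It generalises the single-IP check in the post to a
// list of exact addresses and CIDR ranges (IPv4 and IPv6) and replies with an
// HTTP 403 instead of a normal 200 page, so the denial is visible in logs.

// Constructed sample list. Replace with the addresses WordPress shows next to
// the spam comments; the two ranges are placeholder documentation prefixes.
$banned_ips = array(
    '0.0.0.0',
    '192.0.2.0/24',
    '2001:db8::/32',
);

// True when $ip is inside $entry, where $entry is either a bare address or a
// CIDR range such as '192.0.2.0/24' or '2001:db8::/32'.
function ip_matches_entry($ip, $entry) {
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;                    // not a valid address at all
    }
    $parts = explode('/', $entry, 2);
    $network = $parts[0];
    if (filter_var($network, FILTER_VALIDATE_IP) === false) {
        return false;                    // malformed list entry: ignore it
    }
    $ip_bin  = inet_pton($ip);
    $net_bin = inet_pton($network);
    if (strlen($ip_bin) !== strlen($net_bin)) {
        return false;                    // an IPv4 entry cannot match an IPv6 visitor
    }
    $max_bits = strlen($ip_bin) * 8;     // 32 for IPv4, 128 for IPv6
    $bits = isset($parts[1]) ? (int) $parts[1] : $max_bits;
    if ($bits < 0 || $bits > $max_bits) {
        return false;
    }
    // Compare the whole bytes covered by the prefix, then the partial byte.
    $full_bytes = (int) ($bits / 8);
    if (substr($ip_bin, 0, $full_bytes) !== substr($net_bin, 0, $full_bytes)) {
        return false;
    }
    $rest = $bits % 8;
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($ip_bin[$full_bytes]) & $mask) === (ord($net_bin[$full_bytes]) & $mask);
}

// True when the visitor's address matches any entry on the list.
function is_banned($ip, array $list) {
    foreach ($list as $entry) {
        if (ip_matches_entry($ip, $entry)) {
            return true;
        }
    }
    return false;
}

// REMOTE_ADDR is the address of the TCP peer, which the client cannot spoof.
// X-Forwarded-For and similar headers are client-controlled and are deliberately
// not read here. Assumption: no reverse proxy or CDN sits in front of the site;
// if one does, take the client address from that proxy's header instead.
$visitor = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

if ($visitor !== '' && is_banned($visitor, $banned_ips)) {
    header('HTTP/1.1 403 Forbidden');
    header('Content-Type: text/plain; charset=utf-8');
    echo 'Spam is not appreciated!';
    exit;
}

// The rest of wp-config.php (MySQL settings, ABSPATH, wp-settings.php) follows.
```

A range entry is the only way this approach copes with a spammer whose dynamic address moves within one provider's block, and the trade-off is that every other visitor in that block is locked out too, so keep ranges as narrow as the observed addresses allow and drop them once the flood stops. Because wp-config.php runs before any output is sent, header() still works here; the same check placed later in a theme file would already be too late to change the status code.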
What do you mean your foo was lacking? I had no problems using htaccess to deny IPs for spam reasons when I had a blog. Then I moved to a captcha method instead which instantly removed all spam. Though I forgot what it was called, it was excellent, so much in fact, not all characters were human readable. But of course I like to respond via lynx so I couldn’t post back (if I didn’t log in, that is).
But the deny method should work, as I have used it for several months in WP…
this is interesting. Akismet missed it more than one time? It has worked perfectly so far for me. Might want to talk to akismet developers about this. I can see swarms of spammers asking tips from that dude on how he bypasses the system.
WordPress does support IP blocking. Just enter the spammer’s IP address in the blacklist field on the Discussion Option page. I’ve been using that feature for years and have never had a problem.
Oohh. I thought the blacklist was only for words. Well anyways, this method is still useful for making sure that someone can’t even load up your site.
One thing I’ve been having lately is spammers who are leaving comments without registering, which is weird, as I have registration enabled. Akismet stops them nicely but I feel uneasy that there’s a potential security hole there - any experience of this Paul, or anyone else?
Nope, it acts just like the moderation list, except it kills the comments without you knowing. Just make sure you try out anything you add to the blocklist in the moderation list first. You don’t want to be blocking legitimate users’ comments.
I use Spam Karma 2. Since I installed the newest version of Bad Behavior 2, which now also works with the wp-advanced-cache plug-in (small change required in one of the files, everything nicely described in the readme file) Spam Karma only logged 2 spomments anymore in almost 72 hours.
Be careful with Bad Behavior.. Brian told me it almost killed his database. But maybe the new version is different.
I still prefer htaccess
LOL, thanks for the tip ;)
Anyway always back up before installing plug-ins, especially if they make new db-tables. That point was maybe the ‘only’ criticism concerning Bad Behavior, although the installation instructions clearly state to delete previous installations. I must admit I didn’t check if the table structure changed in the new version, which would obviously create problems since there is no update version.
What I do know is that BB doesn’t work with GoDaddy, but also that is stated in the guidelines.
Using *looks around* Google’s Web Accelerator there are no problems, unlike with EE.
I tried Bad Behavior once. It thought I was a spammer and it blocked me from my own site. Several of my users also had major problems getting to my site. I would never install that piece of crap again.
Bad Behavior is running smoothly on my page. While I completely support the hard work devs put into public plugins, watch your footer as this plugin is one to insert an extra line of code to pages. Jacked my page up. :( Great plugin though. Akismet was beginning to fall short of expectations and manually blacklisting IPs was becoming way too tedious.
Just like Spam Karma punishes users without javascript, Bad Behavior also checks the signature of browsers. Open proxies might cause problems here, just as too severe security settings.
I guess AOL users might have problems with Bad Behavior.
Derek, the footer message can be unchecked in the Bad Behavior options. ;)
Manually blocking IPs is good for quick operations like in Paul’s case, although I personally prefer .htaccess. Mid 2003 I started a disallow, deny htaccess, after 3 months I gave up. If I remember well all the rules were 30kB without different mod_rewrite rules. The server performance obviously suffered under this.
Personally I wouldn’t mind paying my ISP for an international service maintaining professional lists allowing to block blacklisted IPs immediately at the backbones. Imagine every flatrater pays monthly $0.10 for this. Enough money to maintain such a service worldwide. And the internet would become faster again.
Yes I noticed the footer option after a little exploring. I would pay for an ISP service to stop bastards at the source.
Hey,
If you have multiple IPs it’s nicer to use an array in this way. And easier to add more IP addresses.
// List every IP address to ban; in_array() checks the visitor against all of them.
$iparray = array("0.0.0.0", "1.1.1.1", "2.2.2.2");
if (in_array($_SERVER['REMOTE_ADDR'], $iparray))
{
echo "spam isn't appreciated!";
exit;
}
Hi, I use boakes akismet htaccess extension and it does just what You need. Give it a try!
Or another nice plugin is: bannage.
Appreciate the linkback. Bannage was started while I was vacationing in Japan. I was getting massive amounts of spam and Akismet was just letting it ride on into the list. I ventured out to write something that would do any good it could.
Although the plugin is still beta, it does its job. It is still under development as individuals have begun to post some bugs. Nonetheless I appreciate any and all support towards the cause of Bannage.
Try ‘Bannage’, it’s a WordPress plugin which does the same job pretty easily.
hi
Perfect idea.
:)
Well Paul,
Bannage Plugin can block visitors using cookies, so this will also block visitors with dynamic IPs.
But I use both methods, Just for extra Protection ;)
I keep getting the same thing as Dave Goodman mentioned. I also thought the blacklist was for words only.
Thanks for the feedback.
I’m wondering if anyone can confirm that entering the IP address in the Comment Blacklist field in WordPress actually works in nuking comments from that particular IP address.
I’ve got one particularly persistent spammer. I entered his IP address in the Comment Blacklist field, but the spam from that address keeps ending up in my Akismet spam folder. In other words, despite having his/her IP address in the comment blacklist field, spam from that IP address is getting through.
Is there something obvious that I’m missing? Do we need to preface the IP address with some sort of code?
Bannage has wildcards integrated so you can block entire subnets, domains, and prefixes for names etc.
I appreciate the mention Paul.