Impostercide 1.2

November 21, 2005 2:30pm 17 comments

Impostercide 1.2 is now available!

Thanks to Denis de Bernardy for the motivation to properly deal with multiple accounts using the same email address. For those people using different login names but the same registered email address, you must "sign" your comment using the login name with which you are currently logged in.

Impostercide also now checks all three comment fields (name, email address, and URI) when someone comments to prevent as many spoofing attempts as possible.
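As an added illustration (not the plugin's own code), the following Python model applies the two rules described above: every one of the three comment fields is compared against a constructed table of hypothetical registered accounts, and when several accounts share one email address the logged-in commenter must sign with the login name of the current session. The `logged_in_as` parameter stands in for the user WordPress recognises from its cookie; the message wording is modelled on the plugin's reported response.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    login: str
    display_name: str
    email: str
    url: str

# Constructed sample user table (hypothetical accounts). Two logins share one
# email address, the case the 1.2 release handles.
USERS = [
    User("skippy", "skippy", "skippy@example.com", "http://example.com/"),
    User("skippy2", "Skippy (alt)", "skippy@example.com", "http://example.com/alt/"),
    User("owen", "Owen", "owen@example.net", "http://owen.example.net/"),
]

def _norm(value):
    return (value or "").strip().lower()

def check_comment(name, email, url, logged_in_as=None, users=USERS):
    """Return (allowed, message). logged_in_as is the login of the user
    recognised from the cookie, or None for an anonymous commenter."""
    fields = {"name": _norm(name), "email address": _norm(email), "URI": _norm(url)}
    # For each submitted field, the logins of registered users it collides with.
    owners = {field: set() for field in fields}
    for u in users:
        if fields["name"] and fields["name"] in (_norm(u.login), _norm(u.display_name)):
            owners["name"].add(u.login)
        if fields["email address"] and fields["email address"] == _norm(u.email):
            owners["email address"].add(u.login)
        if fields["URI"] and fields["URI"] == _norm(u.url):
            owners["URI"].add(u.login)
    for field, logins in owners.items():
        if not logins:
            continue  # no registered user claims this value
        if logged_in_as is None:
            return False, (f"The {field} you provided belongs to a registered user. "
                           "Please login to make your comment.")
        if logged_in_as not in logins:
            return False, f"The {field} you provided belongs to another registered user."
        if len(logins) > 1 and fields["name"] != _norm(logged_in_as):
            # Shared email: the comment must be signed with the current login name.
            return False, "Sign your comment with the login name you are logged in as."
    return True, "ok"
```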


Comments so far:

  1. tylerwillis 2005-11-21 20:39:24

    Skippy, you do some great work. Thanks for your efforts.

    Just wanted to let you know that the link to Impostercide 1.2 is broken: the file is there, but the link is bad.

    Tyler

  2. skippy 2005-11-21 21:12:41

    Thanks for the heads-up. The link is fixed.

  3. Owen 2005-11-22 08:50:26

    Hey, Skippy...

    We've got a pretty good solution for getting backups for WordPress, and that covers that aspect of WordPress security fairly well. But I think there is a significant hole in what WordPress offers in terms of front-line security.

    Impostercide is a good step in that direction. I think Impostercide should be part of a larger security package, though - something that attempts to plug more of the security holes that WordPress has.

    (For the casual reader: WordPress isn't insecure, it just doesn't prevent you from doing stupid things with your own security setup.)

    I've been thinking about writing such a plugin to cover this type of "prevention" security, and was wondering if you would like to help out, and maybe roll some Impostercide features in. Thoughts?

  4. skippy 2005-11-22 09:21:04

    Owen: Absolutely! Impostercide was written to cover an exposure that was never abused, so I can't even claim that it's an "itch-scratch" solution. But knowing that the exposure was there was enough to prod me into action.

    I'd be delighted to collaborate on a more comprehensive plugin.

  5. Bob 2005-11-24 11:00:54

    Skippy,

    If I understand your script correctly:

    1. People who are not logged in can make comments, as long as none of the following: name, email, or URI match that of any registered user. They are asked to log in and their comment ends fatally.

    2. Registered users who make comments & reference any of the above are asked to log in and their comment ends fatally.

    I don't see a link anywhere to login or register. Shouldn't your error response link to the login page?

    Bob

  6. skippy 2005-11-24 11:21:45

    Bob:

    Registered users who make comments & reference any of the above are asked to log in and their comment ends fatally.

    As long as a registered user hasn't logged out (by clicking the "Logout" link inside the admin interface), WordPress should recognize their cookie, and their comment should be approved by Impostercide as legitimate (though other moderation restrictions may still be applied).

    There's no login button anywhere here because I'm the only one who needs an account. I don't have guest authors, and I don't require users to be logged in to comment. As such, a login link would be clutter in my design.

    I could include a link to the login form, but I don't for two reasons: one) logging in takes the user to their profile page in WordPress, which would mean extra clicking to get back to the post permalink and comment entry form; and two) I want the user to be able to click their browser's back button so that they can copy their comment to their machine's clipboard, so that they aren't required to key it in again.

  7. Bob 2005-11-24 12:42:22

    I see, so even though I have a cookie I do not have an account, nor am I a registered user. That explains something I didn't understand. So Impostercide protects registered users, who, at least in your implementation, are not many (one). I assumed everyone who was commenting had an account, and Impostercide could possibly frustrate them if they weren't logged in. Not the case, since the "please log in" message is really only intended for a small cohort of registered users; otherwise it is a disingenuous instruction for those who tried to post disingenuously!

  8. skippy 2005-11-24 13:10:24

    Bob: correct. WordPress has basically three classes of people: commenters, users and authors. Most people combine users and authors into the same logical group, allowing their users to author posts (often used for things like Free-For-All Friday).

    WordPress supports an option to require commenters to be signed-in users. This is one means to prevent comment spam. A nice side-effect of this is that there's no comment spoofing: the signed-in user posts her comment under her account.

    Many bloggers want to allow comments from people without requiring them to register on the blog. Some allow completely anonymous commenting; others require that commenters at least provide an email address as a modest anti-spam mechanism. In these scenarios, though, there's nothing in the default WordPress code to prevent an anonymous commenter from supplying the name, email, or URI of a registered user or author, which means that you could write all manner of nasty stuff and make it look as though I wrote it. It doesn't matter that I'd delete it quickly -- the fact that someone might see it and think that I wrote it was motivation enough for me to create Impostercide!

  9. Bob 2005-11-24 13:44:51

    This is a very nice arrangement all around. I like the flexibility WordPress offers, and Impostercide! removes some risk that might otherwise cause an administrator to regretfully require commenters to sign in. As a user I like this because I prefer to register at sites only when absolutely necessary. I do not like giving out my email address, generally. You found a way to please everyone.

  10. Paul Pehrson 2006-03-03 16:37:59

    Skippy,

    You are awesome. Thanks for this plugin. It is EXACTLY what I need. Do you know who I need it from? My own mother.

    I once logged a comment on my blog from her computer, and ever since, she has insisted on commenting as me on my blog. She leaves these little comments like "This is just a comment to Paul to say, come fix my computer so it doesn't comment as Paul anymore." --- It's been driving me insane! This plugin is the answer to those troubles!! THANK YOU!!!

  11. Wireless » Blog addi(c)tions .::::::. le blog de SkyMinds 2006-04-20 13:50:45

    [...] And yes... I dared... I had fun adding a little live counter to the blog's main theme: it shows the number of people connected as well as the number of members, forum-style. I also added other plugins: Impostercide, to stop people signing their comments with the names of registered members, Search Everything to search the whole content of the blog (pages included) and EmailShroud to protect your email addresses from spam bots. Finally, Akismet is now enabled: given the scale of the spam these days (a good fifty a day) it has become necessary. Bloody spammers... :-/ [...]

  12. pejcao 2006-05-24 15:01:36

    Sounds great! Though, does it work with WP 2.0.X?

  13. Rising Above Mediocrity 2006-05-24 15:10:50

    On juvenile commenting behavior....

    If you glance over to the “Recent Comments” segment of the sidebar, you may notice a few unusual comments. I’ve had a jackass (or maybe multiple jackasses) attempting to disturb or malign me. It’s one thing to insult me, but i...

  14. Quix0r 2006-07-16 09:09:30

    I have WP 2.0.X here and your plugin works great with it. :D

    The email address you provided belongs to a registered user. Please login to make your comment.

    ... is the answer when I use my registered email address.

    Great work!

  15. Quix0r's Personal Weblog » Guests can no longer use email addresses of registered users 2006-07-16 09:14:48

    [...] On my weblog it is no longer possible for guests to sign comments with an email address which has been registered in my weblog. This little plugin did the trick even in my WordPress 2.0 installation. [...]

  16. no spoofing allowed -- village-idiot.org 2006-10-23 13:16:11

    [...] I decided to hunt around to see if a solution had been born, and there was scant code on the WordPress forums from Kaf. A Google search turned up the real solution: Impostercide. [...]

  17. KeepReadingUs 2006-11-06 23:07:21

    Hi,

    Thank you for the great plugin.
    I have used it on my new site www.keepreadingus.com and it is working fine on WP v2.0.5.

    It even works with ajax comments plugin.

    Great work.

    Thanks
