skippy dot net

Impostercide 1.2

Impostercide 1.2 is now available!

Thanks to Denis de Bernardy for the motivation to properly deal with multiple accounts using the same email address. For those people using different login names but the same registered email address, you must "sign" your comment using the login name with which you are currently logged in.

Impostercide also now checks all three comment fields (name, email address, and URI) when someone comments to prevent as many spoofing attempts as possible.
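
The checks described above, as an added PHP sketch (not Impostercide's own source): each submitted field is compared against the registered accounts, and an email address shared by several accounts is accepted only when the comment is signed with the login name of the account that is logged in. The function names, the `$users` array, the normalisation rule and the rejection wording (modelled on the message quoted in the comments below) are assumptions.

```php
<?php
// Added sketch, not Impostercide's source. $users is a constructed stand-in
// for the WordPress user table; the matching rules below are assumptions.

function norm(string $v): string {
    // Compare case-insensitively and ignore a trailing slash on URIs.
    return rtrim(strtolower(trim($v)), '/');
}

// Returns a rejection message, or null when the comment may proceed.
function impostor_check(array $comment, array $users, ?string $currentLogin): ?string {
    $columns = ['name' => 'login', 'email' => 'email', 'uri' => 'uri'];
    $me = null;
    foreach ($users as $u) {
        if ($currentLogin !== null && norm($u['login']) === norm($currentLogin)) {
            $me = $u;
        }
    }
    foreach ($columns as $field => $col) {
        $value = norm($comment[$field] ?? '');
        if ($value === '') {
            continue; // nothing submitted for this field
        }
        $owners = array_filter($users, fn($u) => norm($u[$col]) === $value);
        if (!$owners) {
            continue; // value belongs to no registered user
        }
        if ($me === null || norm($me[$col]) !== $value) {
            return "The $field you provided belongs to a registered user. Please login to make your comment.";
        }
        // Shared email address: the comment must be signed with the
        // login name of the account that is actually logged in.
        if ($field === 'email' && count($owners) > 1
            && norm($comment['name'] ?? '') !== norm($me['login'])) {
            return 'Sign the comment with the login name you are logged in as.';
        }
    }
    return null;
}

// Constructed accounts: "alice" and "alice-test" share one email address.
$users = [
    ['login' => 'alice', 'email' => 'alice@example.org', 'uri' => 'http://example.org/'],
    ['login' => 'alice-test', 'email' => 'alice@example.org', 'uri' => ''],
];
// Anonymous visitor reusing only a registered URI, then two logged-in cases.
var_dump(impostor_check(['name' => 'Visitor', 'email' => 'v@example.net', 'uri' => 'http://example.org'], $users, null));
var_dump(impostor_check(['name' => 'alice-test', 'email' => 'alice@example.org'], $users, 'alice-test'));
var_dump(impostor_check(['name' => 'alice', 'email' => 'alice@example.org'], $users, 'alice-test'));
```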


  • tylerwillis
    Skippy, you do some great work. Thanks for your efforts. Just wanted to let you know that the link to Impostercide 1.2 is broken: the file is there, but the link is bad. Tyler
  • skippy
    Thanks for the heads-up. The link is fixed.
  • Owen
    Hey, Skippy... We've got a pretty good solution for getting backups for WordPress, and that covers that aspect of WordPress security fairly well. But I think there is a significant hole in what WordPress offers in terms of front-line security. Impostercide is a good step in that direction. I think Impostercide should be part of a larger security package, though - something that attempts to plug more of the security holes that WordPress has. (For the casual reader: WordPress isn't insecure, it just doesn't prevent you from doing stupid things with your own security setup.) I've been thinking about writing such a plugin to cover this type of "prevention" security, and was wondering if you would like to help out, and maybe roll some Impostercide features in. Thoughts?
  • skippy
    Owen: Absolutely! Impostercide was written to cover an exposure that was never abused, so I can't even claim that it's an "itch-scratch" solution. But knowing that the exposure was there was enough to prod me into action. I'd be delighted to collaborate on a more comprehensive plugin.
  • Bob
    Skippy, If I understand your script correctly: 1. People who are not logged in can make comments, as long as none of the following: name, email, or URI match that of any registered user. They are asked to log in and their comment ends fatally. 2. Registered users who make comments & reference any of the above are asked to log in and their comment ends fatally. I don't see a link anywhere to login or register. Shouldn't your error response link to the login page? Bob
  • skippy
    Bob:
    "Registered users who make comments & reference any of the above are asked to log in and their comment ends fatally."
    As long as a registered user hasn't logged out (by clicking the "Logout" link inside the admin interface), WordPress should recognize their cookie, and their comment should be approved by Impostercide as legitimate (though other moderation restrictions may still be applied). There's no login button anywhere here because I'm the only one who needs an account. I don't have guest authors, and I don't require users to be logged in to comment. As such, a login link would be clutter in my design. I could include a link to the login form, but I don't for two reasons: one) logging in takes the user to their profile page in WordPress, which would mean extra clicking to get back to the post permalink and comment entry form; and two) I want the user to be able to click their browser's back button so that they can copy their comment to their machine's clipboard, so that they aren't required to key it in again.
  • Bob
    I see, so even though I have a cookie I do not have an account, nor am I a registered user. That explains something I didn't understand. So Impostercide protects registered users, who, at least in your implementation, are not many (one). I assumed everyone who was commenting had an account, and Impostercide could possibly frustrate them if they weren't logged in. Not the case, since the "please log in" message is really only intended for a small cohort of registered users; otherwise it is a disingenuous instruction for those who tried to post disingenuously!
  • skippy
    Bob: correct. WordPress has basically three classes of people: commenters, users and authors. Most people combine users and authors into the same logical group, allowing their users to author posts (often used for things like Free-For-All Friday). WordPress supports an option to require commenters to be signed-in users. This is one means to prevent comment spam. A nice side-effect of this is that there's no comment spoofing: the signed-in user posts her comment under her account. Many bloggers want to allow comments from people without requiring them to register on the blog. Some allow completely anonymous commenting; others require that commenters at least provide an email address as a modest anti-spam mechanism. In these scenarios, though, there's nothing in the default WordPress code to prevent an anonymous commenter from supplying the name, email, or URI of a registered user or author, which means that you could write all manner of nasty stuff and make it look as though I wrote it. It doesn't matter that I'd delete it quickly -- the fact that someone might see it and think that I wrote it was motivation enough for me to create Impostercide!
  • Bob
    This is a very nice arrangement all around. I like the flexibility WordPress offers, and Impostercide! removes some risk that might otherwise cause an administrator to regretfully require commenters to sign in. As a user I like this because I prefer to register at sites only when absolutely necessary. I do not like giving out my email address, generally. You found a way to please everyone.
  • Paul Pehrson
    Skippy, You are awesome. Thanks for this plugin. It is EXACTLY what I need. Do you know who I need it from? My own mother. I once logged a comment on my blog from her computer, and ever since, she has insisted on commenting as me on my blog. She leaves these little comments like "This is just a comment to Paul to say, come fix my computer so it doesn't comment as Paul anymore." --- It's been driving me insane! This plugin is the answer to those troubles!! THANK YOU!!!
  • April 20th, 2006
  • pejcao
    Sounds great! 'tho, does it work with WP 2.0.X ?
  • May 24th, 2006
  • Quix0r
    I have WP 2.0.X here and your plugin works great with it. :D "The email address you provided belongs to a registered user. Please login to make your comment." ... is the answer when I use my registered email address. Great work!
  • July 16th, 2006
  • October 23rd, 2006
  • KeepReadingUs
    Hi, Thank you for the gr8 plugin. I have used it on my new site www.keepreadingus.com and it is working fine on wp v2.0.5. It even works with ajax comments plugin. Great work. Thanks
