Bad Behavior 1.0-rc3

April 29th, 2005 by Michael Hampton


See also the announcement for Bad Behavior 1.0.

Security Update: All Bad Behavior users should update to 1.0-rc3 immediately to prevent malicious attacks on your database.

I’ll skip the usual mumbo jumbo and skip right to the important parts:

Fixed in this release:

  • A security issue has been identified and fixed. The fix prevents malicious attackers from attempting SQL injection attacks by sending specially crafted data in the HTTP headers. While no exploits are known at this time, all users are urged to update immediately.
  • A few more false positives have been fixed.
  • A few more spambots are now banned.
  • An email address now appears on the error page for people to contact if they are having trouble. You have the option of changing it to your own email address or leaving as the default, in which case email will come here. Keep in mind that email address will be visible to spammers!
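
The class of bug described in the first item, sketched as an added example (not Bad Behavior's own code, which this post does not show): a request logger that writes HTTP header values to a database, first by string concatenation and then with bound parameters. The table, column and function names and the sample headers are assumptions made for the illustration.

```php
<?php
// Added illustration; not Bad Behavior's code. Table, column and function
// names are hypothetical. Constructed sample headers: every value is
// chosen by the client, so none of it can be trusted.
$headers = [
    'User-Agent' => "Mozilla/5.0 (compatible; O'Brien-Reader/1.0)",
    'Referer'    => "http://example.com/?q=it's",
];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE request_log (ip TEXT, user_agent TEXT, referer TEXT)');

// Weak form: header text is pasted into the SQL statement, so a quote
// character in a header ends the string literal and whatever follows it
// is parsed as SQL.
function log_request_unsafe(PDO $db, string $ip, array $h): void
{
    $db->exec("INSERT INTO request_log (ip, user_agent, referer) VALUES ('$ip', '"
        . $h['User-Agent'] . "', '" . $h['Referer'] . "')");
}

// Corrected form: the statement is fixed text; header values travel as
// bound parameters and are never parsed as SQL.
function log_request_safe(PDO $db, string $ip, array $h): void
{
    $stmt = $db->prepare(
        'INSERT INTO request_log (ip, user_agent, referer) VALUES (?, ?, ?)'
    );
    $stmt->execute([$ip, $h['User-Agent'] ?? '', $h['Referer'] ?? '']);
}

try {
    log_request_unsafe($db, '192.0.2.10', $headers);
} catch (PDOException $e) {
    // The apostrophe in the header changed the structure of the statement.
    echo "unsafe logger failed: ", $e->getMessage(), "\n";
}

log_request_safe($db, '192.0.2.10', $headers);
$row = $db->query('SELECT user_agent, referer FROM request_log')
          ->fetch(PDO::FETCH_ASSOC);
// Compare what was stored against what the client sent.
var_dump($row['user_agent'] === $headers['User-Agent']);
var_dump($row['referer'] === $headers['Referer']);
```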

Important: Some files in the plugin were renamed in Release Candidate 2. If you are upgrading from Release Candidate 1, you will need to remove the Bad Behavior files from your server, upload the new files, and re-enable the plugin in your WordPress admin panel. You do not need to do this if you are upgrading from Release Candidate 2.

Thank you again to everyone who has tried out Bad Behavior and provided valuable feedback. Both the praise and the trouble reports are greatly appreciated! Please feel free to contact me if you have either.


14 Responses to “Bad Behavior 1.0-rc3”

  1.

    Dmitri Von Klein Says

    I’ve been using your plugin for two days now, over 300 bad behaviors logged thus far! By far the most effective tool against spam after trying mod_rewrite magic. This plugin allows me to sleep at night, and yes I did in fact have a nightmare about spam not too long ago =)

    Thank you and great work!

  2.

    James Farmer Says

    Thanks for the ping! Nothing got through so far :o )

  3.

    David Russell Says

    Why exactly does the ‘banned.php’ contain YOUR spreadfirefox ID?

  4.

    MJ Says

    Love your plugin! Up until I installed it, I was moderating up to 40 spamments a day. Now zero! However, I have also noticed that the Google Adsense ads on my site are no longer always related to the content of my site – golf. Could you confirm that the plugin is not affecting their crawler?

  5.

    Geof F. Morris Says

    I’m with James: thanks so much for pinging me. :)

  6.

    Josiah Says

    Thank you for the trackback. I greatly appreciate it.

  7.

    Michael Hampton Says

    David, I wrote it, so I put my spreadfirefox ID in there. Feel free to change it to yours, but since that page is almost always only seen by spammers, don’t expect to get too many points out of it. They don’t like spammers either.

    M J, I don’t interrupt or change what is sent to Google in any way. That includes Mediapartners-Google/2.1. The problem is that Google serves ads based on keywords, and those keywords don’t necessarily have to be the most relevant on your page; they just have to be present on your page. For instance, you have ‘bicycle accident’ on your homepage which I think is causing you to get ads about road safety. This is a very common occurrence with Google AdSense. The only workaround I know of is to lower the number of posts per page.

  8.

    Simon Says

    Just to repeat a few people, many thanks for the ping! Still no spam getting through, despite Bad Behaviour being the only anti-spam plugin I’m using. Fantastic work, much appreciated.

  9.

    Denis de Bernardy Says

    I call it from /index.php, via:

    require_once('wp-content/plugins/bad-behavior/bad-behavior-generic.php');

    I get absolutely nothing in my logs. Meaning that I should configure a couple of variables, or just that the generic version does not log anything?

  10.

    Michael Hampton Says

    Denis, the generic version does not log anything, unless you customize it for your particular setup. If you’re just wanting to protect a single WordPress blog, you should probably use it as a WordPress plugin instead. The generic version is intended for people to port Bad Behavior to other PHP-based software, or for special situations (e.g. protecting all vhosts on a server at once).

  11.

    Denis de Bernardy Says

    I’d love to, but wp-cache bypasses the plugin includes. ;) meaning I’ll need to go through your source and customize.

  12.

    Michael Hampton Says

    Heh, Denis, you’re in a special situation all right. Some time soon I’ll set up a test blog and get WP-Cache and Bad Behavior working properly together and work up some kind of official solution.

  13.

    Denis de Bernardy Says

    Well, I couldn’t really see the effect of bad behavior last month, since I merely have cumulative stats from awstats and no logs due to wp-cache. However, for what a day’s worth of awstats is worth, not a single bot that gets through. Thus, I’d say they work together quite well already, as long as you use the generic bad behavior _before_ wp-cache.

  1.

    Wordpress Plugin Competition Blog » Bad Behavior 1.0-rc3