Bad Behavior 2.0.20
July 13th, 2008 by Michael Hampton
Bad Behavior 2.0.20 has been released. It is a security release and is strongly recommended for all users.
Who should upgrade?
All WordPress users should upgrade immediately to resolve security issues identified in previously released versions of Bad Behavior. Users of other platforms may remain at 2.0.19.
What’s new?
New in this release (since 2.0.19):
- The “Show Blocked” option in the WordPress management page did not do anything. It has been fixed.
- A security issue was identified in the new management page for WordPress which would have allowed an attacker to compromise the site administrator’s PC through cross-site scripting or malicious code injection. This issue has been fixed.
Support
Bad Behavior aims to make spamming expensive enough that would-be spammers will find honest work instead, and to do so requires a significant amount of time and resources. If you’d like to help make spam a losing proposition and help stop spammers before they start, make a financial contribution to further development of Bad Behavior.




Keith Says
Fantastic work Michael, the new WordPress Management menu is great; no more picking through the database table to see who’s been attacking the ‘blog.
Jul 13th, 2008 at 9:51 am
Andreas Schamanek Says
First of all and once again thank you for the great work on Bad Behavior and for keeping it up.
I just did a fresh install on a Wordpress 2.5.1 installation and found a Warning: Invalid argument supplied for foreach() in /home/web27/web/wp-content/plugins/bad-behavior/bad-behavior-wordpress-admin.php on line 99
Just verified it on another installation: The warning seems to appear whenever the list is empty.
HTH, and thanks again.
Jul 13th, 2008 at 10:33 am
nils Says
Is there a German documentation available or will there ever be a German documentation?
(I wanted to ask in this post, but comments seem to be closed)
Jul 14th, 2008 at 2:50 pm
Michael Hampton Says
You are welcome to translate the documentation if you like. I don’t speak German.
Jul 15th, 2008 at 4:03 am
Tania Says
Hi there. It looks like there’s a problem with this plugin and wordpress 2.6
jQuery is not defined.
Jul 15th, 2008 at 6:02 pm
Michael Hampton Says
I don’t see any such error, Tania. Please be more specific about what it is you’re seeing and in what context.
Jul 15th, 2008 at 6:28 pm
Nick B. Says
I’m getting the same javascript error in both firefox and IE7, even with all other plugins disabled.
Happened in 2.6 betas too, after the release of BB 2.0.20 with new checkbox functionality.
Error console in FF says:
Error: jQuery is not defined
Source File: http://www.myblog.com/wp-admin/js/forms.js?ver=20080401
Line: 7
IE7 gives javascript error in lower left, with the much less helpful “object expected in line 8”
It’s something to do with the checkbox, because the “check all plugins box” doesn’t work when BB is enabled.
Hope this helps.
Jul 15th, 2008 at 6:39 pm
Michael Hampton Says
Yes, but where are you seeing this error? I have 2.6 here and I don’t see it anywhere in the admin pages.
Jul 15th, 2008 at 6:56 pm
Nick B. Says
I think I have located the conflict. The errors show up if the “turbo mode” is enabled. That’s the new Google Gears function.
I’m not a programmer, but perhaps there is a variable with the same name or something like that. There is a file in admin/js called wp-gears.js
Jul 15th, 2008 at 8:34 pm
Toby Simmons Says
I’m getting the same error. Running on IIS on Windows 2000 Server. The error is due to what appears to be (according to your comments) a 1.5 kludge on line 163 of bad-behavior-wordpress.php … If I comment out the line
wp_enqueue_script("admin-forms");
the error goes away. Something about wp_enqueue_script("admin-forms") skews the order of the admin scripts, putting forms.js above jquery.js which breaks it.
Thanks &
cheers,
Toby
Jul 15th, 2008 at 8:40 pm
Toby Simmons Says
FYI, it happens if BB is the only plugin enabled on my blog.
Jul 15th, 2008 at 8:41 pm
Michael Hampton Says
I can’t even test this, since Google Gears doesn’t work on 64-bit Firefox. Somebody should report this as a WordPress bug.
Jul 15th, 2008 at 8:42 pm
Toby Simmons Says
I think it has to do with the fact that you are trying to invoke the admin-forms script before jQuery is loaded. If you comment out line 163, it all seems to work fine and the admin scripts are all loaded in the order they should be … I don’t think it has anything to do with Gears at all. Just my 2 cents.
Jul 15th, 2008 at 8:59 pm
Toby Simmons Says
*sigh* Sorry for the comment spam … or, perhaps you need to add (as plugins.php uses):
wp_enqueue_script('jquery');
wp_enqueue_script('admin-forms');
Okay, I think I’m done now.
Jul 15th, 2008 at 9:01 pm
Michael Hampton Says
So, Toby, you get this error even without using Gears?
Jul 15th, 2008 at 9:08 pm
Toby Simmons Says
I have not enabled “Turbo” mode, which installs Gears. I have never installed Gears, in fact. And I still have the problem if I do not comment the line I mentioned above.
Jul 15th, 2008 at 10:22 pm
Nick B. Says
My bad, Gears is not the problem.
After navigating around the admin panel a bit with gears disabled the same error shows up. Basically any admin screen with checkboxes or textboxes triggers it.
Good news: adding the line suggested by Toby seems to fix it, both in IE and FF. No more javascript error and the BB admin screen works.
Another small issue: there is a display problem, in both browsers, where the table class ‘widefat’ is called. The ‘show blocked’ text is half hidden by the horizontal bar. I added a quick at line 86 and it now looks good in both browsers.
Jul 16th, 2008 at 2:21 am
Nick B. Says
That should read added a quick line break at line 86 in bad-behavior-wordpress-admin.php
Jul 16th, 2008 at 2:23 am
Ken Nickles Says
Hi,
Just found your link from Barbara Lings site. I’ve downloaded the plugin and will try it on my three blogs.
I’ve read the comments and recently updated my Wordpress blogs to version 2.6 so I’ll report if I have any problems.
Jul 17th, 2008 at 11:55 am
Haid Dasalami Says
Yes, I get the same error with BB activated. I have disabled the plugin for now, and I’m hoping the author issues a quick fix and upgrade, as I would certainly like to continue using the plugin. I’m not too keen on just dumping line 163.
What say?
Jul 18th, 2008 at 2:24 pm
steffen Says
Good job Michael,
I wrote you an email and did not get any response – perhaps wrong address?
I asked if you’re interested to translate the technotes on your site to German – as well as the messages in bb.
What do you think about?
Jul 19th, 2008 at 9:08 am
Henri Says
I hope this isn’t a dumb question, but what are the check boxes on the admin page for? Also, is there supposed to be a delete button or something that I can’t see. Thanks for your help.
Jul 21st, 2008 at 3:44 pm
Dave Thompson Says
Hi, I wasn’t really sure where this should go so I figured this was as good a place as any.
I am currently creating a custom project for a client and I have decided to give Bad Behavior a go as the client has a fairly popular website and has been prone to a few attacks in the past.
It all works fine and after some initial tests it appears it is blocking fine (judging by the logs in the MySQL table I created).
However I have come across two problems so far.
1. When a bot is blocked I notice the page takes 3 or 4 seconds longer than usual to load. Is this normal behavior?
2. I have created a form and upon form submission I have to wait quite a while (6 – 10 seconds typically) for the page to load (this is on a local test server). I then receive this error when the page does load:
“Notice: Undefined index: X-Forwarded-For in ***/htdocs/bad-behavior/post.inc.php on line 64”
Any ideas on how to solve this? Like I said it only happens (from what I have tested) when a page is submitting a form. Aside from that everything seems to be working perfectly.
Jul 22nd, 2008 at 12:57 pm
Ian Parker Says
When using Bad Behavior 2.0.20 and WordPress 2.6, the plug-in is causing an error with the SQL statements when I try to delete a post or a page. It appears to be stripping the “*” and the “table_name” from the delete statement. I don’t believe this is a conflict with any other plug-in as when it is disabled, I do not get the error page.
One thing to note is that the SQL delete query actually does process and remove any posts/pages and revisions related to it, so it looks like Bad Behavior is somehow triggering the error page created by WordPress. The cited files are wp-db.php and pluggable.php. Drop me an e-mail if you need further information for troubleshooting. Thanks in advance for any assistance.
Ian
Jul 23rd, 2008 at 3:40 pm
Michael Hampton Says
Actually you should be e-mailing me those details.
Don’t forget to let me know which other plugin you are using that’s causing the problem.
Jul 23rd, 2008 at 3:58 pm
Ian Parker Says
Michael,
Thanks for the quick response. I did some further testing and found out that the Broken Link Checker plug-in (http://wordpress.org/extend/plugins/broken-link-checker/) was causing the problem. Since BLC creates its own tables in the database, it wants to cross-reference those on a post delete operation and then pass the deletion along.
When used with Bad Behavior, the table_name and variable gets stripped, most likely because BB is trying to prevent malicious behavior? I’m not too clear on that. In any case, I disabled Broken Link Checker because Bad Behavior is the more valuable plug-in for me at the moment. I think I’ll need to write my own BLC or find another version that works with it.
Apologies for the false alarm, and thanks again.
Ian
Jul 23rd, 2008 at 7:03 pm
Lincoln Says
I’ve also been getting the wp_enqueue_script error at line 163. I tried commenting out the line, which allowed me to activate the plugin, but when I went to the admin page, I got a new error:
Call to undefined function paginate_links() in /home/****/public_html/wp-content/plugins/Bad-Behavior/bad-behavior-wordpress-admin.php on line 69
I’m using the 2.0.11 fork of WP. Could this be the reason for the error?
Jul 24th, 2008 at 4:08 am
Lincoln Says
I’ve since commented out line 69 and 118 of the wordpress-admin.php file. The BB admin now seems to load with the latest results, the only difference being since it’s not paginated, the BB log is loaded all on one page.
Jul 24th, 2008 at 4:23 am
Michael Hampton Says
Congratulations, Lincoln, you’ve found a, er, problem. While Bad Behavior itself requires only version 1.5 of WordPress, the recently added Manage screen requires at least version 2.1.
This data in the WordPress plugin repository will be corrected shortly.
In the meantime I’m really not sure what to do about the 2.0 branch. I disagree strongly with Debian’s package release cycle being applied to fast-moving Web applications such as WordPress, though I understand why some people might feel better about WordPress doing this. (It’s quite appropriate for something slow-moving like Drupal, though.) At the same time I want Bad Behavior to be accessible to as many people as possible.
So the question is, to write a replacement function for the missing capabilities in WP 2.0, or to just disable the Manage screen for extremely old versions of WordPress? All comments will be considered, but more weight will be given to comments accompanying a donation.
Jul 24th, 2008 at 5:16 am
Michael Hampton Says
Ian, I tried deleting a post with Broken Link Checker running, and saw no SQL errors. I suspect something is amiss with your specific installation. But since you didn’t actually provide the messages you received, I can’t say anything more. I suggest you contact the author of Broken Link Checker.
Jul 24th, 2008 at 5:33 am
Lincoln Says
Thanks for the reply Michael. I’m surprised that that would be your viewpoint regarding WP, since I think they’re TOO frequent with their releases. Every time there’s a release it takes a while for plugin developers to catch up, and just when I can start truly enjoying a trouble free plugin enhanced blog they release yet another update which effectively kills some of my favorite plugins all over again. Gahhh. =P
In any event, the admin seems to work as long as the troublesome lines are commented out. If you want to continue supporting 2.0 I would suggest doing whatever requires less work for you, even if that means not being able to use the admin for those of us clinging on to 2.0.X for dear life.
Jul 24th, 2008 at 7:03 pm
Matthew Stublefield Says
Hey, just a heads-up that your download section is currently 403, Forbidden. Was just trying to update Bad Behavior (I finally disabled it last week because it was slowing down my database writes so much, but now my pagerank has gone down and I’m getting a lot more spam) to see how it has improved, and discovered I can’t.
Thanks for all your work on this.
Jul 28th, 2008 at 1:37 pm
Michael Hampton Says
Matthew, thanks for posting a comment. This should be fixed.
Jul 28th, 2008 at 4:05 pm
Matthew Stublefield Says
Thanks, I gave it a go. Sadly, it has the same problems the last version I was using (2.0.16 IIRC) had. Anything requiring a write action (posting a comment, making a new category, or publishing a blog entry, etc.) takes significantly longer. Creating a new category, for instance, goes from 1 second to 27 seconds with Bad Behavior enabled.
Maybe, as others have mentioned, it’s an issue with WordPress-MU rather than with Bad Behavior. I’m disappointed, but I just can’t take the lag anymore.
Jul 28th, 2008 at 4:32 pm
Michael Hampton Says
I agree, 27 seconds is excessive. Though it’s been my experience that such long delays are almost always caused by the web hosting provider. I’ll e-mail you to get further details.
Jul 28th, 2008 at 4:46 pm
Robert Says
One feature suggestion: to see the entries of the table wp_badbehaviour, I always have to use phpmyadmin which is quite annoying. It would be great, if the entries of this table would be shown directly under Settings / Bad Behaviour
Jul 29th, 2008 at 8:54 am
Paul Herring Says
I don’t run WP Robert, but I rolled my own: http://tinyurl.com/badBehaviour (URL Obfuscated because I’m not too interested in getting that site spidered more than it currently is at the moment)
Do you really need to know any/all of that data over and above the actual number blocked?
Jul 29th, 2008 at 11:21 am
Michael Hampton Says
Robert, Bad Behavior already has this feature! It was added in version 2.0.19.
Jul 29th, 2008 at 2:26 pm
Netmktg Says
My Autoblogging script recently had some signups & new posts blocked by Bad Behaviour and I tried a workaround. Though I’ve only tried on Bad Behavior 2.0.11 till now.
I did a Curl get, regexed the bb2_screener_ value (say as $regexval) and submitted a Curl post request to same page with params as ‘bb2_screener_=urlencode($regexval)’
And I was able to retrieve the “protected” page without any issues. I could code this into my Autoblogger script to check if Bad Behaviour is installed; if it’s installed it will do the above “emulation” technique for every Curl autopost request.
I’ll have to look into the code for your new versions to figure if they can be “emulated” as well
Jul 29th, 2008 at 5:02 pm
Robert Says
Thanx for the info – didn’t notice that feature yet.
Jul 30th, 2008 at 6:33 am
john Says
How do I set it to allow certain IPs as it’s blocking google keyword tool?
Mar 12th, 2009 at 4:23 pm