I am currently investigating an issue where users of Bad Behavior on WordPress, who also use WP Super Cache, have readers who are unable to leave comments on certain posts. Bad Behavior may block these requests with a technical support key ending in xxxx-xxxx-b40c-8ddc.
A preliminary investigation shows that this is likely a problem with WP Super Cache not removing expired data from its cache in a timely manner. (The current version 0.9.6.1 was tested.) This issue seems to affect both “full on” and “half on” caching modes. Currently the only known workaround for this issue is for the blog owner to manually delete the contents of the cache at least once every 48 hours.
I will post with further information as soon as I determine more precisely what the conditions are in which this problem can occur and consult with the author of WP Super Cache on possible fixes. For more technical information, you may visit this WordPress.org forum thread.
Update: This was confirmed to be an issue with WP Super Cache. A fix is included in version 0.9.7 of WP Super Cache.
Bad Behavior 2.0.29 has been released. It is a maintenance release and is recommended for all users.
MediaWiki and WordPress users who have not updated in the last year or so should take note of special upgrade instructions below.
Who should upgrade?
All users should upgrade to resolve issues with certain specialized web crawlers being blocked. Users who wish to use OpenID in conjunction with Bad Behavior should also upgrade to resolve authentication issues.
What’s new?
New in this release (since 2.0.28):
- Users authenticating to a Bad Behavior-protected site using a third party OpenID were blocked with a message stating that: “Data may not be posted from offsite forms.” In most circumstances, your site does not want to receive a POST which originated from another site; however, OpenID requires this. A new option, offsite_forms, has been added to Bad Behavior to permit data to be posted to your site from other sites. Enabling this option will allow OpenID to work but may expose your site to spam which was previously blocked. WordPress users will find the option on Bad Behavior’s options page; other platforms should check their platform-specific documentation for how to set options.
- A few specialized web crawlers use an unusual form of the Range: HTTP header in their requests, requesting a range starting with 0. This behavior, while technically permitted by the HTTP specification, is most often seen with malicious crawlers; web browsers and major search engines do not use it. Bad Behavior will now block these requests only when strict mode is enabled.
Support
Thank you to everyone who has chosen to make a financial contribution toward further development of Bad Behavior. Your contributions ensure that I can prioritize Bad Behavior development and make more frequent and timely releases, like this one.
Download
Download Bad Behavior now!
Special Upgrade Instructions
Users of MediaWiki and WordPress upgrading from version 2.0.20 or earlier should follow these special directions (from 2.0.21 or later, upgrade normally):
For MediaWiki: Before installing this version of Bad Behavior, manually remove (e.g. using FTP or ssh) any old versions you may have, including the lines added to LocalSettings.php. Then install the new version fresh, following the installation instructions for MediaWiki.
For WordPress: If updating to this version through the automatic updater fails, manually remove (e.g. using FTP or ssh) any old versions you may have installed. Then upload and install the new version fresh, following the installation instructions for WordPress. After doing so, future automatic updates should proceed normally.
For other platforms: No changes to your upgrade procedures should be necessary.
