Bad Behavior on WordPress

This page contains the installation guide and usage notes for Bad Behavior on WordPress.

Upgrading from pre-2.0

If you are upgrading from any version prior to the 2.0 release of Bad Behavior, you need to perform the following steps before installation:

First, remove all copies of Bad Behavior 1.x and any pre-release copies of Bad Behavior 2. Then, use phpMyAdmin, the MySQL command line, or another tool to remove any *bad_behavior or *bad_behavior_log tables in your database.

Now you are ready to install Bad Behavior version 2.

Installation

Bad Behavior requires WordPress 1.5 or later. Version 2.5 or later is recommended.

Bad Behavior installs like any other multi-file WordPress plugin. Unzip the bad-behavior.zip file, and you will have a bad-behavior folder containing all the Bad Behavior files.

Upload both the folder and its contents to your wp-content/plugins directory, taking care to use ASCII mode. You should end up with a bad-behavior folder in your plugins folder which contains the Bad Behavior files. Once on the server, activate the plugin from your admin page.

Upgrading

If you have at least version 2.0.0 of Bad Behavior, and version 2.5 or later of WordPress, you can use WordPress to upgrade Bad Behavior automatically. Simply visit your Plugins page and click the link to update automatically.

Usage

After installation you don’t need to do anything! Bad Behavior protects all of your WordPress posts and pages automatically. On WP 1.5.1 or later it will also protect your RSS feeds.

You can configure Bad Behavior from the Settings » Bad Behavior administration screen. The options available are:

Statistics: You can display Bad Behavior statistics in your blog footer. This supersedes the Bad Behavior Stats plugin which was used with 1.x versions of Bad Behavior.

Logging: Turning on verbose mode causes all HTTP requests to be logged. When verbose mode is off, only blocked requests and a few suspicious (but permitted) requests are blocked. Verbose mode is off by default. Using verbose mode is not recommended as it can significantly slow down your site; it exists to capture data from live spammers which are not being blocked. You can also disable logging entirely, but this is not recommended since it will cause additional spam to get through.

Strict: Bad Behavior operates in two blocking modes: normal and strict. In normal mode, some checks which could stop spam, but also block certain types of corporate and government users, are disabled. When strict mode is enabled, spam from these sources is blocked, but those users may be blocked as well. It is up to you whether you want to have the government reading your blog, or keep away the spammers.

Offsite Forms: Bad Behavior normally prevents your site from receiving data posted from forms on other web sites. This prevents spammers from, e.g., using a Google cached version of your web site to send you spam. However, some web applications such as OpenID require that your site be able to receive form data in this way. If you are running OpenID, enable this option.

To view the Bad Behavior log, you will need a copy of phpMyAdmin installed, or some other way to view the database. Most Web hosts include phpMyAdmin as part of the control panel. Bad Behavior stores its log in the bad_behavior table in your WordPress database. Browse or search through it with phpMyAdmin, the MySQL command line, or another tool. At this time Bad Behavior does not come with a built-in log viewer, though this feature is planned.

Whitelisting

On rare occasions you may wish to whitelist a specific user agent or IP address range. To do so, edit the bad-behavior/whitelist.inc.php file, and insert the exact user agent or IP address range desired. Bad Behavior accepts single IP addresses or CIDR format address ranges. If you find something is blocked that should not be, however, please contact me so that I can look into it as well.

WordPress Advanced Cache / Super Cache

Bad Behavior now works with WordPress Advanced Cache 2 and WP Super Cache. If you’re using a previous version of Advanced Cache, or if you’re using Staticize Reloaded or some other plugin, please upgrade. By simply activating the Bad Behavior plugin, you will receive protection from comments and trackbacks, however spambots will still be able to crawl your site. To enable Bad Behavior to protect cached pages, you will need to make a change to Advanced Cache / Super Cache. (When using Super Cache, Bad Behavior cannot protect Super Cached pages, only Cached pages with the change below.)

For WP Super Cache 0.9.7 or later, enable Bad Behavior Support in WP Super Cache’s settings page. For WP Super Cache 0.9.6.1 or prior, follow the directions below. (These directions are included for historical purposes; due to a serious bug you should update to the current release of WP Super Cache.)

Edit the wp-content/plugins/wp-cache/wp-cache-phase1.php or wp-content/plugins/wp-super-cache/wp-cache-phase1.php file and find the following two lines at around line 34 (line 56 in WP Super Cache):

      if (! ($meta = unserialize(@file_get_contents($meta_pathname))) )
        return true;

Immediately after this, insert the following line:

      require_once( ABSPATH . 'wp-content/plugins/bad-behavior/bad-behavior-generic.php');

Then visit your site. Everything should work normally, but spammers will not be able to access your cached pages either.