highfivery / zero-spam-for-wordpress Goto Github PK

Please can you also add support for Ninja Forms (although it already has a honeypot).

i.e. country, state, city, etc.

@creativecatapps

Hi,

There's a problem when the AutoBlock IP setting is enabled if using with Multisite. It will block the IP but not show it in the Multisite settings window log, you have to remove via SQL if it's a false positive. I'm assuming this is because it logs them per site instead of cross-network. It would be good to pull all of the IPs through from all sites and also give the option to block it network wide.

It would also be useful if you could have a timed block instead of permanent.

Cheers,
Ed

https://wordpress.org/support/topic/several-issuessuggestions-for-version-15x

Hello Ben,
Thanks for creating such a wonderful tool, I've been using it from a few weeks and it is superb so far.

But the banner image on the settings page is ~218KB, and more than a minute to load on my internet connection at home. And if we resize the image to 470x152 and compress it using tinypng.com, it becomes ~32KB which is a pretty big difference. So, I would like to recommend to you to resize image to the required dimensions and compress them before using them on web. It makes a lot of difference in page load speeds.

Thanks

There is no need to test for function_exists( [ add_action | remove_action | add_filters ]… they are all present in core.

There's no harm, it's just that it's not necessary and could simplify your code even more.

Add support for the bbpress new topic/reply form.

I have 500,000 rows on spam log table and when I navigate to 'Spammer Log' tab, there's no spam logs but PHP memory leak message appears.

I've found that's because of SQL query that request all rows in table at once.

"src/ZeroSpam/Admin.php:523"
$all_spam = zerospam_get_spam();
=> SELECT * FROM wp_zerospam_log ORDER BY date DESC

Maybe we better parse logs with not PHP but SQL queries and give them some limits and pagination.

Thanks for your great plugin :-)

Hi
I use this plugin on my one site and it works perfectly - no spam.
On my second site it prevents the registration process from completing. Could you possibly help?
Thanks

See: #38

On initial activation with Query Monitor enabled I get the following db errors:

SELECT *
FROM wp_zerospam_blocked_ips Zero_Spam->_ip_check()
Zero_Spam->__construct() Plugin: zero-spam Table '{redacted}_sandbox.wp_zerospam_blocked_ips' doesn't exist
DESCRIBE wp_zerospam_log; Zero_Spam->plugins_loaded()
do_action('plugins_loaded') Plugin: zero-spam Table '{redacted}_sandbox.wp_zerospam_log' doesn't exist
DESCRIBE wp_zerospam_blocked_ips; Zero_Spam->plugins_loaded()
do_action('plugins_loaded') Plugin: zero-spam Table '{redacted}_sandbox.wp_zerospam_blocked_ips' doesn't exist

I see you just released 1.5.1, so maybe this is already fixed but I didn't see it in the changelog...

I started using zero spam on one of my blogs recently. There is one thing which I think could be improved:
When you log in to wordpress via https but your blog address is a simple http address the zero spam buttons (at the bottom of the "Spammer Log" page for going through the history of spam actions try to open the next page via http, only. This may require a new unprotected login.

I suggest that the button links respect https if the present connection to the blog is of https type.

Since 1.5.0, I can't post any replies to comments from within the wp-admin. Frontend replies work fine.

Every comment I try to post gets the "Error processing comment". Based on the settings, it seems that this is happening because they are flagged as spam.

Will you not run into issues using a WP nonce with caching plugins?
https://github.com/bmarshall511/wordpress-zero-spam/blob/develop/lib/zero-spam.class.php#L672

If the page is still cached after the nonce expires ... valid comments and registrations will fail because the nonce will no longer validate since it is expired, right?

Maybe a site validation key like is done by Gravity Forms Zero Spam will be a better option:

<?php

/**
 * Plugin Name:       Gravity Forms Zero Spam
 * Plugin URI:        http://www.gowp.com/plugins/gravityforms-zero-spam
 * Description:       Enhance your Gravity Forms to include anti-spam measures originally based on the work of David Walsh's <a href="http://davidwalsh.name/wordpress-comment-spam">"Zero Spam"</a> technique.
 * Version:           1.0
 * Author:            GoWP
 * Author URI:        http://www.gowp.com
 * License:           GPL-2.0+
 * License URI:       http://www.gnu.org/licenses/gpl-2.0.txt
 */

// my mother always said to use things as they're intended or not at all

    if ( ! defined( 'WPINC' ) ) {
        die;
    }

// clean up after ourselves

    register_deactivation_hook( __FILE__, array( 'GF_Zero_Spam', 'deactivate' ) );

// main plugin class

    class GF_Zero_Spam {
        public function __construct() { // instantiation (is that a word?)
            add_action( 'wp_footer', array( $this, 'add_key_field' ) ); // add key injection JS to the bottom of the page
            add_filter( 'gform_validation', array( $this, 'check_key_field' ) ); // add our validation check to all forms
        }
        public function deactivate() { // plugin deactivation
            delete_option( 'gf_zero_spam_key' ); // remove the key
        }
        public function get_key() { // retrieve they key, generating if needed
            if ( ! $key = get_option( 'gf_zero_spam_key' ) ) {
                $key = wp_generate_password( 64 );
                update_option( 'gf_zero_spam_key', $key );
            }
            return $key;
        }
        public function add_key_field( $form ) { // inject the hidden field and key into the form at submission
            ?>
            <script type="text/javascript">
                jQuery(document).ready(function($){
                    var gforms = '.gform_wrapper form';
                    $( gforms ).submit(function() {
                        $('<input>').attr( "type", "hidden" )
                                .attr( "name", "gf_zero_spam_key" )
                                .attr( "value", "<?php echo $this->get_key(); ?>" )
                                .appendTo( gforms );
                        return true;
                    });
                });
            </script>
            <?php
        }
        public function check_key_field( $result ) { // check for the key during validation
            if ( ! isset( $_POST['gf_zero_spam_key'] ) || ( $_POST['gf_zero_spam_key'] != $this->get_key() ) ) {
                $result['is_valid'] = false;
            }
            return $result;
        }
    }

// Fire it up

    $gf_zero_spam = new GF_Zero_Spam;

Great plugin! is there a way to get it to work under with Formidable Pro?

With Query Monitor plugin, the following errors are identified.

I have activated the plugin today, and on Spammer Log page in Summary I see this:

Protected
-1 days

Which is strange :)

@afragen Thanks for the review and kind words! I've been trying to figure out how to remove the development specific files like grunt from the SVN repo with no luck. I've tried to manually remove them using:

svn delete http://plugins.svn.wordpress.org/zero-spam/trunk/grunt/ -m "cleanup"

Which seems to work, but when I run the deploy script, it adds them back. Any ideas how I can make SVN ignore those files?

This is a problem. I just heard about this from a user on Twitter and can confirm it.

In zero-spam.class.php, the _plugin_check, load_zerospam_settings methods have no documentation.

The settings_page, field_wp_generator, field_log_spammers, field_spammer_msg_comment, field_spammer_msg_registration, field_spammer_msg_contact_form_7, field_cf7_support, field_gf_support, field_comment_support, field_registration_support methods have typos in their documentation.

Feature Request - When using the auto-block feature, since DHCP exists on the internet and abound, perhaps there should be an user-configurable timeout period to automatically flush entries from the blocked IP table. As far as I can tell unless if I am mistaken, on version 1.5.3, it seems to be an indefinite ban unless if you manually intervene and go in to delete the entries out of the table. The problem being that since IP addresses change every so often, you could possibly be denying valid users access to your site.

This is a great plugin and I don't doubt that this plugin currently works well. But there are two cases where spammers could defeat this plugin. I don't know how likely this is but, what if spammers started using systems that did process JS - such as phantomjs or selenium? Or, what if spammers simply added a new field to their bots "zero-spam"=>1?

There are a couple things that might defeat those techniques. Use javascript to add the hidden field to the form like you do now, not at the time of submission, but 5 seconds after page load. Also, instead of always using the same field name, use a nonce so that the field could not be guessed.

Another idea would be to use the default comment url field ("#url") as a honeypot and insert another field with a different name for the url field. Humans will see the new url field but it would be submitted with an obscure field name. If a spammer tried blindly posting the standard wordpress comment fields, just the presence of a value in the "url" field would indicate that the comment is spam.

Richard here from Rocketgenius (Gravity Forms).

We are getting a lot of support tickets from users experiencing form validation failures but no fields are marked as having failed validation. It appears you are running your integration via the gform_validation hook, for a spam check we would actually recommend using the gform_entry_is_spam hook. The submission will appear to complete successfully but will be marked as spam preventing notifications from being sent. It will also be recorded in the core log when the Gravity Forms Logging add-on is in use.

add_filter( 'gform_entry_is_spam', 'custom_spam_check', 10, 3 );
function custom_spam_check( $is_spam, $form, $entry ) {
    // perform your check and update $is_spam
    return $is_spam;
}

I've been working on this and I've got it working so if the user has Zero Spam network enabled then settings for all sites in the multisite can be set under the Network Admin. It still works in a single site install. My problem is if the plugin is not network enabled the settings aren't saving in the subsites.

I'm still working on this.

In the spammer log i get:

Fatal error: Maximum execution time of 30 seconds exceeded in /data/vhosts/mte90.net/httpdocs/wp-content/plugins/zero-spam/lib/zero-spam.class.php on line 519

I want to clean the log but is impossible :-/

Theoretically every option could be unchecked and the plugin would do nothing. The raison d'être for the plugin is zero spam, I'd remove options to enable function in comments, forms and registration. A poll might be in order, but decisions, not options. 😉

Hi

I noticed that when using Zero Spam with WP Rocket (on multisite), if I didn't exlude the zero-spam.min.js from being minified, users were unable to leave comments. Excluding the file in WP Rocket fixes it.

It leads to https://github.com/bmarshall511/wordpress-zero-spam/fork, which returns 404 if user is logged out. And that is frustrating.
Is it better to provide the link just to the repo? https://github.com/bmarshall511/wordpress-zero-spam

Hey there,

Looking at the issue queue a lot of people need integration into their own forms. One thing that would be amazing is to simply provide a function or hook that brings zero-spam into any form you wish.

Looking at the code it shouldn't be much different than how's it already implemented for Gravity Forms.

Simply document the process of what is required for zero-spam to do what's needed. Add a function that can pull the required js onto the form page and whatever else is required to be triggered during POST.

This would be huge.

All the best.

Hi Ben,

Thanks for the great work with version 2 (added the hook to a Mailchimp form successfully).
However, was testing something and it looks like there might be some issue with Contact Form 7 now.

On form submission I am getting an ajax error:
"Unexpected token T"

And infinite spinning icon.

However, if I click submit a second time, the form submits.

All the best.

Feature request via email:

Thanks for the amazing Wordpress plugin (Zero Span). I've been using it with great results on a bunch of sites and the multi-site support is fantastic. One thing I wish it had is Mailchimp form integration. Was going to try and code this, but thought I should perhaps reach out to you first.

After looking at how Zero Spam it is added to gravity forms I think adding to Mailchimp should be straightforward as well. Here are the relevant Chimp hooks:

add_filter('mc4wp_form_before_fields', )
add_filter('mc4wp_valid_form_request',)

Hope you decide it's worth implementing. Let me know if there is anything I can do to help.

Thanks again,
Vassili Z.

The latest version (v1.4.11) of Sunny provides support for Zero Spam.
Sunny tells CloudFlare to ban an IP if Zero Spam blocks a spammy comment or spammy registration.

Do you think it is good to include a notice about Sunny in the README file?

Sometime before 1.5 is pushed, let me know so I can go through and fix per WP guidelines. Tabs at beginning of lines, spaces in middle of lines, etc.

hi,

Zero Spam seems to work with Contact Form 7 as long as I keep the standard form with name, email, subject and text. But when I add optional used text fields for example for the address of the sender Zero Spam does no longer allow to send the mail. As soon I deactivate the Zero Spam plugin or just the Contact Form 7 support does it work and the mail is sent.

I think there are some files missing.

https://github.com/bmarshall511/wordpress-zero-spam/blob/develop/lib/zero-spam.class.php#L182-L186

Hi,

I downloaded your plugin from wordpress.org and am evaluating it to be used on our site. I noticed an obvious error. In your zero-spam.class.php, you are including the non-minified JS file if WP_DEBUG is TRUE. However that file is not included in your Grunt build. Please see the screenshot below.

It's not a big deal for a Wordpress developer as it's easy to identify. But it might for non-devloers. Thanks for fixing.

I can't imagine it necessary to have two tables per blog in Multisite. Imagine the amount of additional tables in a network enabled site with thousands of blogs.

If the tables are necessary I think a global _log and _ip table would suffice.