In an episode of extreme writing avoidance yesterday, I installed several new plugins for the site. I probably have too many plugins. (First we admitted we were powerless over our plugin habit, and appealed to… oh, never mind.)

I like my plugins, and love how WordPress has so many plugin writers and plugins to choose from. You can tune things endlessly to your liking. But they create additional maintenance overhead, especially when upgrading the WordPress core. Support for any given plugin may be better or worse, and quicker or slower to arrive, as time passes and new versions of WP come out.

In addition to things breaking in an obvious way when you upgrade, small things may not work and you might not catch them right away, giving a bad impression of your site to users who find the bugs for you. But still I happily consume them and promote them in turn. Thank you, free software plugin writers!

I’m also trying some new security settings, and in the process of playing with all this stuff I learned more about the (relatively) new Habari blogging platform, and got a glimpse into some interesting FOSS politics that I hadn’t been aware of. I’ll write briefly (or maybe long-windedly, you never know) about the politics and Habari in another post, and keep this one focused on the plugins.

These plugins are all licensed under the GNU GPL.

Math Comment Spam Protection Plugin

It all started with the Math Comment plugin, by Michael Woehrer. I first saw this at Matt Cutts’s blog, and liked that it’s simpler, easier, and more accessible than image-based CAPTCHAs.

Why did I need something like this at all? I already have the Bad Behavior and Akismet plugins, and these do a great job of stopping and catching spam. But I still have to review the spam for false positives, and it becomes tiresome. These spammers are such freaking idiots, and their messages are such a waste of life. So yesterday, after deleting some routine disgusting comments that Akismet had caught, I finally decided to try out the math plugin to see if it would help.

I know that the spammers will work around these challenge-response plugins, especially as different methods become more widely used, but I think it will help cut down on a lot of junk from these low-lifes. Think of it as a spam repellent, and just as mosquito repellent helps but doesn’t completely eliminate pests, neither will our spam-fighting sprays be 100% effective. I hope it’s not too onerous for people that want to comment. Since the movingtofreedom.org audience is a particularly bright crowd, I’m thinking that a simple math question won’t be too much to ask.

Go ahead and try commenting with no answer or a wrong answer. See that I put some thought into these things and try to amuse you in small ways. :-)

Author Comment Highlighting

Then–I’m not sure why–I decided to look for a plugin that highlights my comments as the author of this blog. I’ve seen other sites that do this and like the feature. I found this Author Highlight plugin by Jonathan Leighton and it does the job just fine. It was easy to set up, but then of course I had to spend some time playing around with the CSS styling. Now you can read the comments here and feel secure in knowing when it is I, Scott, King of the Britons that speaketh.

Impostercide

While thinking about author highlighting, I got to further thinking about authenticity. What if someone ever tried commenting as me? The new highlighting feature would help prevent confusion, but it would be nice to further prevent deceptions that might unfortunately occur. (I know, we’re descending into paranoia now.)

I found this Impostercide plugin by Scott Merrill (Skippy) that attempts to help with this concern. It’s a very simple plugin that prevents non-logged-in users from posting with the login name, email, or URL of a registered user. On this site, I’m the only user with a login, so I changed the plugin to skip some database lookups and monitor for a few specific things, for example, posting a comment with the name “Scott Carpenter.”

I thought of at least one way to trivially defeat one of the checks, and verified it in tests, but it still serves a purpose, so I am going to use it and see how it goes. At the minimum, when used in conjunction with the author highlighting, I think it will give you the assurance you crave to know when the authentic voice of Scott Carpenter has spake (spaketh? spaken?). And it shouldn’t be a nuisance to 99.999% of my potential commenters, so why not?
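Here is the kind of check Impostercide performs, written out as an added illustration against the current WordPress plugin API (this is not Skippy’s code): a filter on preprocess_comment compares an anonymous commenter’s name, e-mail and URL with every registered account and rejects a match with a 403. The mtf_ function names are made up for the example. As noted above, a check like this is a repellent to pair with author highlighting, not proof of identity.

```php
<?php
/*
Plugin Name: Comment Impostor Check (illustrative example)
Description: Reject anonymous comments that borrow a registered user's identity.
*/

// Normalize a URL so that http://example.org/ and https://www.example.org compare equal.
function mtf_normalize_url( $url ) {
    $url = strtolower( trim( (string) $url ) );
    $url = preg_replace( '#^https?://(www\.)?#', '', $url );
    return rtrim( $url, '/' );
}

// Hooked to preprocess_comment, so it runs before the comment is stored.
function mtf_block_impostor_comment( $commentdata ) {
    // A logged-in commenter has already authenticated; nothing to compare.
    if ( is_user_logged_in() ) {
        return $commentdata;
    }

    $name  = strtolower( trim( (string) $commentdata['comment_author'] ) );
    $email = strtolower( trim( (string) $commentdata['comment_author_email'] ) );
    $url   = mtf_normalize_url( $commentdata['comment_author_url'] );

    // A personal blog has a handful of accounts, so comparing against all of
    // them is cheap. A field is only compared when the visitor filled it in,
    // so an empty URL never matches an account that also has no URL.
    foreach ( get_users() as $user ) {
        $taken_names = array(
            strtolower( $user->user_login ),
            strtolower( $user->display_name ),
        );
        $impostor = ( $name !== '' && in_array( $name, $taken_names, true ) )
            || ( $email !== '' && $email === strtolower( $user->user_email ) )
            || ( $url !== '' && $url === mtf_normalize_url( $user->user_url ) );
        if ( $impostor ) {
            // Stop with a 403; the message deliberately does not say which field matched.
            wp_die(
                'That name, e-mail address or URL belongs to a registered user. Please log in to comment with it.',
                'Comment rejected',
                array( 'response' => 403 )
            );
        }
    }

    return $commentdata;
}
add_filter( 'preprocess_comment', 'mtf_block_impostor_comment' );
```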

WordPress Security

(The first item on your WordPress Security checklist should be to keep the software up-to-date as exploits are found and patched, but these Apache security tips may help protect you against new and unpatched vulnerabilities.)

Finally, I worked on locking things down a little bit by following instructions for using the Apache .htaccess file to restrict access to the wp-admin, wp-content, and wp-includes directories used by WordPress. I could say a lot more about that but I won’t right now. (Although I should credit Matt Cutts again. I first heard about this idea from his presentation at this year’s WordCamp. When I went searching for specifics, I found Blog Security’s entry among many good pages describing how to do this.)
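As an added example of the per-directory .htaccess rules meant above (constructed here, not the Blog Security page’s text), in Apache 2.4 syntax: the .htpasswd path is a placeholder, and it assumes AllowOverride permits AuthConfig and Options for these directories.

```apache
# --- wp-admin/.htaccess ---
# HTTP Basic Auth in front of the dashboard, on top of the WordPress login.
# Serve the site over HTTPS, or these credentials travel in the clear.
# Keep the password file outside the document root (path is a placeholder).
AuthType Basic
AuthName "Restricted area"
AuthUserFile /var/www/private/.htpasswd
Require valid-user

# Themes and plugins call admin-ajax.php for anonymous visitors too, so that
# one file must stay reachable or front-end features quietly break.
<Files admin-ajax.php>
    Require all granted
</Files>

# --- wp-includes/.htaccess ---
# Library code that no browser should request directly. After applying this,
# check the editor and any plugin that loads a wp-includes file by URL.
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

# --- wp-content/.htaccess ---
# No directory listings of themes, plugins and uploads.
Options -Indexes

# --- wp-content/uploads/.htaccess ---
# Anything under uploads that ends in .php gets a 403 instead of being executed.
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
```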

There is also a plugin that manages password protection using .htaccess. (I first discovered it via Amy Stephen at OpenSourceCommunity.org.) I haven’t tried it, but a lot of people are saying good things. The web page for the plugin looks good, although is a bit hyperbolic for my tastes. I’m not comfortable making such confident pronouncements about anything security-related. I don’t know what the license is for this one. I suspect it’s free, but don’t want to assume anything.

I’m going to stick with manual .htaccess management as much as possible, along with other Apache configuration items as needed. It’s a good learning exercise and good to be aware of how this stuff works. (Although usually in my haste I just scratch the surface enough to get things working.) But if you want to improve the security of your web site without having to monkey around with this stuff that much, I’d give the AskApache plugin a try.