Daily Digest for June 30th

Filed in Lifestream
twitter (feed #7)
Chip Bennett The hypocrisy of liberal feminism: don't report Al Gore's sexual assault, or global warming will destroy the world. http://bit.ly/bD9iHH [chip_bennett].

Daily Digest for June 25th

Filed in Lifestream
twitter (feed #7)
Chip Bennett Daily Digest for June 18th - http://bit.ly/cq2JeC [chip_bennett].
twitter (feed #7)
Chip Bennett Daily Digest for June 21st - http://bit.ly/bteNiY [chip_bennett].
twitter (feed #7)
Chip Bennett Daily Digest for June 22nd - http://bit.ly/c5upu5 [chip_bennett].
twitter (feed #7)
Chip Bennett McChrystal relieved of command, replaced by Petraeus. [chip_bennett].
twitter (feed #7)
Chip Bennett Isner-Mahut 55-55 in the fifth set (6-4,3-6,6-7,7-6,55-55) at Wimbledon. The pair have combined for 181 aces thus far. #longestmatchever [chip_bennett].

Weekly Digest for June 23rd

Filed in Lifestream
netflix (feed #6)
Chip Bennett queued The Wrestler.
netflix (feed #6)
Chip Bennett queued Star Trek.
netflix (feed #6)
Chip Bennett queued X-Men Origins: Wolverine.
netflix (feed #6)
Chip Bennett queued District 9.
netflix (feed #6)
Chip Bennett queued Yes Man.

Daily Digest for June 22nd

Filed in Lifestream
twitter (feed #7)
JR Protection: Anatomy of a Spammy/SEO Plugin - http://bit.ly/avARqR (cc: @mark_r, @markjaquith) [chip_bennett]

JR Protection: Anatomy of a Spammy/SEO Plugin

Filed in Web Development. Tags: Plugins, Spam, WordPress

The JR Protection plugin (h/t: WP Jedi) purports to add content-scraping protection to one's blog posts - namely, by using javascript to block right-click and highlight functionality, and by disabling the RSS feed.

Personally, I think the plugin's functionality is ineffective toward its purported objective; but that's not the biggest complaint I have with this plugin. Despite being ineffective, the plugin is an SEO/spam Trojan horse.

Plugin Options Admin Page Spam

First up: spam injected in the plugin's options admin page.

Take a look at Line 280 of the plugin file:

<iframe src="http://www.jakeruston.co.uk/plugins/index.php" width="100%" height="20%">iframe support is required to see this.</iframe>

The contents of the linked page currently displays the following in the plugin's options admin page:

Spammy advertising injected into the JR Protection plugin's options admin page via iframe

And it's a huge banner, too: it takes up 100% of screen width, and 20% of screen height. In other words, on my screen, it takes up about three times the space taken up by the actual options presented on the page.

And that this advertising spam is injected using an iframe, rather than an image bundled with the plugin, presents a huge potential vector for security threats. For one, the plugin author has complete control over the contents of the URL loaded by the iframe. I subscribe to the TNO - Trust No One - security model. Besides, even if the plugin developer has only benevolent intent with this iframe, his site could get hacked, giving the hacker potential access to the admin pages of every site on which the plugin is installed.

wp_footer SEO/Spam Link Injection

Moving on to the even-more-spammy links injected into wp_footer.

The guidelines for hosting a plugin in the wordpress.org plugin repository are quite clear. Here is Restriction #4:

The plugin must not embed external links on the public site (like a "powered by" link) without explicitly asking the user's permission.

In the not-too-distant past, much discussion and argument have taken place around these restrictions, which led Mark Jaquith to clarify and expound upon them. Although his post was written in a somewhat tongue-in-cheek manner, everything he lists will, in fact, result in getting your plugin removed from the wordpress.org plugin repository. Here are two such offenses (#4-6):

  • #4. Insert SEO spam links into people's blogs (like <a href="http://example.com/">video poker</a>).
  • #5. Insert external links (like a credit link, <a href="http://example.com/">My Awesome Plugin by Awesome Sauce</a>) into their blog without explicitly asking their permission, or make the default option be to insert the link.
  • #6. Load portions of the code from an external site for no valid reason, or use any other trick to work around #3, #4 and #5.

Loading portions of code from an external site for no valid reason; inserting SEO spam links

Taking a look at the JR Protection plugin, Line 449:

add_action('wp_footer', 'protection_footer_plugin_support');

So let's take a look at the protection_footer_plugin_support function, on Line 453:

function protection_footer_plugin_support() {
$linkper=utf8_decode(get_option('jr_protection_link_personal'));
...

The plugin goes through a lot of motions to populate jr_protection_link_personal, including pulling a link from the developer's website every so often, based on a defined refresh rate. Here's the fetch, from Line 468:

$content = curl_get_contents("http://www.jakeruston.co.uk/plugins/links.php?url=".$url."&pname=".$pname);

Currently, that URL pulls the following content:

SEO Spam links injected into wp_footer by JR Protection plugin


But in case the plugin is unable to pull from the above-specified URL, it conveniently hard-codes some similar, fall-back spam links. See Line 109:

$content = "Powered by <a href='http://arcade.xeromi.com'>Free Online Games</a> and <a href='http://directory.xeromi.com'>General Web Directory</a>.";

And here's some more (including the only legitimate credit link the plugin provides), from Lines 118-130:

if (get_option("jr_protection_link_personal")=="") {
    // rand(2,2) can only ever return 2, so case 1 (the credit link) is never chosen
    $rand=rand(2,2);

    switch ($rand) {
    case 1:
        $anch="Jake Ruston's <a href='http://www.jakeruston.co.uk'>Wordpress Plugins</a>";
        break;
    case 2:
        $anch="<a href='http://www.xeromi.net'>Cheap Web Hosting</a>";
        break;
    }

    update_option("jr_protection_link_personal", $anch);
}

Inserting external links without explicitly asking permission, or setting option to display links to default to enabled

And going even further, these wp_footer links are injected by default. Here are the default settings. The key option is "Show Plugin Support?":

wp_footer spam link injection enabled by default in JR Protection plugin


And especially annoying, when the user clicks the "No" option for "Show Plugin Support?", the plugin displays a nag dialogue:

nag dialogue displayed when user attempts to disable wp_footer links in JR Protection plugin


Now that's just tacky.

An Ineffective Plugin

And here's the kicker: after putting up with all of that, what do you get? A totally ineffective plugin!

Broken Functionality

First, when testing out the plugin, I noted that, while the right-click disable appeared to be working, the text-highlight disable wasn't. I was able to select text both using the mouse to select specific text, and using CTRL-A to select all text.

Faulty Assumptions

But even more problematic are the plugin's faulty assumptions. The plugin assumes that anyone right-clicking or highlighting text on your site is attempting to steal your content, and that anyone using your RSS feed is attempting to scrape your content. In fact, the majority of people right-clicking and highlighting text on your site are doing so in order to link to/comment on your content, and the majority of users of your RSS are doing so for its intended purpose (to read your content).

Use of this plugin will result in the loss of all of your RSS subscribers, and a sharp reduction in people extending the conversation by writing about/commenting on your blog posts.

Gaping Holes

And it still won't do a thing to prevent content theft! Due to two especially glaring holes, anyone intent on stealing your content will still be able to do so, despite use of this plugin:

Reliance on Javascript

The plugin relies on javascript to disable right-clicks and text-highlighting. Any user who browses your site with javascript disabled will be completely unaffected by this plugin, with respect to right-clicking and text-highlighting.

Browser Source

The plugin has absolutely no way to disable website visitors from using the view-source functionality built into every web browser. Even with the plugin enabled, one needs merely to invoke the browser's view-source functionality (in Firefox or Chrome, type "CTRL-U"; in Internet Explorer, select "View" from the menu, then "View Source"), which presents the entire contents in text format.

Conclusion

For all the reasons above, I would recommend against using the JR Protection plugin. Further, unless the plugin is modified to address the plugin repository restriction violations listed above, the plugin should be removed from the wordpress.org plugin repository.

Daily Digest for June 21st

Filed in Lifestream
twitter (feed #7)
Fixing Math Comment Spam Protection Plugin in WordPress 3.0 - http://bit.ly/c5dGBe #wordpress [chip_bennett]

Fixing Math Comment Spam Protection Plugin in WordPress 3.0

Filed in Web Development. Tags: Math Comment Spam Protection, Plugins, WordPress

Otto has an even better suggestion: use is_user_logged_in(). I have updated the recommended fix accordingly. Thanks, Otto!

As many people have noticed, the Math Comment Spam Protection plugin no longer works in WordPress 3.0. Unfortunately, the plugin appears to be no longer supported by its author, so some people are searching for an alternative plugin.

However, I have some good news: after a bit of trial-and-error, I found the problem with Math Comment Spam Protection. Even better news: the fix is incredibly simple.

Find Line 211 of math-comment-spam-protection.php:

if (  ( !isset($user_ID) ) && ( $comment_data['comment_type'] == '' ) ) { // Do not check if the user is registered & do not check trackbacks/pingbacks

The offending code is this:

( !isset($user_ID ))

Simply change the above to this (note: the first line is my original suggestion; per the update above, the second, using is_user_logged_in(), is now the recommended fix):

( ! $user_ID )

( ! is_user_logged_in() )

So that Line 211 looks like the following:

if (  ( ! $user_ID ) && ( $comment_data['comment_type'] == '' ) ) { // Do not check if the user is registered & do not check trackbacks/pingbacks

Voila! The Math Comment Spam Protection plugin will now work again!

This fix is so simple, I don't see any need to fork the code. I'll try to contact the developer, and see if he will patch the original.

Daily Digest for June 18th

Filed in Lifestream
twitter (feed #7)
Developing a plugin to filter #wordpress wp_get_shortlink using bit.ly. Join the discussion @wptavern http://bit.ly/9i5CoB [chip_bennett]
twitter (feed #7)
Obama said the HealthCare mandate wasn't a tax: http://bit.ly/dcDDCa - now DOJ is arguing in court that it *is* a tax: http://bit.ly/caz9hL [chip_bennett]

Daily Digest for June 17th

Filed in Lifestream
twitter (feed #7)
I absolutely love being the father of two Daddy's Girls! An inspiring read: Daddy's Girls Have An Advantage http://bit.ly/blsFLK [chip_bennett]

Daily Digest for June 16th

Filed in Lifestream
twitter (feed #7)
Hopenchange! Obama total disaprv 57% (new high). Aprv Index -20 (24%/44%). Unaffiliated voter Aprv Index -40 (12%/52%) http://bit.ly/rasprez [chip_bennett]
twitter (feed #7)
How the heck am I #410 on this list? How am I even *on* this list? RT: @wpblackbelt Top 1000 WordPress Plugin Authors http://bit.ly/dqBTZI [chip_bennett]