I was reading a post from the Weblog Tools Collection about making a quicktag toolbar for the comment area, and decided to go for it.

It turned out to be a pretty simple task. You can see the results in the comment form at the bottom of this post.

As always, download the plugin from my WordPress hacks page.

I wrote another plugin for WordPress that limits the categories displayed on the edit-post page for users whose user level is not high enough.

What does this mean?

If you are participating in some kind of guest-blogging activity, like Free For All Friday, then you can turn on this plugin and your guests will be able to post only to the categories you specify.

Configuration means editing the plugin file: list the categories you want guests limited to, set the user level at or above which all categories are shown, and choose whether subcategories are allowed.

This plugin isn't comprehensive. Don't get me wrong - it works, but it only controls what the edit form shows, so a determined user can work around it. It just makes it obvious what you want them to do with their posts. I still have to do a little work on it to make it airtight, but it's a good start so far.

Download from the hacks section, as usual.

I got some comment spam today in my moderation queue (trapped by OSA 1.1, actually) that pointed to a live blog in addition to the traditional "you may be interested in" spam links. I checked out the blog and found this page, which I thought was quite humorous.

I took a screenshot to share it with you, since they're likely to fix the problem if they're a legit site. I didn't include a link to them since they may yet be affiliated with spamming.

I'm guessing that spammers are starting to add links to random blogs into their spam comments so that you can't simply dump every link seen from a known spamming IP into a wordlist without also blacklisting innocent sites. That's unfortunate, but there may yet be a way around that, too.

No, it's not anything rabbit related. Steph aka "Bunny" wrote a new plugin for WordPress that I'm taking for a spin. This is the first post I'm writing with it, so I'm not even really sure what it will do. Something about ...

Lots to say about comment spam today...

Have you noticed the new tactic the spammers are using to get spam onto WordPress sites? They're sending comment spam without any URLs. You think that's a good thing and that the spammers are just crazy? I'll explain why you're being lulled into a false sense of security.

There is a toggle in WordPress (this may be a 1.5-only thing - I haven't checked in 1.2) that sends all comments to moderation unless that user has commented before. There are actually a couple of spam plugins that check this, too, automatically whitelisting anyone who has already left an approved comment. This is a good thing, but you have to be careful not to get duped into approving a spammer's unobtrusive comment.

If you did approve one of the many comments that sound like, "Just found your site, and it's exactly what I wanted," then you're likely in for a surprise. The spammer script will notice that the old comment was posted, and it will post another comment using the same email address that actually contains URLs. Sneaky, eh?
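To make the hole concrete, here is an added example (not code from this post or from WordPress) that models the "previously approved commenter" whitelist two ways: keyed on the self-asserted email address alone, as described above, and with the rule that a link-free approval never grants link privileges. The class and function names and the sample comments are constructed for the illustration.

```python
# Added example, not code from the original post or from WordPress: a model of the
# "previously approved commenter" whitelist, showing why keying it on the comment's
# email address alone lets the URL-free probe trick through. All names and the
# sample comments below are constructed for illustration.
import re
from dataclasses import dataclass, field

# Anything that looks like a link; good enough for the demonstration.
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


@dataclass
class Comment:
    author_email: str  # self-asserted by the commenter, never verified
    content: str


@dataclass
class Blog:
    approved: list = field(default_factory=list)  # comments the owner approved earlier


def naive_is_whitelisted(blog, comment):
    """Rule as the post describes it: one earlier approved comment from the same
    email address lifts moderation for everything that follows."""
    return any(c.author_email == comment.author_email for c in blog.approved)


def strict_is_whitelisted(blog, comment):
    """Hardened rule: the approval carries over only to comments that are no riskier
    than what was actually approved. A history without links earns no link privilege,
    so the probe-then-spam sequence still lands in the moderation queue."""
    history = [c for c in blog.approved if c.author_email == comment.author_email]
    if not history:
        return False
    wants_links = URL_RE.search(comment.content) is not None
    ever_approved_links = any(URL_RE.search(c.content) for c in history)
    return not wants_links or ever_approved_links


def moderate(blog, comment, is_whitelisted):
    """Return the moderation decision for one incoming comment."""
    return "approve" if is_whitelisted(blog, comment) else "hold"


def probe_then_spam(is_whitelisted):
    """Constructed scenario: the spammer's URL-free probe gets approved by the owner,
    then the script returns under the same email with the real payload.
    Returns the decision for the payload comment."""
    blog = Blog()
    probe = Comment("visitor@example.com",
                    "Just found your site, and it's exactly what I wanted.")
    if moderate(blog, probe, is_whitelisted) != "hold":
        raise RuntimeError("first contact must always be moderated")
    blog.approved.append(probe)  # the owner is duped into approving it
    payload = Comment("visitor@example.com",
                      "Great post! http://example.net/holdem http://example.org/poker")
    return moderate(blog, payload, is_whitelisted)


if __name__ == "__main__":
    print("naive whitelist :", probe_then_spam(naive_is_whitelisted))   # approve
    print("strict whitelist:", probe_then_spam(strict_is_whitelisted))  # hold
```

The stricter rule does not authenticate anybody; the email address is still whatever the commenter typed. What it removes is the free privilege escalation: approving a harmless, link-free comment no longer hands the same address the right to post links unmoderated, so the second comment is seen by a human who has the URLs in front of them.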

On the flip side, spam prevention in WordPress 1.5 seems to be improving. Matt recently announced that he's using only the built-in protections to prevent spam and it seems to be working fine. Well, that's pretty swell, but I wonder if anyone has tried to write anything about "Texas-holdem poker" in his comments.

Looking through the WP 1.5 comment code, it seems that the entire comment is checked for the spam search strings. So unless the search strings are uber-regexes, they will match ordinary prose just as readily as spam links. This means they have the potential for a high false-positive rate.

Fortunately, most people don't have the need to talk about Texas hold'em in their comments, so this issue isn't frequent, but if spammers get more crafty and word their comments with commonly used, acceptable words, this could pose a problem. The immediate alternative would be to add every spammer IP to the spam wordlist. I'm going to guess that this might make posting comments a bit inefficient.
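The false-positive problem is easiest to see side by side. The following is an added example, not code from WordPress 1.5 or from this post: one constructed wordlist applied to the whole comment, as described above, and applied only to the link targets, anchor text and bare URLs, where the spammer's payoff actually sits. The wordlist, the two sample comments and the function names are all made up for the demonstration.

```python
# Added example, not WordPress 1.5 code or code from the post: the same constructed
# wordlist applied two ways, against the whole comment (the behaviour the post
# describes) and against the links only. The wordlist and sample comments are made
# up for the demonstration.
import re
from html.parser import HTMLParser

SPAM_WORDS = ["texas-holdem", "texas hold'em", "poker", "viagra"]  # constructed list
BARE_URL = re.compile(r"https?://\S+", re.IGNORECASE)


def whole_comment_matches(text, words=SPAM_WORDS):
    """Substring search over the entire comment: any listed word that shows up in
    ordinary prose is a false positive."""
    haystack = text.lower()
    return [w for w in words if w in haystack]


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from <a> tags plus the tag-free text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._anchor = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor)))
            self._href = None


def link_matches(text, words=SPAM_WORDS):
    """Score only link targets, anchor text and bare URLs. Prose that merely
    mentions poker is ignored."""
    parser = LinkExtractor()
    parser.feed(text)
    parser.close()
    plain = "".join(parser.text)
    candidates = [href for href, _ in parser.links]
    candidates += [anchor for _, anchor in parser.links]
    candidates += BARE_URL.findall(plain)
    haystack = " ".join(candidates).lower()
    return [w for w in words if w in haystack]


# Constructed sample comments: a legitimate one that talks about poker, and a
# spam one whose links point at the words the list is meant to catch.
LEGIT = "I played some texas hold'em with friends last night, good post!"
SPAM = ('Nice site. <a href="http://example.net/texas-holdem">poker</a> '
        "http://example.org/poker")

if __name__ == "__main__":
    for label, comment in (("legit", LEGIT), ("spam", SPAM)):
        print(label, "whole:", whole_comment_matches(comment),
              "links:", link_matches(comment))
```

Scoring only the links is not a complete answer either: the URL-free probe comments described earlier contain nothing for this check to look at, and they have to be caught by moderation rather than by the wordlist. It does, however, let a wordlist grow aggressive without punishing commenters for their vocabulary.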

Keeping this list up to date can also be a hassle, since - at the last CVS revision I saw - there was no way to automate this process.

My thought is that the integrated stuff is good enough at preventing casual spam, but some additional features are necessary to bring it up to the user-friendly standard at which WordPress usually runs.

Only the most recent CVS has changed the Dashboard to not show spam comments. That's good. I had revised my Dashboard to show a count of spam comments like it does the moderated ones. The link goes to the moderation.php page, but with a special querystring that forces the display of spam comments. This allows me to delete them. I'm not sure if the latest CVS has added a way to review spam posts yet, but being able to approve false positives is the main benefit of keeping spam comments, right? It should do this.

I've also been toying a little with captcha code, and I've encountered the trackback issue. Trackbacks can't use captchas. If you're protecting your blog exclusively with captchas, and you're not blocking trackbacks, you're wide open and ripe.

I've been devising a scheme to allow a site to authenticate itself when it creates a trackback. This would use the xmlrpc plugin hook in 1.5. Of course, it would only work on WordPress blogs, but it's a start. The interface would be pretty simple, and although it wouldn't be a solution for preventing initial trackback spam, it would keep people from offending repeatedly. This is an idea still in incubation.

Interestingly, the new OSA code is coming along great. I've added a bunch of new features. The best one of the bunch so far is the peer-distributed spam wordlist. You can point your blog at any other OSA-running blog to update your wordlist from theirs. Every entry is accountable to the person who originally added it and can be authenticated. It's pretty slick and it's currently working. Since the spam list builds itself from OSA, any person running it is liable to have a good wordlist. There will soon be complete administration of the blacklist entries, so you can easily weed out the entries from sites you don't trust.

OSA should augment the built-in spam prevention methods nicely.