Archive for April, 2005

Bad Behavior 1.0-rc3

April 29th, 2005 by Michael Hampton


See also the announcement for Bad Behavior 1.0.

Security Update: All Bad Behavior users should update to 1.0-rc3 immediately to prevent malicious attacks on your database.

I’ll skip the usual mumbo jumbo and get right to the important parts:

Fixed in this release:

  • A security issue has been identified and fixed: an attacker could attempt SQL injection by sending specially crafted data in the HTTP headers. While no exploits are known at this time, all users are urged to update immediately.
  • A few more false positives have been fixed.
  • A few more spambots are now banned.
  • An email address now appears on the error page for people to contact if they are having trouble. You have the option of changing it to your own email address or leaving it as the default, in which case email will come here. Keep in mind that the email address will be visible to spammers!
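The class of defect fixed above, shown as an added example that is not Bad Behavior's own code: a plugin that records request headers builds its INSERT by concatenating the header values into the SQL text, so a client controls part of the statement; the corrected version hands the values to a prepared statement. The table name, the column names and the use of PDO with an in-memory SQLite database are assumptions made so the snippet runs stand-alone, and the sample User-Agent string is constructed.

```php
<?php
// Added example, not code from the Bad Behavior plugin. Logs two request
// headers to a database, first unsafely, then with a prepared statement.
// Table/column names and the SQLite-in-memory connection are assumptions.

// Constructed sample request. The User-Agent closes the quoted literal,
// supplies its own second value and comments out the rest of the statement.
$headers = [
    'User-Agent' => "Mozilla/4.0 (compatible)', 'injected'); --",
    'Referer'    => 'http://example.com/',
];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bb_log (id INTEGER PRIMARY KEY, ua TEXT, referer TEXT)');

// UNSAFE: header values are spliced straight into the SQL text, so whatever
// the client sends is parsed as part of the statement.
function logRequestUnsafe(PDO $db, array $h): void
{
    $sql = "INSERT INTO bb_log (ua, referer) VALUES ('"
         . $h['User-Agent'] . "', '" . $h['Referer'] . "')";
    $db->exec($sql);
}

// SAFE: named placeholders; the driver passes the values separately from the
// statement, so quotes and comment markers in a header are stored as data.
function logRequestSafe(PDO $db, array $h): void
{
    $stmt = $db->prepare('INSERT INTO bb_log (ua, referer) VALUES (:ua, :ref)');
    $stmt->execute([':ua' => $h['User-Agent'], ':ref' => $h['Referer']]);
}

logRequestUnsafe($db, $headers);
logRequestSafe($db, $headers);

// Show what actually reached the table for each variant.
foreach ($db->query('SELECT id, ua, referer FROM bb_log ORDER BY id') as $row) {
    echo $row['id'], ': ua=[', $row['ua'], '] referer=[', $row['referer'], ']', PHP_EOL;
}
```

With the unsafe function the stored referer is the attacker-chosen word rather than the real Referer header, and the actual header value never reaches the table; the same request logged through the prepared statement stores the entire User-Agent string, quotes and comment marker included, as an ordinary value.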

Important: Some files in the plugin were renamed in Release Candidate 2. If you are upgrading from Release Candidate 1, you will need to remove the Bad Behavior files from your server, upload the new files, and re-enable the plugin in your WordPress admin panel. You do not need to do this if you are upgrading from Release Candidate 2.

Thank you again to everyone who has tried out Bad Behavior and provided valuable feedback. Both the praise and the trouble reports are greatly appreciated! Please feel free to contact me if you have either.

Bad Behavior 1.0-rc2

April 26th, 2005 by Michael Hampton


See also the blog entry announcing 1.0 Release Candidate 3.

Spam, spam, spam, baked beans and spam

On Sunday I announced Bad Behavior 1.0 Release Candidate 1. Go read that page for all the details on what it is.

I was quite pleasantly surprised that the response has been overwhelmingly positive. People from all over have tried out Bad Behavior and reported back that their spam levels have dropped to almost nothing. It’s the “almost” that concerns me. I was going to wait a little longer before doing this, but a few problems did crop up with the first release candidate.

Today I announce Bad Behavior 1.0 Release Candidate 2. Surprisingly, only two problems were found, so barring any new issues that might crop up, this will probably end up being the final 1.0 release.

Fixed in this release:

  • PHP Warning for gmdate() in generic mode.
  • A few instances of false positive matches were reported. Each one of these has been investigated and fixed.
  • A few additional spambots have been identified and blocked.
  • Because so many people asked for it, the run time for Bad Behavior is now placed in an XHTML comment in the header of the blog’s pages.

Still to come: Built-in log viewing. (Yep, you still gotta use phpMyAdmin to view the logs for now.)

Important: Some files in the plugin have been renamed in this release. If you are upgrading from Release Candidate 1, you will need to remove the Bad Behavior files from your server, upload the new files, and re-enable the plugin in your WordPress admin panel.

Oh, and to answer one other question: Yes, Bad Behavior runs here. If you’re reading this, it’s working. :-)

As always, feel free to contact me about Bad Behavior.

Bad Behavior 1.0-rc1

April 24th, 2005 by Michael Hampton


See also the blog entry announcing Bad Behavior 1.0-rc2.

Have you got anything without spam?

Gone over your bandwidth quota this month? Had to upgrade your web hosting plan? Who’s visiting your site so much? It’s those pesky spambots. They suck down your web pages repeatedly looking for links to post blog spam to, and email addresses to send conventional spam to. And then they come back the next day for more.

There has been no good way to sort out the spambots from the real users, since most of the spambots pretend to be real users. Until now.

Bad Behavior

Bad Behavior analyzes incoming requests to your server. If they match a profile of a known spambot, the spammer gets a nice error message instead of your blog.

While Bad Behavior has been tested extensively prior to this release, it is possible that there are still bugs. It’s possible that a spambot might slip through the cracks somewhere, and it’s possible that a human might be misidentified as a spambot. (They’ll get an error message explaining the situation and giving possible solutions.) If this happens please let me know so I can fix it!

Installation and Usage

Bad Behavior works as a WordPress plugin. Install it in the usual way: unzip the file and upload the bad-behavior directory to wp-content/plugins. Before running it, you may want to customize some of the variables in bad-behavior/bad-behavior-wordpress-plugin.php.

Bad Behavior can also be customized for other PHP-based software; see the bad-behavior/bad-behavior-generic.php file to get started. It will provide basic spambot blocking out of the box, but it won’t be able to keep logs (or later, some more advanced stuff) unless it’s customized to your particular PHP-based software. Just require_once("bad-behavior/bad-behavior-generic.php"); somewhere in your common PHP code to use it this way.
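As an added illustration of what "matching a profile" amounts to when the file is included from generic PHP code (example written for this page, not the plugin's own bad-behavior-generic.php): gather the request headers, test them against a few profiles, and serve an error page naming a contact address when one matches. The profiles, the contact address and all function names are assumptions; the sample requests are constructed so the file also runs from the command line.

```php
<?php
// Added example, not Bad Behavior's own code. A minimal request screener
// in the style of "generic mode": include it early, and a request that
// matches a spambot profile gets an error page instead of the site.
// Profiles, names and the contact address below are assumptions.

// Rebuild header names from $_SERVER ("HTTP_USER_AGENT" -> "User-Agent").
function collectHeaders(array $server): array
{
    $headers = [];
    foreach ($server as $key => $value) {
        if (strncmp($key, 'HTTP_', 5) === 0) {
            $words = str_replace('_', ' ', substr($key, 5));
            $headers[str_replace(' ', '-', ucwords(strtolower($words)))] = $value;
        }
    }
    return $headers;
}

// Constructed profiles. Returns a short reason when the request looks like a
// spambot, or null to let it through to the application.
function screenRequest(array $h): ?string
{
    $ua = $h['User-Agent'] ?? '';
    if ($ua === '') {
        return 'missing User-Agent';
    }
    // A request that claims to be a browser but omits headers every real
    // browser sends is the classic "pretending to be a real user" pattern.
    if (stripos($ua, 'Mozilla') === 0 && !isset($h['Accept'])) {
        return 'browser User-Agent without an Accept header';
    }
    // Constructed User-Agent fragments standing in for a known-bot list.
    foreach (['ExampleSpamBot', 'ExampleHarvester'] as $fragment) {
        if (stripos($ua, $fragment) !== false) {
            return "matches spambot signature '$fragment'";
        }
    }
    return null;
}

// Plain error page; $contact is shown so a misidentified human can reach you.
function denyRequest(string $reason, string $contact): void
{
    if (!headers_sent()) {
        header('HTTP/1.0 403 Forbidden');
        header('Content-Type: text/plain');
    }
    echo "Your request was blocked because it resembled a spambot ($reason).\n";
    echo "If you are a person and believe this is an error, contact $contact.\n";
}

if (PHP_SAPI !== 'cli') {
    // Real use: screen the live request before the application runs.
    $reason = screenRequest(collectHeaders($_SERVER));
    if ($reason !== null) {
        denyRequest($reason, 'webmaster@example.com'); // assumed address
        exit;
    }
} else {
    // Constructed sample requests so the screener can be exercised offline.
    $samples = [
        ['User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64)', 'Accept' => 'text/html'],
        ['User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0)'],
        ['User-Agent' => 'ExampleSpamBot/1.0', 'Accept' => '*/*'],
        ['Accept' => '*/*'],
    ];
    foreach ($samples as $h) {
        $label = $h['User-Agent'] ?? '(no User-Agent)';
        echo $label, ' => ', screenRequest($h) ?? 'allowed', PHP_EOL;
    }
}
```

Run from the command line, the first sample passes and the other three are refused with their reasons; included from a web page, the same logic runs against the live request and stops the script with the error page when a profile matches, which is the behaviour the generic include is meant to provide.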

Thanks!

Special thanks to Mark Jaquith, Firas Durri and many others in #wordpress who assisted greatly in shaking loose and squashing many, many bugs, as well as making the code a little friendlier, before this initial release.