Bad Behavior 2.0.22
August 6th, 2008 by Michael Hampton
Bad Behavior 2.0.22 has been released. It is a maintenance release and is recommended for all users.
MediaWiki and WordPress users should take note of special upgrade instructions below.
Who should upgrade?
All users should upgrade to resolve PHP warnings which may prevent some users from posting form data or logging in.
What’s new?
New in this release (since 2.0.21):
- Two logic errors in version 2.0.21 which generated PHP warnings on some server configurations have been fixed. (See the comments on the 2.0.21 release announcement for further details.)
- POST requests are no longer accepted from off-site URLs. A POST request must originate from the same site as the URL to which the form data is being sent. This prevents spammers from posting to your site from scraped copies of your content which reside at other sites such as splogs. (One of the two logic errors was preventing this new feature from working.)
- One additional email harvester has been identified and blocked by user agent.
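The same-site POST rule described in the list above can be sketched as follows. This is an added example and not Bad Behavior's own code: the function name, the `$allowMissingReferer` parameter and the sample hosts are assumptions made for illustration, and the page does not say how a POST with no Referer header is treated.

```php
<?php
// Added illustration, not Bad Behavior's code. Function and parameter names
// are hypothetical; hosts use reserved example names and are constructed.

/**
 * True when a request may proceed under the "no off-site POST" rule:
 * non-POST requests pass, POSTs pass only if the Referer host equals the
 * host the request was sent to.
 */
function post_is_same_site(array $server, bool $allowMissingReferer = false): bool
{
    if (strtoupper($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return true;
    }
    $referer = trim($server['HTTP_REFERER'] ?? '');
    if ($referer === '') {
        // Assumption: the page does not say how a missing Referer is treated.
        return $allowMissingReferer;
    }
    // Run both values through the same parser so ports and paths drop out.
    $refHost = parse_url($referer, PHP_URL_HOST);
    $ownHost = parse_url('http://' . ($server['HTTP_HOST'] ?? ''), PHP_URL_HOST);
    if (!is_string($refHost) || !is_string($ownHost)) {
        return false; // unparseable or empty host on either side
    }
    // Compare whole hosts. A substring test (strpos) would accept
    // "blog.example.splog.example", and warns on an empty needle in PHP < 8.
    return strcasecmp($refHost, $ownHost) === 0;
}

// Constructed sample requests: [method, Host header, Referer header].
$samples = [
    'own comment form'  => ['POST', 'blog.example', 'http://blog.example/2008/08/post/'],
    'mixed case + port' => ['POST', 'Blog.Example:8080', 'http://blog.example:8080/post/'],
    'scraped copy'      => ['POST', 'blog.example', 'http://splog.example/copy.html'],
    'lookalike host'    => ['POST', 'blog.example', 'http://blog.example.splog.example/'],
    'missing referer'   => ['POST', 'blog.example', ''],
    'GET from off-site' => ['GET', 'blog.example', 'http://splog.example/'],
];

foreach ($samples as $label => [$method, $host, $referer]) {
    $server = ['REQUEST_METHOD' => $method, 'HTTP_HOST' => $host, 'HTTP_REFERER' => $referer];
    printf("%-18s %s\n", $label, post_is_same_site($server) ? 'accept' : 'reject');
}
```

The Referer header is supplied by the client, so a check like this filters forms submitted by browsers from copied pages; it is not an authentication control.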
Support
If Bad Behavior has helped you, please make a financial contribution toward further development. Your contribution ensures that I can prioritize Bad Behavior development. Otherwise I must spend most of my time on other projects which pay the bills. Which is a shame, because I really enjoy making spammers miserable and drying up their revenue streams until it’s more profitable for them to work at McDonald’s than to send spam.
Download
Special Upgrade Instructions
Users of MediaWiki and WordPress upgrading from version 2.0.20 or earlier should follow these special directions:
For MediaWiki: Before installing this version of Bad Behavior, manually remove (e.g. using FTP or ssh) any old versions you may have, including the lines added to LocalSettings.php. Then install the new version fresh, following the installation instructions for MediaWiki.
For WordPress: If updating to this version through the automatic updater fails, manually remove (e.g. using FTP or ssh) any old versions you may have installed. Then upload and install the new version fresh, following the installation instructions for WordPress. After doing so, future automatic updates should proceed normally.
For other platforms: No changes to your upgrade procedures should be necessary.



SuPerRaJJ Says
Yea Michael. The fix that you already Posted and the one I already mentioned about on my Blog. I have installed this new update, v2.0.22, and everything seems to be running fine now but there’s one thing I wanna point out here. I am using The AjaxedWordpress’s customized reCaptcha plugin which lets me integrate Captcha in my comments form. When I tried to post a comment as a guest user, I kept getting this > * ERROR Please press the back button and fill the spam protection form again. (Somewhat similar to this line)
I am using v2.0.22 now. To avoid any issues, I have deactivated reCaptcha for now but I wonder if you can tell me if there’s any incompatibility between the reCaptcha WP plugin and Bad Behavior?? If so, what could be a work around for it?
Aug 6th, 2008 at 9:07 am
Michael Hampton Says
I don’t know of anything in Bad Behavior which would prevent the reCaptcha plugin from working. Though to be honest I hate captcha and I always recommend people find alternative solutions which don’t lock out entire classes of users.
In addition, I can’t even find that error text in the WordPress reCaptcha plugin. So I have no idea what’s going on.
Aug 6th, 2008 at 9:23 am
SuPerRaJJ Says
The only way to find out about this is that I will deactivate BB and then reactivate the reCaptcha module plugin and then try to post a comment. If this doesn’t work then I’ll simply drop the idea of using Captcha on my Blog for the time being!
Aug 6th, 2008 at 11:26 am
Dutch Gecko Says
Everything works again for me. Thanks for the update!
Aug 6th, 2008 at 12:32 pm
Stephen Darlington Says
Thanks for turning around the “header warnings” fix so quickly. I always panic when I see PHP errors flying up the screen…
Aug 6th, 2008 at 3:21 pm
John P. Says
Thank you, Michael!
Aug 6th, 2008 at 3:26 pm
Keith Says
Hi Michael, I just wanted to say thanks for the fantastic turn-around on that update, BB is definitely a must-have plugin!
Aug 6th, 2008 at 5:47 pm
Al E. Says
For what it’s worth, I’m also using reCAPTCHA and I’m NOT seeing the error SuPerRaJJ mentions.
Aug 6th, 2008 at 6:30 pm
Justice Man Says
Hi Michael,
Sorry, I tried the new 20.0.22 release now but I am still getting the empty delimiter error I mentioned before. The difference now however is that the error is occurring on line 170 rather than line 165/166:
Warning: strpos() [function.strpos]: Empty delimiter in /home/…./public_html/wp-content/plugins/bad-behavior/bad-behavior-wordpress-admin.php on line 170
In the meantime I’ve downgraded to 20.0.20.
Aug 6th, 2008 at 7:42 pm
Michael Hampton Says
Justice Man, that doesn’t affect Bad Behavior’s functioning at all (though I’ll suppress it in the next release). You should turn off display_errors in php.ini on your site.
Aug 6th, 2008 at 8:00 pm
Justice Man Says
Michael, I don’t know how to use PHP.ini and the instructions to create one seemed too complicated for me, but as an alternative I found adding a simple code to the top of the bad-behavior-wordpress-admin.php file did the trick:
I think that should suit me just fine till the next release.
Aug 6th, 2008 at 9:53 pm
Robert@PNG Says
Thanks!
I also had issues when upgrading to 2.0.21. With 2.0.22 the PHP error messages have disappeared and all is back to normal.
Thanks for responding so quickly to the issue. It’s a great plugin!
R
Aug 6th, 2008 at 11:35 pm
Robert@PNG Says
Thanks!
I also had issues when upgrading to 2.0.21. With 2.0.22 the PHP error messages have disappeared and all is back to normal.
Thanks for responding so quickly to the issue. It’s a great plugin!
R
NB: There is still the issue of not being able to activate the account with Honeypot – for some reason the activation email never arrives.
Aug 6th, 2008 at 11:37 pm
Michael Hampton Says
Unfortunately I can’t do anything about Project Honey Pot not sending you an activation email. You might try contacting them.
Aug 6th, 2008 at 11:43 pm
Justice Man Says
Update:
The admin errors are gone, but I’ve noticed any attempt to publish a post or make changes or deactivate plugins, results in a blank page being shown. The action still goes through, but WP no longer returns me to the previous page as it should after the action has been completed. When I removed Bad Behavior this problem went away, so I’m pretty sure it’s related.
Aug 7th, 2008 at 12:18 am
Justice Man Says
Disregard the last comment, apparently the PHP trick I tried to use to eliminate the errors was causing the blank page loads. Well that sucks.
Do you happen to know any idiot’s guide to using PHP.ini? =D
Aug 7th, 2008 at 12:22 am
Michael Hampton Says
I suggest contacting your webmaster. Or just reading the nice documentation.
Aug 7th, 2008 at 12:34 am
SuPerRaJJ Says
Hi Al E.!
I Checked by deactivating BB and activating reCaptcha again and it worked fine. I then reactivated BB and this time both are working fine now.
I couldn’t find out the root of the issue but at least: “All’s Well that Ends Well”
Aug 7th, 2008 at 1:03 pm
Mark Says
I installed the new version and it is working fine for me, thanks for the quick update!
You said that BB now incorporates honeypot data, should we remove the http: BL plugin and the controloffer.php file? Or is controloffer.php needed by BB?
Aug 8th, 2008 at 7:46 pm
Michael Hampton Says
You no longer need the http:BL plugin if you’re using Bad Behavior.
But you still need to keep your randomly named .php file around; that’s your honeypot!
Aug 8th, 2008 at 8:15 pm
Susann Says
Thanks for this great plugin !
I just upgraded to Bad Behavior v.2.0.22 and noticed the http Bl feature.
As soon as I activated it I get blocked.
So if your IP is already listed in the project honeypot database, you need to change the threat level to a higher number to get access to your site again.
Aug 12th, 2008 at 3:46 pm
R. Richard Hobbs Says
Well, since I upgraded BB from 2.019 to 2.022 and added the honeypot key, Google can’t verify my site and FeedBurner can’t retrieve my feed; everything is timing out. Not sure if it is related to BB but definitely curious; seems awfully coincidental, not too much else changed during this period.
Aug 13th, 2008 at 3:13 am
Michael Hampton Says
Richard, your web site redirects somewhere else. This is probably the primary cause of your problems. Bad Behavior affects neither Google nor FeedBurner.
Aug 13th, 2008 at 8:26 am
Peter Says
Hi,
in the last couple of days Bad Behavior has blocked several access attempts from machines that appear to belong to Google Inc., e. g. IPs 74.125.16.2, 66.249.84.11, 72.14.195.33. Bad Behavior says the cause is that the “Required header ‘Accept’ [is] missing”. The User Agent String is “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)”.
It’s a bit scary that Google should be blocked. Are you sure that these aren’t legitimate attempts by Google to check that pages are accessible to ordinary users? Or does this have something to do with someone using some Google service (like Web Accelerator) as a proxy?
I also got one blocked visit today where BB says “User-Agent claimed to be Googlebot, claim appears to be false.” The User Agent is “DoCoMo/1.0/N505i/c20/TB/W20H10 (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)” and the IP No. is 72.14.199.23, which seems to be Google.
Thanks in advance for helping. (And for the plugin of course.)
Aug 23rd, 2008 at 12:16 pm
Michael Hampton Says
Peter,
With regard to your first issue, the requests coming from those IP addresses are people (or bots) using services such as Google Web Accelerator, Language Tools, Google’s WAP proxy, and other such services. Such requests are not normally blocked, as Google’s proxies don’t mangle any of the necessary headers or do anything unusual.
You got lucky and spotted a few unusual ones, it seems. These requests would have been blocked even if the user had connected directly to your site, and the user (if they are indeed human beings) should follow the same instructions to solve the problem.
The second issue is a bug in Bad Behavior and will be fixed in the next release.
Aug 24th, 2008 at 12:34 am
Peter Says
Great! Version 2.0.23 successfully installed. Thanks a lot, Michael.
Aug 24th, 2008 at 11:24 am