Bad Behavior 2.1.1 and 2.0.36 Security Release
December 21st, 2009 by Michael Hampton
Bad Behavior 2.1.1 and 2.0.36 have been released. These are security releases, and affected sites should upgrade as soon as is practical. The security issue was fixed in both the 2.1 development series and the 2.0 stable series, resulting in today’s simultaneous release.
Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.
Who should upgrade?
WordPress users should upgrade to prevent internal data from leaking to the web browser when the database encounters an error. Users of other platforms are not affected.
What’s new?
New in this release (since 2.1.0 and 2.0.35):
- Due to recent changes in the WordPress database code, any database errors that may occur because of WordPress, other plugins, or server trouble may be inappropriately displayed in the web browser. This could result in the leakage of information useful to attackers. This issue has been fixed. Thanks to Andrew Zhang for reporting this issue.
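The failure mode described above is WordPress's `$wpdb` object echoing the text of a failed query and its MySQL error into the page when error display is enabled, which tells a visitor table names, column names and sometimes query fragments. The following is an added example, not Bad Behavior's own code, of how a plugin can keep such errors out of the HTTP response. `$wpdb->suppress_errors()`, `$wpdb->last_error`, `$wpdb->query()` and `$wpdb->prepare()` are real WordPress APIs; the `bb_example_*` function names, the table and its columns are assumptions made for the illustration.

```php
<?php
// Added example, not part of Bad Behavior. Shows the mitigation for the release
// note above: never let $wpdb print a database error into the page; log it
// server-side instead. Real APIs: $wpdb->suppress_errors(), $wpdb->query(),
// $wpdb->last_error, $wpdb->prepare(). Table/column names are constructed.

/**
 * Run a query without letting $wpdb echo its error into the response.
 * Returns true on success; on failure logs the error server-side and returns false.
 *
 * @param string $sql A fully prepared SQL statement (run it through $wpdb->prepare() first).
 */
function bb_example_quiet_query( $sql ) {
    global $wpdb;

    // suppress_errors() returns the previous setting, so we can restore it afterwards
    // instead of silently changing behaviour for every other plugin on the site.
    $previous = $wpdb->suppress_errors( true );

    $result = $wpdb->query( $sql );

    $wpdb->suppress_errors( $previous );

    if ( false === $result ) {
        // Details stay in the web server's error log, readable only by the operator.
        error_log( 'bb_example: query failed: ' . $wpdb->last_error );
        return false;
    }
    return true;
}

/**
 * Constructed usage: record one request in an assumed log table.
 * $wpdb->prefix and $wpdb->prepare() are real; the table and columns are assumptions.
 */
function bb_example_log_request( $ip, $user_agent ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}bb_example_log (ip, user_agent, date) VALUES (%s, %s, NOW())",
        $ip,
        $user_agent
    );
    return bb_example_quiet_query( $sql );
}
```

Restoring the previous value rather than calling `$wpdb->hide_errors()` unconditionally matters on shared installations: a plugin that globally disables error display can hide problems the site owner is deliberately debugging with `WP_DEBUG`. Suppressing display is a belt-and-braces measure; the error text itself still belongs in the server log, never in the page.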
Download
The 2.1 development releases will not be offered through the WordPress automatic upgrade facility.
Download the 2.0.36 stable or 2.1.1 development release of Bad Behavior now!
Support
This release would not have been possible without the support of people like you who find Bad Behavior valuable enough to make a financial contribution to ensure its further development.
Your contributions ensure that I can continue to devote time to bringing you the features you want, as well as continuing work on making spammers’ lives hell.
If you haven’t already done so, consider setting up a recurring contribution for as little as $5 per year, or make your most generous one-time contribution for any amount.
Thank you again for supporting Bad Behavior development!
Ipstenu Says
Out of curiosity, will 2.1 ever show up on WordPress and, if not, why?
What I really want to know is if you’re dumping WordPress support or not 0:)
Dec 21st, 2009 at 1:52 pm
Michael Hampton Says
Huh? Where did I ever say anything about dropping WordPress support?
The 2.1 release will never be on the WordPress automatic upgrade facility because it’s a development series, not a stable series.
Dec 21st, 2009 at 1:54 pm
Ipstenu Says
You didn’t say you were dropping WP support, but you said “The 2.1 development releases will not be offered through the WordPress automatic upgrade facility.” and I figured that would either be because 2.1 as a whole wasn’t going to work on WP, or you just didn’t want dev versions on WP. Happily it’s the latter.
My WP would cry without you
Dec 23rd, 2009 at 9:24 pm
Michael Hampton Says
Ah, OK. The WordPress upgrade facility will follow the 2.0 stable series.
Dec 25th, 2009 at 7:49 pm
Álvaro Degives-Más Says
Any downside to the `whitelist.ini` file being world-readable in a vanilla WP installation?
Dec 28th, 2009 at 8:43 am
Michael Hampton Says
The PHP process has to be able to read it, of course. But the web server does not need to serve it directly.
Dec 28th, 2009 at 8:07 pm
Peter Says
I have an issue with bad behaviour I would like to report.
When using the plugin with a caching plugin, such as super cache, if a bad bot or user gets blocked by bad behaviour then sometimes a blank page is cached and served to other users instead of the actual article page.
Is there any way to prevent this from occurring?
p.s. You may want to check your page source code, i just had a look and found this error at the bottom
<!-- File not cached! Super Cache Couldn't write to: …
Feb 5th, 2010 at 10:16 am
Michael Hampton Says
Peter, you haven’t reported enough specifics to determine whether there is even a real problem.
Feb 5th, 2010 at 6:18 pm
Nat Budin Says
The Bad Behavior 2.0.36 WordPress plugin seems to attempt to require “bad-behavior-mysql.php”, which is not actually included in the zip. From what I can tell this seems to be a 2.1ism that slipped in. It makes it difficult to do an automated rollout of WordPress with the plugin included.
Would it be possible to do a 2.0.36.1 release or 2.0.37 release that removes this line?
Feb 17th, 2010 at 3:53 pm
Michael Hampton Says
Nat, I don’t know what you did to your system, but that line is not present in the 2.0.36 release. It did not “slip in.” It is simply not there.
Feb 17th, 2010 at 4:39 pm
Eran Galperin Says
You should be aware that this plug-in blocks the googlebot. I discovered this after several months of reduced organic visits, and it’s very disturbing. You should fix this ASAP
Feb 24th, 2010 at 9:35 am
Michael Hampton Says
Eran, you should not post false information such as that. Bad Behavior does not block Googlebot. If you’re having trouble and need assistance, you should also contact me.
Feb 24th, 2010 at 3:18 pm
LeetPirate Says
Just wanted to let you know the Joomla plugin was unpublished for some reason. Please look into that.
http://extensions.joomla.org/extensions/2891/details
Apr 12th, 2010 at 12:23 pm
Michael Hampton Says
Yep, you’re right. The Joomla! plugin was unpublished. I’ll take it off the list.
Apr 12th, 2010 at 2:13 pm
Luke Says
How can I confirm that Bad Behavior has not affected Googlebot accessing my site? I have seen many reports that it either blocks or hampers Googlebot. It is business critical for us that we are crawled. I’m not saying there is a problem, I’d just like to be sure and I’m asking if there is a test you might recommend to confirm we will continue to be crawled as per normal.
Thanks
May 31st, 2010 at 10:22 am
Álvaro Degives-Más Says
Luke, Google uses servers that are identifiable in a known manner. The fake ones don’t pass the “secret handshake” test. Of course, those who thrive on / use / propagate / developed a Stockholm Syndrome affinity for bad bots all claim loudly and colorfully that they are really, honest to Bob, the legit ones who are suffering a great injustice by getting the boot in the face.
Trust me: the real Google, Yahoo and Bing bots have no problem. Bad bots who try to pass themselves off as any (or all) of them, do not. Neither do idiots reporting all over the world wide web that “legitimate Googlebots were blocked” by Bad Behavior. They lie, they’re misinformed, or they’re just sloppy; take your pick, they’re still wrong nonetheless.
May 31st, 2010 at 11:21 am
Álvaro Degives-Más Says
Sorry – forgot the punchline. I have Bad Behavior on strict mode running for two years in a row, and we’ve “only” reaped massive benefits from that. Why? Because Google et al give extra cuddles to sites without a shred of spam or malware injected into them, and badly punishes those that are infected. Here’s the key analogy for you: openness to exposure and infection rate are proportionally linked phenomena.
May 31st, 2010 at 11:27 am
LeetPirate Says
I just wish somebody would make an updated extension for Joomla.
May 31st, 2010 at 11:30 am
Luke Says
Thanks Alvaro. Looking forward to not getting shafted by link spammers! Our send to a friend forms have been taking a hammering and our domain has landed up on email blacklists as a result.
May 31st, 2010 at 11:54 am
Michael Hampton Says
Bad Behavior checks every crawler claiming to be Googlebot, Yahoo! or MSN/Live/Bing/whatever they rename it to next week. Legitimate ones pass, while fake ones are blocked. Unfortunately some people go through their logs, see a request from “Googlebot” was blocked, and didn’t bother to check to see if it was the real Googlebot before they blogged about it. You can be sure that requests coming from a home cable ISP network are not from Google.
May 31st, 2010 at 12:55 pm
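The check Michael describes, in which a request claiming to be Googlebot, Yahoo! or Bing is allowed only if it really comes from that search engine, is normally done by reverse-resolving the client IP, confirming the hostname is under the engine's published domain, and then forward-resolving that hostname to confirm it maps back to the same IP. The following is an added example implementing that reverse-then-forward DNS check; it is not Bad Behavior's own code, and whether Bad Behavior's internal check matches it in every detail is not stated on this page. The `bb_example_*` names, the User-Agent token table and the offline DNS data are constructed for the illustration; the domain suffixes are the ones the engines publish for their crawlers and should be kept current in any real deployment.

```php
<?php
// Added example, not part of Bad Behavior. Implements the widely documented
// reverse-then-forward DNS verification for search engine crawlers.
// Real PHP functions: gethostbyaddr(), gethostbynamel(). Everything else is constructed.

// Reverse-DNS suffixes the engines publish for their crawlers (keep this current).
$bb_example_crawler_domains = array(
    'googlebot' => array( 'googlebot.com', 'google.com' ),
    'bingbot'   => array( 'search.msn.com' ),
    'msnbot'    => array( 'search.msn.com' ),
    'yahoo'     => array( 'crawl.yahoo.net' ),
);

/**
 * True only if $ip reverse-resolves to a host under one of $domains AND that host
 * forward-resolves back to $ip. The second step is what defeats a forged PTR record:
 * whoever controls the reverse zone for an IP can make step one pass on its own.
 *
 * $reverse and $forward default to PHP's resolver functions and are injectable so the
 * logic can be exercised without network access.
 */
function bb_example_is_real_crawler( $ip, array $domains, $reverse = 'gethostbyaddr', $forward = 'gethostbynamel' ) {
    $host = call_user_func( $reverse, $ip );
    if ( false === $host || $host === $ip ) {
        return false; // gethostbyaddr() returns the IP unchanged when there is no PTR
    }

    $host = rtrim( strtolower( $host ), '.' );
    $under_domain = false;
    foreach ( $domains as $domain ) {
        $suffix = '.' . $domain;
        if ( substr( $host, -strlen( $suffix ) ) === $suffix ) {
            $under_domain = true;
            break;
        }
    }
    if ( ! $under_domain ) {
        return false; // PTR points elsewhere, e.g. a home cable ISP name
    }

    $addresses = call_user_func( $forward, $host );
    return is_array( $addresses ) && in_array( $ip, $addresses, true );
}

/**
 * Classify a request whose User-Agent may claim to be a crawler.
 * Returns 'allow', 'block', or 'not-a-crawler-claim' (leave to the other checks).
 */
function bb_example_check_crawler_claim( $user_agent, $ip, array $table, $reverse = 'gethostbyaddr', $forward = 'gethostbynamel' ) {
    $ua = strtolower( $user_agent );
    foreach ( $table as $token => $domains ) {
        if ( false !== strpos( $ua, $token ) ) {
            return bb_example_is_real_crawler( $ip, $domains, $reverse, $forward ) ? 'allow' : 'block';
        }
    }
    return 'not-a-crawler-claim';
}

// Offline demonstration with constructed DNS data (documentation-range addresses).
$fake_ptr = array(
    '192.0.2.10' => 'crawl-192-0-2-10.googlebot.com',        // consistent both ways
    '192.0.2.20' => 'crawl-192-0-2-20.googlebot.com',        // forged PTR; forward disagrees
    '192.0.2.30' => 'cpe-192-0-2-30.example-cable-isp.net',  // home ISP name
);
$fake_a = array(
    'crawl-192-0-2-10.googlebot.com' => array( '192.0.2.10' ),
    'crawl-192-0-2-20.googlebot.com' => array( '198.51.100.5' ),
);
$reverse = function ( $ip ) use ( $fake_ptr ) { return isset( $fake_ptr[ $ip ] ) ? $fake_ptr[ $ip ] : $ip; };
$forward = function ( $h ) use ( $fake_a ) { return isset( $fake_a[ $h ] ) ? $fake_a[ $h ] : false; };

$ua = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)';
foreach ( array( '192.0.2.10', '192.0.2.20', '192.0.2.30' ) as $ip ) {
    echo $ip, ': ', bb_example_check_crawler_claim( $ua, $ip, $bb_example_crawler_domains, $reverse, $forward ), "\n";
}
```

With the constructed data, only the first address is allowed: the second has a Googlebot-looking reverse name whose forward lookup points at a different IP, and the third reverse-resolves to an ISP name. This is also the test a site operator can run by hand on a blocked log entry before concluding that the real Googlebot was blocked: reverse-resolve the logged IP, then forward-resolve the result.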
Chris Says
Michael
I’m having trouble getting Bad Behavior to work with WordPress MU. Elsewhere you say that Bad Behavior should work if it is placed in mu-plugins or plugins. How can I tell if it is working?
If I place it in the plugins directory, it needs to be enabled on a blog-by-blog basis, which isn’t ideal.
If I place it in mu-plugins, there’s no indication that it is working (i.e. the statistics don’t show up in the footer, presumably because the setup routines aren’t triggered).
Can I put something in my UA string that will trigger BB2?
Thanks in advance.
Jun 23rd, 2010 at 11:40 am
Michael Hampton Says
Chris, WordPress MU (now WordPress 3.0) has changed significantly since that forum post. I now recommend you install it in plugins, and activate it site-wide (or just make it available for individual blogs) from the site admin plugins page.
Jun 28th, 2010 at 5:39 pm
Chris Says
Aha. I didn’t see the link to “Activate Bad Behavior Site Wide”. Sorry if I wasted your time.
Jun 29th, 2010 at 3:59 pm
Michael Linder Says
I’ve read the conversations above regarding googlebots, but still have a problem.
When I “fetch as Googlebot” any of my WordPress 3.0.1 pages using Webmaster Tools, Bad Behavior rejects the Googlebot: “You claimed to be a major search engine, but you do not appear to actually be a major search engine.”
Turning off Bad Behavior eliminates the problem. I’m not using strict checking and am using your recommended minimum threat level settings.
Not here to argue, but I’m looking for a solution. Can you help?
Nov 7th, 2010 at 7:15 pm
Michael Hampton Says
The first thing to do is to use a current release of Bad Behavior. This release has been superseded.
Nov 7th, 2010 at 7:16 pm
Michael Linder Says
PS: The fix-it-yourself page is also blocked by Bad Behavior allegedly because my browser used a false User-Agent string.
Here it is for IE8: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
Still, the same access error persists using Chrome, Safari for Windows or Firefox — whether or not Kaspersky is active.
Nov 7th, 2010 at 7:45 pm
Michael Hampton Says
Michael, please email me the Bad Behavior log entries corresponding to the blocked request.
Nov 7th, 2010 at 7:50 pm