Bad Behavior 2.0.37 and 2.1.3

July 9th, 2010 by Michael Hampton

Bad Behavior versions 2.0.37 and 2.1.3 have been released. For the 2.0 stable branch, this release is a maintenance release recommended for all users.

Please note: The 2.0 series of Bad Behavior is receiving limited updates, including unblocks, bug fixes and security fixes only. Future development is taking place in the 2.1 development tree.

Who should upgrade?

Users deploying Bad Behavior on Microsoft IIS should upgrade to ensure that all Bad Behavior functionality works as intended.

Users who receive a significant amount of traffic from proxied connections (e.g. small business and enterprise users) should upgrade to prevent a tiny minority of these users from being blocked.

Users following the development branch should upgrade to take advantage of support for the CloudFlare reverse proxy service.

What’s new?

New in the 2.0.37 stable release (since 2.0.36):

  • In rare configurations, the Firefox and Safari web browsers may send the nonexistent “Proxy-Connection” HTTP header. Old versions of Internet Explorer may also send this header in their default configuration. This usually occurs when the web browser is configured to connect to an (obsolete) HTTP/1.0 proxy, or has been explicitly configured to use HTTP/1.0 when talking to a proxy even if the proxy understands HTTP/1.1. The header originated in a proposal by (then) Netscape that was rejected for inclusion in HTTP in 1998 because it caused interoperability problems. Bad Behavior checks for this header because, when seen at the origin server, it has historically been an excellent indicator of malicious activity: proxy servers are expected to strip it. Because of the slight possibility of blocking legitimate users, this check is now active only in strict mode. (Thanks to Mark Nottingham for reporting this issue.)
  • A workaround for a problem with PHP on IIS servers has been implemented. This issue caused various parts of Bad Behavior’s functionality to fail on IIS. (Thanks to Michael Kingery for reporting this issue.)

New in the 2.1.3 development release (since 2.1.2):

  • The changes listed above for 2.0.37 have also been implemented.
  • New code which implements “round-trip DNS” for verifying that an IP address belongs to a specific entity is now being used to verify Googlebot and MSNbot. This code replaces the old hard-coded IP addresses.
  • Support for the CloudFlare reverse proxy service has been added. Users of this service should now be able to use Bad Behavior successfully. (Thanks to Matthew Prince at Project Honey Pot for his assistance with this implementation.)
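The two 2.1.3 items above, round-trip DNS verification of Googlebot/MSNbot and running behind the CloudFlare reverse proxy, are both questions of which IP address a request should really be judged by. The block below is an added example, not Bad Behavior's own code: it first recovers the client address behind a reverse proxy (trusting the proxy's header only when the TCP peer is inside the proxy's address ranges, so a forged header on a direct connection is ignored), then applies the round-trip check (PTR record under the crawler operator's domain, and that hostname forward-resolving back to the same IP). The header name CF-Connecting-IP and the hostname suffixes are the publicly documented ones but are not stated on this page; the proxy ranges are TEST-NET placeholders, not CloudFlare's real list. The resolver functions are injectable so the logic can be exercised with constructed DNS data offline.

```python
import ipaddress
import socket

# Placeholder for the reverse proxy's published address ranges (constructed;
# an operator would load the provider's real, current list here).
TRUSTED_PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Header the proxy sets with the original client address (assumed name).
PROXY_CLIENT_HEADER = "cf-connecting-ip"

# Hostname suffixes each crawler's reverse DNS is documented to end with.
CRAWLER_SUFFIXES = {
    "googlebot": ("googlebot.com", "google.com"),
    "msnbot": ("search.msn.com",),
}


def client_ip(remote_addr, headers, trusted_ranges=TRUSTED_PROXY_RANGES):
    """Return the address this request should be judged by.

    headers: mapping of header name -> value, any letter case.
    Only a connection that actually arrives from a trusted proxy range may
    replace its own address with the proxy header; on a direct connection
    the header is attacker-controlled and is discarded.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in trusted_ranges):
        return str(peer)
    lowered = {k.lower(): v for k, v in headers.items()}
    forwarded = lowered.get(PROXY_CLIENT_HEADER, "").strip()
    try:
        return str(ipaddress.ip_address(forwarded))
    except ValueError:
        # Proxy connection without a usable header: fall back to the peer.
        return str(peer)


def _system_reverse(ip):
    """Default PTR lookup via the system resolver."""
    return socket.gethostbyaddr(ip)[0]


def _system_forward(host):
    """Default A/AAAA lookup via the system resolver."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _under_suffix(host, suffixes):
    # Dotted-suffix match, so "googlebot.com.evil.example" and
    # "evilgooglebot.com" both fail.
    return any(host == s or host.endswith("." + s) for s in suffixes)


def round_trip_dns_ok(ip, suffixes, reverse_lookup=_system_reverse,
                      forward_lookup=_system_forward):
    """True only if PTR(ip) is under an allowed suffix AND that hostname
    forward-resolves to a set of addresses containing ip."""
    ip = str(ipaddress.ip_address(ip))
    try:
        host = reverse_lookup(ip).rstrip(".").lower()
    except OSError:
        return False  # no PTR record: cannot be a verified crawler
    if not _under_suffix(host, suffixes):
        return False  # PTR points outside the operator's domain
    try:
        addrs = {str(ipaddress.ip_address(a)) for a in forward_lookup(host)}
    except (OSError, ValueError):
        return False
    return ip in addrs  # a spoofed PTR fails here: the name resolves elsewhere


def classify_crawler(user_agent, ip, **lookups):
    """'verified', 'impostor' or 'not-a-crawler' for a self-declared crawler.
    lookups may pass reverse_lookup= / forward_lookup= to round_trip_dns_ok."""
    ua = user_agent.lower()
    for name, suffixes in CRAWLER_SUFFIXES.items():
        if name in ua:
            return "verified" if round_trip_dns_ok(ip, suffixes, **lookups) else "impostor"
    return "not-a-crawler"


if __name__ == "__main__":
    # Live check against the system resolver; replace with an address you
    # want to examine.
    addr = client_ip("203.0.113.5", {"CF-Connecting-IP": "192.0.2.10"})
    print(addr, classify_crawler("Googlebot/2.1", addr))
```

The order matters: the round-trip check must run on the address returned by client_ip, not on the proxy's edge address, otherwise every crawler arriving through the proxy would be judged by the proxy's own reverse DNS.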

Download

Download Bad Behavior now!

The 2.1 development releases will not be offered through the WordPress automatic upgrade facility. Only stable releases will be offered through automatic upgrade.

Support

You’ve probably noticed that there hasn’t been a release of Bad Behavior in several months. This is due entirely to the fact that I can only spend time on it when incoming donations cover the cost of my time. Otherwise I have to engage in paying work to keep food on my table.

I happen to like giving spammers a hard time, and it’s frustrating that I don’t get to spend enough time on it. You can help me make Bad Behavior even better by setting up a recurring contribution, or making your most generous one-time contribution for any amount.

Thank you again for supporting Bad Behavior development!


15 Responses to “Bad Behavior 2.0.37 and 2.1.3”

  1. Brett Says

    I receive this error when installing BB 2.1.3 on WP 3.0:

    Fatal error: Call to undefined function bb2_test() in /path/to/wordpress/plugins/bad-behavior/bad-behavior/core.inc.php on line 89 and WP 3.0 does not want to install the plugin. I deleted the prior development release of BB and then uploaded the new file. Do you have any suggestions for correcting this issue?

    Thanks!

  2. Michael Hampton Says

    Congratulations, you’ve found a bug in Bad Behavior.

    I apparently wrote this check for the old way that Bad Behavior was operating. I’ve rewritten the test and it will be incorporated into the next development release, which should be available in just a few minutes.

  3. Brett Says

    Sweet, my first BB bug lol. ;)

  4. Michael Hampton Says

    This issue is addressed in Bad Behavior 2.1.4.

  5. Brett Says

  6. Michael Hampton Says

    That’s their stupid svn for you. Give it ten minutes.

  7. Fab Says

    Hi, is it possible to add a specific outside URL to the whitelist? For example, I’d like to give access to my blog to a specific domain, for example http://www.yoursite.com, that could be blocked by your software. I can’t find any way to do this; the only possibility is to add the IP.

  8. Michael Hampton Says

    Fab, referrers can be faked easily, which would cause you to have a security problem if you actually could do that. What are you REALLY trying to do?

  9. Fab Says

    There is a link exchange manager http://linkex.dk/ (it’s a PHP script you must install in your hosting space to manage reciprocal exchange) that is blocked by Bad Behavior when it tries to connect to check whether the reciprocal link exists.

    It’s very noisy to add the IPs to the whitelist, and if the IP changes Bad Behavior blocks linkex and it automatically deletes my link.

    So the simpler way would be to add the domain instead of the IP.

    Or is there some way to permit Linkex to check backlinks?

    This is a sample form:

    http://www.freeinternetpress.com/linkex/

    many thanks!

  10. Michael Hampton Says

    Fab, this script appears to be getting blocked because it is using fake User-Agent strings. This should be pretty easy for the script author (or anybody else who uses it) to fix.

  11. Martin Starkey Says

    Hey, I’m all for website security but when I get locked out of my own domain, that’s what I call “One step beyond”

    Error 403

    We’re sorry, but we could not fulfill your request for /wp-login.php on this server.

    You do not have permission to access this server. Data may not be posted from offsite forms.

    Your technical support key is: 50c0-9e21-cd36-1abb

    You can use this key to fix this problem yourself.

    If you are unable to fix the problem yourself, please contact admin at justsources.com and be sure to provide the technical support key shown above.

  12. Michael Hampton Says

    Martin, is there a reason that you are reporting a problem that was already fixed in the most recent release?

  13. Martin Starkey Says

    Yes manual login worked Michael. Thanks for prompting me on that. But, I had been using a Roboform login ( http://www.roboform.com/ ) whereby I would just select a login from a menu of recently used logins which would direct my browser to the login page & automatically complete & submit the form. I would imagine some other people use the same method. Anyway, after the most recent update Bad Behavior detected Roboform as a bot (Which I suppose it is) although in my case a legitimate bot. Sorry to trouble you on that. I’m not suggesting you should change anything you are doing. I suppose that ultimately it just goes to prove how thorough Bad Behavior is in the implementation of WordPress security.

    Keep up the good work
    Sent a donation

  1. Bad Behavior / Bad Behaviour: Bad Behavior 2.0.38

  2. Bad Behavior / Bad Behaviour: Bad Behavior 2.1.4