Bad Behavior 2.0.32 has been released. It is a maintenance release and is recommended for specific users identified below.

Please note: As of this release, 2.0 has been branched and development suspended. Further updates to the 2.0 tree will be bug fixes and security fixes only. Future development will be to the 2.1 development tree, the first release of which should be shortly. Expect a post within the next day with more information.

MediaWiki and WordPress users who have not updated in the last year or so should take note of special upgrade instructions below.

Who should upgrade?

Users of specialized web services integrated into their host platforms, for which Bad Behavior should not screen requests, should upgrade to correct potential problems with new functionality introduced in recent releases.

IPv6 users should upgrade to prevent users from being blocked inappropriately.

Users whose web site is hosted on a Windows server using IIS should upgrade to take advantage of new protection against certain attacks.

WordPress users should upgrade for enhancements to the administrative pages.

What’s new?

New in this release (since 2.0.31):

• Due to ongoing issues with various web services such as OpenID and PayPal IPN behaving in strange ways which trigger Bad Behavior, a new whitelist was added in version 2.0.30. You may now add URLs of your site to Bad Behavior’s whitelist. When a URL is added, Bad Behavior will ignore any HTTP request to that particular URL. If you need this feature, please check the bad-behavior/whitelist.inc.php file for further information. In version 2.0.31 this feature failed on some PHP versions due to undocumented PHP behavior. This has been fixed. In addition, the PHP documentation has been fixed to reflect PHP’s actual behavior (which I still think is broken).
• Users whose sites are accessible using IPv6 may find IPv6 users are blocked by Bad Behavior when the http:BL feature is enabled and certain versions of PHP are in use. This issue has been fixed.
• A SQL injection attack against Windows servers running IIS has been identified and blocked.
• The WordPress administrative page showing Bad Behavior logs has been enhanced slightly. It now shows reverse DNS records when available and identifies more search engines via http:BL.

Support

Thank you to everyone who has chosen to make a financial contribution toward further development of Bad Behavior. Your contributions ensure that I can prioritize Bad Behavior development and make more frequent and timely releases, like this one.

Download

Download Bad Behavior now!

Special Upgrade Instructions

Users of MediaWiki and WordPress upgrading from version 2.0.20 or earlier should follow these special directions (from 2.0.21 or later, upgrade normally):

For MediaWiki: Before installing this version of Bad Behavior, manually remove (e.g. using FTP or ssh) any old versions you may have, including the lines added to LocalSettings.php. Then install the new version fresh, following the installation instructions for MediaWiki.

For WordPress: If updating to this version through the automatic updater fails, manually remove (e.g. using FTP or ssh) any old versions you may have installed. Then upload and install the new version fresh, following the installation instructions for WordPress. After doing so, future automatic updates should proceed normally.

For other platforms: No changes to your upgrade procedures should be necessary.

Bad Behavior 1.2 Release Candidate 3 has been posted. Bad Behavior stops link spam at the front door by denying spammers the ability to access your PHP-based web site at all.

As I close in on a final 1.2 release, the reports I have gotten have been quite encouraging. Most testers have reported a complete elimination of link spam to their sites. So I’ve cleaned up a bit, fixed one problem, and this will probably be the final 1.2 release, or very close to it.

New in this release:

• A bug in Opera causes it to be incorrectly identified as a spambot by Bad Behavior. The check has been temporarily disabled until I can confirm that Opera has fixed its browser.
• Bad Behavior no longer sends any data to the Bad Behavior Blackhole. This proved entirely unnecessary, as Bad Behavior appears perfectly capable of catching spambots on its own without outside help.

New since version 1.1.4:

• Bad Behavior now has whitelisting capability. Edit the file bad-behavior-whitelist.php to add any IP address ranges or user agents you need to whitelist for your particular site. (Note that search engine bots should not be whitelisted by user agent, but by IP address range, because spammers pretend to be search engine bots. Bad Behavior already passes all major search engine bots which behave properly.)
• The specific reason for blocking is now logged in the database. This will help in determining whether new robots should be blocked by Bad Behavior or not.
• Several additional spammers have been identified and blocked in this release.
• When logging is turned on, Bad Behavior will identify spammers it has recently seen, even if their profile changes, and continue to block them.

Update 16 August: See Bad Behavior 1.2 release.