Blacklists and blind-spots
After yesterday’s post about the apparent problems with my WPBlacklist plugin, I decided to do some testing on my own to see if things were indeed not working. And I’ve got both good and bad news :p The good news is that the WPBlacklist plugin does work and there are no hidden loopholes – the bad news is that it doesn’t exactly work the way you think it would :p I realized during the course of my investigation that I had either not paid as much attention to what happens in the WordPress core as I should have when I wrote the WPBlacklist plugin or that I did know one critical piece of information which I had then proceeded to forget all about :p
The piece of information? Well, actually it’s two bits of information :p One was the fact that I had not added any code to notify the user when a comment was held for moderation by the WPBlacklist plugin – it simply holds the comment silently – the strong, silent type :p The second bit of information was that the WP core code actually sends out confirmation of a comment posting (or of it being held for moderation) based on its internal spam list before it initiates the hook which allows external plugins like WPBlacklist to take a shot at comment spam. So basically, if a comment is not caught as spam by the internal spam list in WP, then the user gets a notification saying a comment was posted on his/her site but WPBlacklist in the meantime might have actually caught the problem and put the comment on hold silently. This actually explains several reports I got from users who said that WPBlacklist wasn’t working even when certain words were in their blacklist – they were probably depending on the e-mail confirmation instead of checking the actual comments appearing under an entry – or, at least, that’s what I think now :p
Of course, finding the cause is just half the solution. Now I need to find a way around it. Unfortunately, to provide a solution that works for all, it looks as if I will have to modify some of the core WP code and submit it to the WP devs and hope that they accept the change – or something. I’ve already checked the CVS code from the end of August and it still has the same problem. So, unless they’ve fixed it within the last two weeks, I think I’ll need to submit my own fix to the WP devs. Of course, this also brought up the possibility that I might have my own bug hiding in the WPBlacklist plugin code – I don’t remember whether I checked to see if a comment was already held for moderation and if so, then simply exit the check routine. Because if I didn’t do that, then it is possible that something which got tagged as spam by the internal routines (perhaps because it had too many links in the comment ..) might get untagged by WPBlacklist – now that just wouldn’t do :p So now I’ve got lots of stuff to keep me occupied for the next few days 🙂