meyerweb.com

Excerpts Exacted; Shielding the Admin

In response to my request, the indomitable Hamish Macpherson has created NeverForgetcerpt, a plugin for WordPress 2.5+ that will warn you if you’re about to publish a post that lacks an excerpt.  I’m already using it on meyerweb and it’s working like a charm.  He’s also expressed interest in the idea of a plugin that does that and also warns you if you forgot to add tags or categories, so stay tuned.  Meantime, all hail Hamish!

I have another plugin request, but in this case I’m looking for help in modifying something I’ve already done.  Or half-done, maybe.

I don’t know about you, but I get a lot of comment spam.  As I type this sentence, Akismet has stopped 837,806 spam attempts in total.  A false positive makes it past Akismet and my other defenses to land in the moderation queue about once every four days, on average.

Some of those false positives are really, really, really easy to spot, and they get marked as spam in order to help improve the recognition algorithms.  Others are hard to evaluate just by looking at the comment.  Many are trackbacks from sites in languages I can’t read, and others that I can read look legit enough.  In such cases, I usually go visit the author’s URL to see if it looks spammy or not.

Now, the way I used to do this was to right-click on the blog link, copy the URL of the target, open a new browser tab, and paste the URL into the address bar.  Why?  To prevent my WP admin URL from landing in the referer logs of a potentially unscrupulous site owner.  But sometimes I forget to do all that, and just click.  I figured, well, why not stop fighting the tendency to just click and write a plugin that routes all outbound links through a redirect service?

So I did.  You can grab it for yourself if you want, but if you do, understand that it’s pretty clunky right now.  Which is the part I’d like help fixing.

The heart of the plugin is simplicity itself:

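// Hook the filter only on admin pages.
if (is_admin_page()) {
	add_filter('get_comment_author_url','_mw_obscurify',5);
}

// Prepend the Google redirect to a comment author's URL.
function _mw_obscurify($url) {
	if ($url) return 'http://google.com/url?q=' . $url;
	return $url; // a filter must hand back a value even when the URL is empty
}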

There’s a little more to it than that (specifically, the routine is_admin_page(), which I got from someone else’s plugin and wish now I could remember whose it was) but that’s the core.  So any time the URL of a comment author is fetched, it’s prepended to turn it into a Google redirect.

That’s true for both href values and displayed URLs, though, which is the clunky part.  The end result is that on comments from the aforementioned mighty Hamish, for example, I get the following markup on the “Comments” page:

<a href="http://google.com/url?q=http://hamstu.com">
http://google.com/url?q=http://hamstu.com</a>

What I’d very much prefer is:

<a href="http://google.com/url?q=http://hamstu.com">
http://hamstu.com</a>

Or even:

<a href="http://google.com/url?q=http://hamstu.com">
hamstu.com</a>

So what I’d like to know is if there’s any way to make that happen short of rewriting and replacing get_comment_author_url, which I’d prefer not to do since it could change in future versions of WordPress and I’m not particularly interested in turning a basic plugin into a continuing maintenance headache.  I mean, I will if absolutely necessary, but I’d like to find a better way if there is one.  Thus the request for help.

Also, are there better redirect strategies than using Google the way I have?  It’s very slightly annoying that I have to click through the Google redirect page, and though I absolutely understand why they do that, I’d love to find an automatic redirect that wouldn’t expose my referer to the target site.  Anyone know of one, or have a related sharp idea?

14 Responses»

    • #1
    • Comment
    • Thu 12 Jun 2008
    • 1007
    Shaun Inman wrote in to say...

    You want http://hiderefer.com/.

    I come across this site all the time when dealing with nulled copies of Mint. Sigh.

    Just add a question mark and url you want to redirect to.

    • #2
    • Comment
    • Thu 12 Jun 2008
    • 1008
    Fireball wrote in to say...

    There is http://anonym.to/, which gives you a slight feeling of anonymity… don’t know if it’s better, but it’s widely used in the German-speaking web.

    • #3
    • Comment
    • Thu 12 Jun 2008
    • 1032
    Alan Gresley wrote in to say...

    Not knowing WordPress or script, I will make this suggestion in sheer ignorance.

    Why not make the referrer string reflect the domain that is the possible spammer. Their logs would show their site referring to itself. This is what we see normally in our logs from inbound links but would be good payback to spammers.

    • #4
    • Comment
    • Thu 12 Jun 2008
    • 1111
    Eric Meyer wrote in to say...

    Thanks, Shaun– at least some small good might come from your pain. I’ll also look at your suggestion, Fireball. Maybe I’ll randomly switch between the two for extra obscurity!

    Alan: I’d do that, but I don’t know of a way for WP/PHP to forge the referer for the browser to pick up and pass along, or to just generally forge the referer. Some Googling turned up zippo, though perhaps I wasn’t using the right terms. I’ll poke around some more.

    • #5
    • Comment
    • Thu 12 Jun 2008
    • 1135
    Devon Young wrote in to say...

    You might be interested in the Simple Trackback Validation plugin if you’re going through that much effort. I forget the exact link, but you can find it in my latest blog post. Funny you mention comment spam today.

    • #6
    • Comment
    • Thu 12 Jun 2008
    • 1214
    Pete Nelson wrote in to say...

    One of my boss’ favorite things to check out is how many people came to our site via a google search, and then to look at the keywords they use.

    If someone wrote a common plugin that went through google to mask the referrer, we could see some very interesting side effects when we look at the keywords used to get to our site.

    Even more interesting, though, is that google gives me an intermediary page when I try a URL such as you suggest. It even adds a query param to the URL – “oi=unauthorizedredirect”.

    • #7
    • Comment
    • Thu 12 Jun 2008
    • 1225
    Nick wrote in to say...

    For the Comments page, get_comment_author_url is assigned to another variable and too many things are done with the variables after that.

    You could use Javascript to change all external links when viewing edit-comments.php. If I had any Javascript skills I’d give it a shot.

    • #8
    • Comment
    • Thu 12 Jun 2008
    • 1626
    Jemaleddin wrote in to say...

    @Nick: Sounds like a good job for GreaseMonkey – any takers?

    • #9
    • Comment
    • Thu 12 Jun 2008
    • 2004
    Peter Wilson wrote in to say...

    Why not put a simple file redirect.php on your server:

    <?php
    header("Location: " . $_GET["q"]);
    ?>

    Using this, the url could be http://meyerweb.com/redirect.php?q=http://hamstu.com allowing a single click while avoiding the reference to the WP Admin.

    Of course, this won’t work if you’re trying to avoid references to meyerweb altogether.

    • #10
    • Comment
    • Sat 14 Jun 2008
    • 0315
    Stephen wrote in to say...

    Most browsers do not send the referer header on a meta refresh. That would be the method I would use– just link to your own redirect page. You would get to save bandwidth (a tiny amount), get to save time (by only clicking once and loading less pages), and get to use a deprecated method (according to the once useful W3C).

    Just thought I’d throw that out as a possibility.
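
Comments #9 and #10 combined into one redirect page, as an added example that is not from the original post or its commenters: the target must be http/https and carry an HMAC minted on the admin side, so the page is not an open redirector, and the hop is a meta refresh with a no-referrer policy instead of a Location header. The key, the function names and the /redirect.php path are assumptions.

```php
<?php
// Added example; MW_REDIRECT_KEY, mw_sign_link() and mw_render_redirect()
// are hypothetical names, not part of the plugin or of WordPress.
const MW_REDIRECT_KEY = 'replace-with-a-long-random-secret'; // placeholder

// Admin side: build the href for an outbound comment-author link.
function mw_sign_link($target, $base = '/redirect.php') {
    $sig = hash_hmac('sha256', $target, MW_REDIRECT_KEY);
    return $base . '?q=' . rawurlencode($target) . '&sig=' . $sig;
}

// Redirect side: return the HTML to send, or null if the request is refused.
function mw_render_redirect(array $query) {
    $target = isset($query['q']) && is_string($query['q']) ? $query['q'] : '';
    $sig = isset($query['sig']) && is_string($query['sig']) ? $query['sig'] : '';

    // Honour only links minted by mw_sign_link(), so this is not an open redirector.
    if (!hash_equals(hash_hmac('sha256', $target, MW_REDIRECT_KEY), $sig)) return null;

    // http/https only: refuses javascript:, data: and scheme-less targets.
    $scheme = strtolower((string) parse_url($target, PHP_URL_SCHEME));
    if (!in_array($scheme, array('http', 'https'), true)) return null;
    if (filter_var($target, FILTER_VALIDATE_URL) === false) return null;

    $safe = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
    // An HTTP redirect is followed with the original referring page still as
    // referer; a refresh from this page can expose at most this page's own URL.
    return '<!DOCTYPE html><html><head>'
         . '<meta name="referrer" content="no-referrer">'
         . '<meta http-equiv="refresh" content="0;url=' . $safe . '">'
         . '<title>Redirecting</title></head><body>'
         . '<a rel="noreferrer" href="' . $safe . '">' . $safe . '</a>'
         . '</body></html>';
}

if (PHP_SAPI !== 'cli') {
    // redirect.php entry point
    $html = mw_render_redirect($_GET);
    if ($html === null) { http_response_code(400); exit('Bad redirect request'); }
    header('Content-Type: text/html; charset=UTF-8');
    echo $html;
} else {
    // Constructed demo: sign a link, then feed its query string back in.
    parse_str(parse_url(mw_sign_link('http://hamstu.com/?a=1&b=2'), PHP_URL_QUERY), $q);
    echo mw_render_redirect($q) === null ? "refused\n" : "accepted\n";
    $q['q'] = 'http://example.invalid/'; // tampered target, original signature
    echo mw_render_redirect($q) === null ? "refused\n" : "accepted\n";
}
```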

    • #11
    • Comment
    • Sat 14 Jun 2008
    • 1026
    Andrew wrote in to say...

    Hi, nice idea for a plugin. Changed the code a bit, now it hides the appended URL nicely on Akismet’s page, but not on the edit comments page, as the filter get_comment_author_url_link is not used there. On the other hand that clearly shows when the browser is going to be redirected.

    Also changed it so only the links from not-approved comments are redirected either through hidereferer.com or anonim.to.

    http://www.laptoptips.ca/wpd/wp-content/img/mw_url_obscurify.zip

    • #12
    • Comment
    • Fri 1 Aug 2008
    • 1017
    David Eldridge wrote in to say...

    You can also use a more direct Google redirect/proxy, e.g. http://www.google.com/gwt/n?u=http://meyerweb.com. I am not sure if this would meet your requirement or not.

    • #13
    • Comment
    • Fri 15 Aug 2008
    • 0928
    Immeëmsol wrote in to say...

    Eric Meyer:
    Alan: I’d do that, but I don’t know of a way for WP/PHP to forge the referer for the browser to pick up and pass along, or to just generally forge the referer. Some Googling turned up zippo, though perhaps I wasn’t using the right terms. I’ll poke around some more.

    You could spoof your hostname into being their hostname (/etc/hosts). They will then see that domain name in their logs, but maybe they can still see the IP address then, I don’t know that right now.

    I found this though:
    http://own-the.net/news_Hide-referer-tested-on-IE-and-FF_4.html

    • #14
    • Comment
    • Thu 25 Sep 2008
    • 0117
    Krissie wrote in to say...

    RE: NeverForgetCerpt…

    It’s a great little plugin, but I’ve just encountered a bug with it… namely that when the plugin is activated, the ability to publish immediately by just pressing the publish button when writing a post disappears… to publish the post with the plugin active, I had to first choose “published” from the dropdown box before hitting the publish button. I don’t know if this plugin prevents scheduled publishing of a post too, but certainly it interfered with immediate publishing for me just now – I’ve, sadly, had to de-activate it.
