Excerpts Exacted; Shielding the Admin

Published 16 years, 4 months past

In response to my request, the indomitable Hamish Macpherson has created NeverForgetcerpt, a plugin for WordPress 2.5+ that will warn you if you’re about to publish a post that lacks an excerpt.  I’m already using it on meyerweb and it’s working like a charm.  He’s also expressed interest in the idea of a plugin that does that and also warns you if you forgot to add tags or categories, so stay tuned.  Meantime, all hail Hamish!

I have another plugin request, but in this case I’m looking for help in modifying something I’ve already done.  Or half-done, maybe.

I don’t know about you, but I get a lot of comment spam.  As I type this sentence, Akismet has stopped 837,806 spam attempts in total.  A false positive makes it past Akismet and my other defenses to land in the moderation queue about once every four days, on average.

Some of those false positives are really, really, really easy to spot, and they get marked as spam in order to help improve the recognition algorithms.  Others are hard to evaluate just by looking at the comment.  Many are trackbacks from sites in languages I can’t read, and others that I can read look legit enough.  In such cases, I usually go visit the author’s URL to see if it looks spammy or not.

Now, the way I used to do this was to right-click on the blog link, copy the URL of the target, open a new browser tab, and paste the URL into the address bar.  Why?  To prevent my WP admin URL from landing in the referer logs of a potentially unscrupulous site owner.  But sometimes I forget to do all that, and just click.  I figured, well, why not stop fighting the tendency to just click and write a plugin that routes all outbound links through a redirect service?

So I did.  You can grab it for yourself if you want, but if you do, understand that it’s pretty clunky right now.  Which is the part I’d like help fixing.

The heart of the plugin is simplicity itself:

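if (is_admin_page()) {
	// Rewrite comment-author URLs only on admin screens.
	add_filter('get_comment_author_url','_mw_obscurify',5);
}

function _mw_obscurify($url) {
	// A filter must always return a value, so pass empty URLs through unchanged.
	if ($url) return 'http://google.com/url?q=' . $url;
	return $url;
}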

There’s a little more to it than that (specifically, the routine is_admin_page(), which I got from someone else’s plugin and wish now I could remember whose it was) but that’s the core.  So any time the URL of a comment author is fetched, it’s prepended to turn it into a Google redirect.

That’s true for both href values and displayed URLs, though, which is the clunky part.  The end result is that on comments from the aforementioned mighty Hamish, for example, I get the following markup on the “Comments” page:

<a href="http://google.com/url?q=http://hamstu.com">
http://google.com/url?q=http://hamstu.com</a>

What I’d very much prefer is:

<a href="http://google.com/url?q=http://hamstu.com">
http://hamstu.com</a>

Or even:

<a href="http://google.com/url?q=http://hamstu.com">
hamstu.com</a>

So what I’d like to know is if there’s any way to make that happen short of rewriting and replacing get_comment_author_url, which I’d prefer not to do since it could change in future versions of WordPress and I’m not particularly interested in turning a basic plugin into a continuing maintenance headache.  I mean, I will if absolutely necessary, but I’d like to find a better way if there is one.  Thus the request for help.

Also, are there better redirect strategies than using Google the way I have?  It’s very slightly annoying that I have to click through the Google redirect page, and though I absolutely understand why they do that, I’d love to find an automatic redirect that wouldn’t expose my referer to the target site.  Anyone know of one, or have a related sharp idea?
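One way to get the markup asked for above without replacing get_comment_author_url is to rewrite only the href attributes in the browser, leaving the link text untouched. This is an added example, not part of the plugin or of any commenter's code; `obscureHref`, `shieldLinks` and `ADMIN_ORIGIN` are assumed names, and the redirect prefix is the one used in the post.

```javascript
// Added example. REDIRECT_PREFIX mirrors the post's Google redirect;
// ADMIN_ORIGIN and both function names are assumptions for illustration.
const REDIRECT_PREFIX = 'http://google.com/url?q=';
const ADMIN_ORIGIN = 'http://meyerweb.com'; // assumed origin of the WP admin

// Return the href to use for an outbound link, or null to leave it alone.
function obscureHref(href, adminOrigin = ADMIN_ORIGIN) {
  let target;
  try {
    target = new URL(href, adminOrigin); // also resolves relative links
  } catch (e) {
    return null; // unparsable: do not touch
  }
  // Skip javascript:, mailto: and other non-web schemes.
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return null;
  // Skip links that stay on the admin's own site.
  if (target.origin === new URL(adminOrigin).origin) return null;
  // Skip links that are already wrapped.
  if (href.startsWith(REDIRECT_PREFIX)) return null;
  // Unlike the plain concatenation in the post, encode the target so its own
  // ?query and #fragment stay inside the q= parameter.
  return REDIRECT_PREFIX + encodeURIComponent(target.href);
}

// Rewrite only the href; the visible text keeps the bare URL.
function shieldLinks(links, adminOrigin = ADMIN_ORIGIN) {
  let changed = 0;
  for (const a of links) {
    const wrapped = obscureHref(a.getAttribute('href') || '', adminOrigin);
    if (wrapped === null) continue;
    a.setAttribute('href', wrapped);
    a.setAttribute('rel', 'noreferrer'); // also ask the browser to omit Referer
    changed++;
  }
  return changed;
}

// In the browser, e.g. from a user script running on the comments screen:
if (typeof document !== 'undefined') {
  shieldLinks(document.querySelectorAll('a[href]'), location.origin);
}
```

Because the link text is never modified, a link whose text is the author's URL still displays that URL while its href points at the redirect.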


Comments (14)

  1. You want http://hiderefer.com/.

    I come across this site all the time when dealing with nulled copies of Mint. Sigh.

    Just add a question mark and url you want to redirect to.

  2. There is http://anonym.to/, which gives you a slight feeling of anonymity… don’t know if it’s better, but it’s widely used in the German-speaking web.

  3. Not knowing WordPress or script, I will make this suggestion in sheer ignorance.

    Why not make the referrer string reflect the domain that is the possible spammer. Their logs would show their site referring to itself. This is what we see normally in our logs from inbound links but would be good payback to spammers.

  4. Thanks, Shaun— at least some small good might come from your pain. I’ll also look at your suggestion, Fireball. Maybe I’ll randomly switch between the two for extra obscurity!

    Alan: I’d do that, but I don’t know of a way for WP/PHP to forge the referer for the browser to pick up and pass along, or to just generally forge the referer. Some Googling turned up zippo, though perhaps I wasn’t using the right terms. I’ll poke around some more.

  5. You might be interested in the Simple Trackback Validation plugin if you’re going through that much effort. I forget the exact link, but you can find it in my latest blog post. Funny you mention comment spam today.

  6. One of my boss’ favorite things to check out is how many people came to our site via a google search, and then to look at the keywords they use.

    If someone wrote a common plugin that went through google to mask the referrer, we could see some very interesting side effects when we look at the keywords used to get to our site.

    Even more interesting, though, is that google gives me an intermediary page when I try a URL such as you suggest. It even adds a query param to the URL – “oi=unauthorizedredirect”.

  7. For the Comments page, get_comment_author_url is assigned to another variable and too many things are done with the variables after that.

    You could use Javascript to change all external links when viewing edit-comments.php. If I had any Javascript skills I’d give it a shot.

  8. @Nick: Sounds like a good job for GreaseMonkey – any takers?

  9. Why not put a simple file redirect.php on your server:

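    <?php
    // Redirect only to absolute http(s) URLs with no whitespace or control characters.
    $q = isset($_GET["q"]) ? $_GET["q"] : "";
    if (!preg_match('#^https?://\S+\z#i', $q)) { header("HTTP/1.1 400 Bad Request"); exit; }
    header("Location: " . $q);
    ?>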

    Using this, the url could be http://meyerweb.com/redirect.php?q=http://hamstu.com allowing a single click while avoiding the reference to the WP Admin.

    Of course, this won’t work if you’re trying to avoid references to meyerweb altogether.

  10. Most browsers do not send the referer header on a meta refresh. That would be the method I would use– just link to your own redirect page. You would get to save bandwidth (a tiny amount), get to save time (by only clicking once and loading less pages), and get to use a deprecated method (according to the once useful W3C).

    Just thought I’d throw that out as a possibility.

  11. Hi, nice idea for a plugin. Changed the code a bit, now it hides the appended URL nicely on Akismet’s page, but not on the edit comments page, as the filter get_comment_author_url_link is not used there. On the other hand that clearly shows when the browser is going to be redirected.

    Also changed it so only the links from not-approved comments are redirected either through hidereferer.com or anonim.to.

    http://www.laptoptips.ca/wpd/wp-content/img/mw_url_obscurify.zip

  12. You can also use a more direct Google redirect/proxy, e.g. http://www.google.com/gwt/n?u=http://meyerweb.com. I am not sure if this would meet your requirement or not.

  13. Eric Meyer:
    Alan: I’d do that, but I don’t know of a way for WP/PHP to forge the referer for the browser to pick up and pass along, or to just generally forge the referer. Some Googling turned up zippo, though perhaps I wasn’t using the right terms. I’ll poke around some more.

    You could spoof your hostname into being their hostname (/etc/hosts). They will then see that domain name in their logs, but maybe they can still see the IP address then, I don’t know that right now.

    I found this though:
    http://own-the.net/news_Hide-referer-tested-on-IE-and-FF_4.html

  14. RE: NeverForgetCerpt…

    It’s a great little plugin, but I’ve just encountered a bug with it… namely that when the plugin is activated, the ability to publish immediately by just pressing the publish button when writing a post disappears… to publish the post with the plugin active, I had to first choose “published” from the dropdown box before hitting the publish button. I don’t know if this plugin prevents scheduled publishing of a post too, but certainly it interfered with immediate publishing for me just now – I’ve, sadly, had to de-activate it.
