Two years of Mollom satisfaction


Davy started a meme: show off how well Mollom has been performing on your site over the past weeks, months or even years. I picked it up at Wim’s place. Here is the lowdown for my own blog.


To be more exact: Mollom was activated 703 days ago. Until now, 1,355 submissions were accepted and 23,999 rejected. Yesterday, Mollom blocked 12 spam attempts and accepted 0 ham messages. So far, Mollom blocked 13 spam attempts and 0 ham messages today.

Quite impressive. The least I can say is that Mollom took away a big nag of mine. The gap in Q1 of 2009 was due to a critical bug which needed fixing in my code. I ran Mollom in developer mode, which means no real-life statistics were recorded during that particular timeframe. Apart from that, Mollom has been protecting my WordPress blog for the past 2 years and has held its own.

Of course, you’re all probably eager to know whether I’m still maintaining the plugin. Yes, I am. Over the past few months, I’ve been working off and on to get a new version of the plugin ready. It will be a total rebuild with lots of improvements. I’m covering what’s to come and my own developer experience in depth in a future blog post.

So stay tuned!

WP Mollom 0.7.3


Another month, a new release. I just tagged WP Mollom 0.7.3. It’s got the shortest changelog to date, but the translations that are included make up for that.

  • fixed: multiple moderation would incorrectly state ‘moderation failed’ due to an incorrectly set boolean.
  • added: German (de_DE) translation
  • added: Italian (it_IT) translation

Many thanks go out to Alexander Langer and Gianni Diurno for sending me their translations. With only 88 strings, translating the plugin doesn’t take that much time. So, if you could spare the time and you know your way around POEdit (or you’re willing to learn), just go out there and make this plugin easier to use for non-English-speaking users of WordPress!

Of course, if you don’t use the plugin already: you can get it right here!

WP Mollom 0.7.2


I just released version 0.7.2 of WP Mollom. Here’s the changelist:

  • fixed: closing a gap that allowed bypassing checkContent through spoofing $_POST['mollom_sessionid']
  • fixed: if mb_convert_encoding() is not available, the CAPTCHA would generate a PHP error. Now falls back to htmlentities().
  • improved: the check_trackback_content and check_comment_content are totally rewritten to make them more secure.
  • added: user roles capabilities. You can now exempt roles from a check by Mollom
  • added: Simplified Chinese translation

So, for the most part, this release is about security-related under-the-hood changes. Another great addition is the use of user roles. With previous releases, you didn’t have to pass the Mollom check if you were logged in, which was a bit of a security issue on its own. This release allows you to exempt certain user roles from Mollom scrutiny.

Finally, I owe a big thank you to Donald for the great work he did translating the interface into Simplified Chinese and his numerous suggestions. Thank you!! I would like to encourage others to translate the plugin! German, French and/or Spanish, if you know them, now is the time to put them to use!

So, go grab it from WordPress Extend or upgrade your installation through the famous one-step installer in your Dashboard!

WP Mollom 0.7.1


I just released WP Mollom 0.7.1. Here’s the changelog:

  • fixed: all plugin panels are now shown in the new WP 2.7 administration interface menu
  • fixed: non-western character sets are now handled properly in the captcha form
  • fixed: handles threaded comments properly
  • fixed: multiple records in the manage module not correctly processed
  • improved: extra – non standard – fields added to the comment form don’t get dropped
  • improved: revamped the administration panel
  • improved: various smaller code improvements
  • added: the plugin is now compatible with the new plugin uninstall features in WordPress 2.7
  • added: the ‘quality’ of ‘spaminess’ of a comment is now logged and shown as an extra indicator

Wishing all the best in 2009!

WordPress 2.7


Yes. WordPress 2.7 is out. Your favorite blogging tool has gotten a serious overhaul: a totally new administration panel, loads of bugfixes and lots of new features.

The plugin API has been extended: you should now use a separate file to store all uninstallation logic instead of relying on the deactivate callback, options should be registered with WP (mandatory in near future versions) and the submenu structure onto which you can hook your own settings is revamped.

If you haven’t already noticed, WP Mollom 0.7.0 has some minor issues with 2.7. Most notably, the management panel disappears. Between boxing my stuff, frantic phone calls and spending countless hours commuting through Flanders, I’m trying to get the plugin up to speed.

Translation support: help needed


Translating WordPress has always been very easy through gettext and tools like poedit. The availability of a whole range of languages and dialects that can be used to replace the standard English messages in WordPress is one of the factors that has contributed to the success of the CMS.

Of course, this support for translation is also available for plugins and themes. Since language shouldn’t be a barrier, I’ve been building support for translations into WP Mollom over the past weeks. The idea is that one can download a translation library (a .mo file with all the translated strings in his language) and install it without a hassle.

So, today I tested the whole translation support fairly thoroughly and, well, there’s this rub. If I install the plugin using the local MAMP installation on my iBook G4, all is fine. The plugin gets translated into Dutch nicely. But if I try to enable the translation online, on this blog and the test blog running on this domain, it doesn’t budge. Everything in the online WordPress setups gets translated fine… except for the plugin. I’ve tried switching off all the plugins, verifying and re-verifying paths, code, translation files,… and I still don’t see what’s really causing this.

So, I would like some help and see if other people are experiencing the same problem. If you are in for a challenge and you use translation support, download the development version of the plugin and give it a go. Just drop the wp-mollom/ folder in the plugins/ folder and make sure you have translation support on your WordPress installation activated.

Drop me a line if you have a suggestion! Thanks!

Mollom 0.6.2, the Urgent One


For a couple of weeks, people using WP Mollom have been getting hit by some spam. On Friday, Bert took the problem to Twitter, which caught my attention. Of course, we want to get rid of all the spam and so I notified Dries.

Over the weekend, Dries did some research in the logfiles and noticed some disturbing patterns concerning feedback sent from WordPress blogs using the plugin. Most moderated messages got reported as ‘profanity’ rather than ‘spam’. That led, with the much appreciated help of Pascal, to the discovery of a nasty bug in the feedback functions of the plugin.

It seems that spam was reported as ‘profanity’ and ‘unwanted’ as ‘spam’. The feedback qualifiers got totally messed up in a conditional block… and accustomed as I was to the code, I probably read over it a thousand times without really noticing the error. Because the wrong qualifiers are sent, the Mollom servers cannot correctly interpret what is spam or not for your blog. This has, of course, a serious impact on the performance of Mollom.

Given the nature and the severity of the error, I corrected it and put version 0.6.2 with *only* this bugfix up for release on WordPress Extend. So, if you’re running version 0.6.1 or lower, you should download the fixed version as soon as possible.

Mollom 0.6.1


I just tagged version 0.6.1 of WP Mollom in the WordPress Extend repository. Which means in a few moments, you’ll be able to download the latest installment of my plugin.

So, what has changed? Well, this is a bugfix release which means no new features. Here’s the changelog:

  • Fixed: division by 0 error on line 317
  • Fixed: if ‘unsure’ but captcha was filled in correctly, HTML attributes in comment content would sometimes be eaten by kses
  • Improved: the mollom function got an overhaul to reflect the September 15 version of the Mollom API documentation
  • Changed: mollom statistics are now hooked in edit-comments.php instead of plugins.php
  • Added: _mollom_retrieve_server_list() function now handles all getServerList calls

Although almost all basic functions are up and running now, there’s still a long road ahead. Today, I’m happy with what I’ve accomplished technically so far, but such things as usability, performance, flexibility,… still need more work. For instance, there’s still no WordPress MU version, i18n support is still missing, the backend needs more simplifying and much more.

But then again, if spam annoys you as much as the mosquitos in my room did me last night, then this is the plugin for you. Download the package, drop wp-mollom.php in your plugins folder, register with mollom.com to get your keys, just configure them in the plugin and you’re all packed with some serious spam stoppage power.

Happy blogging!

Mollom out of beta


Congratulations are in order as the Mollom guys went out of beta over the weekend. Great! They did several upgrades to their service over the past weeks including improving their spam deterrents and the visual CAPTCHA.

When you settle for a free account, Mollom allows 100 legit comments to be posted on your blog a day. More than enough for most blogs. Power users should sign up for their Mollom Plus Service which allows 10,000 legit comments a day. Ideal for enterprise sites, businesses and community services.

You can find more information on their blog.

Over the past weeks, I turned my attention to several other priorities. But then again, I fixed several bugs in the plugin. A new version of the API documentation was released on the 15th of September. Maintainers of third party clients should turn their attention to section 9 of the API. Mollom now features an elaborate load balancing/fail over act.

Short of a few bugs, I’m trying to work out a better way of handling errors in the plugin. So a new version of the plugin is in the works and a release should be right around the corner.

WP Mollom 0.5.2


So, I wrapped up version 0.5.2 of WP Mollom today. This release is all about fixing several bugs.

  • fixed: passing $comment instead of the direct input from $_POST to the show_captcha() and check_captcha() functions.
  • improved: implemented wpdb->prepare() in vulnerable queries
  • improved: mollom_activate() function now more robust
  • changed: mollom_author_ip() reflects changes in the API documentation. This is to catch up on the abuse of proxies by spammers. If your host uses a reverse proxy and you know the IP(s), just enter them in the dashboard. The plugin takes care of the rest.
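
One way to apply the reverse-proxy rule from the last changelog item, shown as an added example rather than the plugin's own mollom_author_ip() code. The function name resolve_author_ip(), the proxy list and the use of X-Forwarded-For as the forwarding header are assumptions; the addresses are constructed from documentation ranges.

```php
<?php
// Added example, not WP Mollom code. resolve_author_ip() and the proxy list
// are hypothetical; X-Forwarded-For as the forwarding header is an assumption.

/**
 * Return the address to report as the comment author's IP.
 * The forwarding header is honoured only when the direct peer (REMOTE_ADDR)
 * is one of the reverse proxies the administrator configured. Addresses are
 * compared as strings, so list proxies in the form the server reports them.
 */
function resolve_author_ip(array $server, array $trusted_proxies) {
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (!in_array($peer, $trusted_proxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer; // direct connection, or a header sent by an untrusted peer
    }
    // Walk the chain right to left: the rightmost entries were appended by our
    // own proxies, so the first address that is not a trusted proxy is the client.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed header: fall back to the peer address
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
    }
    return $peer; // every hop was a trusted proxy
}

// Constructed requests (documentation address ranges only).
$proxies = array('192.0.2.10');
$cases = array(
    'direct client' => array('REMOTE_ADDR' => '203.0.113.7'),
    'via our proxy' => array(
        'REMOTE_ADDR' => '192.0.2.10',
        'HTTP_X_FORWARDED_FOR' => '203.0.113.7',
    ),
    'header from untrusted peer' => array(
        'REMOTE_ADDR' => '198.51.100.9',
        'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
    ),
    'client-supplied prefix' => array(
        'REMOTE_ADDR' => '192.0.2.10',
        'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.9',
    ),
);
foreach ($cases as $label => $server) {
    printf("%-28s %s\n", $label, resolve_author_ip($server, $proxies));
}
```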

I tried to make the plugin compatible with the WP OpenID plugin over the past weeks. But no dice. Stable version 2.1.9 of WP OpenID doesn’t deal with extra fields added to the HTTP POST by other plugins when a request is sent to wp-comments-post.php. This causes WP Mollom’s CAPTCHA form and subsequent checks to malfunction.

The good news is that Will Norris of WP OpenID is aware of the problem. The development version does contain a fix for this problem and is actually compatible with WP Mollom. You can check out a copy from the DiSo Project’s Google Code repository if you really want OpenID and Mollom support on your site.

As always: refer to the documentation regarding all the ins and outs.

WP Mollom “Holiday Edition” 0.5.1


I just released a minor update of WP Mollom with some bugfixes. This is the changelog:

  • Fixed: minor issues with the Captcha not being rendered correctly
  • Added: mollom_manage_wp_queue() function which adds Mollom support to the default comment administration panel
  • Improved: updating from a previous version is now more robust

More info and download on WordPress Extend

Mollom 0.5.0 out now!


It took me the better part of June to prepare a new version of Mollom. But today I released version 0.5.0. You can download the package here.

So, a lot has changed since version 0.4.0…

  • I rewrote the SQL after this suggestion on Pressed Words. Mollom now uses its own table to store all its data instead of fumbling with the WordPress data model.
  • I fixed the incompatibility issues with WordPress OpenID plugin.
  • Improved the error handling.
  • Status messages are now a lot more verbose
  • Added the mollom_moderate_comment($comment_id) tag for use in templates and themes. This allows direct moderation of a comment without first having to go to the dashboard.
  • … a lot more!

So download, go forth and protect your blog against those vile spammers through Mollom!

WP Mollom and WP OpenID


These two weren’t the best friends over the past couple of weeks. Since someone notified me they weren’t compatible, it took some time to figure out what was going wrong. My initial suspect was an icky way of dealing with the action hooks. Either by my plugin or WP OpenID. But after extensive testing, I concluded that the order in which the action hooks call the different plugin functions wasn’t the problem.

I identified the problem as the comment data getting lost somewhere along the way. I tested the OpenID plugin and the transition to the Mollom plugin. In the end, I could narrow the problem down to odd behaviour of global variables in WordPress. Let’s take a look at this bit of code:


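    function dosomething($ds_comment) {
        // Declaring the parameter itself as global: this is the line under test.
        global $ds_comment;
        // Dump the comment data to the browser before WordPress saves it.
        print_r($ds_comment);
        return $ds_comment;
    }
    // Run dosomething() on every comment just before it is stored.
    add_action('preprocess_comment', 'dosomething');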

For brevity’s sake, I omitted the obligatory WordPress plugin header. But if you add it, put this bit in a separate file, upload it to your plugins/ folder and activate. Now you can test it yourself. The idea is that the array containing the comment data is shown in your browser just before putting it in the database (notice that your browser doesn’t redirect to the original page, but that’s not the issue here). In reality, you’ll get a blank page. Meaning the array $ds_comment is in fact empty. Further on, you’ll just pass empty variables and in the end save an empty record to your database. The comment got lost into cyberoblivion. Not very nice.

Now. Just comment out or remove the global $ds_comment; bit and try again. Now, if you submit a new comment, the data will be output to the browser nicely.

Conclusion: If you make the very same variable that was passed as an argument through the function, global, the data just gets lost. Very odd. Now, if you create a new, empty, global variable within the function and assign the data from $ds_comment to it, there is no problem whatsoever.

I wonder how this could happen…

Ow. Making a lot of variables global, especially those with sensitive data, is not really best practice. There are more gracious ways of passing data around like OO programming design or paying attention to correct function reuse. In a future incarnation, I’ll try to reduce the amount of globals I use. For now, I just want the damn thing to behave like it should. ;-)
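
The behaviour described in this post can be reproduced outside WordPress. The following is an added example, not code from the plugin: in PHP, `global $name` binds the local name to the entry of that name in the global symbol table, which replaces the value a parameter of the same name was holding. All function, class and variable names are hypothetical and the comment array is constructed.

```php
<?php
// Added example, not WP Mollom code; all names here are hypothetical.

// The pattern from the post: `global $data` rebinds the local name to
// $GLOBALS['data'], so the argument that was passed in is no longer reachable.
function lose_argument($data) {
    global $data;
    return $data;
}

// The workaround from the post: a differently named global receives a copy,
// and the parameter keeps its value.
function copy_to_global($data) {
    global $last_comment;
    $last_comment = $data;
    return $data;
}

// Without globals: state lives in the object that owns the hook callback.
class CommentInspector {
    private $seen = array();

    public function inspect(array $data) {
        $this->seen[] = $data;
        return $data; // a filter callback must hand the value back
    }

    public function seen() {
        return $this->seen;
    }
}

// Constructed comment data, shaped like the array passed to the hook.
$comment = array('comment_author' => 'alice', 'comment_content' => 'Hello');

var_dump(lose_argument($comment));
var_dump(copy_to_global($comment) === $comment, $last_comment === $comment);

$inspector = new CommentInspector();
var_dump($inspector->inspect($comment) === $comment, count($inspector->seen()));
```

In a plugin, the object method would be registered as the callback, for example `add_filter('preprocess_comment', array($inspector, 'inspect'))`.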

It’s out!


Well, nothing more to say for now: it’s out. You can download and play with it. It’s a first beta version so beasts can rear their heads if you have a heavily customized WordPress installation with loads of plugins. Please, drop me a line with all your feedback, code, concerns, requests!

A big thank you to Dries, Benjamin, the testers and all those people that supported me!

Release of WP Mollom


So. I scheduled a first public beta release of my Mollom plugin somewhere tonight (CET/UTC+1). The plugin runs quite stable on my own weblog and spam is happily being blocked. I didn’t receive major complaints from testers or users on my own blog in the past week. Yesterday, I cleared the code with Dries who took a glance at the major functionality.

Of course, it wouldn’t be a first beta release if there aren’t still some irks lurking around in the code. This morning, Leo Arias mailed me that the plugin won’t work together with the WP OpenId plugin. Having toyed with my own OpenID implementation for WordPress, I’m not a great proponent of this technology. The way you have to design a plugin implies using several shortcuts. I’m not going to push my release back now, though. I will try to fix this issue in the next release.

My code will also be thoroughly reviewed by the Mollom people.

Thanks to all the testers and those who just listed to become a tester!

Mollom workflow


Dries made me a nice diagram on the process flow of Mollom. It shows the order in which your Mollom programmable should execute the different API calls.

Note: You should never try to save data to the database before all the Mollom checks including the CAPTCHA have been cleared. The idea is that through the challenge-response flow, the contributor has to validate him/herself as a human instead of forcing the administrator to make an educated guess.

As for the plugin itself: I noticed several small boo-boos myself over the weekend and sorted them out. A public release should be very soon-ish.

To moderate… or not?


Well, I adjusted some of the plugin code over the weekend. The comments’ data (name, e-mail, url, content) isn’t stored in the database anymore but embedded in the CAPTCHA form as a collection of hidden fields. As I don’t want to store the data client-side (cookies and the like), this seems to be the best way out. The comment is saved only if the CAPTCHA test was successfully completed.

A particular issue I face is special characters like backslashes, quotes,… things you might encounter in URLs and such. Luckily, WordPress is quite flexible as it takes this into account during the process of saving a comment in the database. The issue I have to focus on is not breaking the HTML CAPTCHA form itself. This will probably need some extensive testing.
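
Carrying the comment through the CAPTCHA form in hidden fields raises two practical points: the values must be escaped so they cannot break the form, and the server must be able to tell that the fields posted back are the ones it rendered for that Mollom session. The following is an added example of one way to do both, not the plugin's code; the function names, the `mollom_mac` field and `$secret` are hypothetical, and the sample comment is constructed. Because the signature also covers `mollom_sessionid`, it relates to the session id spoofing fix listed in the 0.7.2 changelog as well.

```php
<?php
// Added example, not WP Mollom code: function names, field names other than
// mollom_sessionid, and $secret are hypothetical.

// MAC over the comment fields plus the session id. serialize() length-prefixes
// every string, so different field sets cannot produce the same MAC input.
function comment_mac(array $fields, $session_id, $secret) {
    $fields['mollom_sessionid'] = $session_id;
    ksort($fields);
    return hash_hmac('sha256', serialize($fields), $secret);
}

// Build the hidden inputs for the CAPTCHA form. Escaping with ENT_QUOTES keeps
// quotes, angle brackets and ampersands from breaking out of the value attribute.
function render_hidden_fields(array $fields, $session_id, $secret) {
    $all = $fields;
    $all['mollom_sessionid'] = $session_id;
    $all['mollom_mac'] = comment_mac($fields, $session_id, $secret);
    $html = '';
    foreach ($all as $name => $value) {
        $html .= sprintf(
            "<input type=\"hidden\" name=\"%s\" value=\"%s\" />\n",
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        );
    }
    return $html;
}

// Return the comment fields if they are exactly what the server rendered for
// this session id, false otherwise. The CAPTCHA answer itself still has to be
// checked with Mollom before the comment is saved.
function verify_posted_comment(array $post, array $field_names, $secret) {
    $needed = array_merge($field_names, array('mollom_sessionid', 'mollom_mac'));
    foreach ($needed as $name) {
        if (!isset($post[$name]) || !is_string($post[$name])) {
            return false; // missing field, or an array sent in place of a string
        }
    }
    $fields = array_intersect_key($post, array_flip($field_names));
    $expected = comment_mac($fields, $post['mollom_sessionid'], $secret);
    return hash_equals($expected, $post['mollom_mac']) ? $fields : false;
}

// Constructed sample input with the characters the post worries about.
$secret  = 'replace-with-a-random-server-side-key';
$names   = array('author', 'email', 'url', 'comment');
$comment = array(
    'author'  => 'O\'Brien "Bob"',
    'email'   => 'bob@example.org',
    'url'     => 'http://example.org/?a=1&b=<2>',
    'comment' => 'C:\\temp is "fine" & so is <b>this</b>',
);
echo render_hidden_fields($comment, 'session-123', $secret);

// What the browser posts back (it decodes the entities again).
$post = $comment + array(
    'mollom_sessionid' => 'session-123',
    'mollom_mac'       => comment_mac($comment, 'session-123', $secret),
);
var_dump(verify_posted_comment($post, $names, $secret) === $comment);
$post['url'] = 'http://spam.example/'; // changed after the content check
var_dump(verify_posted_comment($post, $names, $secret));
```

WordPress adds slashes to `$_POST`, so inside a plugin the posted values need to be unslashed before they are passed to the verifier.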

The new version is already protecting this blog against comment spam. If everything goes well, the moderation queue should stay empty of unprocessable spam. In fact, it changes the usage of the queue entirely: instead of an indispensable tool, it becomes an optional means to teach Mollom if a message contains spam, profanity,… You don’t need to use it, but it allows you to correct Mollom in those few cases that may slip through.

Next up: implement functionality against trackback spam. I hope to get that part finished near the end of next week so I can put out a new beta version of the plugin.

To moderate… or not?


Today, I had an e-mail discussion with Dries and Benjamin over the use of a moderation queue within the context Mollom provides. I have one implemented in my plugin. The idea is that ‘unsure’ comments that don’t get through the CAPTCHA test land in a moderation queue… sort of.

Mollom was actually designed to get rid of the queue. Checking if a commenter is human or a spambot happens through the CAPTCHA test. Early on in the process of posting a comment. That makes a queue where an administrator has to do the check after the fact quite unnecessary.

The problem is that the way I designed the plugin forced me to use a moderation queue altogether. ‘Unsure’ labelled comments happen to land in the database, before the CAPTCHA check. Two months ago, that seemed the logical way out to me. Dries gave me some more insight into the workings of the Drupal module and was able to convince me to separate the CAPTCHA check from the moderation queue. (I am not nearly as into Drupal as I am into the workings of WordPress!)

So. It’s a bit back to the drawing board for me as this means some parts of the plugin need to be reviewed.

Mollom vs Trackback spam


Hum. The plugin in WordPress doesn’t support trackback checking yet. No big deal? Well, I have 24 spams in my moderation queue, the majority of them are trackback spam.

So… yet another feature to implement. Just wondering what the flow of operations should look like. Moreover: how/where do I implement a CAPTCHA? Is it necessary to implement this? Given the 99.8% accuracy Mollom claims, is it a bad thing if a trackback would be identified as a false positive and the CAPTCHA step is skipped altogether? One can retrieve the false positive through the moderation queue altogether, no?

Anyway, adding trackback support should be fairly simple.