$options['refresh']) { if(count($options['key']) >= 5) array_shift($options['key']); array_push($options['key'], rand(21474836, 2126008810)); $options['key-date'] = time(); wphc_option($options); } } add_action('shutdown', 'wphc_refresh'); /** * Our plugin can also have a widget */ function get_spam_ratio( $ham, $spam ) { if($spam + $ham == 0) $ratio = 0; else $ratio = round(100 * ($spam/($ham+$spam)),2); return $ratio; } function widget_ratio($options){ $signups_ham = (int)$options['signups-ham']; $signups_spam = (int)$options['signups-spam']; $ham = (int)$options['comments-ham']; $spam = (int)$options['comments-spam']; $ratio = get_spam_ratio( $ham, $spam ); $signups_ratio = get_spam_ratio( $signups_ham, $signups_spam ); $msg = "
  • $spam spam comments blocked out of $ham human comments. " . $ratio ."% of your comments are spam!
  • "; if( $signups_ham && $signups_spam ) $msg = "
  • $signups_spam spam signups blocked out of $signups_ham human signups. " . $signups_ratio ."% of your signups are spam!
  • "; return $msg; } function wphc_widget_init () { if(!function_exists('register_sidebar_widget')) return; function widget_wphc($args) { extract($args); $options = wphc_option(); echo $before_widget . $before_title . 'WP Hashcash' . $after_title; echo ''; echo $after_widget; } register_sidebar_widget(array('WP Hashcash', 'widgets'), 'widget_wphc'); } add_action('widgets_init', 'wphc_widget_init'); /** * Admin Options */ add_action('admin_menu', 'wphc_add_options_to_admin'); function wphc_add_options_to_admin() { if( function_exists( 'is_site_admin' ) && !is_site_admin() ) return; if (function_exists('add_options_page')) { if( function_exists( 'is_site_admin' ) ) { add_submenu_page('wpmu-admin.php', __('WordPress Hashcash'), __('WordPress Hashcash'), 'manage_options', 'wphc_admin', 'wphc_admin_options'); } else { add_options_page('Wordpress Hashcash', 'Wordpress Hashcash', 8, basename(__FILE__), 'wphc_admin_options'); } } } function wphc_admin_options() { if( function_exists( 'is_site_admin' ) && !is_site_admin() ) return; $options = wphc_option(); if( !isset( $options[ 'signup_active' ] ) ) { wphc_install(); // MU has no activation hook $options = wphc_option(); } // POST HANDLER if($_POST['wphc-submit']){ check_admin_referer( 'wphc-options' ); if ( function_exists('current_user_can') && !current_user_can('manage_options') ) die('Current user not authorized to managed options'); $options['refresh'] = strip_tags(stripslashes($_POST['wphc-refresh'])); $options['moderation'] = strip_tags(stripslashes($_POST['wphc-moderation'])); $options['validate-ip'] = strip_tags(stripslashes($_POST['wphc-validate-ip'])); $options['validate-url'] = strip_tags(stripslashes($_POST['wphc-validate-url'])); $options['logging'] = strip_tags(stripslashes($_POST['wphc-logging'])); $options['signup_active'] = (int) $_POST['signup_active']; $options['comments_active'] = (int) $_POST['comments_active']; wphc_option($options); } // MAIN FORM echo ''; echo '
    '; echo ''; echo '
    '; echo '

    WordPress Hashcash

    '; echo '

    This is an antispam plugin that eradicates spam signups on WordPress sites. It works because your visitors must use obfuscated javascript to submit a proof-of-work that indicates they opened your website in a web browser, not a robot. You can read more about it on the WordPress Hashcash plugin page of my site.

    '; echo '

    Standard Options

    '; echo '
    '; wp_nonce_field('wphc-options'); if( function_exists( 'is_site_admin' ) ) { // MU only $signup_active = (int)$options[ 'signup_active' ]; $comments_active = (int)$options[ 'comments_active' ]; echo "

    "; echo "

    "; } // moderation options $moderate = htmlspecialchars($options['moderation'], ENT_QUOTES); echo '

    '; echo ''; echo '
    The default is to place spam comments into the akismet/moderation queue. Otherwise, the delete option will immediately discard spam comments.'; echo '

    '; // refresh interval $refresh = htmlspecialchars($options['refresh'], ENT_QUOTES); echo '


    Default is one week, or 604800 seconds.

    '; // current key echo '

    Your current key is ' . $options['key'][count($options['key']) - 1] . '.'; if(count($options['key']) > 1) echo ' Previously you had keys '. join(', ', array_reverse(array_slice($options['key'], 0, count($options['key']) - 1))).'.'; echo '

    '; // additional options echo '

    Additional options:

    '; $validate_ip = htmlspecialchars($options['validate-ip'], ENT_QUOTES); echo '


    Checks if the IP address of the trackback sender is equal to the IP address of the webserver the trackback URL is referring to.

    '; $validate_url = htmlspecialchars($options['validate-url'], ENT_QUOTES); echo '


    Retrieves the web page located at the URL included in the trackback to check if it contains a link to your blog. If it does not, it is spam!

    '; // logging options echo '

    Logging:

    '; $logging = htmlspecialchars($options['logging'], ENT_QUOTES); echo '


    Logs the reason why a given comment failed the spam check into the comment body. Works only if moderation / akismet mode is enabled.

    '; echo ''; echo ''; echo '
    '; echo '
    '; echo '
    '; echo '

    © Copyright '.date('Y').' Elliott Bäck

    '; echo '
    '; echo '
    '; } /** * Add JS to the header */ function wphc_posthead() { if( function_exists( 'is_site_admin' ) ) { $options = wphc_option(); if( !$options['comments_active'] ) return; } if((is_single() || is_page())) wphc_addhead(); } add_action('wp_head', 'wphc_posthead'); function wphc_signuphead() { if( function_exists( 'is_site_admin' ) ) { $options = wphc_option(); if( !$options['signup_active'] ) return; } wphc_addhead(); } add_action('signup_header', 'wphc_signuphead'); function wphc_addhead() { echo "\n"; } function wphc_getjs(){ $options = wphc_option(); $val = $options['key'][count($options['key']) - 1]; $js = 'function wphc_compute(){'; switch(rand(0, 3)){ /* Addition of n times of field value / n, + modulus: Time guarantee: 100 iterations or less */ case 0: $inc = rand($val / 100, $val - 1); $n = floor($val / $inc); $r = $val % $inc; $js .= "var wphc_eax = $inc; "; for($i = 0; $i < $n - 1; $i++){ $js .= "wphc_eax += $inc; "; } $js .= "wphc_eax += $r; "; $js .= 'return wphc_eax; '; break; /* Conversion from binary: Time guarantee: log(n) iterations or less */ case 1: $binval = strrev(base_convert($val, 10, 2)); $js .= "var wphc_eax = \"$binval\"; "; $js .= 'var wphc_ebx = 0; '; $js .= 'var wphc_ecx = 0; '; $js .= 'while(wphc_ecx < wphc_eax.length){ '; $js .= 'if(wphc_eax.charAt(wphc_ecx) == "1") { '; $js .= 'wphc_ebx += Math.pow(2, wphc_ecx); '; $js .= '} '; $js .= 'wphc_ecx++; '; $js .= '} '; $js .= 'return wphc_ebx;'; break; /* Multiplication of square roots: Time guarantee: constant time */ case 2: $sqrt = floor(sqrt($val)); $r = $val - ($sqrt * $sqrt); $js .= "return $sqrt * $sqrt + $r; "; break; /* Sum of random numbers to the final value: Time guarantee: log(n) expected value */ case 3: $js .= 'return '; $i = 0; while($val > 0){ if($i++ > 0) $js .= '+'; $temp = rand(1, $val); $val -= $temp; $js .= $temp; } $js .= ';'; break; } $js .= '} wphc_compute();'; // pack bytes if( !function_exists( 'strToLongs' ) ) { function strToLongs($s) { $l = array(); // pad $s to some multiple of 4 $s = preg_split('//', $s, -1, PREG_SPLIT_NO_EMPTY); while(count($s) % 4 != 0){ $s [] = ' '; } for ($i = 0; $i < ceil(count($s)/4); $i++) { $l[$i] = ord($s[$i*4]) + (ord($s[$i*4+1]) << 8) + (ord($s[$i*4+2]) << 16) + (ord($s[$i*4+3]) << 24); } return $l; } } // xor all the bytes with a random key $key = rand(21474836, 2126008810); $js = strToLongs($js); for($i = 0; $i < count($js); $i++){ $js[$i] = $js[$i] ^ $key; } $js=apply_filters('wphc_jskey',$js); // libs function encapsulation $libs = "function wphc(){\n"; // write bytes to javascript, xor with key $libs .= "\tvar wphc_data = [".join(',',$js)."]; \n"; $libs .= "\t\t//WPHC1\n"; //Placeholder - replace this comment in filter to apply custom 'security' // do the xor with key $libs .= "\n\tfor (var i=0; i'; } add_action('signup_hidden_fields', 'wphc_add_signupform'); add_action('bp_after_registration_submit_buttons', 'wphc_add_signupform'); function wphc_add_commentform(){ $options = wphc_option(); switch($options['moderation']){ case 'delete': $verb = 'deleted'; break; case 'akismet': $verb = 'queued in Akismet'; break; case 'moderate': default: $verb = 'placed in moderation'; break; } echo '
    '; echo '

    ' . __('Powered by', 'wp-hashcash') . ' WP Hashcash

    '; echo ''; } add_action('comment_form', 'wphc_add_commentform'); /** * Validate our tag */ function wphc_check_signup_hidden_tag( $result ) { // get our options $options = wphc_option(); $spam = false; if( !strpos( $_SERVER[ 'PHP_SELF' ], 'wp-signup.php' ) ) return $result; // Check the wphc values against the last five keys $spam = !in_array($_POST["wphc_value"], $options['key']); if($spam){ $options['signups-spam'] = ((int) $options['signups-spam']) + 1; wphc_option($options); $result['errors']->add( 'blogname', __('You did not pass a spam check. Please enable JavaScript in your browser.') ); } else { $options['signups-ham'] = ((int) $options['signups-ham']) + 1; wphc_option($options); } return $result; } add_filter( 'wpmu_validate_blog_signup', 'wphc_check_signup_hidden_tag' ); add_filter( 'wpmu_validate_user_signup', 'wphc_check_signup_hidden_tag' ); function wphc_check_signup_for_bp(){ global $bp; // get our options $options = wphc_option(); $spam = false; // Check the wphc values against the last five keys $spam = !in_array($_POST["wphc_value"], $options['key']); if($spam){ $options['signups-spam'] = ((int) $options['signups-spam']) + 1; wphc_option($options); $bp->signup->errors['spam'] = __('You did not pass a spam check. Please enable JavaScript in your browser.'); } else { $options['signups-ham'] = ((int) $options['signups-ham']) + 1; wphc_option($options); } } add_action('bp_signup_validate', 'wphc_check_signup_for_bp'); function wphc_error_hook_register_page(){ do_action('bp_spam_errors'); } add_action('bp_before_register_page', 'wphc_error_hook_register_page'); function wphc_check_hidden_tag($comment) { // admins can do what they like if( is_admin() ) return $comment; // get our options $type = $comment['comment_type']; $options = wphc_option(); $spam = false; if($type == "trackback" || $type == "pingback"){ // check the website's IP against the url it's sending as a trackback if($options['validate-ip']){ $server_ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR']; $web_ip = gethostbyname(parse_url($comment['comment_author_url'], PHP_URL_HOST)); $ipv = $server_ip != $web_ip; $spam = $spam || ($ipv); if($options['logging'] && $ipv) $comment['comment_content'] .= "\n\n[WORDPRESS HASHCASH] The comment's server IP (".$server_ip.") doesn't match the" . " comment's URL host IP (".$web_ip.") and so is spam."; } // look for our link in the page itself if(!$spam && $options['validate-url']){ if(!class_exists('Snoopy')) require_once( ABSPATH . WPINC . '/class-snoopy.php' ); $permalink = get_permalink($comment['comment_post_ID']); $permalink = preg_replace('/\/$/', '', $permalink); $snoop = new Snoopy; if (@$snoop->fetchlinks($comment['comment_author_url'])){ $found = false; if( !empty( $snoop->results ) ) { foreach($snoop->results as $url){ $url = preg_replace('/(\/|\/trackback|\/trackback\/)$/', '', $url); if($url == $permalink) $found = true; } } if($options['logging'] && !$found) $comment['comment_content'] .= "\n\n[WORDPRESS HASHCASH] The comment's actual post text did not contain your blog url (".$permalink.") and so is spam."; $spam = $spam || !$found; } else { $spam = true; if($options['logging']) $comment['comment_content'] .= "\n\n[WORDPRESS HASHCASH] Snoopy failed to fetch results for the comment blog url (".$comment['comment_author_url'].") with error '".$snoop->error."' and so is spam."; } } } else { // Check the wphc values against the last five keys $spam = !in_array($_POST["wphc_value"], $options['key']); if($options['logging'] && $spam) $comment['comment_content'] .= "\n\n[WORDPRESS HASHCASH] The poster sent us '".intval($_POST["wphc_value"])." which is not a hashcash value."; } if($spam){ $options['comments-spam'] = ((int) $options['comments-spam']) + 1; wphc_option($options); switch($options['moderation']){ case 'delete': add_filter('comment_post', create_function('$id', 'wp_delete_comment($id); die(\'This comment has been deleted by WP Hashcash\');')); break; case 'akismet': add_filter('pre_comment_approved', create_function('$a', 'return \'spam\';')); break; case 'moderate': default: add_filter('pre_comment_approved', create_function('$a', 'return 0;')); break; } } else { $options['comments-ham'] = ((int) $options['comments-ham']) + 1; wphc_option($options); } return $comment; } add_filter('preprocess_comment', 'wphc_check_hidden_tag'); ?>