After examining how this plugin worked, it became rather obvious that it was pretty much useless. The plugin always performs addition and the two numbers to be added are there in the form with very recognizable field names and, well, it does have “X + Y” within the form text. A bot that knows how this plugin works and the field names it uses could easily parse the form’s contents to get the two numbers, add them together, and then supply the answer using an obviously known POST variable name. In fact, because the plugin adds the numbers that are submitted to it by the form, the bots can simply supply their own arguments for the plugin to use. All it has to do is use the correct POST field names. Since this is an established plugin on the WordPress site, I’m sure the blog spammers have learned to expect this plugin to be in use on WordPress blogs and have written their code to effectively get around it.

The solution that I wanted to use, which I do with my guest book on my main website, is to store the answer and/or the arguments on the server, such as in a session variable because these values are only known to the scripts running on the server; however, the way the plugin is written (or WordPress itself), the function that sets up the form is some how executed more than once when viewing a post thereby causing the values to change from what is presented on the form itself. Maybe it’s related to this theme’s possibility of having nested comments. This may explain why they perform the math on the values sent in by the form itself. So, what I did was to simply change the field names that it used to some random things I thought of to throw the bot’s parsing or string searching and posting functions off.

This has appeared to do the trick as I can now see spam attacks in my latest visitors log at my webhost resulting in 403 errors that this plugin generates on a failed response. This also proves that these attacks are coming from bots and not humans putting in the answers.

To make this change yourself, edit the /wp-content/plugins/block-spam-by-math/block-spam-by-math.php file and look for function add_hidden_fields() and function check_hidden_fields() and simply change the corresponding name and $_POST[] variables it uses:

      function add_hidden_fields() {
         $mathvalue0 = rand(2, 15);
         $mathvalue1 = rand(2, 15);
         echo '<div><b>IMPORTANT!</b> To be able to proceed, you need to solve the following simple math (so we know that you are a human) :-) ';
         echo "What is $mathvalue0 + $mathvalue1 ?";
         echo '<input type="text" name="changeme2" value="" />';
         echo '</div>';
         echo '<div style="display:none">Please leave these two fields as-is: ';
         echo "<input type='text' name='changeme0' value='$mathvalue0' />";
         echo "<input type='text' name='changeme1' value='$mathvalue1' />";
         echo '</div>';
      }
 
      // Check for hidden fields and wp_die() in case of error
      function check_hidden_fields() {
         // Get values from POST data
         $val0 = '';
         $val1 = '';
         $val2 = '';
         if ( isset( $_POST['changeme0'] ) ) {
            $val0 = $_POST['changeme0'];
         }
         if ( isset( $_POST['changeme1'] ) ) {
            $val1 = $_POST['changeme1'];
         }
         if ( isset( $_POST['changeme2'] ) ) {
            $val2 = $_POST['changeme2'];
         }
 
         // Check values
         if ( ( $val0 == '' ) || ( $val1 == '' ) || ( intval($val2) != (intval($val0) + ntval($val1)) ) ) {
            // Die and return error 403 Forbidden
            wp_die( 'Bye Bye, SPAMBOT!', '403 Forbidden', array( 'response' => 403 ) );
         }
      }

In the code above you want to change the changemeX items. The original code and my new code has something other than what is shown here. To be even sneakier you could change them once a week or however often and there’s no need for them to be the same thing with 0, 1, and 2 after them. They just have to match each other in the functions. As I’m sitting here typing this, I just had another idea to try. Anyway, hopefully this well help cut down some of the automated comment spam attacks.

// Server detection
 
/**
 * Whether the server software is Apache or something else
 * @global bool $is_apache
 */
//$is_apache = ((strpos($_SERVER['SERVER_SOFTWARE'], 'Apache') !== false) || (strpos($_SERVER['SERVER_SOFTWARE'], 'LiteSpeed') !== false)) ? true : false;
$is_apache = true;
/**
 * Whether the server software is IIS or something else
 * @global bool $is_IIS
 */
$is_IIS = (strpos($_SERVER['SERVER_SOFTWARE'], 'Microsoft-IIS') !== false) ? true : false;

I also had to edit the /wp-login.php file and add session_start(); at the beginning for the Register Plus plug-in to work properly as PHP sessions are not automatically started at my webhost (I could make them auto-start if I wanted but I’d rather have control of it via my scripts):

session_start();
/**
 * WordPress User Page

Now I could have stopped here; however, I wanted to use the new default WordPress theme, Twenty Ten which had a wider footprint and additional functionality beyond the previous default theme. I also figured it would be the most stable and up-to-date theme to work with the new WordPress version.  I made of a copy of the theme and placed it into its own directory, giving it my own name.

Since this was a new theme, I had to modify some of the PHP files to add my custom code. All I really had to do was add a JavaScript code snippet to the /mytheme/header.php file that some of my archived pages use to show and hide parts of their content. I also had to add a piece of code to the /mytheme/comments.php file for the Math Comment Spam Protection plugin to function; however, this theme’s coding of the comment form was much different and from what I could tell would have to do a lot of hacking around with the code to get it to work. So, I decided to look for something else. I came across the Block-Spam-By-Math plugin. This one worked with the new theme and I didn’t have to add any additional code anywhere to make it work! During this time frame where I did not have a functioning Math protection plugin, Akismet caught around 55 spam comments! This was in less than a day and a half. Since adding in the new plugin, Akismet has only seen one new spam comment. This just proves how many spam comments a plugin like this will stop.

At this stage all I’m really doing is playing around with CSS styles to get the blog to appear how I want. This is where things like Firebug for Firefox come in real handy by telling me where an element is getting its style from. It will tell you about the element’s inheritance, which file(s) contain the CSS, and the line numbers within those files. By the way, I found the CSS Tutorials at W3Schools to be rather helpful in testing out various font-size and line-height combinations which this theme seems to use heavily. I may change its use of fixed pixel sized line-heights in favor of relative values so that they scale properly with changes in font size, we’ll see.

Before I close and while there’s still 30 minutes left in the day, I just wanted to wish my dad and all the other dads out there a Happy Father’s Day!!

I decided to do it this way rather than using the plug-in to exclude the category from “single posts” as that would prevent the ability view the post individually (it causes a 404 error to be generated).

Now, the Daily Tweets will not get in the way of browsing the normal posts on my blog.

// Server detection
 
/**
 * Whether the server software is Apache or something else
 * @global bool $is_apache
 */
//$is_apache = ((strpos($_SERVER['SERVER_SOFTWARE'], 'Apache') !== false) || (strpos($_SERVER['SERVER_SOFTWARE'], 'LiteSpeed') !== false)) ? true : false;
$is_apache = true;
/**
 * Whether the server software is IIS or something else
 * @global bool $is_IIS
 */
$is_IIS = (strpos($_SERVER['SERVER_SOFTWARE'], 'Microsoft-IIS') !== false) ? true : false;

I also had to edit the /wp-login.php file and add session_start(); at the beginning for the Register Plus plug-in to work properly as PHP sessions are not automatically started:

session_start();
/**
 * WordPress User Page

Other than the modifications above, which I have always had to do, the upgrade went smoothly.

Of course, I did perform a complete database and file backup before upgrading!

// Server detection
 
/**
 * Whether the server software is Apache or something else
 * @global bool $is_apache
 */
//$is_apache = ((strpos($_SERVER['SERVER_SOFTWARE'], 'Apache') !== false) || (strpos($_SERVER['SERVER_SOFTWARE'], 'LiteSpeed') !== false)) ? true : false;
$is_apache = true;
/**
 * Whether the server software is IIS or something else
 * @global bool $is_IIS
 */
$is_IIS = (strpos($_SERVER['SERVER_SOFTWARE'], 'Microsoft-IIS') !== false) ? true : false;

Other than the modification to vars.php which I have always had to do, the upgrade went smoothly.

Of course, I did perform a complete database and file backup before upgrading!