I have spent a few hours been chasing the bug that has been causing people to go into moderation automatically. Found it, killed it, and I thought I’d share it with you.
It was in Wordfence, a great security program for the site. Essentially it is one of the main plugins to block out irritating behaviours by bots treating the site as their own personal space. Because there are a lot of bots running around the net probing for security holes, reading content, and generally being a pain in the arse when trying to predict the computing resources required to operate the site.
Since we run the site on less than $300 per month funded by voluntary welcome donations (see here), I spend a lot of time keeping robot free loaders out of the site.
Our direct1 human traffic this year is about 80 gigabytes per month to mainly NZ resident humans. Our welcome and expected2 bot traffic averages about 150 gigabytes of traffic per month. And we routinely provide about another 70-80 gigabytes of traffic to various bots who follow our rules.
Otherwise we’d have to provide systems that are capable of handling many times our legitimate traffic.
But there are other rules in the system designed to block bots and humans from trying to take over our site and use it for purposes nefarious – like spam and free advertising. A lot of those are focused around getting logins as admins and authors, or placing comments as new or existing commenters on the site. These are known as spambots.
So Wordfence and other systems provide preventative measures for those as well. Some of the Wordfence security options are here
One of the reasons3 that we have run this site for many years without requiring logins is because it removes a major potential security issue. These days the only logins in active use are those of the authors and a few people who got them before I turned off access to obtaining them in 2011.
We handle robots leaving spam comments with some subtle programs that bank on human vs robot behaviours. The odd robot spam or troll that gets past those has to have an approved comment by a moderator before they can post freely.
However there are the odd persons who leave comments purporting to be by other people. Usually we know because of gravator differences because they have the wrong ’email’.
And then there is this behaviour that Wordfence protects against.
Hold anonymous comments using member emails for moderation
In WordPress it’s possible for someone who is not a member on your website to post a comment and to specify an email address of a real member on your site. This behavior is suspicious and may be incorporated into a more sophisticated attack. So we suggest that you leave this option enabled which will hold those comments for moderation before they’re published.
Thats ok – good security. It isn’t particularly relevant to our site however. Many of our authors comment without logging in because it is faster. Not having a special page generated for you is a whole lot slower than getting a cached page (apart from the replies tab). Our longer term commenters who have actual logins have mostly long since forgotten their passwords 🙂
I never noticed this option. It was added in an upgrade after I did the Wordfence setup years ago. It was off by default as are all new features. And it never got triggered when I did plugin upgrade testing.
However somehow this one button amonst the hundreds that control this site turned on and caused a week of nuisance for moderators and commenters ! ^&*%^*^%&%^$$!!!!!
Looking at the errors at wordfence, I see this.
We have released a fix that addresses a bug introduced with the release that went out 15 hours ago. The issue is that if a Wordfence options checkbox is unchecked and is different from the default setting, the release resets the Wordfence setting to the default setting of checked.
Arggghhhhh… The joys of upgrades and testing..