Epilogue: WordPress Plugins

Time to whinge again. This time I’ll deal with the only two other plugins I decided to use with this installation of WordPress and how they fared.

Recaptcha

I used to think it was a cause worth supporting: Get some people to decipher some blurry scanned-in text and help digitise our cultural heritage.

This is how Recaptcha is meant to work: To stop spammers, a visual (or auditory) task has to be solved. Two barely legible words are presented, and the human (but supposedly not the bot) can read them and type them in to gain access to the Captcha-protected site. Recaptcha knows what one of the words is and takes your word for what the second one is, and therein lies the problem. To pass the Captcha, only the known word needs to be right; if the bot gets that one wrong, this poses no problem at all to it: it just tries again. Nowadays OCR can solve at least half of the Captcha tasks, and that makes it useless as protection against bots.

Bad Behavior

This plugin is also meant as protection against bots. The only problem is that it relies on assumptions about bot behaviour that may or may not be plausible.

For example, when a search engine pulls up to your site, its programmers can be expected to have made it tell your site what kinds of data it is prepared to accept. In technical terms this is the “Accept:” header, and it says something like: give me only text or HTML, or if there are images, only JPGs. An evil bot, on the other hand, will just say “give me all your files” and thus won’t send an accept header, in the hope that it will receive some compromising data. In theory.

Practically, the accept header is old hat. Most servers are so secure that they won’t hand over compromising data. I have identified many a lawful search engine not sending an accept header; its value for discriminating between good and evil is close to zero.

One good thing that this plugin might do is to stop trackbacks, i.e. those messages from another website saying, “We mentioned your blog on our site”, but which in reality are just spam from the handbag crowd. These don’t get published on this blog in any case; there would be easy ways of identifying faux trackbacks, even if you did want to have them published on your site (check to see whether the site purportedly making the trackback mentions your site, or even exists at all – I’ve seen at least one genius with trackbacks to nonexistent sites – get your head around that!).
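The trackback check suggested above, sketched as an added example (not code from WordPress or from the Bad Behavior plugin). It assumes that "mentions your site" means the source page contains a link to the target post; the function names and the example.* URLs are made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
from urllib.request import urlopen


class _LinkCollector(HTMLParser):
    """Collects the absolute targets of all <a href> links on a page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(urljoin(self.base_url, href))


def _normalise(url):
    """Lower-cased host without a leading www., and path without trailing slash."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host, parts.path.rstrip("/")


def http_fetch(url, timeout=5, limit=512 * 1024):
    """Default fetcher: returns at most `limit` bytes of the page as text."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read(limit).decode("utf-8", errors="replace")


def verify_trackback(source_url, target_url, fetch=http_fetch):
    """Return (accepted, reason) for a trackback claiming source links to target."""
    if urlsplit(source_url).scheme not in ("http", "https"):
        return False, "unsupported scheme"
    try:
        html = fetch(source_url)
    except (OSError, ValueError):  # DNS failure, refused connection, 404, bad URL
        return False, "source unreachable"
    collector = _LinkCollector(source_url)
    collector.feed(html)
    wanted = _normalise(target_url)
    if any(_normalise(link) == wanted for link in collector.links):
        return True, "source links to target"
    return False, "no link to target"
```

The default fetcher requests whatever URL the trackback sender supplies, so a production version should also refuse sources that resolve to internal addresses.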

All in all not worth the $2.99 it constantly begs for, but quite amusing to see some poor search engine looking for my articles on the SpotTracker repeatedly being refused entry for not having a tie on. Go figure.
