Herself’s Webtools

Since getting hacked last month I’ve seriously tightened up security. But it would be nice to stop attempts before they even get to the website. That is what Bad Behavior tries to do. It is a plugin that should work with just about any php based content management system.

Bad Behavior for WordPress and most other popular CMS
Bad Behavior Coppermine Plugin

Bad Behavior is completely different from any other anti-spam solution out there, in that it doesn’t specifically target spam itself. Rather, it targets the methods by which the spam is delivered. Until I released the first version in 2005, this approach had never been tried. It proved very effective at stopping a lot of malicious activity, not just spam: It also blocks many email address harvesters, meaning less e-mail spam, and some types of automated cracking attempts, improving your server’s security.

While a somewhat similar solution called mod_security exists, it has a rather different purpose, doesn’t target spam, and regular people can’t install mod_security on their shared web hosting accounts. Bad Behavior blocks spam as well as other malicious activity and can be installed by anyone.

On some high traffic sites, or those specifically targeted by spammers, the traffic from these spam attacks can be so excessive as to exceed your account’s bandwidth limits, or overload the server, and cause your account to be suspended. Bad Behavior helps to prevent both of these situations by blocking malicious activity as soon as possible, before either bandwidth or CPU are expended on a request which will turn out to be bogus.

It’s not the only tool you need but it is a great front line defense. The workings are straight forward; first BB checks the white list, then a known list of bad ips are checked, then bad user agents, then corrupted user agents. If POST is done instead of GET more tests are run. The author claims it runs by ‘black magic’. Looking at the simplicity of the code I have to say that is a good description.

You’ll also want the BB log reader for WordPress so you can see what Bad Behavior has been doing.

I found most of the bounces I had were from known trouble makers or browsers whose headers did not match what was expected of a particular browser.

I also found that BadBehavior gave a fair number of false positives. This doesn’t bother me so much on the Coppermine sites but it is one of the reasons I wrote the TTC Security plugin for Wordpress.. The second reason is that it is not easy for the user to change the criteria. I made this easy to do on the TTC Security plugin. So if those are important use the TTC security plugin, if not, use BadBehavior but use something. It also slows down posting a great deal. On the flip side it is quite a bit stricter than my plugin.