wordpress

Blog post id enumeration can lead to unwanted information disclosure

With the rampant speculation there will be a new Raspberry Pi model released next week, I was wondering if the official Raspberry Pi blog might reveal anything of interest; they just posted a Four Years of Pi blog post on the 26th, which highlighted the past four years, and mentioned the excitement surrounding 4th anniversary of Pi sales, coming up on February 29th, 2016.

Glancing at the blog's source, I noticed it looks like a Wordpress blog (using httpie on the cli):

$ http https://www.raspberrypi.org/blog/four-years-of-pi/ | grep generator
<meta name="generator" content="WordPress 4.4.2" />

Having set up a few WP sites in the past, I knew there was a simple way to load content by its ID, using a URL in the form:

Questions about Wordpress

Having been away from the WordPress scene since version 2.x days (I think the last time I launched a WordPress website was around 2009), I recently had reason to develop some WordPress plugins, and I wanted to ask some questions about the WordPress coding standards and API that I hope will help enlighten me (and, maybe, other PHP developers coming from other frameworks/platforms to WordPress).

Here are some questions I've had while working on my first WordPress plugin (coming purely from the development side—I'm deliberately ignoring any mention of WordPress's UI, as I don't want to inspire any trolling along the lines of 'WordPress vs. [Another CMS]'):

Preventing Form Spam

Spam email folder - Gmail interface

There are many different techniques for preventing form spam on your website, and an important component of the battle against spam is your constant struggle between giving your 'real' users a good experience while preventing spammers and automated bots from spamming you and lowering the quality of the content on your website.

A Constant User-Experience Battle

Usually, the first thing someone will do after having trouble fighting spammers by manual comment/content moderation is place a complex CAPTCHA system on their forms. Something like this:

Spam CAPTCHA text difficult to read