diego sevilla’s weblog
it is better to remain silent and be thought a fool,
than to open your mouth and remove all doubt -- groucho marx


WP-Morph 1.1

Filed under: english, español, blogging, código/code — Diego Sevilla @ 21:35 — In English

Update: Version 1.2 is out

(English version below)

*LEEME de WP-Morph*

WP-Morph es un plugin anti-spam para WordPress. Características:

* No requiere de ningún “capcha”. El usuario no tiene que introducir
ningún código extraño ni se entera de nada del proceso.
* Se requiere JavaScript en el browser.
* Los spammers tendran que interpretar el código JavaScript de la
página para poder enviar comentarios. Hasta ahroa no conozco a
ningún programa spammer que haya sido capaz de interpretar también
el código JavaScript de la página.


* Descarga la última versión del plugin de aquí
* Edita las líneas siguientes de wp-morph.php y pon un número al azar. Es importante que ese número sea diferente, ya que ser el secreto de tu sitio web que los spammers no sabrán:

////// Config values:
// * rnd_val is an integer greater than 0 and less than 1,000,000
// * form_valid_minutes is the number of minutes that the form is valid
//                      since the form appears in the screen till the user
//                      pushes the "submit" button. (15 minutes by default).
$rnd_val = xxxx;
$form_valid_minutes = 15;
////// End of config values.

* Copia wp-morph.php en el directorio de plugins de WordPress (normalmente WP-ROOT/wp-content/plugins/ ).
* Ve al menú “Plugins” de la administración de WordPress.
* Activa el plugin “WP-Morph”.

*Change Log*


* Generación de valores mejorada. Ahora los formulario expiran después de un número de minutos configurado por parte del usuario del plugin.
* Muestra que el formulario está protegido por WP-Morph.


* Versión inicial.

*(English version)*

*README for WP-Morph*

WP-Morph is an anti-spam plugin for WordPress. Features:

* No capcha. The user don’t have to enter any additional code.
* JavaScript support required in the browser.
* Spammers would have to interpret the JavaScript in the page to be able to submit comments. As far as I know, no one spammer in the world process a page including the JavaScript.


* Download the lattest version of the plugin from here.
* Edit the following lines (in wp-morph.php) to put a random value of your own:

////// Config values:
// * rnd_val is an integer greater than 0 and less than 1,000,000
// * form_valid_minutes is the number of minutes that the form is valid
//                      since the form appears in the screen till the user
//                      pushes the "submit" button. (15 minutes by default).
$rnd_val = xxxx;
$form_valid_minutes = 15;
////// End of config values.

* Copy wp-morph.php in the WordPress plugin directory (normally WP-ROOT/wp-content/plugins/ ).
* Go to the “Plugins” menu of the WordPress Admin console.
* Activate the “WP-Morph” plugin.

That’s it!! Bye, bye, spam!!

*Change Log*


* Improved the generation of the values. Now forms expire at some user-configured time.
* Show that the form is protected using WP-Morph.


* Initial release.


  1. There’s one thing that initially bothers me, and that is that you compare md5(calc_value + some secret number + 15 minutes) with md5($_POST[’result_md5′]). So, if I were going to try and beat this, I can set an arbitrary calc_value and minutes value. Then, the only thing holding it back is the secret number, which you know most users are not going to change from the default, in which case all default instances are compromised.

    Of course, this is assuming that spammers are fairly smart, determined, and targeting WP-Morph, which is pretty unlikely.

    Comment by Elliott Bäck — 16/5/2005 @ 22:19

  2. This might make it a bit clearer: don’t trust user input. Don’t compare the md5 that the form is giving you with another POST field, because it’s easy enough for me to just send you one or the other…

    Comment by Elliott Bäck — 16/5/2005 @ 22:23

  3. Elliott,

    Yes, you’re completely right. I know what are you meaning here. I think I forgot to change the key in the repository. I was planning to put an invalid value on the random value, as it’s true most users won’t change the default value. Thanks for pointing this. I’ll change it right now.

    As for using user-provided values, you’re also right. I shouldn’t trust them. However, if we assume that the random value is *actually* secret, then I can trust it with a degree of confidenciality.

    As you say, the level of protection get paired to the effort spammers would put in a given plugin :) I don’t think either that any spammer would target WP-Morph :)

    Thanks again for your insights!

    Comment by dsevilla — 16/5/2005 @ 22:36

  4. Diego, it would be could if no editing were required for your plugin to work. To do so, try this:

    $rnd_val = get_option(’wp_morph_seed’);
    $rnd_val_last_updated = get_options(’wp_morph_seed_last_updated’);
    if ( /* no seed or seed timeout*/ )
    // generate a random seed
    update_option(’wp_morph_seed’, $rnd_val);
    update_option(’wp_morph_seed_last_updated’, time());

    Comment by Denis de Bernardy — 16/5/2005 @ 22:57

  5. Denis:

    Wow, thanks for the idea. I’m not very familiar with wordpress options. May I assume that this options are stored in WordPress’s own database? Then these values will live per-installation, right? Yes, that would be a perfect solution to avoid spammers infer the random value, and not forcing the users to select a random value… I’ll change this ASAP.


    Comment by dsevilla — 16/5/2005 @ 23:05

  6. Another thing you could do is change the way the plugin works with $form_valid_minutes.

    as a temporary fix, to make it ‘more’ wp-cache compatible, I suggest you force it to be equal to $cache_max_time when the latter exists. but this is not enough. since several users will be served the same page when wp-cache enabled, the same key could be used by several users who comment. thus, your plugin needs to manage this, if this isn’t the case already.

    Comment by Denis de Bernardy — 16/5/2005 @ 23:13

  7. Denis,

    Yes, this is a nice idea too. I have to check wp-cache too, because I’m not familiar with it either. I’m relatively new to WP and PHP. I think the plugin would work well even with wp-cache enabled, as the page loads are idempotent (giving that the cache time is synchronized between wp-cache and wp-morph). In fact, I introduced form expiration based in time because I had no way of storing a different (and changing) random key. With the option idea you gave me, I don’t even think the expiration is necessary. I have to think it twice.

    Really thanks for the advice.

    Comment by dsevilla — 16/5/2005 @ 23:25

  8. One last suggestion: it is that you remove the link to WP-Morph. I’ve received several hate mails as of today because of web sites that were using my theme with a link to my site on it. I imagine you’ll get even more of the same. :D

    Comment by Denis de Bernardy — 17/5/2005 @ 11:09

  9. Denis:

    You’re again right. I’ll drop the publicity from the plugin. And when I have time I’ll add the option support. I’m just very busy right now. However, I won’t bump the version number till I study how does it work with the WP-Cache plugin…


    Comment by dsevilla — 17/5/2005 @ 14:47

  10. Yikes! I got a ‘Spammer, go home’ on my very own blog. I trust this comes from wp-morph and wp-cache interacting together. :)

    Comment by Denis de Bernardy — 17/5/2005 @ 22:56

  11. Mmm… Denis. You put form minutes variable to $cache_max _time + 15? or something similar? I’m sorry this is causing you interactivity problems in your Weblog. Wow. I didn’t know you have WP-Morph installed. I still haven’t tested it against WP-Cache.

    However, the thing seem to be easy: it’s just a matter of time. I _think_ that adjusting the form valid minutes variable within the Morph plugin will suffice to not to obtain those messages.

    Once again, sorry about the problems. I’m rather busy by my real work out here. I’ll try to dedicate a little more time to the plugin.

    Best regards,

    Comment by dsevilla — 17/5/2005 @ 23:19

  12. Nice site!

    Comment by Nik — 13/2/2006 @ 22:00

RSS feed for comments on this post. TrackBack URI

Leave a comment

Line and paragraph breaks automatic, e-mail address never displayed, HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>

Anti-Spam by WP-Morph 

Creative Commons License
This work is licensed under a Creative Commons License.
EWWV  AWStats  Site Meter 24 queries. 0.088 seconds. Powered by WordPress
406022 email messages processed in this box. 10858 were spam