Closed jenstornell closed 7 years ago
The plugin requires a unique session ID for submitting a comment, for which you have to request a new form. This does slow bots down. Implementing a temporary IP block-list would add to the plugin's bot protection, but if someone is trying to attack you, limiting the bot comments to 10 comments a day is still annoying and the plugin still has to do a lot of work handling the blocking process. If an IP is attacking your site, the best course of action is to block this IP on the server level.
Then the question is if an IP protection is still a good idea or if session ID is enough? Maybe just have an option to block IPs manually from an array.
Blocking IPs manually makes a lot more sense to me, but if someone is attacking the comments, why not block them on the server level? They are clearly not interested in buying your product/reading your blog.
Ahh, you mean with htaccess like this:
http://www.htaccess-guide.com/deny-visitors-by-ip-address/
That makes total sense. Coming from the WordPress world, I'm a bit blinded by old habits. Maybe add something about this in the docs (for others like me):
This plugin does not block comments by IP. Instead of preventing bots from accessing your comments, block them from your site completely, in your htaccess file like this: [...]
There does not seem to be an IP protection of some kind to prevent spam. If someone breaks the honeypot, would it be open for 1000+ spam comments?
Max 5 comments with the same IP on 10 posts on each day could be a solution. It should be optional if implemented, both to turn on/off and how many to allow before blocked.
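
Added example, not part of the thread or the plugin's documentation: the server-level block discussed above, written as an `.htaccess` fragment in Apache 2.4 syntax. The addresses are constructed values from the reserved documentation ranges, and the fragment assumes the host permits `AuthConfig` overrides in `.htaccess`.

```apache
# .htaccess in the site root (Apache 2.4, mod_authz_core).
# Requires "AllowOverride AuthConfig" (or All) for this directory;
# without it Apache ignores or rejects these directives.

<RequireAll>
    # Everyone is allowed by default...
    Require all granted

    # ...except the sources listed here. Constructed sample values
    # from the documentation ranges; replace with the offending IPs.
    Require not ip 203.0.113.45
    Require not ip 198.51.100.0/24
</RequireAll>

# Caveat: Apache matches on the address of the TCP peer. Behind a
# reverse proxy, load balancer or CDN that peer is the proxy, so the
# rule above would either never match or block every visitor. In that
# setup, block at the proxy, or have the server administrator enable
# mod_remoteip in the main server config so the real client address
# is restored before authorization runs.
```

Blocked clients receive a 403 before any PHP runs, so the plugin never has to generate a form or a session for them.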