pluginkollektiv / antispam-bee

„... another popular solution to fight spam is Antispam Bee“ – Matt Mullenweg, Q&A WordCamp Europe 2014
https://wordpress.org/plugins/antispam-bee/
GNU General Public License v2.0

Hide My WP Ghost - Security Obfuscation #585

Closed DYevseyev closed 4 months ago

DYevseyev commented 5 months ago

Describe the bug: Getting the dreaded "Error: Please type your comment text." This is due to wp-comments-post.php being hard coded in the PHP code. The security plugin I use changes it to whatever I want, such as "x89yh8g1273g48yhj". It's useful because it makes it harder for attackers to find the right string to attack.

To Reproduce: Steps to reproduce the behavior:

  1. Install Hide My WP Ghost
  2. Obscure all the default paths including wp-comments-post.php
  3. Install Antispam Bee
  4. Can't post any comments, get the following: "Error: Please type your comment text."

Expected behavior: I expect to be able to post.

System (please complete the following information):

My original fix for myself: Posted this 1:1 on wordpress.org; hope you can make an option to set a custom wp-comments-post.php.

I wanted to contribute a fix to make this work with the Hide My WP plugin.

  1. Open the zip file using File Explorer (NOT WinRAR).
  2. Copy antispam_bee.php to a local folder.
  3. Modify the "wp-comments-post.php" string: change it to whatever you currently have set under "Custom comment Path:" (I have something like "x89yh8g1273g48yhj"). There are 2 places you need to modify, line 1185 and 1140. This is for version 2.11.6 of Antispam Bee.
  4. Delete the original antispam-bee.2.11.6\antispam-bee\antispam_bee.php.
  5. Put your modified antispam_bee.php in that directory.

No more "Error: Please type your comment text." I hope this helps someone out there :)

2ndkauboy commented 5 months ago

Thanks for your suggestion. I've looked at the plugin and what it tries to do. In the plugin description, I find this line:

Note! No file or directory is physically changed. All the changes are made by server rewrite rules without affecting the SEO or the loading speed.

Why would one need to modify the wp-comments-post.php file then? Are there different ways to change the comments URL? Can you give us a quick step-by-step guide on how to configure the plugin, so we can try to reproduce the issue and maybe add a solution for that?

DYevseyev commented 5 months ago

[image: EXAMPLE_HIDE_MY_WP_GHOST]

This is what I normally do to obfuscate default paths. I'm not sure why it worked, but it made sense in my mind that it would, and it did...

2ndkauboy commented 5 months ago

But you have not renamed the files manually in your file system?

DYevseyev commented 5 months ago

But you have not renamed the files manually in your file system?

I have not renamed the files. Come to think of it, wifey was testing it on the iPhone and her msg came through (BEFORE ANY MODIFICATION), but on desktop I could not send out a message.

Not sure why she was able to but on desktop I was not. The modified code is working quite well, it's blocking all the spam. FINALLY MY INBOX IS CLEAR! I hope you figure this out as I have no clue.

[image: AntiSpamBee_Working]

Zodiac1978 commented 5 months ago

It is on GitHub - this should be the lines: https://github.com/johndarrel/hide-my-wp/blob/dc2b9450c1064ca06a6d0b83434e3879fb4ad822/models/Rewrite.php#L407-L412

Not sure how we should fix it.

Making the "wp-comments-post.php" part filterable? Or should we try to detect the plugin and read the new string from their options if possible? (The last one would mean we need to maintain this part ourselves ...)

@2ndkauboy What do you think?

2ndkauboy commented 5 months ago

I'd like to investigate this code locally. I would say all we can and should do is implement a filter for that part - or write a helper function like is_wp_comments_post() that offers a filter. We should not detect any security plugin specifically, as for one, there are just too many of them, and they could also change their implementation at any point, at which point Antispam Bee would need to adapt.
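The filterable helper discussed in the two comments above, written out as an added example (this is not Antispam Bee's code, and the hook name `antispam_bee_comment_post_paths` and the function names are hypothetical). It assumes a WordPress runtime for `apply_filters`, `add_filter` and `wp_parse_url`. The point it demonstrates is the design choice from the thread: the plugin keeps only a default list of endpoint paths and lets a rewrite plugin register whatever obfuscated slug it actually serves, so Antispam Bee never has to know about any particular security plugin.

```php
<?php
/**
 * Added example, not the project's own code: replace a hard-coded
 * "wp-comments-post.php" comparison with a filterable list of endpoint paths.
 * The filter "antispam_bee_comment_post_paths" is hypothetical.
 */

/**
 * Paths (relative to the site root) that count as the comment endpoint.
 *
 * @return string[]
 */
function asb_example_comment_post_paths() {
	$default = array( 'wp-comments-post.php' );

	// Hypothetical filter: a rewrite plugin appends the slug it serves
	// instead of the default endpoint. Antispam Bee needs no plugin-specific code.
	$paths = apply_filters( 'antispam_bee_comment_post_paths', $default );

	// Normalise: accept only strings, strip leading slashes, drop empties and duplicates.
	$paths = array_filter( (array) $paths, 'is_string' );
	$paths = array_map(
		static function ( $p ) {
			return ltrim( $p, '/' );
		},
		$paths
	);

	return array_values( array_unique( array_filter( $paths ) ) );
}

/**
 * Whether the given request URI targets the comment endpoint.
 *
 * @param string $request_uri Typically $_SERVER['REQUEST_URI']; a query string is allowed.
 * @return bool
 */
function asb_example_is_wp_comments_post( $request_uri ) {
	// Compare the path component only, ignoring the query string and a trailing slash.
	$path = (string) wp_parse_url( $request_uri, PHP_URL_PATH );
	$path = rtrim( $path, '/' );

	foreach ( asb_example_comment_post_paths() as $endpoint ) {
		$needle = '/' . $endpoint;

		// Match the endpoint as the final path segment, so both
		// "/wp-comments-post.php" and "/subdir/wp-comments-post.php" match,
		// while "/wp-comments-post.php.bak" does not.
		if ( substr( $path, -strlen( $needle ) ) === $needle ) {
			return true;
		}
	}

	return false;
}

// How a rewrite plugin would register its obfuscated endpoint
// (the slug is the one quoted in this issue, used here as sample data).
add_filter(
	'antispam_bee_comment_post_paths',
	static function ( $paths ) {
		$paths[] = 'x89yh8g1273g48yhj';
		return $paths;
	}
);

// Usage inside the request handler, in place of a literal string comparison:
// if ( asb_example_is_wp_comments_post( $_SERVER['REQUEST_URI'] ) ) { ... }
```

With this shape, the default behaviour is unchanged for sites without a rewrite plugin, and a plugin that rewrites the endpoint only has to add one filter callback; nothing in Antispam Bee needs to read another plugin's options.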

Zodiac1978 commented 5 months ago

A filter for this request path could maybe also help us better support AJAX comments.

See my comment here: https://github.com/pluginkollektiv/antispam-bee/issues/149#issuecomment-1870265781