Bad Behavior Behaving Badly
by Scott Allen - December 6, 2007
Filed Under Blogging, Website Security
Tonight, I was locked out of the WordPress blogs I manage, along with most other site-owners who have the Bad Behavior plugin installed. I was greeted with a standard Bad Behavior message informing me that my IP address was blacklisted. It included a link with the usual fix-it-yourself key, and a link to my email address. On the linked fix-it-yourself page, there really was nothing you could do to fix the problem, and I was further informed that my IP address was tied to criminal activity, or possibly that there were viruses on my computer. (Wow, good to know. As soon as I finish this post, I’ll be sure to take a sledgehammer to my computer to stop all the criminal activity it’s engaged in.) It’s a little disturbing to see this on your own blog(s), when you are the author, and you know for a fact that your IP is neither blacklisted nor associated with criminal behavior. Until today, I really liked this plugin, but this demonstrated a serious flaw in the software, and it will be disabled pending further review.
This was no minor glitch, and something like this could have serious consequences for websites and businesses. If left unattended in this state for a long time, a site could lose valuable search engine rankings, after the spiders of the Big 3 (Google, Yahoo, and MSN) find that they are locked out repeatedly with 403 errors. It’s most likely that these losses would be temporary, but there’s no guarantee, and by that point the damage is done.
A colleague and friend of mine pointed out that there was a recent blog post on the Bad Behavior site with an update for the plugin and this brief explanation:
All users should update to Bad Behavior 2.0.11 immediately to prevent being blocked from your own site.
Within the past two days users have found themselves blocked from their own sites while using recent versions of Bad Behavior. A third party blacklist which Bad Behavior queries recently began sending false positives for any IP address queried, causing everyone using Bad Behavior to be blocked. This issue is fixed in Bad Behavior 2.0.11.
Download Bad Behavior 2.0.11 now!
P.S. Yes, Bad Behavior is still in development. More news coming soon.
Update: Some people have asked for more details on what exactly happened. In brief, yesterday I moved all of my sites to a new dedicated server. In the process, I decommissioned an old blacklist I was running which I thought wasn’t being used, not realizing that Bad Behavior was still set to use it. Shortly afterward, I found myself locked out of my own blog, just as you all did. So therefore, this release.
Needless to say, this didn’t exactly alleviate my concerns, or inspire me to install the update (2.0.11), especially after reading about the author’s carelessness. To be fair, I do give credit to the author for responding relatively quickly and releasing an update, but it still is alarming. Who knows when the same thing will happen again, and take down everyone’s sites? In my opinion, the plugin itself has become a risk (ironically). I’ll be following further development progress, but for now, the plugin will be removed from all sites we have that use it, and I’d recommend others do the same, until its stability can be re-established.
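The failure quoted above (a blacklist that answers positively for any IP address queried) can be caught before it blocks anyone. The sketch below is an added example, not code from this post or from Bad Behavior. It assumes the blacklist is DNS-based (the post does not say), checks the RFC 5782 test entries, and fails open; the zone name, function names and sample addresses are constructed.

```python
import ipaddress
import socket

# Assumption: a DNS-based list queried as <reversed-ipv4>.<zone>.
ZONE = "dnsbl.example.org"  # placeholder zone, not a real service
LISTING_NET = ipaddress.ip_network("127.0.0.0/8")

def dns_lookup(name):
    """Return the A record for name, or None when nothing resolves."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def is_listed(ip, zone, resolve):
    """True only if the zone answers for ip with a 127.0.0.0/8 code."""
    name = ".".join(reversed(ip.split("."))) + "." + zone
    answer = resolve(name)
    if answer is None:
        return False
    try:
        return ipaddress.ip_address(answer) in LISTING_NET
    except ValueError:
        return False

def zone_is_sane(zone, resolve):
    """RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must not."""
    return (is_listed("127.0.0.2", zone, resolve)
            and not is_listed("127.0.0.1", zone, resolve))

def should_block(ip, zone=ZONE, resolve=dns_lookup):
    """Fail open: ignore a list that is dead or lists everything."""
    if not zone_is_sane(zone, resolve):
        return False
    return is_listed(ip, zone, resolve)

# Constructed resolvers standing in for live DNS, so this runs offline.
def healthy(name):
    listed = {"2.0.0.127." + ZONE, "7.113.0.203." + ZONE}
    return "127.0.0.2" if name in listed else None

def repointed(name):
    # Decommissioned zone whose names all resolve to some web server.
    return "198.51.100.10"

def lists_everything(name):
    # Zone that returns a listing code for every query.
    return "127.0.0.2"
```

In production the result of `zone_is_sane` would be cached for a few minutes rather than recomputed on every request.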
Tags:
Bad Behavior | WebGeek
Comments
5 Responses to “Bad Behavior Behaving Badly”
[...] posts on “Bad Behavior Behaving Badly“: This was no minor glitch, and something like this could have serious consequences for [...]
I hate to see others having problems but my initial reaction was BWAHAHAHAHAHA!
Have you looked at how Bad Behavior validated actual bots such as Google and Yahoo?
I would never run that code.
@IncrediBILL:
LOL. I hadn’t, until your comment. WOW, that IS bad. I’ll be changing my recommendation to NEVER INSTALL BB.
Well, get CrawlWall launched so we can buy it! I’ll be your biggest promoter. (BTW…where’s my beta tester copy?)
I’ll tell you a little secret, OK, it’s on a blog so how secret is this going to be?
My wife really didn’t want me to release the damn thing until I got past some medical stuff, for a variety of reasons, which are all behind me after next week,
Yes, it’s been a long time coming, but so has the medical nonsense, long story….
No worries. Glad all that is out of the way for you. There’s always challenges, eh? I’m just looking forward to checking it out!