Skip to:
Content

bbPress.org

Opened 9 years ago

Last modified 4 years ago

#2755 assigned defect (bug)

Banning

Reported by: netweb's profile netweb Owned by: johnjamesjacoby's profile johnjamesjacoby
Milestone: Under Consideration Priority: normal
Severity: normal Version:
Component: API - Moderation Keywords: 2nd-opinion
Cc: jjjay@…, pericam@…

Description

I saw a review of the plugin Thoughtful Comments on WP Tavern

A couple of the capabilities stood out that we currently do not offer, but could:

  • Delete and Ban IP
  • Delete Thread and Ban IP

When spamming a topic or reply we could add the IP to the banned list, though I think this might be "too heavy handed" behaviour by default.

Thinking a link for moderators/keymasters (maybe only keymasters) under the IP address of the topic/reply to ban said IP. Clicking said link would ban the IP and change all topic/reply statuses to spam.

Change History (28)

#1 @douglsmith
9 years ago

This would be very useful.

Clicking said link would ban the IP and change all topic/reply statuses to spam.

When you say "statuses" (plural) are you saying it would mark other messages with the same IP too, or something else?

#2 follow-up: @johnjamesjacoby
9 years ago

  • Milestone changed from Future Release to Under Consideration

That's interesting. The one gotcha is shared IPs (think cafes or campuses) where there's no way to know what is being blocked.

I agree that our moderation abilities should be improved with better connectivity between user and content actions. Something along the lines of: if user only has 1 topic and its manually marked as spam, also mark the user as spam.

Historically though, we've shyed away from these types of decisions since the tools are often misused and cause issues in multi-network or shared user table installations. On WordPress.org, marking a user as spam means disabling their account across the entire installation, but maybe they are only being a jerk in 1 forum or on 1 site. Does that warrant a spam status? I don't think our current tools do a good job communicating the repercussions of the actions they are connected to.

#3 follow-up: @tharsheblows
9 years ago

I've had this box open for ages and have just read jjj's and agree with it, especially this:

I don't think our current tools do a good job communicating the repercussions of the actions they are connected to.

I've thought about this type of thing a lot. I ban by IP it only very very occasionally for the reasons JJJ mentioned and when I do, I almost always need to ban a range of IPs (like nn.mm.*.*)

However, when it comes to spammers - in particular, people who have signed up simply to add affiliate or business links to the forum - I spam all their posts and then block the user loads. I also add a key phrase to the moderation list in settings -> discussion but always with a slight sense of dread as I know one of these days I'm going to put something in there that moves all posts to moderation. (I can't use akismet because it thinks the whole forum is spam. Let's not go there.)

One plugin that helps is the unmaintained https://wordpress.org/plugins/stop-spammer-registrations-plugin/ I'd like to be able to contribute to the Stop Forum Spam database but our privacy policy doesn't allow it - I'm based in the UK and am almost certain that it'd be against data protection rules to add stuff to it.

Anyway, I'd find an in depth discussion of how people deal with spam useful at some point. What did you do when bbPress and BuddyPress got hit? I have a feeling this is somewhat forum dependent but think everyone probably deals with people registering with the sole intent to add affiliate links ("clickbank" catches a lot for me) or promote their business.

#4 @tharsheblows
9 years ago

  • Cc jjjay@… added

#5 follow-up: @douglsmith
9 years ago

I have the pleasure of a forum where the participants are almost always well behaved. So it's rare that I would mark a real user's post as spam. For me, it's mostly about drive-by spammers who register accounts just to post something shady or attempt to build links. In those cases, I mark the message as spam so Akismet can learn from it, delete any legitimate replies (i.e., users saying they reported the spam to the admins), then delete the offending user's account.

#6 follow-up: @jeffr0
9 years ago

That's interesting you created this ticket as I was thinking how seeing the frontend comment moderation links reminded me of forums. After reading @jjj reply on banning account would ban them across the entire network of sites, that's not good. Thanks for at least considering that it would be neat to see similar tools like this in bbPress.

#7 in reply to: ↑ 2 @netweb
9 years ago

Replying to douglsmith:

When you say "statuses" (plural) are you saying it would mark other messages with the same IP too, or something else?

Kind of, it might not actually be spam, it may be offensive content, so spam and pending statuses though as I pointed out in the original I think automatically marking all the other topics and replies with the same reply would be too heavy handed.


Replying to johnjamesjacoby:

That's interesting. The one gotcha is shared IPs (think cafes or campuses) where there's no way to know what is being blocked.

Yes

I agree that our moderation abilities should be improved with better connectivity between user and content actions. Something along the lines of: if user only has 1 topic and its manually marked as spam, also mark the user as spam.
Historically though, we've shyed away from these types of decisions since the tools are often misused and cause issues in multi-network or shared user table installations.

Agreed, the complexities of the available array of install types is where this all becomes extremely challenging.

On WordPress.org, marking a user as spam means disabling their account across the entire installation, but maybe they are only being a jerk in 1 forum or on 1 site. Does that warrant a spam status?

There is ban, block, and b-tag, not all carry over to all sites, and I agree if your a jerk on one forum that doesn't explicitly define you as a spammer, just a jerk.

I don't think our current tools do a good job communicating the repercussions of the actions they are connected to.

Not just a communication thing, also a tool thing, in that we need a few more ;)

#8 in reply to: ↑ 3 @netweb
9 years ago

Replying to tharsheblows:

I've thought about this type of thing a lot. I ban by IP it only very very occasionally for the reasons JJJ mentioned and when I do, I almost always need to ban a range of IPs (like nn.mm.*.*)

However, when it comes to spammers - in particular, people who have signed up simply to add affiliate or business links to the forum - I spam all their posts and then block the user loads. I also add a key phrase to the moderation list in settings -> discussion but always with a slight sense of dread as I know one of these days I'm going to put something in there that moves all posts to moderation. (I can't use akismet because it thinks the whole forum is spam. Let's not go there.)

I think I am with you here in this regard, for the most part banning, blocking, deleting the user would typically suffice, blocking by IP is kind of the next step up.

One plugin that helps is the unmaintained https://wordpress.org/plugins/stop-spammer-registrations-plugin/ I'd like to be able to contribute to the Stop Forum Spam database but our privacy policy doesn't allow it - I'm based in the UK and am almost certain that it'd be against data protection rules to add stuff to it.

I think you would, it is a very similar issue to email spam, I am presuming that email spam databases are still being updated with current data across the EU, I haven't researched any of this, just an assumption, email spam would be in a different place than it currently is if the EU privacy laws stopped submissions to these databases IMHO.

Anyway, I'd find an in depth discussion of how people deal with spam useful at some point. What did you do when bbPress and BuddyPress got hit? I have a feeling this is somewhat forum dependent but think everyone probably deals with people registering with the sole intent to add affiliate links ("clickbank" catches a lot for me) or promote their business.

It is very forum specific, here and on WordPress.org we allow "Not Safe For Work" (NSFW) links, we just ask that this be highlighted and give recipients a heads up, our forum is about forums about anything, once you start limiting your forum to a specific subject e.g. Automobiles your handling of what is acceptable content and what is not is remarkably different.

#9 in reply to: ↑ 6 @netweb
9 years ago

Replying to douglsmith:

I have the pleasure of a forum where the participants are almost always well behaved. So it's rare that I would mark a real user's post as spam. For me, it's mostly about drive-by spammers who register accounts just to post something shady or attempt to build links. In those cases, I mark the message as spam so Akismet can learn from it, delete any legitimate replies (i.e., users saying they reported the spam to the admins), then delete the offending user's account.

Yes, I think the majority of sites fit this category and I'd suggest it would be very rarely you'd actually need to ban any specific IP address.


Replying to jeffr0:

That's interesting you created this ticket as I was thinking how seeing the frontend comment moderation links reminded me of forums. After reading @jjj reply on banning account would ban them across the entire network of sites, that's not good. Thanks for at least considering that it would be neat to see similar tools like this in bbPress.

Every discussion regarding WordPress comments I think in this way, comments are forum replies, posts are forum topics, these are all just post types and typically submitted by external parties to the site owners/authors. ;)

#10 in reply to: ↑ 5 ; follow-up: @tharsheblows
9 years ago

Oh ha, I spent some time yesterday cleaning up a massive link spam attack (go on, ask me where you can watch football games online...). Banning by IP would have been super useful and a "block user and mark all posts as spam" would have been fantastic.

Replying to douglsmith:

I have the pleasure of a forum where the participants are almost always well behaved. So it's rare that I would mark a real user's post as spam. For me, it's mostly about drive-by spammers who register accounts just to post something shady or attempt to build links.

This made me smile - it sounds like mine. To paraphrase the saying, when mine are good they're very very good...

I'm not actually worried about dealing with them when they're bad. That will always take a real live human. It's the drive-by spammers (I love that phrase, it completely sums it up) I'd like to build a tool to deal with.

I'd like to have another role for users similar to blocked that not only stops them from posting, but also removes their user profile page. I don't like deleting anyone / anything because I don't like losing that data. And of course, a "mark all posts as spam" option would be great.

I think the problem with the SFS database is that it lists all the email addresses on the site rather than allows you to simply check specific ones. Admittedly, I haven't looked into it carefully and the ICO (the agency responsible for UK data protection) seems to have no teeth - eg I am not too concerned about its enforcement of EU cookie law.

I'm not terribly familiar with multisite installations, but think that in the drive-by link spam cases, it'd be a good thing to be able to ban them from all sites. However, as has been mentioned, moderators have to know how to use any tool appropriately otherwise you'll get unintended consequences.

Anyway, again, it's an interesting discussion - maybe if there's something in common we all do, then it might make sense to add it as a tool, but the discussion in and of itself is helpful to me! I like seeing how other people handle these things.

#11 in reply to: ↑ 10 ; follow-up: @netweb
9 years ago

Replying to tharsheblows:

I'd like to have another role for users similar to blocked that not only stops them from posting, but also removes their user profile page. I don't like deleting anyone / anything because I don't like losing that data. And of course, a "mark all posts as spam" option would be great.

Thinking aloud here... Maybe leave the profile viewable by the "blocked" user and hidden or redirected for other users, similar to the "bozo" feature in bbPress 1.x, those users can see their own content and it is hidden for everyone else. This gives said user the illusion that there is nothing wrong with their account but is not seen by any other users and thus ignored.

#12 in reply to: ↑ 11 @Robkk
9 years ago

Replying to netweb:

Thinking aloud here... Maybe leave the profile viewable by the "blocked" user and hidden or redirected for other users, similar to the "bozo" feature in bbPress 1.x, those users can see their own content and it is hidden for everyone else. This gives said user the illusion that there is nothing wrong with their account but is not seen by any other users and thus ignored.

That sounds like a shadowban, there is a new plugin for WordPress comments that says has this kind of feature.

https://wordpress.org/plugins/feenban/

Other than that i would like to see ban options that would basically take away capabilities from the user. Maybe a front-end user role switcher under the reply author avatar??

Level 1 Ban - Spectator role

Level 2 Ban - Shadowban

Level 3 Ban - Blocked role

Level 4 Ban - Disable Account (maybe look at this plugin https://github.com/wpexplorer/ban-users-wordpress-plugin)

Level 5 Ban - IP Block/Mark as SPAM/Delete Account


#13 @Robkk
9 years ago

There is now a temporary ban plugin for bbPress, it does exactly as @tharsheblows explained in #comment:10

https://github.com/rebdev/rabbp-suspension

i already added it to the featured plugins list.

Last edited 9 years ago by Robkk (previous) (diff)

#14 follow-up: @superbecc
9 years ago

Cheers Robkk for linking me in re the suspensions plugin on my github, which I'd be happy to see incorporated/could be convinced to throw some more time at developing further if it can be of any use. That said, it wasn't created for the drive-by spammers, but for a site where users can act up a bit and sometimes need to be put in the naughty corner for a short period. The plugin adds in a new 'suspended' forum role with restricted posting ability, and adds a 'suspension' post type to save the data on each suspension that's added. Admins add suspensions at the back end, specifying the naughty user, an optional time-out period (or it defaults to 7 days), and an optional reason they were suspended (for admin records). The naughty user's current role gets saved along with this data and their role is changed to 'suspended'. A wp cron runs each day that locates suspensions set to expire and reinstates the normal roles of those users. Suspensions are at this point marked as complete and remain in the database merely as a record for future reference.

Suspended users don't see a reply form (since via the suspended role they don't have posting privileges) and instead see a "You were bad so no comments for you"-type message specified by the admin in the plugin settings. I haven't made any changes to profile visibility as the goal was more about enforcing a bit of reflection on their bad behaviour rather than truly disappearing people. :)

I hadn't heard of the 'bozo' approach before but obviously a bozo role could be managed within the same schema; and there's no reason users couldn't be assigned a role indefinitely if that was a goal. Not sure about the drive-by spammers though, sorry!

#15 @Robkk
9 years ago

  • Summary changed from IP Banning to Banning

I changed the title because of my reasoning below, and just to focus on the subject of banning.

Banning IP addresses are tough since almost noone owns their own unique IP address, you could be banning an entire server that could host hundreds or more people that may have done nothing wrong. Also it is easy to change your IP address with some CPU software nowadays, and if you ban an IP, all the user has to do is switch to another IP address avoiding the ban completely.

The drive-by spammers that would come from using anonymous posting would require the comment blacklist, maybe a reply/topic form captcha or honeypot, but definitely constant moderation. Maybe in the future there could be more settings similar to the discussion settings like show topic/reply if the user was previously approved, but that is just some thoughts.

If registered users appear to be just spam-bots, just mark their posts as spam. If the spam-bots frequently post, consider changing their role to blocked.

If registered users appear to be a human spammer and just seem to be a jerk or a troll, use a temporary ban to change the user role with limited capabilities. Changing it to spectator will remove any posting capabilities or blocked to just be banned from the forums. Great thing about a temporary ban feature is it gives the user an opportunity to have a second chance to be a better user in the community. While there is a way change the users forum role on the site through their profile, thing is people might accidentally forget why the forum user has their role that way and leave the role like that and possibly forever. This is where @superbecc's wp-cron and reason for banning usage comes in and improves the experience of banning users.

The bozo/b-tag (its a hellban or shadowban and usually different terms for each forum solution) feature would be great to have in bbPress v2. Lets say after their second chance after being temporary banned or any additional chances the forum user is still abusive to the community, it is time to make sure he leaves the site by making the user feel ignored or a ghost to the community.

@superbecc

There is functionality in your plugin that will help the banning experience and to not rely on the users IP addresses. I will link the devs to this to see what their opinion on this is.

Also I saw some bozo/b-tag talk on the #bbpress channel on Slack that is why I mentioned it. If you want to help resurrect the feature for bbPress v2 in the near future, you always have the chance to.

Version 0, edited 9 years ago by Robkk (next)

This ticket was mentioned in Slack in #bbpress by robkk. View the logs.


9 years ago

#17 in reply to: ↑ 14 ; follow-ups: @ghoush
9 years ago

Replying to superbecc:

Cheers Robkk for linking me in re the suspensions plugin on my github, which I'd be happy to see incorporated/could be convinced to throw some more time at developing further if it can be of any use.

Hey @superbecc, any chance you could get your plugin working with https://github.com/afragen/github-updater ? Makes it a lot easier for people to install and update github hosted plugins.

#18 in reply to: ↑ 17 @netweb
9 years ago

Replying to ghoush:

Hey @superbecc, any chance you could get your plugin working with https://github.com/afragen/github-updater ? Makes it a lot easier for people to install and update github hosted plugins.

This is the bbPress Trac for bbPress code and development. If you want to add suggestions for new features for code hosted elsewhere, in this case a plugin on GitHub then create an issue on GitHub directly, not here :)

#19 @Stagger Lee
9 years ago

  • Cc pericam@… added

#20 follow-up: @Stagger Lee
9 years ago

This man is on the good track:

https://wordpress.org/plugins/user-blocker/screenshots/

Needs some optimization, seems it takes much resources. And some other small fixes to adapt it to bbPress.
Calendar with time slider, no days in the week.
Other one is automatically ending login session when banned.

#21 in reply to: ↑ 20 ; follow-up: @superbecc
9 years ago

Replying to Stagger Lee:

This man is on the good track:

https://wordpress.org/plugins/user-blocker/screenshots/

Needs some optimization, seems it takes much resources. And some other small fixes to adapt it to bbPress.
Calendar with time slider, no days in the week.
Other one is automatically ending login session when banned.

Just checking your meaning on that last sentence. Are you saying my plugin's ending the login session? It wasn't intended to; if so I'll have to give it a look.

#22 in reply to: ↑ 17 @superbecc
9 years ago

Replying to ghoush:

Hey @superbecc, any chance you could get your plugin working with https://github.com/afragen/github-updater ? Makes it a lot easier for people to install and update github hosted plugins.

@ghoush, I've added a github plugin URI to the header as per your plugin's directions. Can't test it works with your plugin (which looks handy) just now but will do so tomorrow. :)

#23 in reply to: ↑ 21 @Stagger Lee
9 years ago

Replying to superbecc:

Replying to Stagger Lee:

This man is on the good track:

https://wordpress.org/plugins/user-blocker/screenshots/

Needs some optimization, seems it takes much resources. And some other small fixes to adapt it to bbPress.
Calendar with time slider, no days in the week.
Other one is automatically ending login session when banned.

Just checking your meaning on that last sentence. Are you saying my plugin's ending the login session? It wasn't intended to; if so I'll have to give it a look.

No, was talking about this plugin from URL and what is missing.
Killing login session is good thing. Or thez use keep alive with browser and can stay logged all the time they are banned. As with this plugin from my URL.

OK now, not so very important. As you can go to user profile and kill session.

Last edited 9 years ago by Stagger Lee (previous) (diff)

#24 @FolioVision
8 years ago

  • Owner set to FolioVision

Hi Guys,

Thanks for the mention of Thoughtful Comments. We're big bbPress 2 users ourselves (just recently moved to bbPress 2 hence were not participating much here when we were bbPress 1).

We'd be happy to adapt Thoughtful Comments to bbPress for adding to core.

There still seems to be a lot of division on what it is bbPress moderators want from a comment administration tool.

Is there any consensus?

Alec Kinnear

#25 @johnjamesjacoby
6 years ago

@FolioVision - any feedback after a few years? Anything specific to GDPR related functionality?

#26 @FolioVision
6 years ago

Hi JJJ,

Thanks for asking about Thoughtful Comments. We still don't support bbPress (1 or 2, we use 2 now). We're open to supporting bbPress as we're users. If you could take a look at Thoughtful Comments and let us know what we should change or include for bbPress we'd happily make those improvement.

GDPR doesn't affect Thoughtful Comments directly as we only use the data which WordPress already records. If a publisher who uses Thoughtful Comments would like to be GDPR (or more GDPR compliant, it's a moving target), s/he should address what s/he logs inside WordPress.

Does that help? Thanks, Alec

#27 @johnjamesjacoby
4 years ago

Haven't thought about this in a while, but it's still on the radar to improve.

#28 @johnjamesjacoby
4 years ago

  • Owner changed from FolioVision to johnjamesjacoby
  • Status changed from new to assigned
Note: See TracTickets for help on using tickets.