Unlike most of the spammer/spambot plugins out there, which stop registrations from a known list of spam IPs and email domains, I need to stop malicious users who may try and register more than one account from the same IP address. Their intentions may be to either harass people in the comments once they've been banned on other accounts, or they may try and play games with one of my submission forms and submit duplicate results to attempt to ruin the integrity of the output.

Is there a way that I can limit an IP address from registering accounts per a given time period? Since IP addresses change, I'd like to still allow some innocent who may end up with a previously blocked IP, to register.

asked Mar 21, 2015 at 1:22 by Kreation
  • This will not work. Not only is it easy to overcome for dedicated trolls, it will also block whole organizations, and the IP addresses for cellular networks are probably changing every time you connect to the net, which will make the whole thing pointless and will just force you to play smack a mole with the trolls. If you have a problem with content it needs to be handled at content level. – Mark Kaplun Commented Mar 21, 2015 at 4:29
  • I'm confused as to how it would block entire organizations and addresses if the block is temporary and lasts maybe a week or so? Maybe less time? – Kreation Commented Mar 21, 2015 at 4:56
  • It is common for traffic to be routed through a gateway address, such as that of a cellular network or large organization and even regular ISP, therefore you may not actually be dealing with the specific device (or user). – Adam Commented Mar 21, 2015 at 5:02

2 Answers

Despite that this approach may be flawed by the fact that it can be by-passed using proxies, here is a simplistic (yet untested) approach, which you would need to improve upon but would give you the foundation for achieving your desired goal.

The process as I see it:

  • filter user registrations on the pre_user_login or pre_user_nicename hooks
  • check database to see if IP exists in a time-limited blacklist
  • if IP exists within range, reject registration with custom error message
  • if IP does not exist within range, add the IP to the time-limited blacklist
  • rinse and repeat for each registration attempt

Example:

function filter_user_registration_ip($user_nicename) {

    $ip        = $_SERVER['REMOTE_ADDR'];                    //get current IP address
    $time      = time();                                     //get current timestamp
    $blacklist = get_option('user_ip_blacklist') ?: array(); //get IP blacklist

    /*
     * If IP is an array key found on the resulting $blacklist array
     * run a differential of the 
     * 
     */
    if ( array_key_exists($ip, $blacklist) ) {

        /*
         * Find the difference between the current timestamp and the timestamp at which
         * the IP was stored in the database converted into hours.
         */
        $diff_in_hours = ($time - $blacklist[$ip]) / 60 / 60;


        if ( $diff_in_hours < 24 ) {

            /*
             * If the difference is less than 24 hours, block the registration attempt
             * and do not reset or overwrite the timestamp already stored against the
             * current IP address.
             */
            wp_die('Your IP is temporarily blocked from registering an account');
        }

    }    

    /*
     * If the IP address does not exist, add it to the array of blacklisted IPs with
     * the current timestamp (now).
     *
     * Or if the IP address exists but is greater than 24 hours in difference between
     * the original stored timestamp and the current timestamp, add it to the array
     * of blacklisted IPs.
     */
    $blacklist[$ip] = $time;
    update_option('user_ip_blacklist', $blacklist);      

    return $user_nicename;

}

add_filter('pre_user_nicename', 'filter_user_registration_ip', 10, 1);

Notes:

  • The above code is untested and may contain errors.
  • The approach to retrieving the current user IP is not foolproof.
  • The array of IPs will grow exponentially over time, you will need to prune the array periodically.
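
An added example, not part of the original answer or of WordPress itself: the same per-IP limit attached to the `registration_errors` filter and the `user_register` action, so that only new sign-ups are checked, with transients supplying the expiry instead of a hand-pruned option. The `demo_` names, the limit of 3 and the 24-hour window are assumptions made for illustration.

```php
<?php
// Added example: the demo_ names, the limit and the window are assumptions.
define( 'DEMO_REG_LIMIT', 3 );               // registrations allowed per IP per window
define( 'DEMO_REG_WINDOW', DAY_IN_SECONDS ); // DAY_IN_SECONDS is a WordPress core constant

// Build the transient key for the client address. REMOTE_ADDR is the peer that
// connected to PHP; behind a reverse proxy it is the proxy, not the visitor.
function demo_reg_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( ! filter_var( $ip, FILTER_VALIDATE_IP ) ) {
        return false; // no usable address: skip the limit rather than block everyone
    }
    return 'demo_reg_' . md5( $ip ); // md5 only shortens the key, it is not a security control
}

// Timestamps of registrations recorded under this key that are still inside the window.
function demo_reg_recent( $key ) {
    $stamps = get_transient( $key );
    $stamps = is_array( $stamps ) ? $stamps : array();
    $cutoff = time() - DEMO_REG_WINDOW;
    return array_values( array_filter( $stamps, function ( $t ) use ( $cutoff ) {
        return $t > $cutoff;
    } ) );
}

// registration_errors is applied by register_new_user() (the wp-login.php
// registration path), so it does not run on profile updates.
add_filter( 'registration_errors', function ( $errors ) {
    $key = demo_reg_key();
    if ( $key && count( demo_reg_recent( $key ) ) >= DEMO_REG_LIMIT ) {
        $errors->add(
            'demo_ip_limit',
            'Too many accounts were registered from your network recently. Please try again later.'
        );
    }
    return $errors; // a WP_Error with entries makes WordPress show the message and stop
} );

// Record the registration only once the account has actually been created.
add_action( 'user_register', function () {
    $key = demo_reg_key();
    if ( $key ) {
        $stamps   = demo_reg_recent( $key );
        $stamps[] = time();
        set_transient( $key, $stamps, DEMO_REG_WINDOW ); // expires on its own, no pruning job
    }
} );
```

Because `user_register` fires for every new account, users created from the admin screen also count against the administrator's address.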

A better solution would be not to ban their IP from within WordPress, but if you have root access to WHM then you can ban their IP from your server altogether. This is the real solution to the problem.

Also, usually IP addresses do not change. However, a person may go to another internet connection, a proxy server, or some other manner to use an alternate IP. However, it will still be a pain for them because once you ban their home IP, the only real solution for them is to get their ISP to change their IP, which many ISPs will be reluctant to do or will flat out deny the request.

If you do not have access to WHM or the root of your server, then you can still ban their IP by adding it to the .htaccess file like so:

order allow,deny
deny from 123.45.67.89
allow from all

Article tags: Plugin for limiting user registration based on ip with expiry period