Long term readers may be aware that there have been ongoing and persistent issues with people trying to comment here. Ironically, given the nature of the site, comments featuring words like ‘dominatrix’ or ‘BDSM’ were the ones causing problems. It was just my luck to get stuck with a prudish comment system on a sex blog.
The good news is that after devoting some serious effort to it, and at one point yesterday breaking the site entirely, I think I’ve finally fixed it. For anyone interested, or with similar issues, I’ll put some technical details after the obligatory pretty femdom picture. Â For everyone else, the upshot is…
- If you’ve tried to comment before and been driven away in frustration, please try again in the future. No more weird errors of ‘page not found’.
- On the tiny tiny chance – crosses fingers – that anyone still sees problems then please email me with the comment. Now I’ve identified the root cause I can quickly fix any odd remaining errors if I have the comment text. I’ve tested with all manner of naughty words, and it seems to be fine, but it’s possible there’s some particularly deviant combination I’ve missed.
And now for a pretty picture as promised…
The dirty stuff for the technically depraved: It was nothing to do with a WordPress at all. It was a module called ModSecurity buried inside Apache that I knew nothing about and certainly didn’t install. It scans the incoming http requests and blocks ‘bad ones’ based on a big set of rules. This makes total sense for protocol level attacks like SQL injection or buffer overruns. Unfortunately it also has a set of spam rules which perform checks against a blacklist of adult words (like bdsm, latex, plug, dominatrix, etc.) In my opinions that’s a really dumb layer in the stack to do spam filtering, so I didn’t really think to look there. The end result was that incoming comments would be blocked before ever making it to WordPress and its comment management system.
If you ever have this issue, then fixing it can be a pain. My cpanel only lets me turn ModSecurity on/off, not configure it. WHM gives a lot more detail in its security section, but the UI kept giving errors when I tried to tweak rules. In the end I had to use shell access and edit the mod_sec .conf files. There’s a whitelist file you can use to kill rules you don’t want.