Scheduled for Wednesday June 10, 2020 and led by Jake Spurlock (helped by Sergey Biryukov, Jonathan Desrosiers and me), WordPress 5.4.2 addresses twenty bugs.
One of them is an important bug that affects all WordPress versions since 5.1. As noted in this dev note, it allows spammers to get comments that are still awaiting moderation indexed in search engine results pages.
This fix will be deployed on WordPress 5.1, 5.2, 5.3 and 5.4 branches.
To sum up: update to WordPress 5.4.2 as soon as it is available. In the meantime, you may want to approve or delete your comments awaiting moderation.
If you want to know more about this bug, its origins and consequences, you can read the rest of this post 👇 🤓
⚙️The origins: WordPress 5.1 and pending comments preview management
This bug was introduced in WordPress 5.1, but its origins go back to WordPress 4.9.8.
⏱Flashback: 2018 and GDPR
For years, WordPress has allowed visitors to preview their own comments while they are pending approval. This works with a cookie set in the visitor’s browser. Since WordPress 4.9.8, which fixed many privacy issues to make WordPress GDPR compliant, users are asked to opt in to this cookie.
However, the pending comment preview was then unavailable to visitors who did not opt in to this cookie. A solution was found and shipped in WP 5.1: put a variable in the preview URL that stores a hash generated for this comment, and display the pending comment only if the URL contains that hash. For those interested, here is the ticket that contains the patch that introduced our bug 🙂
🏴☠️A process hijacked by spammers
When it comes to SEO, some people show real ingenuity! By abusing this process, it is possible to publish spam links on any website so that Google indexes them, without those links ever being displayed to normal visitors of the site.
Here is the complete process:
Let’s say I want Google to believe that a reputable site has posted links to my site by allowing them in my comments.
I just have to post a comment containing my links and opt out of cookies in the comment form.
As my comment full of links looks a little suspicious, the website puts it in the pending moderation list. On the front end, after the comment form is submitted, the page reloads and displays a preview of my comment with the mention “Your comment is awaiting moderation”.
I can now see that the URL of this page (where my pending comment is previewed) contains a hash, which lets the website know that I am the author of the comment and therefore show me the preview.
Then, I just have to copy this URL and paste it on a third-party website that Google already knows. Google’s crawler will follow this link and land on the page of the well-regarded website. As the followed link carries the hash, the search engine sees my comment even though it is still awaiting moderation, and may therefore consider that this site voluntarily links to my site.
This “trick” relies on the assumption that pending comments (especially if they land in spam) are not frequently reviewed by website administrators. Which is no doubt the case: we don’t spend our time inspecting our site’s dashboard to filter pending comments.
Indeed, it is possible to send cURL requests to the endpoint available at wp-comments-post.php. The cURL response returns the URL containing the preview hash, so it is quite easy to automate link generation.
Moreover, a quick search shows that more than 700,000 URLs containing the moderation hash exist in Google search results.
🧯Related bug fix on WordPress 5.4.2
WordPress 5.4.2 fixes this bug by no longer previewing a pending comment more than 60 seconds after its submission. This window lets the visitor get feedback and know that their comment is awaiting moderation, but does not allow the preview to be exploited with search engines.
Here is the full list of the changes that together make up the complete fix:
- Remove unapproved comments preview after 1 minute to avoid public access through the moderation hash.
- Only pass querystring parameters if the user did not consent to cookies, otherwise they are not required.
- For requests with the unapproved and moderation hash querystring parameters, Expires and Cache-Control HTTP headers of 60 seconds are added for CDN and other cache hinting services.
- Only display the requested comment if the querystring parameters are included in the request.
- Hide the reply button on unapproved comment if it is displayed due to the moderation hash.
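As an added illustration of the hardened check described in this list (not the code from the WordPress commit), here is a PHP sketch: the preview is shown only when the request carries the comment ID and a matching moderation hash, and only within 60 seconds of submission, with cache headers set to the same window. The hash derivation (an HMAC over the comment date with a site secret) and the array shapes are assumptions; the unapproved and moderation-hash parameter names are the ones the list above refers to.

```php
<?php
// Added illustration of the fix described above, not the WordPress commit's
// code. The hash derivation (HMAC over the comment date with a site secret)
// is an assumption standing in for WordPress's own.
const PREVIEW_WINDOW_SECONDS = 60;

/** Moderation hash tied to one comment (illustrative derivation). */
function moderation_hash(string $comment_date_gmt, string $site_secret): string {
    return hash_hmac('sha256', $comment_date_gmt, $site_secret);
}
/**
 * Decide whether a pending comment may be previewed for this request.
 * $comment = ['ID' => int, 'date_gmt' => 'Y-m-d H:i:s' (UTC), 'approved' => '0'|'1']
 * $query   = the request's query-string parameters
 */
function can_preview_pending_comment(array $comment, array $query, string $site_secret, int $now): bool {
    if ($comment['approved'] === '1') {
        return true; // approved comments are public anyway
    }
    if (!isset($query['unapproved'], $query['moderation-hash'])) {
        return false; // no moderation parameters: never show pending content
    }
    if ((int) $query['unapproved'] !== $comment['ID']) {
        return false;
    }
    $expected = moderation_hash($comment['date_gmt'], $site_secret);
    if (!hash_equals($expected, (string) $query['moderation-hash'])) {
        return false; // constant-time comparison of the hash
    }
    // The 60-second window is what defeats the indexing trick: by the time a
    // crawler follows a pasted URL, the preview has expired.
    $submitted = strtotime($comment['date_gmt'] . ' UTC');
    return ($now - $submitted) <= PREVIEW_WINDOW_SECONDS;
}

/** Cache hints so CDNs do not keep serving a preview beyond the window. */
function preview_cache_headers(int $now): array {
    return [
        'Expires'       => gmdate('D, d M Y H:i:s', $now + PREVIEW_WINDOW_SECONDS) . ' GMT',
        'Cache-Control' => 'max-age=' . PREVIEW_WINDOW_SECONDS . ', must-revalidate',
    ];
}
// Constructed sample: the same comment checked 30 s and 10 min after submission.
$secret  = 'constructed-site-secret';
$now     = time();
$comment = ['ID' => 42, 'date_gmt' => gmdate('Y-m-d H:i:s', $now - 30), 'approved' => '0'];
$query   = ['unapproved' => '42', 'moderation-hash' => moderation_hash($comment['date_gmt'], $secret)];
var_dump(can_preview_pending_comment($comment, $query, $secret, $now));       // fresh comment
var_dump(can_preview_pending_comment($comment, $query, $secret, $now + 600)); // stale comment
```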
🚀A patch exceptionally deployed on 4 branches of WordPress: 5.1, 5.2, 5.3 and 5.4
Usually, only security patches are backported to older versions of WordPress. However, given the importance of the issue, this patch will exceptionally be deployed on the 4 affected branches of WordPress: 5.1, 5.2, 5.3 and 5.4.
So if your site is still running WordPress 5.3 (as a reminder: it is not at all recommended to remain out of date 😉), you can update to WP 5.3.4. If you are using WP 5.2, then 5.2.7 will be available. And if you are on WP 5.1 (be careful!), then version 5.1.6 will allow you to fix that bug.
Remember, the only actively maintained version of WordPress is the current one! Others only receive security patches.
📚Publicly available resources
First of all, kudos to Jon Kolbert, member of the Wikimedia staff, for the initial bug report 👍
Here is the commit that contains the code changes made in WP 5.4.2 for this bug, and the related Trac ticket.
To conclude, here is the dev note published on Make/Core:
Cover photo by Thomas Fields