Opened 15 months ago

Last modified 12 months ago

#3544 new defect

Plugin Admin: IP Tracker

Reported by: Ipstenu
Owned by:
Milestone:
Priority: normal
Component: Plugin Directory
Keywords:
Cc:

Description

We used to have a tool to check the IP address of submissions and compare it to all others. This was useful to swiftly find people who were making serial plugin accounts to avoid previous restrictions.

/plugins/admin?ip=

It works much like the User Card (see an image here - https://make.wordpress.org/plugins/handbook/performing-reviews/review-walkthrough/ ) and the Author Lookup ( https://wordpress.org/plugins/wp-admin/tools.php?page=authorcards ) but is missing as a lookup by IP.

This would be very helpful to hunt down serial abusers.

Change History (7)

#1 @obenland
13 months ago

  • Keywords close added

You can use the built-in search to pull up plugins based on IP. These searches are also linked to from the list of IPs in the Author Card.

#2 @Ipstenu
13 months ago

That doesn't give the same kind of output we used to have. And yes, it matters.

We USED to be able to look up an IP and see

1) A list of all users for the IP (and their plugins)

2) A breakdown by subset

And that second part is missing.

So if I looked up 123.45.67.89 I would also see 123.45.67.* and 123.45.*

We used that to find people who all belonged to the same company or group and were being silly and submitting a lot of plugins under multiple accounts to try and get around the guidelines.

For example, right now I've noticed a LOT of people seem to be submitting the same kind of plugin. I used to be able to check the IP and if I spotted four or five accounts with the same IP ranges, I knew I probably had some spammers and I could dig into it.

#3 @obenland
13 months ago

  • Keywords close removed

Ah! I didn't know about the subset support, I can see how that is useful.

#4 @obenland
12 months ago

Are there potential GDPR issues with recording IP addresses of plugin submissions?

#5 @Ipstenu
12 months ago

I don't THINK so (not a lawyer).

We need the IP addresses in order to track abuse, and since the submission is being made by a logged-in account (wherein we already have the email and username) I think it would be a reasonable exception.

IIRC it falls under the legitimate interest (Article 6).

1) We have prior consent via the account
2) We need it to prevent abuse and protect users

#6 @dd32
12 months ago

Storing IPs isn't ideal at all, and ideally we'd like to be able to move away from it I think. Storing other derived data-points instead (i.e. only an anonymised IP 123.123.123.0 or the Network ASN instead perhaps)

However, that being said, for GDPR purposes if it's a required functionality of the directory for the purposes of anti-spam as long as it's disclosed I think that's fine.

#7 @Ipstenu
12 months ago

I don't know that the Network ASN would be beneficial for the reason we use them. Literally I only use them when I'm trying to catch someone circumventing a previous ban. If you break it down like anon, I wouldn't be able to compare "Oh these four people submitted plugins with the SAME IP" (which yes, makes me wonder if they're even trying...) but also "This plugin was submitted via a TOR proxy..." (yes, pretty common).

I agree it's not ideal, but in order to reduce the risk of bad actors, I think we kinda have to :(
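
The subset lookup described in comment 2 and the last-octet anonymisation suggested in comment 6, side by side, as an added example that is not part of the ticket or the Plugin Directory's code. The record layout, function names and sample rows are assumptions constructed for illustration, and only IPv4 is handled.

```python
import ipaddress

# Constructed sample rows: (user, plugin, submission IP). Not real data.
SUBMISSIONS = [
    ("alice", "plugin-a", "123.45.67.89"),
    ("bob", "plugin-b", "123.45.67.89"),
    ("carol", "plugin-c", "123.45.67.12"),
    ("dave", "plugin-d", "123.45.200.5"),
    ("erin", "plugin-e", "203.0.113.7"),
]


def subnet(ip, prefix):
    """IPv4 network of the given prefix length that contains ip."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def anonymise(ip):
    """Zero the last octet (the 123.123.123.0 form from comment 6)."""
    return str(subnet(ip, 24).network_address)


def lookup(ip, submissions):
    """Bucket submissions by the narrowest range they share with ip."""
    query = ipaddress.ip_address(ip)
    buckets = {"exact": [], "/24": [], "/16": []}
    for user, plugin, seen in submissions:
        addr = ipaddress.ip_address(seen)
        if addr == query:
            buckets["exact"].append((user, plugin))
        elif addr in subnet(ip, 24):      # 123.45.67.*
            buckets["/24"].append((user, plugin))
        elif addr in subnet(ip, 16):      # 123.45.*
            buckets["/16"].append((user, plugin))
    return buckets


def anonymised(submissions):
    """The same rows as they would look if only anonymised IPs were stored."""
    return [(u, p, anonymise(ip)) for u, p, ip in submissions]


if __name__ == "__main__":
    print(lookup("123.45.67.89", SUBMISSIONS))
    print(lookup(anonymise("123.45.67.89"), anonymised(SUBMISSIONS)))
```

With full addresses the `exact` bucket isolates the accounts that share one IP. Against the anonymised rows those accounts merge with everyone else in the same /24, while the /16 grouping is unchanged.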
