Anti-Splog option Spam/Unspam Blog Users confusion and issue


First, the title of the option “Spam/Unspam Blog Users” as well as the by-line “Enable this to spam/unspam all of a blog’s users when the blog is spammed/unspammed.” is confusing to me. It seems to say that when a blog is marked as spam, this will cause all users assigned to that blog are marked as spam too.

But it appears the option does more than, or even the inverse of that. With this option activated, marking a user as spam will actually mark all blogs that that users is a member of as spam. This is the inverse of what the text says.

But more importantly, it will mark ALL blogs that that user is associated with as spam. Even those that that users is only a Subscriber to!

In both anti-splog.php and moderate.php the function get_blogs_of_user() is used. This returns all blogs that the user is associated with, indiscriminate of the user capability on those blogs. So I would suggest to add an extra check for the users capability to AT LEAST post un-moderated on that blog.

For example something like this in moderate.php line 14 and further:

$blogs = get_blogs_of_user( (int) $_GET['spam_user'], true );
foreach ( (array) $blogs as $key => $details ) {
if ( user_can( (int) $_GET['spam_user'], 'publish_posts' ) ) {
update_blog_status( $details->userblog_id, 'spam', '1' );
set_time_limit( 60 );

By the way, what’s the point of calling (=resetting) set_time_limit() each time in this foreach loop?

  • RavanH
    • The Crimson Coder

    Or maybe better, a reusable function in anti-splog.php:

    function ust_user_can_for_blog( $blog_id, $user_id, $capability ) {
    $return = false;
    switch_to_blog( $blog_id );
    if ( user_can( $user_id, $capability ) ) {
    $return = true;
    return $return;

    Actually, a function missing from WP core next to existing current_user_can(), user_can() and current_user_can_for_blog() would be user_can_for_blog()

    This can now be used like this in moderate.php and ust_do_ajax() :

    if ( !ust_user_can_for_blog( $details->userblog_id, (int) $_GET['spam_user'], 'publish_posts' ) ) {
    } // user cannot post on blog so do not mark as spam !

    Not really sure something needs to be done for the Spam IP routines though… Do user submissions like comments or save for draft post (to be moderated) get flagged as lastmod in the wp_ust table?

  • Dimitris
    • Support Star

    Hello there RavanH,

    hope you’re doing good today and thanks for reaching us! :slight_smile:

    I was able to replicate this in a testing site of mine.

    To ensure that I followed the correct steps, please confirm (or not) the following steps:

    1. Enable the aforementioned setting in Anti-Splog:

    2. Mark a testing user who has role in different sites as spam:

    3. All his sites are now spammed:

    I could then fulfil a complete report for our developers, along with your valuable feedback of course!

    Warm regards,


  • RavanH
    • The Crimson Coder

    Hi Dimitris, what user level did the test user have on /subsite/ ? It looks like /subsite/ was created and owned by user dimitris. Correct?

    Then yes, this is what I mean. Other sites, owned by other users than then spam user are marked as spam… The code suggestions above try to make sure the spam user has at least publish_posts capability before marking any site as spam.

    Thanks for passing this on to the devs :slight_smile:

  • Dimitris
    • Support Star

    Hey there RavanH,

    you’re right, the /subsite/ had been created by admin user and I manually added my testing user in there as a subscriber.

    I’m going to create a bug report for our developers shortly.

    Me or another colleague of mine will keep you posted here as soon as we’ve got some valuable insights. :slight_smile:

    Take care,


Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.