WordPress 5.4.2: Prevent unmoderated comments from search engine indexation

WordPress 5.1 previously added the possibility to show the “awaiting moderation” message on comments list when comment cookies are disabled. Indeed, this changeset included a hash in the redirect URLURL A specific web address of a website or web page on the Internet, such as a website’s URL www.wordpress.org, allowing the website to identify that a preview of the moderated comment should be displayed. By providing an hash in the URL when users did not consent to cookies, the changeset also provided a way to spammers to share an URL that actually contain their messages, and this URL was potentially indexable by search engines.

In WordPress 5.4.2, after a comment is submitted, only a brief window will be available to publicly see the awaiting moderation comment on the website. This change prevents search engines from indexing URLs that may contain spammy messages.

Here is the full list of changes:

  • Remove unapproved comments preview after 1 minute to avoid public access through the moderation hash.
  • Only pass querystring parameters if the user did not consent to cookies, otherwise they are not required.
  • For requests with the unapproved and moderation hash querystring parameters, Expires and Cache-Control HTTPHTTP HTTP is an acronym for Hyper Text Transfer Protocol. HTTP is the underlying protocol used by the World Wide Web and this protocol defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. headers of 60 seconds are added for CDN and other cache hinting services.
  • Only display the requested comment if the querystring parameters are included in the request.
  • Hide the reply button on unapproved comment if it is displayed due to the moderation hash.

This is not considered as a security issuesecurity issue A security issue is a type of bug that can affect the security of WordPress installations. Specifically, it is a report of a bug that you have found in the WordPress core code, and that you have determined can be used to gain some level of access to a site running WordPress that you should not have.. Those changes were discussed publicly on Trac and milestoned to WordPress 5.4.2 point releaseMinor Release A set of releases or versions having the same minor version number may be collectively referred to as .x , for example version 5.2.x to refer to versions 5.2, 5.2.1, 5.2.3, and all other versions in the 5.2 (five dot two) branch of that software. Minor Releases often make improvements to existing features and functionality. few weeks ahead of the releaseRelease A release is the distribution of the final version of an application. A software release may be either public or private and generally constitutes the initial or new generation of a new or upgraded application. A release is preceded by the distribution of alpha and then beta versions of the software. date.

However, given the inconvenience caused by this issue, the WordPress coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. team decided to exceptionally backportbackport A port is when code from one branch (or trunk) is merged into another branch or trunk. Some changes in WordPress point releases are the result of backporting code from trunk to the release branch. those changes to each affected branchbranch A directory in Subversion. WordPress uses branches to store the latest development code for each major release (3.9, 4.0, etc.). Branches are then updated with code for any minor releases of that branch. Sometimes, a major version of WordPress and its minor versions are collectively referred to as a "branch", such as "the 4.0 branch". of WordPress, from WP 5.1 to WP 5.4.

For reference, see the related TracTrac An open source project by Edgewall Software that serves as a bug tracker and project management tool for WordPress. ticketticket Created for both bug reports and feature development on the bug tracker.: #49956

#5-4-2, #dev-notes