wordpress-activitypub

Question: How does this plugin interact with moderation and trust & safety on the fediverse?

Open ThisIsMissEm opened this issue 2 years ago • 12 comments

Hi! I've had a look through the changelog & through open issues, and can't see anything about this topic.

Will this plugin implement support for handling Flag activities? Additionally, will it support (at a bare minimum) a means through which to specify instances to not federate with? Or a way to block certain actors from interacting with the blog via the plugin?

Would be happy to provide advice either here or via the IFTAS matrix server.

ThisIsMissEm avatar Sep 13 '23 08:09 ThisIsMissEm

Hey @ThisIsMissEm, thanks for reaching out and offering your help!

WordPress has some basic functionality to help block messages based on certain criteria.

When a comment contains any of these words in its content, author name, URL, email, IP address, or browser’s user agent string, it will be put in the Trash. One word or IP address per line. It will match inside words, so “press” will match “WordPress”.

  • This will block every message from users that match one of the defined block words/tags/domains/eMails/WebFinger-IDs.
  • Besides that, every incoming post will be handled by WordPress' spam filter/system and held for moderation.
  • And there are possibilities to manage/delete Followers.

This is not yet perfect and will not block the following process completely, so I would love to discuss further possibilities.

Thanks again!

pfefferle avatar Sep 13 '23 08:09 pfefferle
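
The matching rule quoted in the comment above, as an added example that is not part of the thread and is not WordPress or plugin code: a stand-alone PHP model (one entry per line, literal substring match against every field, case-insensitivity assumed) run over constructed senders. The field names and the way an actor URL or WebFinger ID lands in a comment field are assumptions; the last rows show a listed domain also catching a look-alike domain and a comment that merely mentions it.

```php
<?php
// Stand-alone model of the quoted rule. Assumption: every non-empty line of the
// list is matched as a case-insensitive substring of every comment field.

/** Return the first list entry found in any field, or null when none matches. */
function first_disallowed_match(string $list, array $fields): ?string
{
    foreach (explode("\n", $list) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue; // blank lines never match anything
        }
        // preg_quote: entries are literal text, not regular expressions.
        $pattern = '#' . preg_quote($entry, '#') . '#iu';
        foreach ($fields as $value) {
            // === 1 also treats a PCRE error (invalid UTF-8) as "no match".
            if (preg_match($pattern, (string) $value) === 1) {
                return $entry;
            }
        }
    }
    return null;
}

// Constructed block list: one domain and one WebFinger ID (example names only).
$list = "blocked.example\n@troll@social.example\n";

// Constructed senders; keys such as 'author' and 'url' are hypothetical.
$senders = [
    'listed domain'    => ['author' => 'Mallory', 'url' => 'https://blocked.example/users/mallory'],
    'listed WebFinger' => ['author' => '@troll@social.example', 'url' => 'https://social.example/@troll'],
    'case differs'     => ['author' => 'Eve', 'url' => 'https://BLOCKED.example/users/eve'],
    'unlisted'         => ['author' => 'Carol', 'url' => 'https://friendly.example/users/carol'],
    // Caveat 1: substring matching also catches an unrelated look-alike domain.
    'look-alike host'  => ['author' => 'Alice', 'url' => 'https://notblocked.example/users/alice'],
    // Caveat 2: a benign comment that only mentions the domain is trashed too.
    'mention in text'  => ['author' => 'Bob', 'url' => 'https://friendly.example/users/bob',
                           'content' => 'Has anyone else seen spam from blocked.example?'],
];

foreach ($senders as $label => $fields) {
    $hit = first_disallowed_match($list, $fields);
    printf("%-17s %s\n", $label, $hit === null ? 'kept' : "trashed (entry: $hit)");
}
```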

@ThisIsMissEm in addition to what Matthias has outlined, the plugin supports Authorized fetch.

It isn't yet documented but to enable it, you would set the ACTIVITYPUB_AUTHORIZED_FETCH const to true: define( 'ACTIVITYPUB_AUTHORIZED_FETCH', true );

mediaformat avatar Sep 13 '23 16:09 mediaformat

@mediaformat Right, but Authorized Fetch only works if you've a list of domains/instances from which you don't wish to approve fetches.

@pfefferle so, is the extent of the moderation thinking currently just "we'll let WordPress handle comment moderation"? Because you might have problems with that due to a group known as "the worst of the worst" (essentially malicious actors), some tactics seen used have been hammering an instance with CSAM or other horribly graphic imagery, which means a person reviewing the comment moderation queue would still have to see those.

I just want to make sure that there's a defense in depth approach here, and that we can shield your users from the most harmful and vile instances.

ThisIsMissEm avatar Sep 13 '23 20:09 ThisIsMissEm

There are some WordPress mechanics that help atm (WordPress strips all images from comments automatically, for example), but I totally agree that there have to be some more possibilities! I am looking forward to discussing these options with you on the IFTAS server.

pfefferle avatar Sep 14 '23 05:09 pfefferle

This issue is stale because it has been open 120 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Jan 13 '24 01:01 github-actions[bot]

Just bumping this thread, offer of help & discussion is still valid

ThisIsMissEm avatar Jan 13 '24 02:01 ThisIsMissEm

> Because you might have problems with that due to a group known as "the worst of the worst" (essentially malicious actors), some tactics seen used have been hammering an instance with CSAM or other horribly graphic imagery, which means a person reviewing the comment moderation queue would still have to see those.

I believe WordPress' "Disallowed Comment Keys" setting mentioned by @pfefferle above should help with that. Since the posts from flagged malicious actors are sent to the Trash directly, moderators would not see the comments in the moderation queue; they'd bypass that queue altogether.

jeherve avatar Apr 16 '24 07:04 jeherve

> Since the posts from flagged malicious actors are sent to the Trash directly, moderators would not see the comments in the moderation queue; they'd bypass that queue altogether.

Ideally there should be a way to configure it so the malicious actors wouldn't be able to follow the WordPress blog at all to begin with though, right? The same as if you'd entirely defederated from them and/or had authorised fetch turned on with an explicit allow-list.

VirtualWolf avatar Jun 09 '24 11:06 VirtualWolf