
[resolved] [closed] Spam subscribers becoming users through backdoor? (39 posts)

  1. wickedmike
    Member
    Posted 2 years ago #

    I have had 2 "subscribers" automatically become Users instead of subscribers. They do not appear under Subscribers nor on my MailChimp list. And edresses such as "jes.p.erv.erefuj@gmail.com" further the notion that a back-door has been found into WordPress. Thank goodness my setting was on the default User Subscriber rather than editor or admin.

  2. Knut Sparhell
    Member
    Posted 2 years ago #

    What do you mean by "become Users"? Subscribers are users with only read access. Do not confuse WordPress subscriber role with subscribers to a mailing list. There is no connection.

    You never set the default user role to Editor or Administrator, unless you are running a sandbox. At least not when your blog is open for users to register themselves. You are aware that you may turn that feature off?

    And exactly why do you suspect a "backdoor", other than plain user registration?

    Please do not use ALL CAPS in the subject line. It looks like SCREAMING.

  3. wickedmike
    Member
    Posted 2 years ago #

    Thanks for the response.

    Literally, became Users in a WordPress Role. How could they do that if there wasn't an option to do so? I never added them. And, as said, the edresses are dodgy.

  4. esmi
    Theme Diva & Forum Moderator
    Posted 2 years ago #

    There is no default role in WordPress called "Users". Have you set up some custom user roles?

  5. Knut Sparhell
    Member
    Posted 2 years ago #

    There is such an option. Are you aware of the Settings - General - Membership: Allow any user to register? If ticked, anybody can become a user, preferably with the subscriber role (see below that option).

  6. esmi
    Theme Diva & Forum Moderator
    Posted 2 years ago #

    Are you aware of the Settings - General - Membership

    That's added by a plugin that sets up custom roles - as per my original question. It's not part of WP core.

  7. wickedmike
    Member
    Posted 2 years ago #

    I thought I was with Knut on that. I've always had Settings -> General -> New User Default Role.

    I have made about a dozen WordPress sites. Having 2 unidentified people become Subscribers in a default user role was a first for me. I may have deleted them and upgraded WordPress but I still feel it was of enough concern to share.

  8. esmi
    Theme Diva & Forum Moderator
    Posted 2 years ago #

    There is no User role in WordPress core. See Roles_and_Capabilities. Nor is there a Settings - General - Membership menu in core. These are being added by a plugin.

  9. wickedmike
    Member
    Posted 2 years ago #

    I don't understand because there's always been an option to be an Administrator, Editor, Author, Subscriber.

  10. Knut Sparhell
    Member
    Posted 2 years ago #

    @esmi: That is not added by a plugin. It's a checkbox that tells WordPress to accept registrations. It's in core.

    If you have other roles than subscriber, contributor, author, editor and administrator, then you have a plugin that lets you define new roles. I think this is not the case here.

    @wickedmike: I had a couple of spam user registrations every day until I made it more difficult to register on those blogs that were most spammed or "probed" by this.

    A subscriber has no rights to change anything and may only see a few statistics about the number of posts and comments, theme and widgets and so on. A subscriber can not read unpublished or private material or list plugins. (Unless you change the capabilities, that is.)

    The only reason for registering and then staying a subscriber is that you may comment without entering your name and e-mail address.

  11. esmi
    Theme Diva & Forum Moderator
    Posted 2 years ago #

    Yes - and Contributor. But no "User". That's a custom role. And since it's been created via a plugin, this does suggest that the plugin itself may have inadvertently opened up a hole.

  12. wickedmike
    Member
    Posted 2 years ago #

    Thanks all! Nice that people bother to give their input.

    I'm not overly worried but always cautious after being hacked by fundamentalists on a previous, non-Wordpress site. It's worthwhile mentioning in case others had had the same experience, after all, people doing what they shouldn't be doing can only mean bad intention of some sort.

    I'll rest on this thread but hopefully it stays open for a while in case there's a repeat.

    Thank you.

  13. If you have other roles than subscriber, contributor, author, editor and administrator, then you have a plugin that lets you define new roles. I think this is not the case here.

    Just to reiterate - The role NAMED 'User' would be a newly defined role. Something made it.

    wickedmike - What plugins ARE you using?

  14. wickedmike
    Member
    Posted 2 years ago #

    Sorry for being unclear. I was speaking of User roles and not a role called User.

  15. Okay :) That matters a GREAT deal!

    So to unravel all this, can you explain what you mean here:

    I have had 2 "subscribers" automatically become Users instead of subscribers.

    What user role were they granted?

  16. wickedmike
    Member
    Posted 2 years ago #

    Subscriber which is default.

    Main point is that I never added them and there is no option for them to add themselves. And their edresses were obviously not real.

  17. Do they show up under your users list?

    You said before that they did not but that seems contradictory now, and how would you see them if not on the list...

    WHERE are we seeing these subscribers, I guess is the question :)

  18. wickedmike
    Member
    Posted 2 years ago #

    Settings -> Users -> All Users.

  19. So what you really mean from all this is

    "I have registration turned off, but regardless, two users suddenly showed up, as subscribers, on my site."

    What plugins are you using?

    While it is possible this is a WP security hole, let's start with the likely suspects :)

  20. wickedmike
    Member
    Posted 2 years ago #

    Firstly, how do I turn registration on or off? I just don't see it as an option on the site live. What I see it as is a Dashboard User function. I enter a user role if I want someone to have access or contribute.

    For general subscribers, on these 2 sites, i used the Mailchimp plugin. Are you wanting me to list all Plugins? I tend to use more well known ones so that there'd be less problems.

    PS: I just had it happen on another of my sites but with different email, also Gmail, and producing no results from a Google search.

  21. calisun
    Member
    Posted 2 years ago #

    Same thing happened to me yesterday.
    On my site I have registration turned off, I have comments turned off for all my blogs and I don't have any plugins installed.
    Yet yesterday I received an email that I have two replies that need to be approved.
    As soon as I logged in to my dashboard, I marked comments as spam. Right now I don't see these users in my user list, but I am not sure if they were there before I marked their comments as spam.

    As stated before, they had strange/fake email. Their IP was from Germany and they posted spam about viagra which pointed to a Russian based page.

  22. wickedmike
    Member
    Posted 2 years ago #

    If it was normal spam, and them not becoming Subscribers within the WordPress dashboard itself, then it would be a different issue, Calisun.

  23. frikafrax
    Member
    Posted 2 years ago #

    I've been wondering about the possibility of a vulnerability or bug myself.

    While I do have open registration, I've used a combination of an application firewall and several plug-ins that has proven to be highly effective in keeping spam and fake subscribers away.

    The targeted blog in its current form has been online since 2008. Historically, I haven't seen a fake subscriber sign-up within the last two years, though not for a lack of trying on the spammers' behalf as shown by my logs.

    But after upgrading to WordPress 3.2 and within the last day or so, I've had 70+ (and counting) fake subscriber sign-ups. Now the spam bots are able to create new subscriber accounts, waltzing through the application firewall and plug-ins as if they weren't there.

    I do concede the possibility that this could just be coincidence. But the timing of the upgrade and then the sudden success that spammers are having at creating subscriber accounts despite months/years of failing is certainly curious as well as disconcerting.

  24. calisun
    Member
    Posted 2 years ago #

    If it was normal spam, and them not becoming Subscribers within the WordPress dashboard itself, then it would be a different issue, Calisun.

    My point was NOT if they show up or don't show up as users. Like I said, I marked them as spam before going to user list, so I don't know if they were there.

    My point was that I have signup disabled and I have comments disabled on all my posts, yet somehow two accounts were created and two comments were posted on my site. One good thing is that the spam was not published, it waited for my approval.

  25. Dion Hulse
    WordPress Dev
    Posted 2 years ago #

    So, to those of you that are seeing these spam signups, even though you have the "users can register" option turned off, what plugins are you running? And to confirm, they're receiving the "Subscriber" user role?

    Are the signups ongoing, or did they simply show up after the 3.2 upgrade, and you haven't seen any extras? (If this was the case, it's likely you had an old infection which was being hidden via CSS.)

    If they're ongoing, do you have access to the server logs for that time period? If so, is there any sign of a cause in there? (And if you're not able to interpret them, are you willing to send them along to the WordPress.org Security Team?)

    It seems rather pointless for a bot to be exploiting WordPress and "only" creating Subscribers, they've got no permission to do almost anything. I've seen some OAuth/Facebook Connect/etc style plugins ignore the WordPress users can register option and create accounts for any user which asks for one, so that's a potential source of unprivileged accounts.
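    The server-log check suggested above, as an added example that is not part of this thread: it parses combined-format access log lines (the constructed sample below is not real traffic) and pulls out POSTs to the core account-creation endpoints, wp-login.php?action=register and, for MultiSite, wp-signup.php, grouped by client IP so that bursts of registrations can be matched against when the registration option was off or a plugin was installed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2011:10:12:01 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 2310
203.0.113.7 - - [05/Jul/2011:10:12:03 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0
198.51.100.9 - - [05/Jul/2011:10:13:44 +0000] "GET /2011/07/hello-world/ HTTP/1.1" 200 8812
203.0.113.7 - - [05/Jul/2011:10:14:10 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0
198.51.100.23 - - [05/Jul/2011:10:15:00 +0000] "POST /wp-signup.php HTTP/1.1" 302 0
198.51.100.9 - - [05/Jul/2011:10:16:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
"""


def is_registration_request(method, target):
    """True when the request submits one of WordPress's account-creation forms."""
    if method != "POST":
        return False
    parts = urlsplit(target)
    if parts.path.endswith("/wp-signup.php"):  # MultiSite signup form
        return True
    if parts.path.endswith("/wp-login.php"):   # single-site registration form
        return parse_qs(parts.query).get("action") == ["register"]
    return False


def find_registration_attempts(log_text):
    """Return (events, per_ip_counts) for account-creation POSTs in the log."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        if is_registration_request(m["method"], m["target"]):
            events.append((m["ip"], m["time"], m["target"], int(m["status"])))
    counts = Counter(ip for ip, *_ in events)
    return events, counts


if __name__ == "__main__":
    for ip, when, target, status in find_registration_attempts(SAMPLE_LOG)[0]:
        print(f"{when} {ip} -> {target} ({status})")
```

    A registration POST that appears while "Allow any user to register" is unticked points at a plugin-provided signup path rather than the core form, which is the plugin question asked above.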

  26. Dion Hulse
    WordPress Dev
    Posted 2 years ago #

    Like I said, I marked them as spam before going to user list, so I don't know if they were there.

    Are you running MultiSite then?

  27. calisun
    Member
    Posted 2 years ago #

    Are you running MultiSite then?

    Yes, I am running a Multisite, with signup disabled and comments disabled.
    I will try to look at logs on Monday.

  28. Calisun, please make a NEW topic in the MultiSite forum :) Posting related but not identical issues in a forum makes it harder to help anyone.

    wickedmike, to see if registration is on or off on a SingleSite install, go to Settings -> General -> Membership

    If it's checked, you allow registration.

  29. Samuel Wood (Otto)
    Tech Ninja
    Posted 2 years ago #

    @wickedmike: You do have user registration enabled. Thus the "Register" link on your site:
    http://www.wickedmike.com/wp-login.php

    Allowing user registration is a core feature, which you can turn on or off on the Settings->General page.

  30. wickedmike
    Member
    Posted 2 years ago #

    Thanks, All. I realize that it's in General Settings but on the site itself, I don't see it as an option to the general public. As said, over the past 2 years, on about a dozen sites, I've had no unwanted Subscribers in a WordPress User Role. Suddenly I have 3 on 2 websites, all with Gmail edresses that seem rotten. I thought it worthwhile mentioning even though I deleted them and upgraded to 3.2. I'll leave it at that unless there's a disaster. Thank you.

Topic Closed

This topic has been closed to new replies.