I have had 2 "subscribers" automatically become Users instead of subscribers. They do not appear under Subscribers nor on my MailChimp list. And with edresses such as "jes.p.erv.erefuj@gmail.com" furthers the notion that a back-door has been found into WordPress. Thank goodness my setting was on the default User Subscriber rather than editor or admin.
[resolved] [closed] Spam subscribers becoming users through backdoor? (39 posts)
-
wickedmike
Posted 11 months ago # -
Knut Sparhell
Posted 11 months ago #What do you mean by "become Users"? Subscribers are users with only read access. Do not confuse WordPress subscriber role with subscribers to a mailing list. There is no connection.
You never set the default user role to Editor or Administrator, unless you are running a sandbox. At least not when your blog is open for users to register themselves. You are aware that you may turn that feature off?
And exactly why do you suspect a "backdoor", other than plain user registration?
Please do not use ALL CAPS in the subject line. It looks like SCREAMING.
-
Posted 11 months ago #Thanks for the response.
Literally, became Users in a WordPress Role. How could they that if there wasn't an option to do so. I never added them. And, as said, the edresses are dodgy.
-
There is no default role in WordPress called "Users". Have you set up some custom user roles?
-
Posted 11 months ago #There is such an option. Are you aware of the Settings - General - Membership: Allow any user to register? If ticked, anybody can become a user, preferably with the subscriber role (se below that option)
-
Are you aware of the Settings - General - Membership
That's added by a plugin that sets up custom roles - as per my original question. It's not part of WP core.
-
Posted 11 months ago #I'm thought i was with Knut on that. I've always had Settings -> General -> New User Default Role.
I have made about a dozen WordPress sites. Having 2 unidentified people become Subscribers in a default user role was a first for me. I may have deleted them and upgraded WordPress but i still feel it was of enough concern to share.
-
There is no User role in WordPress core. See Roles_and_Capabilities. Nor is there a Settings - General - Membership menu in core. These are being added by a plugin.
-
Posted 11 months ago #I don't understand because there's always been an option to be an Administrator, Editor, Author, Subscriber.
-
Posted 11 months ago #@esmi: That is not added by a plugin. It's a checbox that tells WordPress to accept registrations. It's in core.
If you have other roles than subscriber, contributor, author, editor and administrator, then you have plugin that lets you define new roles. I thinks this is not the case here.
@wickedmike: I had a couple of spam user registrations every day until a made it more difficult to register on tyhose blogs that was most spammed or "probed" by this.
A subscriber has no rights to change anything and may only se a few statistics about the number of posts and comments, theme ad widgets and so on. A subscriber can not read unpublished or private material or list plugins. (Unless you change the capabilities, that is.)
The only reason registeringand then stay a subscriber is that you may comment without entering your name and e-mail address.
-
Yes - and Contributor. But no "User". That's a custom role. And since it's been created via a plugin, this does suggest that the plugin itself may have inadvertently opened up a hole.
-
Posted 11 months ago #Thanks all! Nice that people bother to give their input.
I'm not overly worried but always cautious after being hacked by fundamentalists on a previous, non-Wordpress site. It's worthwhile mentioning in case others had had the same experience, after all, people doing what they shouldn't be doing can only mean bad intention of some sort.
I'll rest on this thread but hopefully it stays open for a while in case there's a repeat.
Thank you.
-
If you have other roles than subscriber, contributor, author, editor and administrator, then you have plugin that lets you define new roles. I thinks this is not the case here.
Just to reiterate - The role NAMED 'User' would be a newly defined role. Something made it.
wickedmike - What plugins ARE you using?
-
Posted 11 months ago #Sorry for being unclear. I was speaking of User roles and not a role called User.
-
Okay :) That matters a GREAT deal!
So to unravel all this, can you explain what you mean here:
I have had 2 "subscribers" automatically become Users instead of subscribers.
What user role were they granted?
-
Posted 11 months ago #Subscriber which is default.
Main point is that i never added them and there is no option for them to add themselves. And their edresses were obviously not real.
-
Do they show up under your users list?
You said before that they did not but that seems contradictory now, and how would you see them if not on the list...
WHERE are we seeing these subscribers, I guess is the question :)
-
Posted 11 months ago #Settings -> Users -> All Users.
-
So what you really mean from all this is
"I have registration turned off, but regardless, two users suddenly showed up, as subscribers, on my site."
What plugins are you using?
While it is possible this is a WP security hole, lets start with the likely suspects :)
-
Posted 10 months ago #Firstly, how do i turn registration on or off? I just don't see it as an option on the site live. What i see it as is a Dashboard User function. I enter a user role if i want someone to have access or contribute.
For general subscribers, on these 2 sites, i used the Mailchimp plugin. Are you wanting me to list all Plugins? I tend to use more well known ones so that there'd be less problems.
PS: I just had it happen on another of my sites but with different email, also Gmail, and producing no results from a Google search.
-
calisun
Posted 10 months ago #Same thing happened to me yesterday.
On my site I have registration turned off, I have comments turned off for all my blogs and I don't have any plugins installed.
Yet yesterday I received and email that I have two replies that need to be approved.
As soon as I logged in to my dashboard, I marked comments as spam. Right now I don't see these users in my user list, but I am not sure if they were there before I marked their comments as spam.As stated before, they had strange/ fake email. Their IP was from Germany and they posted spam about viagra which pointed to a Russian based page.
-
Posted 10 months ago #If it was normal spam, and them not becoming Subscribers within the WordPress dashboard itself, then it would be a different issue, Calisun.
-
frikafrax
Posted 10 months ago #I've been wondering about the possibility of a vulnerability or bug myself.
While I do have open registration, I've used a combination of an application firewall and several plug-ins that has proven to be highly effective in keeping spam and fake subscribers away.
The targeted blog in its current form has been online since 2008. Historically, I haven't seen a fake subscriber sign-up within the last two years, though not for a lack of trying on the spammers' behalf as shown by my logs.
But after upgrading to WordPress 3.2 and within the last day or so, I've had 70+ (and counting) fake subscriber sign-ups . Now the spam bots are able to create new subscriber accounts, waltzing through the application firewall and plug-ins as if they weren't there.
I do concede the possibility that this could just be coincidence. But the timing of the upgrade and then the sudden success that spammers are having at creating subscriber accounts despite months/years of failing is certainly curious as well as disconcerting.
-
Posted 10 months ago #If it was normal spam, and them not becoming Subscribers within the WordPress dashboard itself, then it would be a different issue, Calisun
My point was NOT if they show up or don't show up as users. Like I said, I marked them as spam before going to user list, so I don't know if they were there.
My point was that I have signup disabled and I have comments disabled on all my posts, yet somehow two accounts were created and two comments were posted on my site. One good thing is that the spam was not published, it waited for my approval.
-
Dion Hulse (@dd32)
Posted 10 months ago #So, To those of you that are seeing these spam signups, even though you have the "users can register" option turned off, What Plugins are you running? and to confirm, they're recieving the "Subscriber" user role?
Are the signups ongoing, or did they simply show up after the 3.2 upgrade, and you havn't seen any extras? (if this was the case, it's likely you had a old infection which was being hidden via CSS)
If they're ongoing, do you have access to the server logs for that time period? If so, is there any sign of a cause in there? (And if you're not able to interprate them, are you willing to send them along to the WordPress.org Security Team?)
It seems rather pointless for a bot to be exploiting WordPress and "only" creating Subscribers, they've got no permission to do almost anything.. I've seen some OAuth/Facebook Connect/etc style plugins ignore the WordPress users can register option and create accounts for any user which asks for one.. so thats a potential source of unprivledged accounts..
-
Posted 10 months ago #Like I said, I marked them as spam before going to user list, so I don't know if they were there.
Are you running MultiSite then?
-
Posted 10 months ago #Are you running MultiSite then?
Yes, I am running a Multisite, with signup disabled and comments disabled.
I will try to look at logs on Monday. -
Calisun, please make a NEW topic in the MultiSite forum :) Posting related but not identical issues in a forum makes it harder to help anyone.
wickedmike, to see if registration is on or off on a SingleSite install, go to Settings -> General -> Membership
If it's checked, you allow registration.
-
@wickedmike: You do have user registration enabled. Thus the "Register" link on your site:
http://www.wickedmike.com/wp-login.phpAllowing user registration is a core feature, which you can turn on or off on the Settings->General page.
-
Posted 10 months ago #Thanks, All. I realize that it's in General Settings but on the site itself, i don't see it as an option to the general public. As said, over the past 2 years, on about a dozen sites, i've had no unwanted Subscribers in a WordPress User Role. Suddenly i have 3 on 2 websites, all with Gmail edresses that seem rotten. I thought it worthwhile mentioning even though i deleted them and upgraded to 3.2. I'll leave it at that unless there's a disaster. Thank you.
Topic Closed
This topic has been closed to new replies.
