Host shut down my WP blog because of spambots (24 posts)

  1. EditorB
    Member
    Posted 8 years ago #

    My webhost (Midphase) shut down my site because of a "massive amount" of connections, presumably from spambots attacking my WP install. The volume was such that it was bringing Apache to its knees.

    The tech admin's exact words:

    "There was huge numbers of connections to your wp-comments-post.php file. Probably the connection was generated by spam bots."

    They won't restore my account until I "fix" it, and they advised me to ask for help over here.

    I feel this is somewhat unfair, since my host offers WP as an autoinstall. However, I did install this version myself.

    I think it was version 2.0.1. I was running Akismet, and it was catching a lot of spam.

    Does anyone have any advice for me? Would upgrading to 2.0.5 help? Or do I just need to find a new host? (I hope not!)

    Editor B

  2. Trent Adams
    Member
    Posted 8 years ago #

    There were a few security fixes with 2.0.5 and that will be a big improvement. As well, Bad Behavior is a huge saver of stopping unwanted traffic and spambots before they can do much to your site.

    http://error.wordpress.com/2006/12/15/bad-behavior-208/

    There is more information on that page. As well, if the spambots are commenting like crazy, take a look at Akismet. Just search for it in the forums.

    Trent

  3. vkaryl
    Member
    Posted 8 years ago #

    Another option is Spam Karma 2 from http://unknowngenius.com/blog/wordpress/spam-karma/

  4. moshu
    Member
    Posted 8 years ago #

    There was another plugin update posted today:
    http://wordpress.org/support/topic/84820?replies=7

  5. vkaryl
    Member
    Posted 8 years ago #

    Yup, forgot about that one, I like it too! Thanks for the update info, moshu....

  6. EditorB
    Member
    Posted 8 years ago #

    Thanks for the help. I was using Akismet and Spam Karma, but it seems to me that such plug-ins only delete spam after the bots have already posted. This is good for the blogger but doesn't reduce the load on the server. Bad Behavior might do the trick, though. I'll post a follow-up note to let you know how it goes.

  7. moshu
    Member
    Posted 8 years ago #

    Yes, BB kills them before. Although the plugin at the link I've posted above also claims to stop them before reaching the wp-comments-post.php file.

  8. EditorB
    Member
    Posted 8 years ago #

    Well, I installed Bad Behavior and thought that solved the problem. But now midPhase has suspended my account again.

    They say: "I don't see how we can enable it because every time I enable the account the server gets flooded with thousands connections to b.rox.com

    "We cannot host this site on shared server, it puts down the whole server with hundreds users on it."

    They want me to upgrade to a VPS, which costs $50/month, a bit more than the $12 I'm paying now. I'm on the line with tech support now.

  9. czimmerman33
    Member
    Posted 8 years ago #

    I'm having the same problem with my primary WP account on HostGator. They've moved me to a temporary server and are threatening to shut it down.

    Akismet has caught over 83,000 comment spams in the last 9 days on this site. I have over 2,600 posts with comments enabled.

    Anyone know of a way to easily disable comments on all the old posts?

  10. vkaryl
    Member
    Posted 8 years ago #

    There's a plugin I think.... take a look here: Plugins - specifically in the comments plugins section.

  11. EditorB
    Member
    Posted 8 years ago #

    I don't know if disabling comments on old posts will do the trick though. I bet the spambots will (stupidly) keep requesting the wp-comments-post.php even with all comments disabled. I'd certainly be interested in hearing if it works for czimmerman33.

    As for me, my host has shut me down. I found the customer service less than satisfactory. I am considering moving to another host. But what will I do if the spambot problem follows me?

    I'm at a loss, completely mystified. I thought Bad Behavior would satisfy the overloading concerns. I'm quite sure I installed it correctly -- it's very simple to deploy, and it evidently was catching spam. But that didn't stop the bots from overloading the system.

    Any advice is welcome!

  12. EditorB
    Member
    Posted 8 years ago #

    More follow-up: They let me look at the logfiles. There were over 10,000 requests for wp-comments-post.php in four hours. I suppose that is a lot. They said this was bringing the whole server down. I don't know enough to know whether this was really caused by spambots or if it was some sort of DoS attack.

    The more I think about it, I don't believe any plugin or even removing the file or closing comments would have helped. I suggested removing wp-comments-post.php but they said that wouldn't help because it's the requests themselves that are overloading the server.

  13. whooami
    Member
    Posted 8 years ago #

    That's a lot, and I would definitely call that a DOS attack.

    Is that the site that's in your profile?

    You don't by chance use that domain for any bouncers on irc or anything, do you? I used to use my domain for vanity host bouncers, and one Saturday, my T1 got hammered for about 5 hours while I slept.

    I'm positive that it was a result of having the domain on irc.

  14. czimmerman33
    Member
    Posted 8 years ago #

    I installed this plug-in on a personal site to test it before trying it on the one that's being attacked: http://codex.wordpress.org/Plugins/Auto_shutoff_comments

    I changed the interval to 1 day since it's set up for 21 days. It appears to work. There's code for applying the same to pings if you need it too.

    I'm going to try it on the site that's getting hit so hard today. My hosting company "abuse" dept. sent me this note this morning: "Hello, While on temporary (server) it appears you had an attack hitting the wp-comments-post.php page. I have had to disable this to keep the server alive. You were getting over 300 hits a second to this page all from different IP's. We apologize for having to disable the script, however we wanted to make sure we could keep your site up as you do the move. Thank You. If there is anything else we can assist you with please do not hesitate to ask."

    I'm in the process of moving to a new hosting company that may be able to provide some support for this issue.

  15. Samuel Wood (Otto)
    Tech Ninja
    Posted 8 years ago #

    While this is not a perfect solution to the problem, it might help.

    In your theme, look in your comments.php file (or it may be in other files in your theme). Wherever users can post comments will be something like this:
    <form action="<?php echo get_option('siteurl'); ?>/wp-comments-post.php"...

    If you change the "wp-comments-post.php" to something else and then rename that file to that same thing, then they won't be pounding hell out of your server anymore. In its place you can put a new wp-comments-post.php file which just does this:
    <?php header("HTTP/1.0 404 Not Found"); ?>

    You can then tell your host that since you no longer have any references to that file on your site, that anybody hitting it is DoS attacking you.

  16. Ghidra99
    Member
    Posted 8 years ago #

    Good call, Otto.

    Furthermore, is this being addressed in future updates of WP? This seems to be a growing problem.

    Maybe someone could make a sticky of all the links in the Codex that help make WP secure?

  17. whooami
    Member
    Posted 8 years ago #

    bah!

    make WP secure..

    That's not about security. And what would you have addressed in future versions that would stop the original poster's problem??

    Apache has a very simple mod that addresses those sorts of 'attacks', btw. Accordingly so.

  18. Ghidra99
    Member
    Posted 8 years ago #

    Haha.

    I meant to say "Additionally," before that bit. ;)

  19. whooami
    Member
    Posted 8 years ago #

    honestly though, there's very little that can be addressed at an application level that will ****prevent**** what he/she described. After the fact though, upstream IP bans using iptables are what's needed, and when the use of multiple IPs is involved that's hard to do.

    It would be nice if more hosts employed DNSBL lookups as well as simple DNS .. few do. They're server intensive, and maintaining local copies is uhh.. too much work. Not really. But that's what they'll say.

    They wait for Apache to do its work, and most times, don't provide the right tools for it to do anything.

  20. EditorB
    Member
    Posted 8 years ago #

    whooami, yes, the site in question is the one in my profile, b.rox.com. I don't even know what an irc bouncer is, so I'm pretty sure that wasn't the issue!

    Otto42, I asked about the idea of renaming wp-comments-post.php and they said that wouldn't help (as even a 404 response will still overload the server with that many connections). I don't think reclassifying this as a DoS attack rather than a spambot attack will make any difference to my host. They told me if it happened again they'd suspend my account permanently. Nice huh? So the site remains offline.

    czimmerman33, I wish my host had the courtesy to notify me. Instead they suspended my account, including about a dozen other domains hosted on my account, which really ticked me off, so I'm looking to move now too.

  21. Samuel Wood (Otto)
    Tech Ninja
    Posted 8 years ago #

    I asked about the idea of renaming wp-comments-post.php and they said that wouldn't help (as even a 404 response will still overload the server with that many connections). I don't think reclassifying this as a DoS attack rather than a spambot attack will make any difference to my host. They told me if it happened again they'd suspend my account permanently. Nice huh?

    Change hosts immediately. If they're willing to suspend your account for actions that they even admit are not your fault, then you don't need to do business with them.

    Oh, and I'd tell everybody who they are as well, so we can not do business with them either.

  22. EditorB
    Member
    Posted 8 years ago #

    Believe me I'm researching other hosts right now.

    I had quite a few good years with midPhase, and often recommended them to others. I kind of hate to leave, but they really leave me no choice.

  23. Ghidra99
    Member
    Posted 8 years ago #

    EditorB, http://www.networkredux.com was mentioned to me a few weeks ago as a viable alternative to APlus.net (who seem to be just as bad as midPhase).

    Perhaps a thread listing less than stellar hosts and ones who work fantastically?

  24. EditorB
    Member
    Posted 8 years ago #

    Following up again. I'm happy to report it looks like I'll be staying with midPhase for a while. Read the full story on my blog which hopefully will stay up for a long time!

    http://b.rox.com/archives/2006/12/20/disconnected-part-iii/

    Also, I'm now trying the fix which is mentioned here:

    http://codex.wordpress.org/Combating_Comment_Spam/Denying_Access

    Namely, the "no referer" block.
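
Post 12 wonders what the log files actually show, and the last post tries the Codex "no referer" block. As an added example (not code from the thread, the Codex or WordPress), this Python sketch summarizes POSTs to wp-comments-post.php in an Apache combined-format access log: total, distinct client IPs, peak per second, and how many arrived without a Referer on the blog's own host, which is the traffic a referer rule would turn away. The host blog.example and the log lines are constructed.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, hypothetical host blog.example).
SAMPLE = """\
192.0.2.10 - - [19/Dec/2006:03:14:07 -0600] "POST /wp-comments-post.php HTTP/1.0" 200 512 "-" "-"
198.51.100.7 - - [19/Dec/2006:03:14:07 -0600] "POST /wp-comments-post.php HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [19/Dec/2006:03:14:07 -0600] "POST /wp-comments-post.php HTTP/1.1" 200 512 "http://spam.example/" "Mozilla/4.0"
192.0.2.10 - - [19/Dec/2006:03:14:08 -0600] "POST /wp-comments-post.php HTTP/1.0" 200 512 "-" "-"
192.0.2.44 - - [19/Dec/2006:03:15:30 -0600] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://blog.example/archives/2006/12/01/hello/" "Mozilla/5.0"
192.0.2.44 - - [19/Dec/2006:03:15:31 -0600] "GET /archives/2006/12/01/hello/ HTTP/1.1" 200 9000 "http://blog.example/" "Mozilla/5.0"
"""

def summarize(lines, site_host, target="/wp-comments-post.php"):
    """Summarize POST requests to the comment handler in an iterable of log lines."""
    per_second, ips = Counter(), Counter()
    total = offsite = 0
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != target:
            continue
        total += 1
        ips[m["ip"]] += 1
        per_second[m["ts"]] += 1  # log timestamps have one-second resolution
        # A browser submitting the theme's form sends a Referer on the blog's own host.
        ref_host = re.sub(r"^https?://", "", m["referer"]).split("/", 1)[0]
        if ref_host.lower() != site_host.lower():
            offsite += 1
    return {
        "posts": total,
        "distinct_ips": len(ips),
        "peak_per_second": max(per_second.values(), default=0),
        "no_or_offsite_referer": offsite,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines(), "blog.example"))
```

A high share of off-site or empty referers spread over many distinct IPs matches what the hosts in this thread described; the per-second peak is the number to compare against figures like the "300 hits a second" quoted above.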

Topic Closed

This topic has been closed to new replies.
