I have already suffered an actual 'email injection' breach because I was unaware that WP-ContactForm v1.1 needed to be updated to v1.4.3 (for WP2.0.1). Bad Behavior v1.2.4 is now also active; it's currently 412'ing the continuing email injection attempts. MySQL is filling up.
Hoping to quash the current takeover activities, I have implemented the password protection [sic] feature on the contact form's static page. Another static page called 'password' shows a simple cryptic clue to the password, i.e. it'll stop robots/scripts but not people.
The logs show nice people going through the password area and on to the contact form.
The logs show nasty scripts completely ignoring, i.e. bypassing, the password area and implementing the POST directly.
How is this allowed!? More importantly what may I do to defend my WordPress sites?
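The behaviour described above follows from where the check lives: the password gate protects the page that renders the form, while the plugin's POST handler is a separate endpoint that enforces nothing on its own. The following added example (not WordPress or WP-ContactForm code; the session id, field names and the HMAC token scheme are assumptions for illustration) shows the two server-side checks that close the gap: the handler itself verifies a token issued by the gated page, and it rejects line breaks in any field that ends up in a mail header, which is the email-injection vector the post mentions.

```python
import hmac
import hashlib
import re
import secrets
import time

# Server-side secret, generated at startup (constructed for this example; a real
# deployment would load it from configuration so tokens survive restarts).
SECRET = secrets.token_bytes(32)
TOKEN_MAX_AGE = 3600  # seconds a gate-page token stays valid

# Fields copied into mail headers; a CR or LF here is the email-injection vector.
HEADER_FIELDS = ("name", "email", "subject")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def issue_token(session_id, now=None):
    """Mint a token bound to the visitor's session; the gated page embeds it in the form."""
    ts = int(time.time()) if now is None else now
    mac = hmac.new(SECRET, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def verify_token(session_id, token, now=None):
    """True only if the token was minted by us, for this session, and is still fresh."""
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except (AttributeError, ValueError):
        return False
    current = int(time.time()) if now is None else now
    if ts > current or current - ts > TOKEN_MAX_AGE:
        return False
    expected = hmac.new(SECRET, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def check_submission(session_id, form):
    """Validate a POSTed contact form in the handler itself; returns (accept, reasons)."""
    reasons = []
    # The check the gate page cannot do: prove this POST came through the gated form.
    if not verify_token(session_id, form.get("token", "")):
        reasons.append("token missing or invalid: POST did not come via the gated page")
    # Header injection defence: no control characters in anything that becomes a header.
    for field in HEADER_FIELDS:
        value = form.get(field, "")
        if "\r" in value or "\n" in value or "\0" in value:
            reasons.append(f"{field}: control character in a mail header field")
    if not EMAIL_RE.fullmatch(form.get("email", "")):
        reasons.append("email: not a single well-formed address")
    return (not reasons, reasons)
```

Logging the returned reasons gives a direct count of direct-to-handler POSTs versus genuine gated submissions, which is the distinction the logs above could only show indirectly.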