Support » Plugin: WP eCommerce » spam users in wp_users after wpsc upgrade

  • I found my wp_users table growing heavily with spam users since I upgraded to latest version of this plugin last week.
    Initially i thought it is because of wp upgrade to 3.8, but when I saw one of the user as ‘_wpsc_bot’ I suspected this is a sql injection thrrough wp e-commerce plugin. when I disabled the plugin all spam stopped.
    I found 80,000 users created in 4 days.
    As it is some kind of script/hack, you will not see these users in visitor log, no ip address and no email id of users. Only way is to disable the plugin.

    Fix it urgently.

Viewing 15 replies - 1 through 15 (of 178 total)
  • I had the same problem. Had to disable and delete over 6 thousand users and their metadata in mySQL. Created PHP errors, memory errors. Pain in the neck.

    Don’t know a solution yet

    Plugin Author Justin Sainton


    Hi guys,

    I’m sure this is all really frustrating on your end of things. I want to assure you, first off, that this is NOT a hack or spam or anything of that nature. To speak to the “_wpsc_bot” issue, you can review the _wpsc_maybe_setup_bot_user() function and inline documentation therein to understand more of the purpose for that.

    In our latest release, we iterated on how we store customer data in our Customer Meta API. Part of the problem we’re attempting to solve here is how to coherently store user data when a user may exist as a visitor or as a customer (and transition between the two). Not an easy problem to solve.

    Part of the solution was to create anonymous users with an anonymous user role. That’s the role you see (wpsc_anonymous) that is being filling your user tables. WP e-Commerce runs a cron job every hour two purge those users (and their user meta) when they are more than two days old.

    Resolving the issue you’re encountering here is really a two-pronged approach. First and, in my mind, most important – you mention encountering PHP errors, memory errors, etc. If we’re able to identify what is causing this and resolve that – that’s our foremost priority. We tested this system with it creating hundreds of thousands of entries in user tables on low-budget shared hosting systems with no major issues. If you’re encountering problems, we’d love to be a part of the solution.

    Second is a UI issue – there’s no reason for you to ever see the “Anonymous” role for a user. As you’ve experienced, it’s confusing and an unnecessary interface for what is a low-level abstracted API.

    If you’re able to help us craft a more helpful and elegant approach here, we’d appreciate the input. I think the API itself is actually fine (though after seeing some of the initial feedback, I might opt for a quicker purge cycle) – it’s mostly a matter of UI and figuring out what, if anything, we can do about errors you’re seeing. Would you be able to forward us the PHP/memory errors from your logs?

    For more context, see this pull request, and this issue (among many others).

    Thanks for the feedback Justin.

    I’m personally very sorry that you guys are having issues! We’ll hopefully all get this sorted asap and any help in the meantime would be much appreciated.


    Deleting the 200,000 rows in mySQL that the wpsc_bot created from 6,500 anonymous users fixed the memory and php errors for me. But as soon as I enable the WP eCommerce plugin, it begins generating anonymous users again so it remains disabled until I figure out a fix

    Hi kscott29. I’m also having the same problem on two sites, I rolled back to and used a database back up from 26th dec (the backup I made before upgrading to ) for now everything is as it should be.
    I will wait for a fix and then wait some more for people to report the fix works before upgrading again.

    Best wishes
    Martin Black

    Holy cow, this cannot be a feasible solution, guys. This is horrendous.
    Like everyone else I am looking at a huge list of anonymous users and it’s growing by the minute. How is this possible? My site doesn’t even have that many visitors, let alone transactions.

    You are also saying “WP e-Commerce runs a cron job every hour two purge those users (and their user meta) when they are more than two days old.” – how can this be if mmln (above, who started the thread) is looking at 80,000 such user accounts generated over 4 days?

    IMHO this really needs to get fixed.

    Hi everyone,

    First of all I would like to say that this is a common issue and implementation in almost all good e-commerce systems out there, including WooCommerce, JigoShop etc. Here’s an example: . Mapping each anonymous customer to a row in your database is unavoidable. If you have 80,000 anonymous hits (spam, bots and real users combined), then invariably, you’ll have 80,000+ new rows in your database (unless there’s a bug in WPEC that create 3 user accounts for one anonymous customer, which is unlikely because the majority of our users and all of our test sites don’t have this problem).

    Prior to WPEC 3.8.9 (if my memory serves right), anonymous customer sessions are recorded in PHP sessions, which is not compatible with a lot of server configurations. So from 3.8.9 we switched from using PHP sessions, to storing anonymous customer data in transients, and eventually in user and user meta tables as we’re doing now in 3.8.13.

    There are a few things I would like to clarify about the situation with customer data:

    1. Your site might have more anonymous traffic than your Google Analytics statistics show. The reason is because Google Analytics (and the likes) have already filtered out traffic from legitimate as well as spam bots (which could be 5 to 10 times the amount of real organic traffic, we’ve seen that many on A better visit count could be obtained by getting the number of unique IPs in your server’s access log.

    2. Every e-commerce system stores anonymous customer data behind the scene, they’re just not showing it. We’re sorry for not hiding all those accounts by default. This will be fixed in the next release.

    3. WPEC has a mechanism to filter out as many bots as possible that access your site, so that those will not create new user accounts, but it cannot replace a full-blown spam recognition and protection service. If you have 80,000 anonymous accesses in 4 days, and a lot of them are from spam bots, you need to do something on your server to prevent as many bots as possible. If all those 80,000 visits are by legitimate users, then what you need is a better server to handle that traffic. The size of the database is the least of your worries. Of course I cannot rule out the possibility that you probably have only about 5k anonymous users but somehow 80k accounts are generated, in which case, please email me at and I will help you verify whether this is indeed the case.

    4. The leading e-commerce plugins such as WooCommerce, Jigoshop and WP e-Commerce in version 3.8.12 all use transients to store customer data (hence, threads like this: What this means is, if you have 80k anonymous hits in 4 days, this would be blown into 160k transient rows in your options table. This could be a performance issue when you have a lot of anonymous customers. As a result, in 3.8.13 we migrated to using user account and user meta, which is a more viable option. The anonymous customer data has to go somewhere, and the user & user meta table is the “less bad” place for them. We just need to hide all those ugly anonymous users from your admin UI so that you’re not inconvenienced by them.

    5. If your cron job is not being run and anonymous user accounts older than 2 days are still there, this could mean further issue with your server’s firewall or caching system blocking the cron job request (mod_sec could sometimes be troublesome).

    So what I would advice you to do if you have a lot of user accounts created in a short amount of time:

    1. Edit your wp-config.php file, add this line below your database configuration:

    define( ‘WPSC_CUSTOMER_DATA_EXPIRATION’, 12 * 3600 );

    What this line does is it will instruct WPEC to clear anonymous accounts that have been around more than 12 hours. Modify the 12 number above to what you deem appropriate.

    2. If you find this step complicated, shoot an email to along with SSH access to your server and I’m happy to personally help you do this, or point you to our support staff who can: verify the anonymous traffic you have on your site. Don’t rely on Google Analytics alone because that analytics would already filter out the number of legitimate as well as spam bots. Take a look at your server’s access log and you’ll have a better estimate of the traffic you’re handling by filter out the number of unique IP addresses in the last 48 hours (or 12 hours if you follow step 1 which is setting the expiration constant in wp-config.php). Then compare the number of unique IP addresses in your access log with the number of your anonymous user accounts. If the ratio is a lot more than 1 : 1 then this could mean it’s a bug in WPEC. Otherwise, you need to setup another layer of spam bot protection (mod_sec is a great solution).

    3. Make sure cron job is not being blocked and are run at the correct interval. Install the debug bar plugin, then install this to take a look at your cron schedule:

    4. If indeed all of these IP addresses are legitimate customers, and you’re concerned about the size of your user table, there are a lot of ways to mitigate this load, such as using memcached / APC, using hyperdb and separate your user table to another server etc. You have to do this anyways if you want to scale no matter what e-commerce system you use.

    How can I disable this feature all together so that there are no anonymous users being created

    Anyone? I added in the line below the database config in the wp-config file but I had no luck with it actually deleting the anonymous users after an hour or so (I set the 12 to 1). The plugin (and all of my products) remain down until I find a solution.

    Same problem here. Thousands of anonymous users registered all starting with “_”

    We need a fix and soon, please.

    For the time being I’m using this plugin to “Bulk Delete” those accounts.


    I too am having same issue with thousands of users being created.

    Just installed latest WPEC goldcart update, nothing has changed.

    WPEC still at Version

    This is complete and utter madness and I see someone actually trying to justify the problem above.

    Come on guys these are being used to run business sites, this is serious.

    This is after we wasted hours (billed time) trying to shut out the “spammers” that didn`t actually exist!

    Please, guys advise when this will be fixed.

    @ Bob Baker – I understand your frustration and I’m sorry about that. A patch should be ready and out the door sometime next week. In the meantime there are a couple of options listed about as to how to keep things manageable.

    We are not trying to justify the problem but explain how the problem came from an honest place and a desire to do things better. Like Gary said all the WordPress e-Commerce Plugins handle customer meta this way and we’ll have the UI cleaned up as soon as possible 🙂

    Hi, while you are fixing this issue I am being bombarded with 1000’s of emails like this:

    “There was an error canceling the subscription for user with ID=1000. You will want to check your payment gateway to see if their subscription is still active.

    Error: not changing?”

    I suspect it is generated when the cron job deletes the temporary users created. How can I change this so I receive no more emails?

    Thank you

    WooCommerce and JigoShop hide their temporary session data away in wp_options rows (two rows per session) where site admins don’t get to see them. Adding temporary session data as phantom users means site admins will be confronted by a sudden mess of randomly named users in the user admin screen — of course they’re going to think the website has been hacked!

    What on earth possessed you to think this was a good idea?

Viewing 15 replies - 1 through 15 (of 178 total)
  • The topic ‘spam users in wp_users after wpsc upgrade’ is closed to new replies.