Support » Plugin: WP eCommerce » spam users in wp_users after wpsc upgrade

  • I found my wp_users table growing heavily with spam users since I upgraded to latest version of this plugin last week.
    Initially i thought it is because of wp upgrade to 3.8, but when I saw one of the user as ‘_wpsc_bot’ I suspected this is a sql injection thrrough wp e-commerce plugin. when I disabled the plugin all spam stopped.
    I found 80,000 users created in 4 days.
    As it is some kind of script/hack, you will not see these users in visitor log, no ip address and no email id of users. Only way is to disable the plugin.

    Fix it urgently.

Viewing 15 replies - 151 through 165 (of 178 total)
  • Haaalp!

    I can copy/paste mysql commands but I’m not sure what I need to do to scrub this mess. I’ve tried some plugins but can’t seem to run anything much from the Admin Panel.

    I’m also thinking a new installation without importing users might take care of the problem.


    Heres what I did to clear out my database bloat using phpmyadmin

    DELETE FROM wp_users WHERE ID >[a number which is higher than your maximum valid user ID ]


    DELETE FROM wp_usermeta WHERE user_id NOT IN
    (SELECT ID FROM wp_users)

    However this is not helping as new users are created a rate of one to three new users per second
    and about 8 rows per user in the user_meta table

    I still do not believe that these new users are created by site visitors – the wpsc appears to have gone cancerous

    Thanks pheriche, the site is working again. If I did it again, I’d add code so it batch deleted records as it hung the database for a long time.

    I will disable the bookstore until the authors fix this plugin properly.

    As far as I can tell a new anonymous user and associated metadata is created for every visitor to the site even if they go nowhere near a product page or use the shopping cart.

    To my thinking I don’t really want any sort of database record until a user actually checks out and buys something. And unless they add something to a shopping cart a site user does not need a cookie either. Especially if the cleanup of redundant data does not work very well. I am prepared to accept that I could be wrong about this but If I am it would be good if a developer could comment.

    I think sometimes companies like to put these forums up so we have a place to vent and leave them alone. I do not think the developer is reading this thread. I would like to recommend that you ALL go to THIS below link and tell them how you feel about what is happening. It may help get their attention.. In that be sure to link them back to this thread.

    @desktopmasters if you are as technically capable as your web site says you would have been easily able to find the technical details behind the issue, the available solutions, and help communicate the great progress towards a really nice long term solution.

    Maybe venting in a public forum makes you feel better? I really hope so.

    I would hope that if you are smart enough to level valid criticism you are smart enough to jump on the the public repository for this open-source collaboratively developed software take a look at the issues list to see how many defects are left to fix before calling this a finished release.

    If you really care about getting a solution to the community quicker how about picking one of the remaining issues and fixing it? If you don’t like to write code then it’s even more helpful to look at the defect list and test a fix that others have submitted and confirm that it works. Often a fix that is coded in a half a day might wait weeks for independent verification that it is working. You alone could be a hero and bring the next release to us all days sooner than it would otherwise have been available.

    I wrote up a summary of my personal view of the customer profile design and implementation evolution. Give it a read if you want some clarifications.

    Key questions I would anticipate from the community regarding the customer profiles are:

    Q: When will the issue be resolved?
    A: Release 3.8.14

    Q:When will release 3.8.14 be available for download at
    A: As soon as all the issues targeted for the release are resolved and the testing of the enhancements and fixes is complete.

    Q: Is the customer profile part of the release done?
    A: Yes, but it has to be tested with all of the other changes.

    Q: Can’t this get done any faster?
    A: Yes, if you help. Jump over to GitHub and help test. If your a developer you could also finish up one of the remaining issues.

    If you are trolling I anticipate the following thought to cross your mind
    Q: How can I convince the rest of community that you are lying, evil, have some ulterior motive and at the same time make me seem smarter than I am and make the rest of the community feel uncomfortable that all that is possible isn’t being done?
    A: You can’t because everything is done in the open. The issue list, development and testing discussion, coding activity and everything else is available for anyone to see on GitHub.

    Thank you for the update Pye
    I look forward to the results of your labours in fixing this
    My website no longer has an ever expanding database -its calmed down to just having a few thousand users instead of a few million – maybe after I cleared the tables manually then the cron cleanup had a chance to do its work without bringing the server to a crawl

    @Pye Brook, I am not sure how you fit into all this.. however… Nothing I have said is incorrect or untrue. I am PAID user of this product like the rest. And for you to suggest that I should not be upset at the way has handled this is just silly. Look at all the pain this has caused so many people. I am sure MANY more people than have shown up on this thread.

    You listed out a very nice Q & A that really had no answers. We have been asking when and if this is going to be resolved. Your answer: When it gets done. That is actually a bit rude. Do you or ANYONE know if they are going to take the temporary user system out? I really want to know? That has been another question asked quite a bit.

    I paid my programmer to clean my database then removed restored my backup of the plugin. YOU should do the same. Your format may have been different but you pretty much stated what I have been asking all along. I suggested getting a hold of the plugin prior to the change to others. Instead of bashing me perhaps YOU should post the link to it as I have NO CLUE where it is.

    I am not sure who you directed the “trolling” comment at. But it made no sense to me and I am sure has very little to do with what is going on here. There is NO TROLL this is ACTUALLY happening to people.

    Again, I urge all people who read this thread to contact the publisher of this plugin at and urge them to post a due date to solve this issue and URGE them to remove the entire use of temporary users and switch to their own private sessions table.

    ~ Merlin!

    When is this update finally released? Website turns terribly slow and have to delete 10’s of thousands anonymous accounts manually. If anyone can post a well explained temporary solution.. PLEAS POST IT. With all the small parts of snippets in this thread i’m still not able to produce a temporary fix… (i have phpmyadmin access)

    Here is an easy to implement temporary SOLUTION. I spoke to the programmer that set this up for me, and he informed me that the plugin folder is not modified (I wish I had known this sooner). I have zipped up my version of the plugin from before the version that implemented the user accounts solution. This version will NOT create user accounts. I am still disappointed that GetShopped has not supplied us with this or given us any tangible information. I still feel like they could redeem themselves by releasing an official version of this and some sort of timeline.

    This is zipped up from my plugin folder and I take NO responsibility for its contents or affect on your site. However, I am fairly certain it will solve your problems, although it will obviously be missing any of the most recent but fixes and features.

    Again, I urge all people who read this thread to contact the publisher of this plugin at and urge them to post a due date to solve this issue and URGE them to remove the entire use of temporary users and switch to their own private sessions table.

    ~ Merlin

    and will this also empty al usermeta from the database? Is there a simple query i could run to delete al information above userid 7? I only have 7 legit users 🙂

    finally i have to deactivate the plugin..

    @desktopmasters Thank you very much. I have downloaded that file and now all is working like normal again. I’ll just have to wait for a better update from wpsc, but i guess that could take a while. I have figured out how to delete all anonymous users and their meta using SQL. If someone wants to know how, let me know in this thread

    @newzoo I am pleased to hear I could help make your world a better place.

    @alfredo49 Try using the plugin version I posted it will stop the problem. But then do NOT update after until we hear they have removed this silly feature from the plugin.

    @getshopped I am very disappointed in you. You should have eMailed us about this issue and you should have posted that version as I did or you should have rolled back your plugin. You should tell us WHEN (time frame) we will have this issue resolved and if you plan to take this temporary user thing out entirely as it really breaks your plugin. Especially on multisites like mine.

    Go to the getshopped website and tell them how they have affected your life with this problem and ask them for the above information. I think you can post to their website here:

Viewing 15 replies - 151 through 165 (of 178 total)
  • The topic ‘spam users in wp_users after wpsc upgrade’ is closed to new replies.