Support » Plugin: WP eCommerce » spam users in wp_users after wpsc upgrade

  • I found my wp_users table growing heavily with spam users since I upgraded to latest version of this plugin last week.
    Initially i thought it is because of wp upgrade to 3.8, but when I saw one of the user as ‘_wpsc_bot’ I suspected this is a sql injection thrrough wp e-commerce plugin. when I disabled the plugin all spam stopped.
    I found 80,000 users created in 4 days.
    As it is some kind of script/hack, you will not see these users in visitor log, no ip address and no email id of users. Only way is to disable the plugin.

    Fix it urgently.

Viewing 15 replies - 16 through 30 (of 178 total)
  • @bob Baker: I understand your frustration and am working on a fix on the UI (will be released as I didn’t try to justify the problem at all, just merely provided an explanation that all those user accounts are harmless and didn’t affect your site negatively (aside from the admin UI inconvenience).

    We always release early alpha and beta versions at least 2 weeks before the official releases so that users can test and give us feedback in time. The same will happen with (although the time difference between this and the official release will be merely days). As a result, it would really be helpful if you could try out the beta as soon as it’s out and give us your feedback. For this release, please send me an email to and I will personally notify you when the beta is ready for testing.

    I’m suspecting this is caused by another plugin that depends on WPEC. Are you by any chance using any user subscription plugin?

    @webaware: As we already admit in multiple posts above, not hiding the phantom users in the admin area is a bad idea and we’re fixing this UI issue in the upcoming minor release. That being said, we’re not switching back to using transients and option table as that solution has its own set of problems, and many users were also complaining about their options table being bloated when we did that from 3.8.9 to 3.8.12.

    @garyc40: You would get better feedback during beta phase if you tell people about the major changes you make — e.g. in the changelog of your readme file. I certainly didn’t see any hint that anonymous user sessions had been moved to wp_users, and would have checked / commented sooner if I had known to look there.

    I tend to test in a multisite testbed installation to check for new compatibility issues with my own plugins, then drop into some client dev environments to check theme compatibility, but had no need to look at the Users admin. A heads-up would have made me look there, and you would have had your feedback sooner.

    As for table “bloat”, explaining that after the fact is again not the best but what can you do I guess.

    Best of luck getting the update out before too many site owners return from xmas holidays 🙂

    @webaware: I just checked our changelog again and indeed it was too generic (“Better customer API”), so thanks for the feedback. We’ll communicate the changes better in upcoming releases.

    Thanks for the response Gary, would be really helpful if you could give an ETA for release of update. Dont want to hang you with it, but need to plan degree of interim solution.

    Gary, I appreciate these users are harmless, but this is very time consuming and we could of been warned of the problem – with a bulletin or similar, you must have admin emails on file.

    We spent 5 hours trying to find out who was spamming us, raised an issue with our hosting company, and then had to find a way of deleting users enmasse. Commercially this is costly.

    We found plugin “No Posts User Delete Plugin” v1.0 works to delete posts BUT beware if you have users without posts it will delete them, we just made sure everyone we wanted to keep had a post attributed to them.

    Glad to see this is a common problem. ETA of the update would be nice. So I know how to fix it in the meantime.

    I am relieved to find this thread as I am having the EXACT problem so I can stop spending fruitless hours searching my client’s site for malware and adding spammers but must add my plea for help to have this fixed soon! My client is not happy about this at all. Thanks!

    Also, will the release hide the thousands of anonymous users? Meaning I can stop deleting them and adding them to the spam widgets, correct?

    Thank you!

    Gary do we have an ETA yet

    I’m tagging this thread as I run some very large sites who rely on this plugin and are having this anonymous users issue!

    Please get us an ETA

    Yes, I’m have the anonymous users too. I was able to delete 250 at a time by dropping down “screen options” in the “All Users” list and changing to 250 shown at a time. It wouldn’t allow the delete with 500 users showing.

    I’m not an expert, however, a separate plugin that does maintenance might be a solution since I notice the anonymous users have a blank email field. Would a periodic delete of Role=Anonymous AND Email=blank be an easy query to automate? Assuming wp logs a creation date and time, maybe a setting for allowable age of entry or max number of entries could be included.

    My gripe is that I had to do a google search to find this thread since I don’t see a search feature on the support page of I am a gold cart paid customer but I shouldn’t have to use the paid support for this issue. I should have been able to search for “anonymous”. This thread is only listed as “spam . . .”
    Craig Carman craig.carman -at-

    I must be missing something BUT why do you need to generate an anonymous user for every visitor? I don’t see the point or need. If the visitor buys something then I get their details. If the visitor does not buy anything then the anonymous data is of no use to me nor man nor beast as it is ANONYMOUS.

    Gary Cao “Mapping each anonymous customer to a row in your database is unavoidable.”

    Can I point out that these are not customers, they are potential customers (or worse). Why do you need to map anything unless they put something in their trolley, visit the checkout, buy something. Using this data to measure conversions I can see being of use. Knowing how many visitors I get, is of use. A list of anonymous, WPEC generated users is a pile of crap that I don’t need or want.

    So please explain why I need these ‘users’.



    @gary cao
    Thanks for the insight and the work effort put into the wp-ecommerce plug-in as well as the tip regarding the auto-cleanup of this data via wp-config.php file.

    I am prepping another wordpress site on my local development server with wordpress (latest version) and this plug-in (latest version) and all is fine. Just a question regarding these “anonymous user” accounts and what WPEC sees as a “customer session”.

    I am the only “customer” testing this (local/secured development environment) but somehow have 19 (so far) instances of anonymous user (users) in 12 hours of installing WPEC.

    Can you give a litte more info on what declares an “anonymous customer”?

    For example why did WPEC create 19 anonymous users for one customer (me)?

    If I user a different browser (new cookies) I assume it creates one, anything else?

    Best Regards,

    This is a mess! The bulk delete plugin is not even working I suspect due to the 22,000 users I am trying to remove. The auto cleanup is obviously not working. nor is the

    define( ‘WPSC_CUSTOMER_DATA_EXPIRATION’, 12 * 3600 );

    Confirm, another one – by luck I spotted this thread as I thought I was under a major attack.

    With wp-ecommerce disabled, none are created. Turn it on and around one user a second is created. My shop is not seeing anywhere near this number of visitors (I wish!).

    It is being crawled by several bots, which may be the reason.

    The users are up to six days old and I had over 5,000 of them.

    Would appreciate something that didn’t cause this issue and would have preferred something that made it a lot clearer these were legitimately created users and my site was not in fact under attack, such as naming the users “_wpec_temp_user_randstring”

    Identified using this query, and deleted manually initially.

    SELECT * FROM wp_users WHERE user_login LIKE ‘\_%’

    22159 	_0a3jhAzO 	$P$REDACTED/ 	_0a3jhazo 	  	  	2014-01-06 13:33:23 	  	0 	_0a3jhAzO
    22160 	_Gtfkdlfu 	$P$B4Zi0lxMD.REDACTED/ 	_gtfkdlfu 	  	  	2014-01-06 13:33:24 	  	0 	_Gtfkdlfu

    Hi … Would appreciate an ETA as to when this will be fixed. The ‘define( ‘WPSC_CUSTOMER_DATA_EXPIRATION’, 12 * 3600 );’ didn’t have any effect and am having to delete stuff manually.

    This is killing my large customers! need ETA pls

Viewing 15 replies - 16 through 30 (of 178 total)
  • The topic ‘spam users in wp_users after wpsc upgrade’ is closed to new replies.