Support » Plugin: WP eCommerce » spam users in wp_users after wpsc upgrade

  • I found my wp_users table growing heavily with spam users since I upgraded to latest version of this plugin last week.
    Initially i thought it is because of wp upgrade to 3.8, but when I saw one of the user as ‘_wpsc_bot’ I suspected this is a sql injection thrrough wp e-commerce plugin. when I disabled the plugin all spam stopped.
    I found 80,000 users created in 4 days.
    As it is some kind of script/hack, you will not see these users in visitor log, no ip address and no email id of users. Only way is to disable the plugin.

    Fix it urgently.

Viewing 15 replies - 46 through 60 (of 178 total)
  • @gary Cao, @gfhs mentioned a few days ago that this line of code doesn’t have an effect, I’m having the same issue.

    I copied and added the define( ‘WPSC_CUSTOMER_DATA_EXPIRATION’, 3.5 * 3600 ); to my wp-config.php file and changed the “3.5” to “3” hours and it has had no effect. It’s been 5 hours since I implemented the change. Still manually deleting users.

    Its by chance we discovered the problem wasn’t security related. For a product which claims: “We make setting up an ecommerce shop easy, and with over 2.6 Million downloads, we have unparalleled experience” it sure is a surprise that such a serious issue reaches the users without being identified.

    I remain unconvinced about the explanations as to why so many anonymous users are being created. In our site, its about 100 anonymous users for every real visitor!

    Downloading beta versions, installing temporary plugin(s) … its all too much for the non-techie user.

    A simple question for you: When will a comprehensible solution be available for the ‘everyday’ user?

    Our WP e-commerce package is disabled right now … if its not fixed over the weekend you’ve lost another user and we’ll write off the additional functionality we’ve invested in … I’m sure we won’t be the first to do so …

    The official release is coming within 24 hours. We wanted to gather as much feedback as we could about the beta so that we’re sure it fixes the issue and doesn’t cause any additional ones.

    For any pending issues that are not resolved by our package, please give us as much details as possible (your error log, if possible, your server and WP admin access so that we can debug it on your server). We will not delay the official release any longer, so any additional issues after it’s released will have to wait until the next version.


    Please check your error log as I said in the previous post. Any other clue would help. And also please confirm again that the users you’re deleting manually are indeed more than 3 hours old.

    Also you need to make sure the “define” line in wp-config.php is not below this line:

    require_once(ABSPATH . 'wp-settings.php');

    If you can’t find your error log, I can always help you debug this on your server. Please send me an email with FTP / WP admin access to


    We didn’t get much confirmation that our beta package fixes the issues so we needed to spend more time testing and make sure our fixes don’t break anything else. It’s going to happen within 24 hours anyways.

    As indicated in a lot of comments before, we couldn’t under any circumstance replicate the issue where multiple users are created for one unique visit. Hence I offered multiple times to help people debug this on their server by sending me a private email to so that we can get our support team to debug it for you asap. Simply saying you have this problem, and then refusing to test our beta package really is not helping us and yourself at all. If you don’t want to give us that chance, I’m afraid there’s nothing else we can do.

    Unfortunately for non-techie users, if they are running high-profile shops, it’s best practice to always test a beta or release on a separate testing environment before deploying it to a live store. Or at least maintain regular backups so that they can roll back when necessary (which is what we advised in every blog post). That way we can have your timely feedback and fix issues as soon as they arise while your shop is affected the least by any issues in the new release.

    @gary Cao
    Thanks a lot!I tried the WP e-Commerce beta version: and it worked for the time being…. Thanks a lot!

    We’re still waiting for it full updated version.


    @ Gary Cao

    I copied and added define (‘WPSC_CUSTOMER_DATA_EXPIRATION’, 3 * 3600) to my wp-config.php file and change-time “3” with the WP e-Commerce beta version:

    After a few hours are automatically deleted the anonymous users. Thank you.

    We look forward to the final version.

    NB: recognise that this is a solution for stand-alone sites, but not the network admin for multisite installations. For that, you’ll probably need to write a separate plugin that can be activated only on multisite, separately to WP e-Commerce.


    i noticed a large number in anon users on a site of mine a couple days ago. came here this morning to look for a way to delete them. found this thread and the functions-file fix and was going to try it. so i (backed up) and updated to new version of wpec and LO! the anon users are already magically gone!

    thanks for this thread!

    Looks like it is working and the Anonymous is filtered….HOWEVER the “All” user category still includes the anonymous users in the total. Still not 100% there IMHO.

    @ccolotti have you updated to the latest version of the plugin ?
    I am looking at the All page and it does not count the anon users.
    Can you post a screenshot maybe ?


    Updated to latest wpec
    Shows All including anonymous users

    Yes I am, the “Anonymous” bucket is no longer there, but you can see them listed in () next to all. This site only has 8 REAL users in it.

    I have a screen shot. The usernames are not LISTED, but they are accounted for in the “All (2900)” format.

    are you running the beta version that gary posted few topics back or the latest release ?

    are you running the beta version that gary posted few topics back or the latest release ?

    Latest release, updated about 30 mins ago


    I just installed the latest version, if I disconnect and I log in, a new anonymous user is created.

    If I close the site and open the back usuari anonymous disappears.

    I think it is working properly.

Viewing 15 replies - 46 through 60 (of 178 total)
  • The topic ‘spam users in wp_users after wpsc upgrade’ is closed to new replies.