WP eCommerce
spam users in wp_users after wpsc upgrade (182 posts)

  1. mmln
    Posted 1 year ago #

    I found my wp_users table growing heavily with spam users since I upgraded to latest version of this plugin last week.
    Initially i thought it is because of wp upgrade to 3.8, but when I saw one of the user as '_wpsc_bot' I suspected this is a sql injection thrrough wp e-commerce plugin. when I disabled the plugin all spam stopped.
    I found 80,000 users created in 4 days.
    As it is some kind of script/hack, you will not see these users in visitor log, no ip address and no email id of users. Only way is to disable the plugin.

    Fix it urgently.


  2. kscott29
    Posted 1 year ago #

    I had the same problem. Had to disable and delete over 6 thousand users and their metadata in mySQL. Created PHP errors, memory errors. Pain in the neck.

    Don't know a solution yet

  3. Justin Sainton
    Plugin Author

    Posted 1 year ago #

    Hi guys,

    I'm sure this is all really frustrating on your end of things. I want to assure you, first off, that this is NOT a hack or spam or anything of that nature. To speak to the "_wpsc_bot" issue, you can review the _wpsc_maybe_setup_bot_user() function and inline documentation therein to understand more of the purpose for that.

    In our latest release, we iterated on how we store customer data in our Customer Meta API. Part of the problem we're attempting to solve here is how to coherently store user data when a user may exist as a visitor or as a customer (and transition between the two). Not an easy problem to solve.

    Part of the solution was to create anonymous users with an anonymous user role. That's the role you see (wpsc_anonymous) that is being filling your user tables. WP e-Commerce runs a cron job every hour two purge those users (and their user meta) when they are more than two days old.

    Resolving the issue you're encountering here is really a two-pronged approach. First and, in my mind, most important - you mention encountering PHP errors, memory errors, etc. If we're able to identify what is causing this and resolve that - that's our foremost priority. We tested this system with it creating hundreds of thousands of entries in user tables on low-budget shared hosting systems with no major issues. If you're encountering problems, we'd love to be a part of the solution.

    Second is a UI issue - there's no reason for you to ever see the "Anonymous" role for a user. As you've experienced, it's confusing and an unnecessary interface for what is a low-level abstracted API.

    If you're able to help us craft a more helpful and elegant approach here, we'd appreciate the input. I think the API itself is actually fine (though after seeing some of the initial feedback, I might opt for a quicker purge cycle) - it's mostly a matter of UI and figuring out what, if anything, we can do about errors you're seeing. Would you be able to forward us the PHP/memory errors from your logs?

    For more context, see this pull request, and this issue (among many others).

  4. Dan Milward
    Posted 1 year ago #

    Thanks for the feedback Justin.

    I'm personally very sorry that you guys are having issues! We'll hopefully all get this sorted asap and any help in the meantime would be much appreciated.


  5. kscott29
    Posted 1 year ago #

    Deleting the 200,000 rows in mySQL that the wpsc_bot created from 6,500 anonymous users fixed the memory and php errors for me. But as soon as I enable the WP eCommerce plugin, it begins generating anonymous users again so it remains disabled until I figure out a fix

  6. Martin Black
    Posted 1 year ago #

    Hi kscott29. I'm also having the same problem on two sites, I rolled back to and used a database back up from 26th dec (the backup I made before upgrading to ) for now everything is as it should be.
    I will wait for a fix and then wait some more for people to report the fix works before upgrading again.

    Best wishes
    Martin Black

  7. nadworks
    Posted 1 year ago #

    Holy cow, this cannot be a feasible solution, guys. This is horrendous.
    Like everyone else I am looking at a huge list of anonymous users and it's growing by the minute. How is this possible? My site doesn't even have that many visitors, let alone transactions.

    You are also saying "WP e-Commerce runs a cron job every hour two purge those users (and their user meta) when they are more than two days old." - how can this be if mmln (above, who started the thread) is looking at 80,000 such user accounts generated over 4 days?

    IMHO this really needs to get fixed.

  8. Gary Cao
    Plugin Author

    Posted 1 year ago #

    Hi everyone,

    First of all I would like to say that this is a common issue and implementation in almost all good e-commerce systems out there, including WooCommerce, JigoShop etc. Here's an example: http://wordpress.org/support/topic/a-lot-of-wc-sessions?replies=14 . Mapping each anonymous customer to a row in your database is unavoidable. If you have 80,000 anonymous hits (spam, bots and real users combined), then invariably, you'll have 80,000+ new rows in your database (unless there's a bug in WPEC that create 3 user accounts for one anonymous customer, which is unlikely because the majority of our users and all of our test sites don't have this problem).

    Prior to WPEC 3.8.9 (if my memory serves right), anonymous customer sessions are recorded in PHP sessions, which is not compatible with a lot of server configurations. So from 3.8.9 we switched from using PHP sessions, to storing anonymous customer data in transients, and eventually in user and user meta tables as we're doing now in 3.8.13.

    There are a few things I would like to clarify about the situation with customer data:

    1. Your site might have more anonymous traffic than your Google Analytics statistics show. The reason is because Google Analytics (and the likes) have already filtered out traffic from legitimate as well as spam bots (which could be 5 to 10 times the amount of real organic traffic, we've seen that many on getshopped.org). A better visit count could be obtained by getting the number of unique IPs in your server's access log.

    2. Every e-commerce system stores anonymous customer data behind the scene, they're just not showing it. We're sorry for not hiding all those accounts by default. This will be fixed in the next release.

    3. WPEC has a mechanism to filter out as many bots as possible that access your site, so that those will not create new user accounts, but it cannot replace a full-blown spam recognition and protection service. If you have 80,000 anonymous accesses in 4 days, and a lot of them are from spam bots, you need to do something on your server to prevent as many bots as possible. If all those 80,000 visits are by legitimate users, then what you need is a better server to handle that traffic. The size of the database is the least of your worries. Of course I cannot rule out the possibility that you probably have only about 5k anonymous users but somehow 80k accounts are generated, in which case, please email me at gary@instinct.co.nz and I will help you verify whether this is indeed the case.

    4. The leading e-commerce plugins such as WooCommerce, Jigoshop and WP e-Commerce in version 3.8.12 all use transients to store customer data (hence, threads like this: http://wordpress.org/support/topic/a-lot-of-wc-sessions?replies=14). What this means is, if you have 80k anonymous hits in 4 days, this would be blown into 160k transient rows in your options table. This could be a performance issue when you have a lot of anonymous customers. As a result, in 3.8.13 we migrated to using user account and user meta, which is a more viable option. The anonymous customer data has to go somewhere, and the user & user meta table is the "less bad" place for them. We just need to hide all those ugly anonymous users from your admin UI so that you're not inconvenienced by them.

    5. If your cron job is not being run and anonymous user accounts older than 2 days are still there, this could mean further issue with your server's firewall or caching system blocking the cron job request (mod_sec could sometimes be troublesome).

    So what I would advice you to do if you have a lot of user accounts created in a short amount of time:

    1. Edit your wp-config.php file, add this line below your database configuration:

    define( 'WPSC_CUSTOMER_DATA_EXPIRATION', 12 * 3600 );

    What this line does is it will instruct WPEC to clear anonymous accounts that have been around more than 12 hours. Modify the 12 number above to what you deem appropriate.

    2. If you find this step complicated, shoot an email to gary@instinct.co.nz along with SSH access to your server and I'm happy to personally help you do this, or point you to our support staff who can: verify the anonymous traffic you have on your site. Don't rely on Google Analytics alone because that analytics would already filter out the number of legitimate as well as spam bots. Take a look at your server's access log and you'll have a better estimate of the traffic you're handling by filter out the number of unique IP addresses in the last 48 hours (or 12 hours if you follow step 1 which is setting the expiration constant in wp-config.php). Then compare the number of unique IP addresses in your access log with the number of your anonymous user accounts. If the ratio is a lot more than 1 : 1 then this could mean it's a bug in WPEC. Otherwise, you need to setup another layer of spam bot protection (mod_sec is a great solution).

    3. Make sure cron job is not being blocked and are run at the correct interval. Install the debug bar plugin, then install this to take a look at your cron schedule:

    4. If indeed all of these IP addresses are legitimate customers, and you're concerned about the size of your user table, there are a lot of ways to mitigate this load, such as using memcached / APC, using hyperdb and separate your user table to another server etc. You have to do this anyways if you want to scale no matter what e-commerce system you use.

  9. kscott29
    Posted 1 year ago #

    How can I disable this feature all together so that there are no anonymous users being created

  10. kscott29
    Posted 1 year ago #

    Anyone? I added in the line below the database config in the wp-config file but I had no luck with it actually deleting the anonymous users after an hour or so (I set the 12 to 1). The plugin (and all of my products) remain down until I find a solution.

  11. bobbyg99
    Posted 1 year ago #

    Same problem here. Thousands of anonymous users registered all starting with "_"

    We need a fix and soon, please.

  12. Dave Riddle
    Posted 1 year ago #

    For the time being I'm using this plugin to "Bulk Delete" those accounts.


  13. Bob Baker
    Posted 1 year ago #


    I too am having same issue with thousands of users being created.

    Just installed latest WPEC goldcart update, nothing has changed.

    WPEC still at Version

    This is complete and utter madness and I see someone actually trying to justify the problem above.

    Come on guys these are being used to run business sites, this is serious.

    This is after we wasted hours (billed time) trying to shut out the "spammers" that didn`t actually exist!

    Please, guys advise when this will be fixed.

  14. Dan Milward
    Posted 1 year ago #

    @ Bob Baker - I understand your frustration and I'm sorry about that. A patch should be ready and out the door sometime next week. In the meantime there are a couple of options listed about as to how to keep things manageable.

    We are not trying to justify the problem but explain how the problem came from an honest place and a desire to do things better. Like Gary said all the WordPress e-Commerce Plugins handle customer meta this way and we'll have the UI cleaned up as soon as possible :)

  15. jlowgren
    Posted 1 year ago #

    Hi, while you are fixing this issue I am being bombarded with 1000's of emails like this:

    "There was an error canceling the subscription for user with ID=1000. You will want to check your payment gateway to see if their subscription is still active.

    Error: not changing?"

    I suspect it is generated when the cron job deletes the temporary users created. How can I change this so I receive no more emails?

    Thank you

  16. webaware
    Posted 1 year ago #

    WooCommerce and JigoShop hide their temporary session data away in wp_options rows (two rows per session) where site admins don't get to see them. Adding temporary session data as phantom users means site admins will be confronted by a sudden mess of randomly named users in the user admin screen -- of course they're going to think the website has been hacked!

    What on earth possessed you to think this was a good idea?

  17. Gary Cao
    Plugin Author

    Posted 1 year ago #

    @Bob Baker: I understand your frustration and am working on a fix on the UI (will be released as I didn't try to justify the problem at all, just merely provided an explanation that all those user accounts are harmless and didn't affect your site negatively (aside from the admin UI inconvenience).

    We always release early alpha and beta versions at least 2 weeks before the official releases so that users can test and give us feedback in time. The same will happen with (although the time difference between this and the official release will be merely days). As a result, it would really be helpful if you could try out the beta as soon as it's out and give us your feedback. For this release, please send me an email to gary@instinct.co.nz and I will personally notify you when the beta is ready for testing.

    I'm suspecting this is caused by another plugin that depends on WPEC. Are you by any chance using any user subscription plugin?

    @webaware: As we already admit in multiple posts above, not hiding the phantom users in the admin area is a bad idea and we're fixing this UI issue in the upcoming minor release. That being said, we're not switching back to using transients and option table as that solution has its own set of problems, and many users were also complaining about their options table being bloated when we did that from 3.8.9 to 3.8.12.

  18. webaware
    Posted 1 year ago #

    @garyc40: You would get better feedback during beta phase if you tell people about the major changes you make -- e.g. in the changelog of your readme file. I certainly didn't see any hint that anonymous user sessions had been moved to wp_users, and would have checked / commented sooner if I had known to look there.

    I tend to test in a multisite testbed installation to check for new compatibility issues with my own plugins, then drop into some client dev environments to check theme compatibility, but had no need to look at the Users admin. A heads-up would have made me look there, and you would have had your feedback sooner.

    As for table "bloat", explaining that after the fact is again not the best but what can you do I guess.

    Best of luck getting the update out before too many site owners return from xmas holidays :)

  19. Gary Cao
    Plugin Author

    Posted 1 year ago #

    @webaware: I just checked our changelog again and indeed it was too generic ("Better customer API"), so thanks for the feedback. We'll communicate the changes better in upcoming releases.

  20. Bob Baker
    Posted 1 year ago #

    Thanks for the response Gary, would be really helpful if you could give an ETA for release of update. Dont want to hang you with it, but need to plan degree of interim solution.

    Gary, I appreciate these users are harmless, but this is very time consuming and we could of been warned of the problem - with a bulletin or similar, you must have admin emails on file.

    We spent 5 hours trying to find out who was spamming us, raised an issue with our hosting company, and then had to find a way of deleting users enmasse. Commercially this is costly.

    We found plugin "No Posts User Delete Plugin" v1.0 works to delete posts BUT beware if you have users without posts it will delete them, we just made sure everyone we wanted to keep had a post attributed to them.

  21. robzelf
    Posted 1 year ago #

    Glad to see this is a common problem. ETA of the update would be nice. So I know how to fix it in the meantime.

  22. giesemedia
    Posted 1 year ago #

    I am relieved to find this thread as I am having the EXACT problem so I can stop spending fruitless hours searching my client's site for malware and adding spammers but must add my plea for help to have this fixed soon! My client is not happy about this at all. Thanks!

    Also, will the release hide the thousands of anonymous users? Meaning I can stop deleting them and adding them to the spam widgets, correct?

    Thank you!

  23. Bob Baker
    Posted 1 year ago #

    Gary do we have an ETA yet

  24. Kihon
    Posted 1 year ago #

    I'm tagging this thread as I run some very large sites who rely on this plugin and are having this anonymous users issue!

    Please get us an ETA

  25. MrCarman
    Posted 1 year ago #

    Yes, I'm have the anonymous users too. I was able to delete 250 at a time by dropping down "screen options" in the "All Users" list and changing to 250 shown at a time. It wouldn't allow the delete with 500 users showing.

    I'm not an expert, however, a separate plugin that does maintenance might be a solution since I notice the anonymous users have a blank email field. Would a periodic delete of Role=Anonymous AND Email=blank be an easy query to automate? Assuming wp logs a creation date and time, maybe a setting for allowable age of entry or max number of entries could be included.

    My gripe is that I had to do a google search to find this thread since I don't see a search feature on the support page of wordpress.org. I am a gold cart paid customer but I shouldn't have to use the paid support for this issue. I should have been able to search for "anonymous". This thread is only listed as "spam . . ."
    Craig Carman craig.carman -at- calltool.com

  26. Robin
    Posted 1 year ago #

    I must be missing something BUT why do you need to generate an anonymous user for every visitor? I don't see the point or need. If the visitor buys something then I get their details. If the visitor does not buy anything then the anonymous data is of no use to me nor man nor beast as it is ANONYMOUS.

    Gary Cao "Mapping each anonymous customer to a row in your database is unavoidable."

    Can I point out that these are not customers, they are potential customers (or worse). Why do you need to map anything unless they put something in their trolley, visit the checkout, buy something. Using this data to measure conversions I can see being of use. Knowing how many visitors I get, is of use. A list of anonymous, WPEC generated users is a pile of crap that I don't need or want.

    So please explain why I need these 'users'.

  27. nwdwp
    Posted 1 year ago #

    @gary cao
    Thanks for the insight and the work effort put into the wp-ecommerce plug-in as well as the tip regarding the auto-cleanup of this data via wp-config.php file.

    I am prepping another wordpress site on my local development server with wordpress (latest version) and this plug-in (latest version) and all is fine. Just a question regarding these "anonymous user" accounts and what WPEC sees as a "customer session".

    I am the only "customer" testing this (local/secured development environment) but somehow have 19 (so far) instances of anonymous user (users) in 12 hours of installing WPEC.

    Can you give a litte more info on what declares an "anonymous customer"?

    For example why did WPEC create 19 anonymous users for one customer (me)?

    If I user a different browser (new cookies) I assume it creates one, anything else?

    Best Regards,

  28. ccolotti
    Posted 1 year ago #

    This is a mess! The bulk delete plugin is not even working I suspect due to the 22,000 users I am trying to remove. The auto cleanup is obviously not working. nor is the

    define( 'WPSC_CUSTOMER_DATA_EXPIRATION', 12 * 3600 );

  29. digdilem
    Posted 1 year ago #

    Confirm, another one - by luck I spotted this thread as I thought I was under a major attack.

    With wp-ecommerce disabled, none are created. Turn it on and around one user a second is created. My shop is not seeing anywhere near this number of visitors (I wish!).

    It is being crawled by several bots, which may be the reason.

    The users are up to six days old and I had over 5,000 of them.

    Would appreciate something that didn't cause this issue and would have preferred something that made it a lot clearer these were legitimately created users and my site was not in fact under attack, such as naming the users "_wpec_temp_user_randstring"

    Identified using this query, and deleted manually initially.

    SELECT * FROM wp_users WHERE user_login LIKE '\_%'

    22159 	_0a3jhAzO 	$P$REDACTED/ 	_0a3jhazo 	  	  	2014-01-06 13:33:23 	  	0 	_0a3jhAzO
    22160 	_Gtfkdlfu 	$P$B4Zi0lxMD.REDACTED/ 	_gtfkdlfu 	  	  	2014-01-06 13:33:24 	  	0 	_Gtfkdlfu
  30. GFHS
    Posted 1 year ago #

    Hi ... Would appreciate an ETA as to when this will be fixed. The 'define( 'WPSC_CUSTOMER_DATA_EXPIRATION', 12 * 3600 );' didn't have any effect and am having to delete stuff manually.


Topic Closed

This topic has been closed to new replies.

About this Plugin

  • WP eCommerce
  • Frequently Asked Questions
  • Support Threads
  • Reviews

About this Topic