Support » Fixing WordPress » Spambots using exploit?

  • Resolved Kazerad


    I use WordPress to host a comic at . Up until now, I’ve been kept spam-free using the simple “Comment Quiz” plugin. However, a couple of days ago hundreds of spam comments began slipping past my quiz – sometimes up to one every minute! My moderation queue catches most of them, but I prefer systems that keep the spam from ever being sent.

    I tried a few different quiz questions, tried ReCaptcha, and so far nothing has stopped the spam. A moment ago I even tried an impossible-to-answer spam question (featuring over 50 alphanumeric characters and no clues) and the spam is still coming in.

    At this point I think it’s safe to assume the spambots are somehow slipping past all my comment requirements. Has this happened to anyone else, and is there any way to fix this?

Viewing 12 replies - 1 through 12 (of 12 total)
  • Mark Jaquith


    WordPress Lead Dev

    If many of your posts use the default question, they may have just figured it out and scripted it in. If they’re answering post-specific questions, they’re probably using human labor to spam you. At that point, Akismet is your best bet.

    That’s the thing though, I’ve ascertained that it’s not due to the questions themselves. I literally had a blank question, a string of 56 random characters as the answer, tested it to make sure comments would only be posted if the 56 character answer was given, and the spam still came through. No human labor could do that (since I gave no hints as to what the answer was), and it would take ages for a machine to brute force it. Not just that, but it was the same spam that was coming through when I was using ReCaptcha.

    I’m not an expert at using WordPress, but the evidence I’ve found seems to suggest that whatever is posting the comment spam is somehow bypassing all of the captcha/quiz mechanisms entirely.

    Mark Jaquith


    WordPress Lead Dev

    And these are comments, not Trackbacks or PingBacks?

    May I suggest this one? Dropped me from hundreds of spam to about 5 a month. No captchas, no quizzes, etc.

    I set it to auto delete the spam (I like to live dangerously). No hassles!

    They might be trackbacks, I’m not sure I understand trackbacks enough to tell. Some of them follow the “teaser excerpt” format, some don’t. Picture below:

    I unchecked “pingbacks and trackbacks” in the Discussion settings, and the spam is still coming in, and with the same format. I also installed the plugin suggested by Rev. Voodoo, and am still getting spam (all it has caught so far was one legitimate comment).

    Cookies for Comments will not stop human spammers. Did you try Bad Behavior? You can probably use Akismet, Bad Behavior, Ban Hammer, Cookies for Comments, SI Captcha, and WordPress’ built in features combined all together to stop spammers. If that doesn’t work, then you have more serious problems.

    Did you update or install any new plugins/themes not too long before this happened?

    I had this problem with a user once. It was because they decided to install a plugin or theme before asking for my recommendation. It didn’t come from a reliable source. Nevertheless, I had to treat it as an infection and did a full re-install. That was just in my situation, yours could be different.

    I have no doubt that with enough spam-identification plugins, I could have most of my spam automatically identified and sent to my spambox. My concern, though, is that this latest wave of spambots seems to be bypassing my posting requirements. Preventative measures such as ReCaptcha and Comment Quiz have been having no effect, and the spam continued to come through even when I temporarily required a 56 character password to post comments. Even if they were using human labor to read ReCaptcha entries, it would be impossible for them to guess a 56 character password.

    All the plugins I have installed right now are pretty tame things directly from the WordPress site (Google Analytics, NexGen Gallery, Cookies for Comments, WP Super Cache, etc) and nothing new was installed prior to the latest bot wave. I am using Suffusion version 3.8.1, which is one version behind, but as far as I know this shouldn’t affect the internal mechanics of the comment box.

    Moderator Ipstenu (Mika Epstein)


    🏳️‍🌈 Halfelf Rogue & Plugin Review Team Rep

    Captchas are broken, and quizzes can be answered.

    Cookies for Comments and Bad Behavior use neither and are, long term, more sustainable.

    All but the one at the bottom, “Value for my care”, are pingbacks. You can tell because they all look like [...] blah blah blah [...]

    I’ve unchecked pingbacks in the discussion options and it hasn’t had any effect. Is there something else I have to do to keep pingbacks from appearing?

    Up until a few days ago, I was kept entirely spam-free by a simple quiz question until the spambots found a way around it. Given the fact that they can still post when I set it to require an actual password to post comments, I think it’s safe to assume they aren’t actually answering the quiz, just bypassing it. The same bots post when I use Comment Quiz, ReCaptcha, or even Cookies for Comments, so it seems as though they are somehow bypassing all comment requirements.

    I’ve unchecked pingbacks in the discussion options and it hasn’t had any effect.

    That’s only for NEW posts. The rest you have to change manually, or perhaps there’s a plugin.

    Do you have Bad Behavior running? It might help keeping away the/some bots themselves.
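    The point above is the one that resolves the thread: the Discussion-settings checkbox only sets the default for posts created afterwards, while every existing post keeps its own stored ping_status and goes on accepting pingbacks. The snippet below is an added example, not code from the thread or from any of the plugins mentioned; it uses the WordPress core functions get_posts(), wp_update_post() and is_wp_error(), and assumes it is run inside a loaded WordPress install (for instance with WP-CLI’s `wp eval-file`, which is assumed to be available). It lists which posts still have pings open, and, when dry_run is switched off, closes them in bulk instead of editing each post by hand.

```php
<?php
/**
 * Added example (not from this thread): close pingbacks/trackbacks on every
 * existing post that still accepts them.
 *
 * Why: the "Allow link notifications" option in Settings > Discussion only
 * changes the default for NEW posts. Each post row stores its own
 * ping_status, so older posts keep accepting pingbacks until they are
 * updated individually. That is how pingback spam keeps arriving even when
 * the comment form itself is protected by a quiz or captcha.
 *
 * Assumed usage (WP-CLI assumed installed):  wp eval-file close-pings.php
 * Run once with $dry_run = true to see the affected IDs, then with false.
 */

function close_pings_on_existing_posts( $post_types = array( 'post', 'page' ), $dry_run = true ) {
    // Only fetch posts whose ping_status is still 'open'; 'ping_status' is a
    // supported WP_Query argument, 'fields' => 'ids' keeps the query light.
    $ids = get_posts( array(
        'post_type'      => $post_types,
        'post_status'    => 'any',
        'ping_status'    => 'open',
        'posts_per_page' => -1,
        'fields'         => 'ids',
    ) );

    $closed = array();
    $failed = array();

    foreach ( $ids as $id ) {
        if ( $dry_run ) {
            // Report without changing anything.
            $closed[] = $id;
            continue;
        }
        // Second argument true makes wp_update_post() return a WP_Error on
        // failure instead of 0, so we can tell success from failure.
        $result = wp_update_post( array( 'ID' => $id, 'ping_status' => 'closed' ), true );
        if ( is_wp_error( $result ) ) {
            $failed[] = $id;
        } else {
            $closed[] = $id;
        }
    }

    return array( 'closed' => $closed, 'failed' => $failed, 'dry_run' => $dry_run );
}

// Example run: dry run first so nothing is modified until the list looks right.
$report = close_pings_on_existing_posts( array( 'post', 'page' ), true );
printf(
    "%s: %d post(s) with pings open: %s\n",
    $report['dry_run'] ? 'DRY RUN' : 'UPDATED',
    count( $report['closed'] ),
    implode( ', ', $report['closed'] )
);
if ( ! empty( $report['failed'] ) ) {
    printf( "Failed to update: %s\n", implode( ', ', $report['failed'] ) );
}
```

Closing ping_status on existing posts stops new pingbacks from being recorded against them; pingbacks already sitting in the queue still need to be deleted in the Comments screen, and the same per-post rule applies to comment_status if the comment form itself is ever switched off in the Discussion settings.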

    That’s only for NEW posts. The rest you have to change manually, or perhaps there’s a plugin.

    Aha! That would certainly explain it; I had assumed the default discussion settings for each post told it to use the default settings, rather than simply being set to whatever the default was at the time of posting. Lemme switch these old posts, then I’ll report whether it solves the problem.

    Yup, spam waves are now mitigated. Trackbacks remain disabled, but I wasn’t really using them much anyway. Thanks a bunch, Roy and Mark, for helping identify and fix the problem!
