Trackback Spam

  • I’ve been in a battle with a spammer lately. Got hit one day with 2,000 comments. I’ve since used a plugin to require commenters to enter a string shown in an image.

    Great. Now a spammer (same guy?) is coming at me with trackback-spam.

    He pings the correct URL, and voila, his junk messages appear with comments.

    I’ve gotten rid of trackbacks for now, but I do like having them available.

    Has anyone else had this problem? What can be done to combat/prevent this?

Viewing 15 replies - 16 through 30 (of 46 total)
  • Bryan Villarin


    Happiness Engineer at Automattic

    I’m at work, so I won’t try it out until I get home. In any case, thanks for whipping something up so quick, Joe! I hope it works well. =)

    I have just installed see and am curious what’s going to happen. Let’s pray the bots are stupid enough for now.

    Two days ago I was hit with hundreds of spam comments, even though I auto-shut off comments after two weeks. I plugged in Spam Karma and that stopped the spammers. Today, I’ve been hit with a flood of bestiality/incest trackbacks. I’m going to try the Trackback Spam Stopper. Thank you for that.

    Bryan Villarin


    Happiness Engineer at Automattic

    Thanks to O.F. Jay, I was able to disable pinging for all my older posts. Run this query in the SQL field in phpMyAdmin for your WP database:

    UPDATE wp_posts
    SET ping_status = 'closed'
    WHERE post_date < '2005-01-05';

    In addition to my post above, I don’t think I’ll be seeing spam until pingbacks and trackbacks are made separate. Either that, or Joe’s Trackback Spam Stopper will do the job. 😉

    Edited the erroneous usage of double quotes before – full temporary workaround posted here (which is the same link as I posted below).

    Looks like my hack didn’t work. I just got another flood of bestiality porn spam.

    Oh well, back to the drawing board…

    If the spamware is using trackback the same way most blogging software does, it is scanning the HTML page for the hidden “rdf:RDF” block (“trackback:ping=”), and using that info to send the trackback.

    As long as your plugin alters the RDF block to reflect the new trackback URL, the spammer will have no trouble sending the trackback.

    Bryan Villarin


    Happiness Engineer at Automattic

    I posted a workaround, if anybody’s interested:

    btvillarin – only one problem:
    “#1054 – Unknown column ‘closed’ in ‘field list'”

    BTW… Not all people are necessarily running the table as wp_posts.

    If you don’t mind disabling all trackbacks for now, rather than hacking your database, why not just remove wp-trackbacks.php (well, save it with another file name for future reference)?

    That’s what we did and it worked a treat!


    ARG! Just got another spam flood!

    Hi Philaweb – I had the same problem. The SQL is good, but you need to check the quotes.

    This worked for me…

    UPDATE blog_posts SET ping_status = 'closed';

    pulpmovies – thanks for your help.
    I’m trying to see the result of the file rename hack.
    Will keep the SQL solution as backup. 🙂

    Fortunately I’m able to see spammer details in my stats. The spammer uses Win ME and IE 5.5 with all hits. Most of the hits are warped via US ISP’s –, and

    I used two different hacks to combat trackback spammers. First, I enabled blacklist checking for moderation. Adding the words sex, rape and incest to the blacklist blocked the majority of trackbacks I was getting. That stopped them going on the site, but I was still getting emails.

    I followed another’s advice on these boards to change the default action in /wordpress/wp-admin/moderation.php from “Do nothing” to “Delete” so all I had to do was load the page and hit the submit button at the bottom and they went away.

    Later, I noticed all of my spam trackbacks pointed back to the domain. This hack to /wordpress/wp-trackback.php made trackbacks that go to that url go away:

    Immediately after the
    @header('Content-Type: text/xml');

    line add:

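    /* TBK ADD */
    // The spammer's domain is missing from the post as archived;
    // "spam-domain.example" is a placeholder for the domain to block.
    $pos = stristr($tb_url, "spam-domain.example");
    if ($pos !== FALSE) {
        // Answer with a trackback error instead of storing the ping.
        trackback_response(1, "Damn spammer.");
    }
    /* TBK ADD end */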

    Fixed that, at least for that host.

    now all we need to do is to make that hack work for a whole blacklist…
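
Added example (not part of the original thread and not WordPress core code): one way to extend the single-domain check above to a whole blacklist, matching on the host of the trackback URL rather than on a substring anywhere in it. The function name `tbk_url_is_blacklisted` and all domains are hypothetical placeholders.

```php
<?php
// Added example, not WordPress core code. The function name and the
// domains below are hypothetical placeholders.

/**
 * Return true when the host of $tb_url equals a blacklisted domain
 * or is a subdomain of one. URLs without a usable host are rejected too.
 */
function tbk_url_is_blacklisted($tb_url, array $blacklist)
{
    $host = parse_url(trim($tb_url), PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return true; // design choice: no parseable host means no valid trackback
    }
    $host = strtolower(rtrim($host, '.'));

    foreach ($blacklist as $domain) {
        $domain = strtolower(trim($domain, " \t\r\n."));
        if ($domain === '') {
            continue; // skip blank entries in the list
        }
        // Exact match, or host ends with ".domain" (a subdomain).
        if ($host === $domain
            || substr($host, -strlen($domain) - 1) === '.' . $domain) {
            return true;
        }
    }
    return false;
}

// Constructed sample data.
$blacklist = array('spam-domain.example', 'pills.example');
$samples = array(
    'http://spam-domain.example/post/1',        // blocked: exact host
    'http://WWW.Spam-Domain.example/x',         // blocked: subdomain, mixed case
    'http://notspam-domain.example/',           // allowed: different host
    'http://friend.example/?ref=pills.example', // allowed: match only in query string
    'not a url',                                // blocked: no host at all
);
foreach ($samples as $url) {
    echo (tbk_url_is_blacklisted($url, $blacklist) ? 'BLOCK ' : 'allow ') . $url . "\n";
}

// In wp-trackback.php the call would replace the single stristr() test:
//   if (tbk_url_is_blacklisted($tb_url, $blacklist)) {
//       trackback_response(1, 'Trackback rejected.');
//   }
```

Matching on the parsed host avoids two problems of a plain substring test: a legitimate URL that merely mentions a listed domain in its path or query is not blocked, and a lookalike such as `notspam-domain.example` is not confused with the listed domain.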

  • The topic ‘Trackback Spam’ is closed to new replies.