WordPress Comment Spam Hack Disables Plugins and Allows Massive Comment Spam Injection

The Internet Patrol - Patrolling the Internet for You


If you noticed that the Internet Patrol was down for a short while yesterday, it was because we were the target of a DCS (Distributed Comment Spam) attack. We actually took the site down ourselves, while we figured out what was going on, and now you can benefit from our hard-earned lessons! So pull up a chair, and listen, particularly if you run WordPress.

This new hack has WordPress hackers disabling all of your WordPress plugins (including, you see, Akismet or any other anti-spam comment spam stopper plugin), which then allows them to inject comment spam into your blog at will. So if you suddenly find yourself getting an enormous amount of comment spam all at once, or if you suddenly find your blog pages coming up blank (because with your plugins disabled, that often can be the case) you may be the victim of this latest plugin-disabling comment spam hack.

We first noticed that something was amiss when we suddenly started getting several requests to moderate comments a minute – comments that would ordinarily have never made it that far because they were so obviously spammy. Our first thought was to just block the IP address of the comment spammer – and that is when we noticed that the comments were coming from many different IP addresses. That meant that dealing with it was going to be much more complicated, as we couldn’t simply block the offending IP address.


The next thing we noticed was that, suddenly, our site was not loading properly – the page would just stop loading about a quarter of the way down the page.

That was actually the clue which led me to realize that something was going on with our plugins, because the page always stopped loading right when there was a call to one of our plugins. So I went to the plugin admin page for WordPress, and saw that all of our plugins had somehow been deactivated.

And that’s when it hit me.


By deactivating our plugins, the spammers had deactivated Akismet – which would otherwise have simply dispatched this comment spam to comment spam oblivion.

Sneaky.

Evil.


Fortunately for us, even though the spammer was submitting their comment spam by going straight to our comment form URL (rather than through the form at the bottom of an article), what they didn’t know was that we have comment moderation turned on – no doubt this hack method relies on WordPress sites that run Akismet or other anti-comment-spam plugins not also having moderation turned on – so none of the spam actually got posted. But that didn’t stop it from severely impacting us.

I should also point out that we routinely change the name of the comment posting form so that the URL for posting a comment also changes, and we do that to thwart exactly this kind of comment spam. When this happened yesterday we tailed our httpd log, and we saw the spammer going directly to that file and URL, which means that the spammer had already discovered our newest file name and URL. This leads us to suppose that part of the reason we are all seeing an uptick in manually posted comment spam may be because there is an advance spammer group who is out manually discovering the file names and URLs of comment forms.
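The two signals described above (comment POSTs arriving from many different addresses at once, and POSTs going straight to the comment endpoint rather than from an article page) can be pulled out of the httpd access log automatically. The following is an added example, not code from the Internet Patrol or from WordPress: it parses Apache "combined" format lines, counts POSTs to the comment endpoint, flags posts whose Referer is missing or off-site as "direct", and reports the largest number of distinct source IPs seen inside a one-minute window. The endpoint name (the WordPress default, which the article's site renames), the hostname, the log lines and the threshold of five IPs are all assumptions constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumptions (not from the article): the site in the article renames its comment
# endpoint, so the stock WordPress name is used here; the hostname is a placeholder.
COMMENT_ENDPOINT = "/wp-comments-post.php"
SITE_HOST = "www.example.com"

# Apache "combined" log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (documentation address ranges); one legitimate comment submitted
# from an article page, six submissions from five other addresses within 50 seconds, and
# one junk line that must be skipped rather than crash the parser.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Apr/2008:10:01:03 -0600] "GET /2008/04/some-article/ HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Apr/2008:10:01:41 -0600] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://www.example.com/2008/04/some-article/" "Mozilla/5.0"
198.51.100.11 - - [17/Apr/2008:10:02:02 -0600] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.23 - - [17/Apr/2008:10:02:05 -0600] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.37 - - [17/Apr/2008:10:02:09 -0600] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://spam.example.net/" "Mozilla/4.0"
198.51.100.48 - - [17/Apr/2008:10:02:14 -0600] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.52 - - [17/Apr/2008:10:02:20 -0600] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.11 - - [17/Apr/2008:10:02:31 -0600] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
this line is garbage and must be skipped
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def comment_posts(lines):
    """Return the parsed POST requests aimed at the comment endpoint (query string ignored)."""
    posts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].split("?", 1)[0] == COMMENT_ENDPOINT:
            posts.append(rec)
    return posts


def is_direct_post(rec):
    """True when the POST did not come from a page on our own site: no Referer, or an
    off-site one. A browser submitting the form under an article sends the article URL."""
    ref = rec["referer"]
    if not ref or ref == "-":
        return True
    return urlparse(ref).hostname != SITE_HOST


def max_distinct_ips(posts, window):
    """Largest number of distinct source IPs posting comments within any `window`-long span."""
    posts = sorted(posts, key=lambda r: r["ts"])
    best, start = 0, 0
    for end in range(len(posts)):
        while posts[end]["ts"] - posts[start]["ts"] > window:
            start += 1
        best = max(best, len({r["ip"] for r in posts[start:end + 1]}))
    return best


def analyze(lines, window=timedelta(minutes=1), ip_threshold=5):
    """Summarise comment-posting activity and say whether it looks distributed."""
    posts = comment_posts(lines)
    per_ip = Counter(r["ip"] for r in posts)
    direct_ips = sorted({r["ip"] for r in posts if is_direct_post(r)})
    burst = max_distinct_ips(posts, window)
    return {
        "total_posts": len(posts),
        "distinct_ips": len(per_ip),
        "top_posters": per_ip.most_common(3),
        "direct_post_ips": direct_ips,
        "max_distinct_ips_in_window": burst,
        "distributed": burst >= ip_threshold,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Run it against a real log with `analyze(open("/var/log/httpd/access_log"))` after setting `COMMENT_ENDPOINT` to whatever name the comment form currently posts to. The Referer test is only a hint (some privacy tools strip it, and a determined sender can forge it), which is why the distinct-IP burst is reported separately; neither figure is a block decision on its own, but either one is a good reason to check the plugins page, as the article did.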

As always, whenever the forces of good find a new way to thwart spam – be it email or comment spam – the forces of evil catch up, and the cycle starts all over again.

Now, I will confess here that we had not yet upgraded to the newest version of WordPress – WordPress 2.5. I also don’t know if it would have made a difference or not, but among the other things we did to counter this spam attack, we upgraded to 2.5. Even if there isn’t anything in 2.5 which directly addresses this hack, we know that we have the latest and greatest in WordPress security by having upgraded.

Then, we put into place the following suggestions, found over on Matt Cutts’ excellent blog. Those suggestions include securing your wp-admin directory and creating a dummy wp-content/plugins/index.html, so that which plugins you run becomes much more difficult to discover. While these suggestions were not made by Matt in the context of this hack (about which he may or may not have known), they are directly applicable to thwarting this hack. So, thank you, Matt!
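The two steps named above can be applied and checked with a short script. This is an added example, not the Internet Patrol's or Matt Cutts' own code: it creates the dummy wp-content/plugins/index.html without overwriting one that already exists, writes a wp-admin/.htaccess that limits access to a list of administrator addresses (Apache 2.4 `Require ip` syntax, chosen here as one way of "securing" the directory; HTTP basic auth is the other common choice), and audits a web root for both controls. The placeholder file contents, the IP addresses, and the `demo()` function's throwaway directory tree are constructed for the example.

```python
import ipaddress
import tempfile
from pathlib import Path

# Hypothetical placeholder body; an empty file works equally well. (WordPress ships
# "Silence is golden." in its own placeholder index files.)
PLUGINS_INDEX_HTML = "<!-- Silence is golden. -->\n"


def ensure_plugins_index(web_root):
    """Create wp-content/plugins/index.html so a directory listing no longer reveals
    which plugins are installed. Never overwrites an existing file. Returns True if created."""
    index = Path(web_root) / "wp-content" / "plugins" / "index.html"
    if index.exists():
        return False
    index.parent.mkdir(parents=True, exist_ok=True)
    index.write_text(PLUGINS_INDEX_HTML)
    return True


def render_wp_admin_htaccess(allowed_ips):
    """Build an Apache 2.4 .htaccess that only lets the listed addresses or networks reach
    wp-admin. Every entry is validated with the ipaddress module so a typo fails loudly
    instead of producing a rule Apache rejects (which would lock everyone out)."""
    nets = [str(ipaddress.ip_network(ip, strict=False)) for ip in allowed_ips]
    if not nets:
        raise ValueError("at least one allowed address is required")
    lines = ["# Restrict wp-admin to known administrator addresses.", "<RequireAny>"]
    lines += [f"    Require ip {net}" for net in nets]
    lines += ["</RequireAny>", ""]
    return "\n".join(lines)


def write_wp_admin_htaccess(web_root, allowed_ips):
    """Write the generated rules to wp-admin/.htaccess and return the path."""
    target = Path(web_root) / "wp-admin" / ".htaccess"
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(render_wp_admin_htaccess(allowed_ips))
    return target


def audit(web_root):
    """Report whether the two controls are in place, plus what a listing would expose."""
    root = Path(web_root)
    plugins = root / "wp-content" / "plugins"
    htaccess = root / "wp-admin" / ".htaccess"
    text = htaccess.read_text() if htaccess.exists() else ""
    return {
        "plugins_index_present": (plugins / "index.html").is_file(),
        "plugin_dirs_on_disk": sorted(p.name for p in plugins.iterdir() if p.is_dir())
        if plugins.is_dir() else [],
        "wp_admin_htaccess_present": htaccess.exists(),
        # Heuristic: the file mentions an IP restriction or a blanket deny.
        "wp_admin_restricted": "Require ip" in text or "Require all denied" in text,
    }


def demo():
    """Build a constructed, throwaway fake web root and apply the steps to it."""
    root = Path(tempfile.mkdtemp(prefix="wp-hardening-demo-"))
    (root / "wp-content" / "plugins" / "akismet").mkdir(parents=True)
    (root / "wp-admin").mkdir()
    before = audit(root)
    created = ensure_plugins_index(root)
    created_again = ensure_plugins_index(root)  # idempotent: second call is a no-op
    write_wp_admin_htaccess(root, ["203.0.113.7", "198.51.100.0/24"])  # constructed addresses
    after = audit(root)
    return {"before": before, "created": created, "created_again": created_again, "after": after}


if __name__ == "__main__":
    for phase, result in demo().items():
        print(phase, result)
```

Two caveats a practitioner should keep in mind: an .htaccess file only takes effect if the directory's `AllowOverride` setting permits it, so confirm the restriction from an address outside the list rather than trusting the audit's file check; and on current WordPress versions some front-end features call wp-admin/admin-ajax.php, so a blanket IP restriction on wp-admin may need an exception for that one file.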

So we’re back up and running, a little wearier, but a little wiser.

Of course, this had to happen while I was out of town – in fact, in the middle of nowhere. Thank goodness for my Verizon Wireless USB broadband modem, which kept me connected even while in the middle of the Rockies, and allowed me to work with our dev team to troubleshoot this, and to download and install the 2.5 upgrade!
