WordPress spam comment hole and fix

I had comments turned off in Gordon’s Shares [1], but on a rare visit to my admin Dashboard I found 15,000 spomments in the Pending queue [2]. They looked to be all spam, there were several from today, and they were largely related to old posts.

That was a surprise. The blog has comments disabled and there’s no way in the UI to create a comment; I presume the attackers were leveraging an API bug. So in addition to confirming that commenting was disabled, I also restricted the (disabled) commenting to registered users (which would be me). That seems to have fixed the problem.

[1] Mirrors/archives [1] my pinboard shares. Current setup is a bit different than 2012:
[2] I used the Delete All Comments plugin to clear out the 15K — it transiently tied down my database but it worked.

Update 10/9/2014

If you have unchecked "Allow people to post comments on the article" on the Options > Discussion panel, then you have only disabled comments on future posts.
This is the kind of thing that gives open source a bad name -- and it doesn't say much for the tech journalists who praise the WordPress organization either. Looks like a great way to do a DoS attack on a WordPress site -- fill up database storage with spomments.

Happily my workaround works perfectly.
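
To check whether a site is in the state described in the update (default set to closed, older posts still open), the queries below audit and then close the per-post setting. They are an added example, not part of the original post, and assume MySQL with the default `wp_` table prefix.

```sql
-- Added example. Assumes MySQL and the default "wp_" table prefix;
-- adjust the prefix to match $table_prefix in wp-config.php.

-- 1. Site-wide defaults. default_comment_status only applies to posts
--    created after it was changed; comment_registration = 1 is the
--    "users must be registered and logged in to comment" workaround.
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN ('default_comment_status',
                      'default_ping_status',
                      'comment_registration');

-- 2. Existing content that still accepts comments or pingbacks,
--    regardless of the default above.
SELECT post_type,
       SUM(comment_status = 'open') AS comments_open,
       SUM(ping_status = 'open')    AS pings_open,
       COUNT(*)                     AS total
FROM wp_posts
WHERE post_status IN ('publish', 'private', 'inherit')
GROUP BY post_type;

-- 3. Where the pending queue is landing: pending comments
--    (comment_approved = '0') grouped by the post they target.
SELECT p.ID, p.post_date, p.comment_status, COUNT(*) AS pending
FROM wp_comments c
JOIN wp_posts p ON p.ID = c.comment_post_ID
WHERE c.comment_approved = '0'
GROUP BY p.ID, p.post_date, p.comment_status
ORDER BY pending DESC
LIMIT 20;

-- 4. Close comments and pingbacks on every existing post, page and
--    attachment, so the per-post setting matches the site default.
UPDATE wp_posts
SET comment_status = 'closed',
    ping_status    = 'closed'
WHERE comment_status = 'open'
   OR ping_status = 'open';
```

After step 4, rerunning query 2 should report zero open posts, and the pending count from query 3 should stop growing.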

