Wordpress comment spam problem

boliston

I use WordPress to run my website and over the last few days I have had the site crash a few times, when it runs for months without issue normally.
I have got the Akismet spam plugin and it normally "kills" about 5,000 spam comments per month, but the April 2015 stats show 269,449 spam comments "killed", so that has got to be my problem! Any other WordPress users had a sudden massive increase in comment spam? I'm considering disabling comments but would rather keep this ability if possible, as I often comment on other blogs and it's a nice function to have.
 
Is there a way of making comments require a human verification system, maybe some form of registration otherwise? I use Blogger, and the built-in spam detection in the comments catches most of them, with just a few getting as far as the moderation screen where I delete them.
 
I might have a look at WordPress plugins that do the "prove you are a human" check before commenting, as a lot of other blogs seem to have this feature. I try and keep plugins to a minimum as some can slow a site down, but these spam comments are becoming a real menace!
 
Do you have the Akismet plugin? If not it may be worth trying.
Yep, have Akismet. I have just had a look at the Akismet settings and there is an option to "Silently discard the worst and most pervasive spam so I never see it". Not seen this option before, but I have enabled it and my site seems more stable now in that the CPU load has gone from about 80% to about 2%, but it might just be temporary so will keep my fingers crossed!
 
If the spam is coming from the same IP addresses, you can block them from accessing your site.
 
Thanks, have had a look at the weblogs and it looks like an attack from a single IP:
Line 61444: 185.11.144.82 - - [26/Apr/2015:16:03:02 +0000] "POST /xmlrpc.php HTTP/1.0" 200 619 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
There are about 58,000 lines like this just in today's log, at a rate of about 5 per second, but nothing more since 5pm today.
 
Do you have access to your control panel to blacklist that IP address? If not you can do it via the .htaccess file.
 
Good idea. Have typed the following command, which I understand will block a single IP, as that menace has been at it again this morning:
iptables -A INPUT -s 185.11.144.82 -j DROP
 
Just discovered that the correct block IP command is:

/sbin/iptables -I INPUT -s 185.11.144.82 -j DROP

(the previous command did nothing for some reason)

and can be checked by typing

iptables -L -n

which then confirms the IP is blocked by showing the following output:

Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 185.11.144.82 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
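As an added example (Python, not code from the thread), a defender-side script that spots this kind of burst in the access log and emits the block rule in the form that worked above: it parses combined-format lines like the one quoted earlier, counts POST /xmlrpc.php per source address, and flags an address only when both the volume and the per-second rate are high, so a lone legitimate pingback is not blocked. The sample lines, the thresholds and the function names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format, as in the line quoted earlier in the thread (its "Line 61444:"
# prefix is grep/editor output, not part of the log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
UA = '"-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"'

# Constructed sample (not real log data): a burst of xmlrpc.php POSTs from one
# address, plus a page view and a single pingback from another.
SAMPLE_LOG = "\n".join(
    [f'185.11.144.82 - - [26/Apr/2015:16:03:0{s} +0000] "POST /xmlrpc.php HTTP/1.0" 200 619 {UA}'
     for s in (2, 2, 2, 2, 3, 3, 3, 4)]
    + ['203.0.113.7 - - [26/Apr/2015:16:03:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
       '203.0.113.7 - - [26/Apr/2015:16:09:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 619 "-" "WordPress/4.2"']
)

def parse_line(line):
    """Fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def xmlrpc_bursts(log_text, min_hits=5, min_per_sec=2.0):
    """Source IP -> (hits, hits/second) for addresses whose POST /xmlrpc.php volume
    AND rate both exceed the thresholds; a lone legitimate pingback is not flagged."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/xmlrpc.php"):
            stamps[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, ts in stamps.items():
        span = max(1.0, (max(ts) - min(ts)).total_seconds())  # a 1-second burst is not /0
        if len(ts) >= min_hits and len(ts) / span >= min_per_sec:
            flagged[ip] = (len(ts), len(ts) / span)
    return flagged

def drop_rules(flagged):
    """One rule per flagged IP in the -I form from the thread: -I puts the DROP at the top
    of INPUT, ahead of any existing ACCEPT rule; -A appends it after them, which is the
    usual reason an appended DROP appears to do nothing."""
    return [f"/sbin/iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]
```

Run it over a real access log with `xmlrpc_bursts(open("access.log").read())` and review the flagged addresses before applying the printed rules.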
 
Hi Boliston,

This IP has also been hammering my company's WordPress website.

It's an xmlrpc brute force attack. It finds a username/password, uploads php files and uses them to send 100,000's of drug/porn emails.

Forget blocking the IP, unless you want to block entire ranges. You need to disable xmlrpc via your .htaccess file in root. This is how they get in. You also need to block php files via .htaccess in wp-content/uploads. This will prevent the hacker uploading malicious php scripts. I also disabled wp-cron (setting in wp-config) because the sites don't need to use it. Check wp-users and remove all unknown users. Change your username to something other than admin/administrator. Change ALL passwords. Remove all malicious files via ftp; you should not have any php files in wp-content/uploads/* with the exception of a blank index.php file. If you have access to WHM, delete everything in the mail queue; if not, ask your host to do it for you. You might find your IP is on the spam blacklists, affecting email, so have a look at mxtoolboxDOTcom/blacklists to see if your server ip is registered. Follow the links and advice to unregister it.

Hope this helps.
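The two .htaccess rules described above, written out as an added example (not taken from the thread); it assumes Apache 2.4 with AllowOverride permitting these directives, and the default wp-content/uploads location.

```apache
# Site root .htaccess: refuse XML-RPC requests before WordPress even loads.
# Apache 2.4 syntax; on 2.2 use "Order Deny,Allow" plus "Deny from all" instead.
<Files "xmlrpc.php">
    Require all denied
</Files>

# wp-content/uploads/.htaccess: nothing under uploads may execute as PHP, so a
# script placed there through a compromised account cannot be run by requesting it.
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
```

The wp-cron switch mentioned is the WordPress constant DISABLE_WP_CRON, set with `define('DISABLE_WP_CRON', true);` in wp-config.php.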
 
Thanks Alex. I ran a security test on my site using the beyondsecurity.com site and my site was only "11% secure", due mainly to quite old software versions (php, mysql etc), so I updated everything on my site to the latest software versions and now I get "90% secure", with only very minor things showing as insecure rather than major things. The site is also running faster with less lag generally, so I now realise the importance of not running old versions of anything if possible. Not seen anything else bad on any logs after upgrading, so will keep my fingers crossed.
 