[Resolved] Hack attempts in list of subscribers

BitEdge (@whatwhatwhatwhat)


    Hi all,

    Thanks for the great plugin. I tried 5 of the top ranked comment subscription plugins and this was the only one that did not conflict with my theme!

    I just installed the plugin and already on a couple of pages there are dozens of crazy entries in the list of subscribers. Hack attempts like injection attacks and penetration tests. Here is an image in case it's not a good idea to enter text like this in a post.

    [screenshot of the subscriber list, posted on imgur.com]

    Where do these values come from? Were they submitted as emails in the comments field? And why are they in this list if they were submitted before the plugin was installed, while the real emails of commenters are not in this list? Should I remove them all? (A select-all button would help with that.)

    Thanks

  • Plugin Author isabel104

    (@isabel104)

    Hi,

    I’m sorry for the inconvenience. First, this isn’t a hack attempt. Upon activation, this plugin imports any existing comment subscribers from these plugins:

    1. “Subscribe To Comments” plugin
    2. “Subscribe To Comments Reloaded” plugin
    3. “Comment Notifier” plugin

    However, it only cleans and removes spam emails if you were using the “Comment Notifier” plugin.

    For the other 2 plugins (“Subscribe To Comments” and “Subscribe To Comments Reloaded”) it only imports their subscribers as is. Based on this, it seems you had used one of these in the past. That’s where the values are coming from. Those plugins have allowed those to be subscribed without valid emails. (That is a problem that will not happen with this plugin because this plugin lets WordPress handle the sanitization and validation of the email address.)

    Were you using one of those plugins? Thank you for pointing this out, as I didn’t think that those 2 plugins would subscribe without valid emails (they are popular plugins).

    (EDIT: Only “Subscribe To Comments Reloaded” allows subscribers to be added outside of the native WordPress comments. This is the only plugin on the list above that would have allowed those hack subscribers to be added.)

    This isn’t a current hack attempt. These were already stored in your database as “subscribers.” And since this plugin escapes all strings before outputting, any would-be malicious code (such as what you have there) is rendered impotent.

    As a solution, I will add a check to validate email addresses before importing subscribers from the 2 listed plugins, and I’ll have that cleaning run once upon the next update. I’ll release this update ASAP within the next day or few. Thank you again for reporting this.

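The fix the author describes above (validate each address before importing it from another plugin's storage, and escape every string on output so stored junk cannot run in the admin page) as an added stand-alone example. This is not the plugin's own code: inside WordPress you would call is_email() or sanitize_email() for the check and esc_html() for output; here PHP's built-in filter_var() and htmlspecialchars() stand in for them so the script runs without WordPress (note that FILTER_VALIDATE_EMAIL and is_email() do not accept exactly the same set of addresses). The subscriber rows are constructed to resemble what a subscribe-to-comments plugin might have stored, including the kind of injection probes shown in the screenshot.

```php
<?php
// Added example (not the plugin's code). Stand-alone PHP: filter_var() and
// htmlspecialchars() replace WordPress's is_email() / esc_html().

/**
 * Constructed sample of rows copied from another subscription plugin:
 * one entry per (post, submitted "email") pair, taken as-is.
 */
function sample_imported_subscribers(): array {
    return [
        ['post_id' => 12, 'email' => 'reader@example.com'],
        ['post_id' => 12, 'email' => "' OR 1=1 --"],                 // SQL-injection probe
        ['post_id' => 15, 'email' => '<script>alert(1)</script>'],  // XSS probe
        ['post_id' => 15, 'email' => 'another.reader@example.org'],
        ['post_id' => 18, 'email' => 'not an email'],
    ];
}

/**
 * Import step with the missing check: keep only rows whose address is
 * syntactically valid. Returns [kept, dropped] so the caller can report
 * what was rejected.
 */
function validate_imported(array $rows): array {
    $kept = [];
    $dropped = [];
    foreach ($rows as $row) {
        $email = trim((string) $row['email']);
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            $dropped[] = $row;
            continue;
        }
        $row['email'] = $email;
        $kept[] = $row;
    }
    return [$kept, $dropped];
}

/**
 * One-time cleanup on update: run the same check over the rows already in
 * the plugin's own list, but only when the stored version is older than
 * the version that introduced the check ($fix_version is an assumed value).
 */
function cleanup_once(array $existing, ?string $stored_version, string $fix_version): array {
    if ($stored_version !== null && version_compare($stored_version, $fix_version, '>=')) {
        return $existing; // already cleaned by an earlier run
    }
    [$kept] = validate_imported($existing);
    return $kept;
}

/** Escape on output regardless of what validation did: defence in depth. */
function render_subscriber_row(array $row): string {
    return sprintf(
        '<tr><td>%d</td><td>%s</td></tr>',
        (int) $row['post_id'],
        htmlspecialchars($row['email'], ENT_QUOTES | ENT_HTML5, 'UTF-8')
    );
}

[$kept, $dropped] = validate_imported(sample_imported_subscribers());
printf("imported %d, rejected %d\n", count($kept), count($dropped));
foreach ($dropped as $row) {
    // Rejected strings are escaped too, so a log or admin notice cannot be abused.
    echo 'rejected: ' . htmlspecialchars($row['email'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . "\n";
}
foreach ($kept as $row) {
    echo render_subscriber_row($row) . "\n";
}

// Simulate the upgrade path: a list imported by an older version is cleaned once.
$cleaned = cleanup_once(sample_imported_subscribers(), '1.5.2', '1.5.3');
printf("after one-time cleanup: %d rows\n", count($cleaned));
```

Running this keeps the two real addresses and rejects the three probe strings; the `<script>` row is rendered as `&lt;script&gt;…` if it is ever shown, which is the "rendered impotent" behaviour the reply refers to.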
    Plugin Author isabel104

    (@isabel104)

    The plugin was just updated to version 1.5.3 which will avoid this problem for future installs. It will also remove all invalid emails that were erroneously imported from other subscription plugins. Hope that helps.

    Plugin Author isabel104

    (@isabel104)

    An Important Note:

    Please note, however, that the spammy data still exists in your database as “postmeta” attached to your posts. This plugin didn’t create that data, it only copied it from your postmeta which was placed there by other subscription plugins.

    This plugin doesn’t add/delete/modify any postmeta. This means that if you had spammy, invalid subscribers with invalid emails attached to your posts as “postmeta,” they still remain there.

    We had copied that data and pasted it into our subscriber list. Now, I’ve removed it from our own subscriber list, but that data still exists in its original location.

    Both “Subscribe To Comments” and “Subscribe To Comments Reloaded” attach the subscribers to the actual post as “postmeta” and that data will remain there unless those plugins have a way to remove its data. With “Subscribe To Comments Reloaded,” you have to disable the “Safely Uninstall” option if you want all the data to be removed upon plugin deletion.

  • The topic ‘Hack attempts in list of subscribers’ is closed to new replies.